Depends on what was in the packet.  They may be trying to get your Web server
to accept an illegal command that would open up a hole that could be
exploited.  For example, causing the web server process to crash so they
could gain access at a root level.  The series of packets sent could
represent a number of such attempts.

Is there a web server?  Try to crash it with method 1.  Did it work? No, try
to crash it with method 2.  Did it work? ... etc.

> (2) May  6 20:04:20 bastion ipmon[87]: 20:04:20.104592 iprb @0:3 p
> 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 44 -S
> (1) May  6 20:04:23 bastion ipmon[87]: 20:04:23.065728 iprb @0:3 p
> 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 44 -S
> (1) May  6 20:04:23 bastion ipmon[87]: 20:04:23.171150 iprb @0:3 p
> 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -A
> (1) May  6 20:04:23 bastion ipmon[87]: 20:04:23.173108 iprb @0:3 p
> 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 114 -AP
> (1) May  6 20:04:23 bastion ipmon[87]: 20:04:23.298487 iprb @0:3 p
> 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -A
> (1) May  6 20:04:31 bastion ipmon[87]: 20:04:30.479423 iprb @0:3 p
> 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
> (1) May  6 20:04:40 bastion ipmon[87]: 20:04:40.094519 iprb @0:3 p
> 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
> (1) May  6 20:04:59 bastion ipmon[87]: 20:04:59.323681 iprb @0:3 p
> 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
> (1) May  6 20:05:38 bastion ipmon[87]: 20:05:37.782541 iprb @0:3 p
> 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]

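An added example, not part of the original message: a small parser for ipmon records like those quoted above that groups packets per connection and estimates how many of them carried data, which is the first thing to check when judging what a logged exchange could have contained. It assumes the ipmon layout `len <IP header length> <total length>` and a 20-byte TCP header on non-SYN segments; the records are rejoined from the quoted log with the syslog prefix dropped, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Records rejoined from the quoted log, one per line (syslog prefix dropped).
SAMPLE = """\
20:04:20.104592 iprb @0:3 p 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 44 -S
20:04:23.065728 iprb @0:3 p 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 44 -S
20:04:23.171150 iprb @0:3 p 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -A
20:04:23.173108 iprb @0:3 p 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 114 -AP
20:04:23.298487 iprb @0:3 p 38.149.215.71,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -A
20:04:30.479423 iprb @0:3 p 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
20:04:40.094519 iprb @0:3 p 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
20:04:59.323681 iprb @0:3 p 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
20:05:37.782541 iprb @0:3 p 192.168.1.65,1752 -> 209.xxx.xxx.xxx,80 PR tcp len 20 40 -AF
"""

LINE = re.compile(
    r"(?P<time>\d\d:\d\d:\d\d\.\d+) (?P<ifname>\S+) @(?P<group>\d+):(?P<rule>\d+) "
    r"(?P<action>\S+) (?P<src>[^,\s]+),(?P<sport>\d+) -> (?P<dst>[^,\s]+),(?P<dport>\d+) "
    r"PR tcp len (?P<hlen>\d+) (?P<total>\d+) -(?P<flags>[A-Z]+)"
)
MIN_TCP_HEADER = 20  # assumption: no TCP options on non-SYN segments

def parse(text):
    """Yield one dict per ipmon TCP record; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            rec = m.groupdict()
            for key in ("sport", "dport", "hlen", "total"):
                rec[key] = int(rec[key])
            yield rec

def summarize(text):
    """Group by (source port, destination, destination port), not source address:
    the quoted log shows the same port 1752 under two source addresses."""
    flows = defaultdict(lambda: {"sources": set(), "flags": [], "payload": 0, "data_packets": 0})
    for r in parse(text):
        f = flows[(r["sport"], r["dst"], r["dport"])]
        f["sources"].add(r["src"])
        f["flags"].append(r["flags"])
        # SYN segments carry options, so payload is only estimated on the rest.
        est = 0 if "S" in r["flags"] else max(0, r["total"] - r["hlen"] - MIN_TCP_HEADER)
        f["payload"] += est
        f["data_packets"] += 1 if est else 0
    return dict(flows)

if __name__ == "__main__":
    for key, f in summarize(SAMPLE).items():
        print(key, sorted(f["sources"]), f["flags"], f["data_packets"], f["payload"])
```

The payload figure is an upper-bound estimate, since ipmon does not log the TCP header length; the packet contents themselves would have to come from a capture or the web server's own logs.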