From owner-freebsd-security  Mon May 13 07:42:51 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id HAA24991
          for security-outgoing; Mon, 13 May 1996 07:42:51 -0700 (PDT)
Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.76.24])
          by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id HAA24954
          for <freebsd-security@FreeBSD.ORG>; Mon, 13 May 1996 07:42:43 -0700 (PDT)
Message-Id: <199605131442.HAA24954@freefall.freebsd.org>
Received: by cheops.anu.edu.au
	(1.37.109.16/16.2) id AA037908521; Tue, 14 May 1996 00:42:01 +1000
From: Darren Reed <avalon@coombs.anu.edu.au>
Subject: Re: anyone ever get this message?
To: tbalfe@tioga.com (Thomas J Balfe)
Date: Tue, 14 May 1996 00:42:01 +1000 (EST)
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <Pine.BSF.3.91.960513062549.2726A-100000@falcon.tioga.com> from "Thomas J Balfe" at May 13, 96 06:26:30 am
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Sender: owner-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In some mail from Thomas J Balfe, sie said:
> 
> May 13 06:22:39 falcon in.identd[2686]: warning: can't get client 
> address: Socket is not connected
> May 13 06:22:39 falcon in.identd[2686]: connect from unknown

Looks like a half-open port scan.

Linux does similar and on BSD tcp wrappers, for the most part, don't pick
them up.

Unless you have something recording packets, you'll never see the source
address (connection is closed before accept can work).

darren