From owner-freebsd-security  Wed May 15 16:17:07 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.3/8.7.3) id QAA01871
          for security-outgoing; Wed, 15 May 1996 16:17:07 -0700 (PDT)
Received: from haven.uniserve.com (haven.uniserve.com [198.53.215.121])
          by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id QAA01866
          for <freebsd-security@freebsd.org>; Wed, 15 May 1996 16:17:04 -0700 (PDT)
Received: by haven.uniserve.com id <30761-153>; Wed, 15 May 1996 16:20:29 -0800
Date: 	Wed, 15 May 1996 16:20:18 -0700 (PDT)
From: Tom Samplonius <tom@uniserve.com>
To: Darren Reed <avalon@coombs.anu.edu.au>
cc: Thomas J Balfe <tbalfe@tioga.com>, freebsd-security@freebsd.org
Subject: Re: anyone ever get this message?
In-Reply-To: <199605131442.HAA24954@freefall.freebsd.org>
Message-ID: <Pine.BSF.3.91.960515161622.1373E-100000@haven.uniserve.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk


On Tue, 14 May 1996, Darren Reed wrote:

> In some mail from Thomas J Balfe, sie said:
> > 
> > May 13 06:22:39 falcon in.identd[2686]: warning: can't get client 
> > address: Socket is not connected
> > May 13 06:22:39 falcon in.identd[2686]: connect from unknown
> 
> Looks like a half-open port scan.

  No, inetd wouldn't spawn idnetd unless the socket was open.

> Linux does similar and on BSD tcp wrappers, for the most part, don't pick
> them up.
> 
> Unless you have something recording packets, you'll never see the source
> address (connection is closed before accept can work).

  Here's problably what happens:

  - you iniatate connect to some server
  - server sends ident query
  - you close you connect to server
  - ident query arrives but socket doesn't exist


Tom