Re: scan for 109, new worm-variant or simple scan?

From: Jeff Nieusma (nieusmaat_private)
Date: Wed Apr 25 2001 - 16:01:40 PDT


    here's another sampling of blocked traffic:
    
    Apr 24 08:44:16 MDT: denied tcp 210.119.103.190(109) -> 10.37.128.1(109)
    ...                                                              .1(109)
    Apr 24 08:44:26 MDT: denied tcp 210.119.103.190(109) -> 10.37.130.1(109)
    Apr 24 08:44:36 MDT: denied tcp 210.119.103.190(111) -> 10.37.128.1(111)
    ...                                                           ....1
    Apr 24 08:45:53 MDT: denied tcp 210.119.103.190(111) -> 10.37.143.1(111)
    Apr 24 08:48:17 MDT: denied tcp 210.119.103.190(109) -> 10.7.175.1(109)
    Apr 24 08:48:37 MDT: denied tcp 210.119.103.190(111) -> 10.7.175.1(111)
    Apr 24 09:06:18 MDT: denied tcp 210.119.103.190(109) -> 10.37.128.2(109)
    ...                                                           ....2
    Apr 24 09:07:25 MDT: denied tcp 210.119.103.190(111) -> 10.37.139.2(111)
    Apr 24 09:10:09 MDT: denied tcp 210.119.103.190(109) -> 10.7.175.2(109)
    Apr 24 09:10:29 MDT: denied tcp 210.119.103.190(111) -> 10.7.175.2(111)
    Apr 24 09:28:18 MDT: denied tcp 210.119.103.190(111) -> 10.37.128.3(111)
    ...                                                           ....3
    Apr 24 09:29:35 MDT: denied tcp 210.119.103.190(111) -> 10.37.143.3(111)
    Apr 24 09:31:59 MDT: denied tcp 210.119.103.190(109) -> 10.7.175.3(109)
    ... .4 .5 .6 .7 .8 --- .86 .87 ...
    Apr 25 16:13:20 MDT: denied tcp 210.119.103.190(109) -> 10.37.128.88(109)
    ...                                                           ....88
    Apr 25 16:14:56 MDT: denied tcp 210.119.103.190(111) -> 10.37.143.88(111)
    Apr 25 16:17:39 MDT: denied tcp 210.119.103.190(111) -> 10.7.175.88(111)
    ... he's not finished, but I didn't want to delay this message any more. :-)
    
    Anyone heard of any new POP2 exploits? Or is this just a tired old hacker
    with nothing better to do than waste bandwidth...
    
    - Jeff
    
    > -----Original Message-----
    > From: Scott Nursten [mailto:scottnat_private]
    > Sent: Wednesday, April 25, 2001 11:17 AM
    >
    > [snip]
    > I have seen some similar scans recently but unfortunately it 
    > is on a net that we don't run IDS on (well, we do 
    > "technically" - but we don't let anything in there :))
    > 
    > Apr 24 19:07:48 edge1-th 147637: 4w6d: %SEC-6-IPACCESSLOGP: 
    > list 103 denied tcp 203.232.4.4(21) ->  x.x.x.76(21), 1 packet
    > [snip]
    
    > buschermannat_private wrote:
    > >
    > > Hi all,
    > > yesterday we received a scan for ports 53, 109 and 111 with 
    > the synscantool
    > > from one ip for about one minute.
    > > Port 53 and 111 are the well-known vulnerabilities of bind-daemon and
    > > rpc.statd but what is 109 for?
    > > I know it's pop2 but I can't remember any exploits lately besides
    > >
    > > http://www.securityfocus.com/vdb/?id=283
    > >
    > > and this is old news.
    > >
    > > Has anyone received similar scans in the last time?
    > > [snip]
    
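As an added example (not code from any of the posters), here is a small Python script that parses denied-traffic lines in the format Jeff quoted and reports sources that hit the same port on several distinct hosts, plus a count of lines whose source port mirrors the destination port, as every line of the quoted sweep does. The embedded log lines are constructed from the post's format, and the three-host threshold is an assumption.

```python
import re
from collections import defaultdict

# Matches the firewall log format quoted in Jeff's message, e.g.
#   Apr 24 08:44:16 MDT: denied tcp 210.119.103.190(109) -> 10.37.128.1(109)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \w+: denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)$"
)

def parse_line(line):
    """Return the fields of a 'denied' line as a dict, or None if it does not match
    (the '...' elision lines in the post are skipped this way)."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def find_horizontal_scans(lines, min_targets=3):
    """Group denied connections by (source, destination port) and return the
    groups that touched at least min_targets distinct destination hosts,
    as {(src, dport): sorted list of destinations}. min_targets is an assumed cutoff."""
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        targets[(rec["src"], rec["dport"])].add(rec["dst"])
    return {k: sorted(v) for k, v in targets.items() if len(v) >= min_targets}

def mirrored_port_hits(lines):
    """Count denied lines whose source port equals the destination port,
    the trait visible in every line of the quoted sweep."""
    return sum(1 for l in lines if (r := parse_line(l)) and r["sport"] == r["dport"])

# Constructed sample: one source sweeping ports 109 and 111 across hosts,
# an elision line like those in the post, and one unrelated denied connection.
SAMPLE_LOG = """\
Apr 24 08:44:16 MDT: denied tcp 210.119.103.190(109) -> 10.37.128.1(109)
Apr 24 08:44:26 MDT: denied tcp 210.119.103.190(109) -> 10.37.130.1(109)
Apr 24 08:44:36 MDT: denied tcp 210.119.103.190(111) -> 10.37.128.1(111)
...                                                           ....1
Apr 24 08:45:53 MDT: denied tcp 210.119.103.190(111) -> 10.37.143.1(111)
Apr 24 08:48:17 MDT: denied tcp 210.119.103.190(109) -> 10.7.175.1(109)
Apr 24 08:48:37 MDT: denied tcp 210.119.103.190(111) -> 10.7.175.1(111)
Apr 24 09:00:00 MDT: denied tcp 192.0.2.7(4021) -> 10.37.128.1(25)
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (src, dport), dsts in find_horizontal_scans(lines).items():
        print(f"{src} swept port {dport} on {len(dsts)} hosts: {', '.join(dsts)}")
    print(f"{mirrored_port_hits(lines)} lines with source port == destination port")
```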



    This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 16:39:32 PDT