here's another sampling of blocked traffic:

Apr 24 08:44:16 MDT: denied tcp 210.119.103.190(109) -> 10.37.128.1(109)
... .1(109)
Apr 24 08:44:26 MDT: denied tcp 210.119.103.190(109) -> 10.37.130.1(109)
Apr 24 08:44:36 MDT: denied tcp 210.119.103.190(111) -> 10.37.128.1(111)
... ....1
Apr 24 08:45:53 MDT: denied tcp 210.119.103.190(111) -> 10.37.143.1(111)
Apr 24 08:48:17 MDT: denied tcp 210.119.103.190(109) -> 10.7.175.1(109)
Apr 24 08:48:37 MDT: denied tcp 210.119.103.190(111) -> 10.7.175.1(111)
Apr 24 09:06:18 MDT: denied tcp 210.119.103.190(109) -> 10.37.128.2(109)
... ....2
Apr 24 09:07:25 MDT: denied tcp 210.119.103.190(111) -> 10.37.139.2(111)
Apr 24 09:10:09 MDT: denied tcp 210.119.103.190(109) -> 10.7.175.2(109)
Apr 24 09:10:29 MDT: denied tcp 210.119.103.190(111) -> 10.7.175.2(111)
Apr 24 09:28:18 MDT: denied tcp 210.119.103.190(111) -> 10.37.128.3(111)
... ....3
Apr 24 09:29:35 MDT: denied tcp 210.119.103.190(111) -> 10.37.143.3(111)
Apr 24 09:31:59 MDT: denied tcp 210.119.103.190(109) -> 10.7.175.3(109)
...
.4 .5 .6 .7 .8 --- .86 .87
...
Apr 25 16:13:20 MDT: denied tcp 210.119.103.190(109) -> 10.37.128.88(109)
... ....88
Apr 25 16:14:56 MDT: denied tcp 210.119.103.190(111) -> 10.37.143.88(111)
Apr 25 16:17:39 MDT: denied tcp 210.119.103.190(111) -> 10.7.175.88(111)
...

he's not finished, but I didn't want to delay this message any more. :-)

Anyone heard of any new POP2 exploits? Or is this just a tired old hacker with nothing better to do than waste bandwidth...
- Jeff

> -----Original Message-----
> From: Scott Nursten [mailto:scottnat_private]
> Sent: Wednesday, April 25, 2001 11:17 AM
>
> [snip]
> I have seen some similar scans recently but unfortunately it
> is on a net that we don't run IDS on (well, we do
> "technically" - but we don't let anything in there :))
>
> Apr 24 19:07:48 edge1-th 147637: 4w6d: %SEC-6-IPACCESSLOGP:
> list 103 denied tcp 203.232.4.4(21) -> x.x.x.76(21), 1 packet
> [snip]
> buschermannat_private wrote:
> >
> > Hi all,
> > yesterday we received a scan for ports 53, 109 and 111 with the synscantool
> > from one ip for about one minute.
> > Port 53 and 111 are the wellknown vulnerabilities of bind-daemon and
> > rpc.statd but what is 109 for?
> > I know it's pop2 but i can't remember any exploits lately besides
> >
> > http://www.securityfocus.com/vdb/?id=283
> >
> > and this is old news.
> >
> > Has anyone received similar scans in the last time?
> > [snip]

This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 16:39:32 PDT
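
Added example, not part of the original thread: a small Python summarizer for "denied tcp" lines in the format Jeff quotes, showing per source which ports were probed, how many hosts were touched, and whether source port equals destination port as it does in the logs above. The sample reuses lines from the post plus one constructed line (192.0.2.7); the function names, the `min_targets` threshold and the assumed year 2001 are choices made for this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines from the post, plus one constructed unrelated deny (192.0.2.7).
SAMPLE = """\
Apr 24 08:44:16 MDT: denied tcp 210.119.103.190(109) -> 10.37.128.1(109)
Apr 24 08:44:36 MDT: denied tcp 210.119.103.190(111) -> 10.37.128.1(111)
Apr 24 09:06:18 MDT: denied tcp 210.119.103.190(109) -> 10.37.128.2(109)
Apr 24 09:10:29 MDT: denied tcp 210.119.103.190(111) -> 10.7.175.2(111)
Apr 25 16:17:39 MDT: denied tcp 210.119.103.190(111) -> 10.7.175.88(111)
Apr 25 16:20:00 MDT: denied tcp 192.0.2.7(40112) -> 10.7.175.9(25)
"""

LINE = re.compile(
    r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \w+: denied tcp "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)")

def summarize(text, year=2001):
    """Group denied-TCP lines by source address and describe each sweep."""
    per_src = defaultdict(list)
    for m in LINE.finditer(text):
        # The log format carries no year, so one is assumed for time math.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        per_src[m["src"]].append((ts, int(m["sport"]), m["dst"], int(m["dport"])))
    report = {}
    for src, hits in per_src.items():
        times = [h[0] for h in hits]
        report[src] = {
            "ports": sorted({h[3] for h in hits}),
            "targets": len({h[2] for h in hits}),
            "last_octets": sorted({int(h[2].rsplit(".", 1)[1]) for h in hits}),
            "sport_eq_dport": all(h[1] == h[3] for h in hits),
            "hours": round((max(times) - min(times)).total_seconds() / 3600, 1),
        }
    return report

def sweeps(report, min_targets=3):
    """Sources that hit several hosts with source port == destination port."""
    return [s for s, r in report.items()
            if r["targets"] >= min_targets and r["sport_eq_dport"]]

if __name__ == "__main__":
    for src, r in summarize(SAMPLE).items():
        print(src, r)
```

Run over a full day of denies, the `last_octets` and `hours` fields make a slow sweep like this one stand out, where the same host octet is tried across many subnets before the scanner moves to the next octet.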