Re: scan for 109, new worm-variant or simple scan?

From: Jeff Nieusma (nieusmaat_private)
Date: Wed Apr 25 2001 - 16:01:40 PDT

Next message: Xiaomei Zhou: "repeated rpc.rexd processes"

Previous message: Jon O.: "Re: scan for 109, new worm-variant or simple scan?"
Maybe in reply to: buschermannat_private: "scan for 109, new worm-variant or simple scan?"
Next in thread: Russell Fulton: "Re: scan for 109, new worm-variant or simple scan?"
Reply: Russell Fulton: "Re: scan for 109, new worm-variant or simple scan?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

here's another sampling of blocked traffic:

Apr 24 08:44:16 MDT: denied tcp 210.119.103.190(109) -> 10.37.128.1(109)
...                                                              .1(109)
Apr 24 08:44:26 MDT: denied tcp 210.119.103.190(109) -> 10.37.130.1(109)
Apr 24 08:44:36 MDT: denied tcp 210.119.103.190(111) -> 10.37.128.1(111)
...                                                           ....1
Apr 24 08:45:53 MDT: denied tcp 210.119.103.190(111) -> 10.37.143.1(111)
Apr 24 08:48:17 MDT: denied tcp 210.119.103.190(109) -> 10.7.175.1(109)
Apr 24 08:48:37 MDT: denied tcp 210.119.103.190(111) -> 10.7.175.1(111)
Apr 24 09:06:18 MDT: denied tcp 210.119.103.190(109) -> 10.37.128.2(109)
...                                                           ....2
Apr 24 09:07:25 MDT: denied tcp 210.119.103.190(111) -> 10.37.139.2(111)
Apr 24 09:10:09 MDT: denied tcp 210.119.103.190(109) -> 10.7.175.2(109)
Apr 24 09:10:29 MDT: denied tcp 210.119.103.190(111) -> 10.7.175.2(111)
Apr 24 09:28:18 MDT: denied tcp 210.119.103.190(111) -> 10.37.128.3(111)
...                                                           ....3
Apr 24 09:29:35 MDT: denied tcp 210.119.103.190(111) -> 10.37.143.3(111)
Apr 24 09:31:59 MDT: denied tcp 210.119.103.190(109) -> 10.7.175.3(109)
... .4 .5 .6 .7 .8 --- .86 .87 ...
Apr 25 16:13:20 MDT: denied tcp 210.119.103.190(109) -> 10.37.128.88(109)
...                                                           ....88
Apr 25 16:14:56 MDT: denied tcp 210.119.103.190(111) -> 10.37.143.88(111)
Apr 25 16:17:39 MDT: denied tcp 210.119.103.190(111) -> 10.7.175.88(111)
... he's not finished, but I didn't want to delay this message any more. :-)

Anyone heard of any new POP2 exploits? Or is this just a tired old hacker
nothing better to do than waste bandwidth...

- Jeff

> -----Original Message-----
> From: Scott Nursten [mailto:scottnat_private]
> Sent: Wednesday, April 25, 2001 11:17 AM
>
> [snip]
> I have seen some similar scans recently but unfortunately it 
> is on a net that we don't run IDS on (well, we do 
> "technically" - but we don't let anything in there :))
> 
> Apr 24 19:07:48 edge1-th 147637: 4w6d: %SEC-6-IPACCESSLOGP: 
> list 103 denied tcp 203.232.4.4(21) ->  x.x.x.76(21), 1 packet
> [snip]

> buschermannat_private wrote:
> >
> > Hi all,
> > yesterday we received a scan for ports 53, 109 and 111 with 
> the synscantool
> > from one ip for about one minute.
> > Port 53 and 111 are the wellknown vulnerabilities of bind-daemon and
> > rpc.statd but what is 109 for?
> > I know it´s pop2 but i can´t remember any exploits lately besides
> >
> > http://www.securityfocus.com/vdb/?id=283
> >
> > and this is old news.
> >
> > Has anyone received similar scans in the last time?
> > [snip]

Next message: Xiaomei Zhou: "repeated rpc.rexd processes"
Previous message: Jon O.: "Re: scan for 109, new worm-variant or simple scan?"
Maybe in reply to: buschermannat_private: "scan for 109, new worm-variant or simple scan?"
Next in thread: Russell Fulton: "Re: scan for 109, new worm-variant or simple scan?"
Reply: Russell Fulton: "Re: scan for 109, new worm-variant or simple scan?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Apr 25 2001 - 16:39:32 PDT