At 10:42 AM +1200 6/25/01, Russell Fulton wrote: >Yesterday (Sunday 24th) we were attacked from several different IP >using an iterated X86 lpr exploit against any machine that response on >port 515. Even though we block 515 for the vast bulk of our addresses >I logged over 80,000 probes to the 20 or so addresses that responded! I went back through my logs. I was getting probed on port 515, usually 2 tests per probe (the port is blocked completely) starting on June 19. One probe a day, each from a different IP. Starting June 23 7:22am (central daylight time), possibly still ongoing, I've had probes from 7 different IP's. The whois lookup of the IP's is what you'd expect for a worm spreading from already infected machines -- a RoadRunner machine, couple of university machines (New Orleans, and Florida State), somebody called BroadBand Now. Last probe was at 19:54 (CDT) but they've been at least 5 hours apart so I may still be getting probed. Kevin
This archive was generated by hypermail 2b30 : Sun Jun 24 2001 - 21:51:20 PDT