> > From: r.fultonat_private [mailto:r.fultonat_private]
> > Sent: Sunday, June 24, 2001 6:42 PM
> > To: incidentsat_private
> > Subject: massive lpr exploit attempt
> >
> >
> > Yesterday (Sunday 24th) we were attacked from several different IPs
> > using an iterated X86 lpr exploit against any machine that responds on
> > port 515. Even though we block 515 for the vast bulk of our addresses
> > I logged over 80,000 probes to the 20 or so addresses that responded!
> >
> > These attacks are the same as I saw a few months ago (hmm... I'm sure
> > I posted something about them then but I can't find anything in the
> > archives). One feature of these attacks is that while the attacker is
> > trying exploits on port 515 they are also making connection attempts on
> > port 3897 (presumably looking for a root shell that signals that one of
> > the exploits succeeded). Thus if you run argus then you can pick up
> > any successful exploits by dumping all established tcp sessions to port
> > 3897.
> >

Out of the blue, we just registered a dramatic upsurge in lpr scans over
the past two days. Please don't tell me there is another lpd exploit
making the rounds.

-geoff

--
-----------------------------------------------------------------------
Geoff Galitz                     | "Beer is proof that God loves us."
Research Computing, UC Berkeley  | Theodore Roosevelt
galitzat_private                 |
-----------------------------------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 18:22:49 PDT
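
The check described in the quoted message (flag established TCP sessions to port 3897 while port 515 is being probed), as an added example that is not part of the original thread. The CSV flow layout, the `EST` state label, the 600-second window and the sample records are constructed assumptions, not argus output.

```python
import csv
import io

LPD_PORT = 515      # printer service targeted in the reported attacks
SHELL_PORT = 3897   # port the attacker connects back to, per the quoted message
WINDOW = 600        # seconds; assumed correlation window, tune to your data

# Constructed sample flows in a hypothetical layout (not real argus output):
# start_epoch,src,dst,dport,state   where state EST = TCP handshake completed
SAMPLE = """\
993400000,192.0.2.10,198.51.100.5,515,EST
993400004,192.0.2.10,198.51.100.5,3897,RST
993400009,192.0.2.10,198.51.100.5,515,EST
993400012,192.0.2.10,198.51.100.5,3897,EST
993400020,192.0.2.10,198.51.100.6,515,TIM
993400021,192.0.2.10,198.51.100.6,3897,TIM
993400100,203.0.113.7,198.51.100.9,3897,EST
"""

def parse_flows(text):
    """Yield (ts, src, dst, dport, state) tuples from the CSV text."""
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue  # tolerate blank lines
        ts, src, dst, dport, state = row
        yield int(ts), src, dst, int(dport), state

def shell_port_sessions(text, window=WINDOW):
    """Return every established session to SHELL_PORT as
    (src, dst, ts, followed_probe). followed_probe is True when the same
    source hit LPD_PORT on the same host within `window` seconds before."""
    last_probe = {}   # (src, dst) -> time of most recent port-515 flow
    hits = []
    for ts, src, dst, dport, state in sorted(parse_flows(text)):
        if dport == LPD_PORT:
            last_probe[(src, dst)] = ts
        elif dport == SHELL_PORT and state == "EST":
            probe = last_probe.get((src, dst))
            followed = probe is not None and ts - probe <= window
            hits.append((src, dst, ts, followed))
    return hits

if __name__ == "__main__":
    for src, dst, ts, followed in shell_port_sessions(SAMPLE):
        label = "after lpd probe" if followed else "no probe seen"
        print(f"{ts} {src} -> {dst}:{SHELL_PORT} established ({label})")
```

Failed or timed-out attempts on port 3897 are ignored; only a completed handshake suggests a listener was there to answer.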