Re: Strange broadcasts to printer port

From: Mike Patchen (MPatchenat_private)
Date: Thu Jun 28 2001 - 10:55:15 PDT

  • Next message: Jeremy Sanders: "Re: Printer exploit?"

    I have been seeing a lot of these too (5-7 per day).  Snort identifies them as "BACKDOOR Q access".  The only difference that I see is that the TOS is 0x00 in my logs.  I usually see these as a scan across my IP range, instead of being targeted at a certain machine.
    
    Mike Patchen
    IT Technician
    City of Chaska
    
    >>> Patrick Oonk <patrickat_private> 06/28/01 09:27AM >>>
    Hi,
    
    I have been seeing syn packets from src 255.255.255.255:31337 to random
    ip-numbers port 515 in our nets for months.  Does anyone kow what could cause this?
    
    The packets are coming from outside our network.
    
    tcpdump:
    
    15:55:10.669625 255.255.255.255.31337 > 213.156.28.202.printer: S 100:100(0) win 512 [tos 0x20] [ttl 1]
                              4520 0028 f2b0 0000 0106 d499 ffff ffff
                              d59c 1cca 7a69 0203 0000 0064 0000 0000
                              5002 0200 3eac 0000 0000 0000 0000
    
    Snort: 
    
    06/28-16:18:51.995065 255.255.255.255:31337 -> 213.156.9.61:515
    TCP TTL:1 TOS:0x20 ID:62128 IpLen:20 DgmLen:40
    ******S* Seq: 0x64  Ack: 0x0  Win: 0x200  TcpLen: 20
    
    
    	.
     .p.
    	.
    
    -- 
     Patrick Oonk - PO1-6BONE - E: patrickat_private - www.pine.nl/~patrick 
     Pine Internet  -  PAT31337-RIPE  -   Hushmail: p.oonkat_private 
     T: +31-70-3111010  -   F: +31-70-3111011   -  http://security.nl 
     PGPID 155C3934 fp DD29 1787 8F49 51B8 4FDF  2F64 A65C 42AE 155C 3934
     Excuse of the day: The UPS is on strike.
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com 
    
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 19:53:40 PDT