Re: Printer exploit?

From: Jeremy Sanders (jsandersat_private)
Date: Fri Jun 29 2001 - 07:37:31 PDT


    It didn't make it past my router filters to the IDS, but here are the router logs for port 515 attempts:
    
    
    Jun 16 00:19:31 nsfbrd 205242: 2w2d: %SEC-6-IPACCESSLOGP: list 101 denied tcp 216.129.142.30(2425) (Serial0/0 DLCI 300) -> x.x.x.254(515), 1 packet
    Jun 16 00:19:45 nsfbrd 205244: 2w2d: %SEC-6-IPACCESSLOGP: list 101 denied tcp 216.129.142.30(3934) (Serial0/0 DLCI 300) -> x.x.x.131(515), 1 packet
    Jun 16 00:19:48 nsfbrd 205245: 2w2d: %SEC-6-IPACCESSLOGP: list 101 denied tcp 216.129.142.30(3931) (Serial0/0 DLCI 300) -> x.x.x.128(515), 1 packet
    Jun 16 00:19:55 nsfbrd 205247: 2w2d: %SEC-6-IPACCESSLOGP: list 101 denied tcp 216.129.142.30(3969) (Serial0/0 DLCI 300) -> x.x.x.159(515), 1 packet
    Jun 22 13:50:14 nsfbrd 25962: 1d21h: %SEC-6-IPACCESSLOGP: list 101 denied tcp 213.154.144.33(1810) (Serial0/0 DLCI 300) -> x.x.x.254(515), 1 packet
    Jun 28 03:41:16 nsfbrd 10859: 17:20:44: %SEC-6-IPACCESSLOGP: list 101 denied tcp 213.77.158.147(4207) (Serial0/0 DLCI 300) -> x.x.x.254(515), 1 packet
    Jun 28 18:36:50 nsfbrd 20586: 1d08h: %SEC-6-IPACCESSLOGP: list 101 denied tcp 211.250.97.130(2701) (Serial0/0 DLCI 300) -> x.x.x.254(515), 1 packet
    Jun 28 18:36:53 nsfbrd 20587: 1d08h: %SEC-6-IPACCESSLOGP: list 101 denied tcp 211.250.97.130(4610) (Serial0/0 DLCI 300) -> x.x.x.128(515), 1 packet
    Jun 28 18:36:56 nsfbrd 20589: 1d08h: %SEC-6-IPACCESSLOGP: list 101 denied tcp 211.250.97.130(4611) (Serial0/0 DLCI 300) -> x.x.x.129(515), 1 packet
    Jun 28 20:50:25 nsfbrd 21312: 1d10h: %SEC-6-IPACCESSLOGP: list 101 denied tcp 193.219.185.11(3790) (Serial0/0 DLCI 300) -> x.x.x.254(515), 1 packet
    Jun 29 02:20:35 nsfbrd 22693: 1d16h: %SEC-6-IPACCESSLOGP: list 101 denied tcp 217.80.77.237(1087) (Serial0/0 DLCI 300) -> x.x.x.150(515), 1 packet
    Jun 29 02:20:38 nsfbrd 22694: 1d16h: %SEC-6-IPACCESSLOGP: list 101 denied tcp 217.80.77.237(1067) (Serial0/0 DLCI 300) -> x.x.x.130(515), 1 packet
    Jun 29 04:39:45 nsfbrd 23214: 1d18h: %SEC-6-IPACCESSLOGP: list 101 denied tcp 209.0.219.12(1706) (Serial0/0 DLCI 300) -> x.x.x.254(515), 1 packet
    Jun 29 04:40:04 nsfbrd 23217: 1d18h: %SEC-6-IPACCESSLOGP: list 101 denied tcp 209.0.219.12(3116) (Serial0/0 DLCI 300) -> x.x.x.128(515), 1 packet
    
    Jeremy Sanders, CCNP CNE
    Advanced Systems Engineer
    New South Federal Savings Bank
    
    >>> Vangelis Haniotakis <haniotakat_private> 06/28/01 10:56AM >>>
    On 28 Jun 2001, John Leach wrote:
    
    > We've noticed a sudden influx of tcp 515 printer port scans over the
    > last month on nearly all of our boxes (different sites, different isps)
    >
    > We *do* have a *really* good HP colour laserjet, I guess the word got
    > out.
    
     Hmm, guess our printers must look tasty as well.
    
     We got hit by 3 different attackers today, all looking for port 515 on
    random IPs. A total of about 60,000 probes launched towards all of our
    class B network.
    
     Is this beginning to look a bit worrying?
    
    
    --
    Vangelis Haniotakis - Network & Communications Centre, University of Crete
    
    
    
    ----------------------------------------------------------------------------
    
    
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see:
    
    http://aris.securityfocus.com 
    
    
    
    
    



    This archive was generated by hypermail 2b30 : Fri Jun 29 2001 - 08:09:26 PDT
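
Added example, not part of the original message or of any poster's tooling: one way to reduce %SEC-6-IPACCESSLOGP deny lines like those above to the sources that swept several hosts on port 515 within a short window. The sample lines are constructed (documentation address ranges, hypothetical router name rtr1), and the 5-minute window, the 2-host threshold and the year default are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches the log format in the post; dst also accepts redacted octets (x.x.x.254).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*%SEC-6-IPACCESSLOGP: list \S+ denied "
    r"\w+ (?P<src>[\d.]+)\(\d+\).*-> (?P<dst>[\w.]+)\((?P<dport>\d+)\), \d+ packet"
)

# Constructed sample input (documentation addresses, hypothetical host rtr1).
SAMPLE = """\
Jun 16 00:19:31 rtr1 101: 2w2d: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.30(2425) (Serial0/0 DLCI 300) -> x.x.x.254(515), 1 packet
Jun 16 00:19:45 rtr1 102: 2w2d: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.30(3934) (Serial0/0 DLCI 300) -> x.x.x.131(515), 1 packet
Jun 16 00:19:48 rtr1 103: 2w2d: %SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.30(3931) (Serial0/0 DLCI 300) -> x.x.x.128(515), 1 packet
Jun 22 13:50:14 rtr1 104: 1d21h: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.33(1810) (Serial0/0 DLCI 300) -> x.x.x.254(515), 1 packet
Jun 22 13:50:20 rtr1 105: 1d21h: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.33(1811) (Serial0/0 DLCI 300) -> x.x.x.10(23), 1 packet
Jun 28 18:36:50 rtr1 106: 1d08h: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.130(2701) (Serial0/0 DLCI 300) -> x.x.x.254(515), 1 packet
Jun 28 18:36:53 rtr1 107: 1d08h: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.130(4610) (Serial0/0 DLCI 300) -> x.x.x.128(515), 1 packet
"""

def parse(text, year=2001):
    """Yield (timestamp, src, dst, dport) per denied-packet line.
    Syslog omits the year, so the caller supplies it (assumption)."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["dst"], int(m["dport"])

def sweeps(events, port=515, min_hosts=2, window=timedelta(minutes=5)):
    """Map each source that probed >= min_hosts distinct destinations on
    `port` inside one time window to the sorted list of those destinations."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        if dport == port:
            by_src[src].append((ts, dst))
    found = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            dsts = {d for t, d in hits[i:] if t - start <= window}
            if len(dsts) >= min_hosts:
                found[src] = sorted(dsts)
                break
    return found

if __name__ == "__main__":
    print(sweeps(parse(SAMPLE)))
```

Sources that touch only one host on the port, such as 198.51.100.33 in the sample, are left out of the result; lower min_hosts to 1 to list every prober.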