RE: IKE /HTTP exploit???

From: Dean Cunningham (Dean.Cunninghamat_private)
Date: Sun Aug 12 2001 - 17:46:52 PDT

    Can that request, I did a further search of the archives and found
    
    
    "I couldn't find it now, but I think last week someone mentioned that if the
    default setting on a W2k server is to attempt a secure connection, it will
    send out this 500/udp probe to try contact the other code and negotiate IKE.
    If you review your logs, you'll probably see this udp/500 probe quickly
    followed by attempted connection from the same host to port 80/tcp."
    
    This looks like the sig.
    
    cheers
    Dean
    
    -----Original Message-----
    From: Dean Cunningham [mailto:Dean.Cunninghamat_private]
    Sent: Monday, 13 August 2001 11:49 a.m.
    To: 'incidentsat_private'
    Subject: IKE /HTTP exploit???
    
    
    I am getting a few (300 in the last week) scans showing up in the firewall
    logs.
    These existed pre CR, but I am interested as to what the exploit is.
    Any pointers?
    
    regards
    Dean
    
    
    Summary:
    Source:     	202.98.196.18
    Destination:	202.36.123.140
    Time NZST:  	13 Aug 2001 10:57 to 10:58 (+1200)
    Time GMT:   	12 Aug 2001 22:57 to 22:58
    Protocols:  	IKE HTTP
    ***************************************************
    This e-mail is  not an  official  statement of  the
    Waikato  Regional  Council unless otherwise stated.
    Visit our website http://www.ew.govt.nz
    ***************************************************
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 07:17:42 PDT
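
The signature quoted in the message above (a udp/500 probe quickly followed by a tcp/80 attempt from the same host) can be checked for in firewall logs with a small correlation pass. This is an added example, not part of the original post; the log line format, the 30-second window and the addresses (documentation ranges) are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed log format: "<date> <time> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<proto>udp|tcp) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample lines, in chronological order as a firewall would write them.
SAMPLE_LOG = """\
2001-08-13 10:57:41 DENY udp 192.0.2.18:500 -> 198.51.100.140:500
2001-08-13 10:57:43 DENY tcp 192.0.2.18:3122 -> 198.51.100.140:80
2001-08-13 10:58:02 DENY tcp 192.0.2.77:4410 -> 198.51.100.140:80
2001-08-13 10:59:10 DENY udp 192.0.2.90:500 -> 198.51.100.140:500
2001-08-13 11:04:30 DENY tcp 192.0.2.90:1999 -> 198.51.100.140:80
garbled line that should be skipped
2001-08-13 11:05:00 DENY udp 192.0.2.55:500 -> 198.51.100.141:500
2001-08-13 11:05:01 DENY tcp 192.0.2.55:2001 -> 198.51.100.140:80
"""

def find_ike_then_http(lines, window=timedelta(seconds=30)):
    """Return (src, dst, ike_time, http_time) for each udp/500 probe followed
    within `window` by a tcp/80 attempt from the same source to the same target."""
    last_ike = {}  # (src, dst) -> time of the most recent udp/500 probe
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a parseable connection record
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        key = (m["src"], m["dst"])
        if m["proto"] == "udp" and m["dport"] == "500":
            last_ike[key] = ts
        elif m["proto"] == "tcp" and m["dport"] == "80" and key in last_ike:
            ike_ts = last_ike.pop(key)  # each probe is paired at most once
            if timedelta(0) <= ts - ike_ts <= window:
                hits.append((m["src"], m["dst"], ike_ts, ts))
    return hits

if __name__ == "__main__":
    for src, dst, ike_ts, http_ts in find_ike_then_http(SAMPLE_LOG.splitlines()):
        print(f"{src} -> {dst}: udp/500 at {ike_ts}, tcp/80 {http_ts - ike_ts} later")
```

On the sample, only the first pair is reported: the other tcp/80 attempts have no preceding udp/500 probe, arrive outside the window, or go to a different destination than the probe.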