Odd probes from Cisco equipment...

From: Mike (mnvat_private)
Date: Mon Oct 22 2001 - 15:30:48 PDT

    I've received the following sequence of probes from several different IPs
    in the last few hours.  I haven't seen this series of probes before. All
    probes are exactly 2 hours and 55 minutes apart, to the minute.

    Initially the attacker pings my IP, which this box is set to ignore.
    Following the ping, scans probe ports 53, 22, and 123.

    The attackers have ports 21, 22, 23 and 5001 open.  An FTP session to port
    21 sends the following banner:

        Connected to xxx.xxx.xxx.xxx
        220 ArrowPoint (5.3.1) FTP
        User (xxx.xxx.xxx.xxx:(none))

    ArrowPoint is Cisco: further research on my part couldn't find any history
    of an automated attack/vulnerability along these lines, and I didn't locate
    any information regarding this series of probes.  Thoughts, anyone?

    Mike Vasquez

    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
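
An added example, not part of the original post: one way to check firewall logs for the pattern described above, a ping followed by probes to ports 53, 22 and 123 from a single source, with rounds from different sources spaced at one fixed interval to the minute. The log layout, the 60-second round window, the addresses and the timestamps are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample lines ("date time src proto dport"); this layout is an
# assumption, not the poster's log format. Addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
2001-10-22 06:40:05 192.0.2.10 icmp -
2001-10-22 06:40:07 192.0.2.10 udp 53
2001-10-22 06:40:08 192.0.2.10 tcp 22
2001-10-22 06:40:09 192.0.2.10 udp 123
2001-10-22 08:12:44 203.0.113.77 tcp 80
2001-10-22 09:35:31 198.51.100.4 icmp -
2001-10-22 09:35:33 198.51.100.4 udp 53
2001-10-22 09:35:33 198.51.100.4 tcp 22
2001-10-22 09:35:36 198.51.100.4 udp 123
2001-10-22 12:30:02 203.0.113.9 icmp -
2001-10-22 12:30:04 203.0.113.9 udp 53
2001-10-22 12:30:05 203.0.113.9 tcp 22
2001-10-22 12:30:06 203.0.113.9 udp 123
"""

PORTS = {"53", "22", "123"}            # ports probed after the ping
ROUND_WINDOW = timedelta(seconds=60)   # assumed maximum length of one round

def parse(log):
    for line in log.splitlines():
        date, clock, src, proto, dport = line.split()
        ts = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        yield ts, src, ("icmp" if proto == "icmp" else dport)

def find_rounds(log):
    """Return sorted (start_time, src) for bursts that are ping + the three ports."""
    bursts = {}                        # src -> list of bursts of (ts, what)
    for ts, src, what in parse(log):
        runs = bursts.setdefault(src, [])
        if runs and ts - runs[-1][0][0] <= ROUND_WINDOW:
            runs[-1].append((ts, what))    # still inside the current burst
        else:
            runs.append([(ts, what)])      # a new burst from this source
    rounds = [(run[0][0], src) for src, runs in bursts.items() for run in runs
              if run[0][1] == "icmp" and {w for _, w in run[1:]} == PORTS]
    return sorted(rounds)

def fixed_interval(rounds):
    """Minutes between rounds if every gap is identical to the minute, else None."""
    starts = [ts.replace(second=0) for ts, _ in rounds]
    gaps = {int((b - a).total_seconds() // 60) for a, b in zip(starts, starts[1:])}
    return gaps.pop() if len(gaps) == 1 else None
```

A non-None result from `fixed_interval(find_rounds(...))` across unrelated source addresses points to scheduled, automated activity rather than independent scans.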