Check the archives. I think someone else had a similar issue a couple weeks ago. The Content Switches should not do this by default. Although, it could be part of some metric gathering by the CSS's. The OS is a FreeBSD variant and one can write shell scripts and execute code just as you might on any other UNIX flavor OS.

rich

"Mike" <mnvat_private>
10/22/2001 06:30 PM

To: "Incidents List" <incidentsat_private>
cc:
Subject: Odd probes from Cisco equipment...

I've received the following sequence of probes from several different IP's in the last few hours. I haven't seen this series of probes before. All probes are exactly 2 hours and 55 minutes apart, to the minute.

Initially the attacker pings my IP, which this box is set to ignore. Following the ping, scans probe ports 53, 22, and 123.

The attackers have ports 21, 22, 23 and 5001 open. An ftp session to port 21 sends the following banner:

Connected to xxx.xxx.xxx.xxx
220 ArrowPoint (5.3.1) FTP
User (xxx.xxx.xxx.xxx:(none))

Arrowpoint is Cisco: further research on my part couldn't find any history of an automated attack/vulnerability along these lines, and I didn't locate any information regarding this series of probes.

Thoughts, anyone?

Thanks,
Mike Vasquez

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
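Added example (not part of the original thread and not code from either poster): one way to confirm from firewall logs the pattern described above, a ping followed by probes of ports 53, 22 and 123, repeating at a fixed interval across different source addresses. The log format, the addresses, the 60-second grouping window and all function names are assumptions made for this sketch.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed firewall log: format, addresses and protocols are invented for this example.
SAMPLE_LOG = """\
2001-10-22 09:05:00 src=192.0.2.10 proto=icmp dport=-
2001-10-22 09:05:01 src=192.0.2.10 proto=udp dport=53
2001-10-22 09:05:02 src=192.0.2.10 proto=tcp dport=22
2001-10-22 09:05:03 src=192.0.2.10 proto=udp dport=123
2001-10-22 10:17:40 src=203.0.113.77 proto=icmp dport=-
2001-10-22 10:17:41 src=203.0.113.77 proto=tcp dport=80
2001-10-22 12:00:10 src=198.51.100.7 proto=icmp dport=-
2001-10-22 12:00:11 src=198.51.100.7 proto=udp dport=53
2001-10-22 12:00:12 src=198.51.100.7 proto=tcp dport=22
2001-10-22 12:00:13 src=198.51.100.7 proto=udp dport=123
2001-10-22 14:55:30 src=192.0.2.44 proto=icmp dport=-
2001-10-22 14:55:31 src=192.0.2.44 proto=udp dport=53
2001-10-22 14:55:32 src=192.0.2.44 proto=tcp dport=22
2001-10-22 14:55:33 src=192.0.2.44 proto=udp dport=123
"""
SIGNATURE = {"53", "22", "123"}  # ports the post says were probed after the ping

def parse(line):
    """Split one constructed log line into (timestamp, src, proto, dport)."""
    date, time, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(f"{date} {time}"), kv["src"], kv["proto"], kv["dport"]

def find_bursts(log, window=timedelta(seconds=60)):
    """Return (minute, src) for each ping followed by all SIGNATURE ports from that src."""
    events = sorted(parse(l) for l in log.splitlines() if l.strip())
    bursts = []
    for ts, src, proto, _ in events:
        if proto != "icmp":
            continue
        ports = {d for t, s, _, d in events if s == src and ts <= t <= ts + window}
        if SIGNATURE <= ports:  # every signature port was seen inside the window
            bursts.append((ts.replace(second=0), src))  # compare to the minute
    return bursts

def fixed_interval(bursts, min_repeats=2):
    """Return the gap between consecutive bursts if it repeats, regardless of source."""
    times = sorted(t for t, _ in bursts)
    gaps = Counter(b - a for a, b in zip(times, times[1:]))
    gap, count = gaps.most_common(1)[0] if gaps else (None, 0)
    return gap if count >= min_repeats else None

if __name__ == "__main__":
    found = find_bursts(SAMPLE_LOG)
    print(len(found), "matching bursts, repeating every", fixed_interval(found))
```

Because the interval is computed across all sources rather than per address, the schedule still shows up when each burst comes from a different IP, as in the report.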
This archive was generated by hypermail 2b30 : Tue Oct 23 2001 - 08:22:53 PDT