Re: Odd probes from Cisco equipment...

From: Richard.Smithat_private
Date: Tue Oct 23 2001 - 06:39:01 PDT

    Check the archives. I think someone else had a similar issue a couple 
    weeks ago. 
    
    The Content Switches should not do this by default. Although, it could be 
    part of some metric gathering by the CSS's. The OS is a FreeBSD variant 
    and one can write shell scripts and execute code just as you might on any 
    other UNIX flavor OS.
    
    rich
    
    
    
    
    
    
    "Mike" <mnvat_private>
    10/22/2001 06:30 PM
    
     
            To:     "Incidents List" <incidentsat_private>
            cc: 
            Subject:        Odd probes from Cisco equipment...
    
    
    I've received the following sequence of probes from several different IPs
    in the last few hours.  I haven't seen this series of probes before. All
    probes are exactly 2 hours and 55 minutes apart, to the minute.
    
    Initially the attacker pings my IP, which this box is set to ignore.
    Following the ping, scans probe ports 53, 22, and 123.
    
    The attackers have ports 21, 22, 23 and 5001 open.  An ftp session to port
    21 sends the following banner:
    Connected to xxx.xxx.xxx.xxx
    220 ArrowPoint (5.3.1) FTP
    User (xxx.xxx.xxx.xxx:(none))
    
    Arrowpoint is Cisco: further research on my part couldn't find any history
    of an automated attack/vulnerability along these lines, and I didn't locate
    any information regarding this series of probes.  Thoughts, anyone?
    
    Thanks,
    Mike Vasquez
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    
    
    
    
    
    This archive was generated by hypermail 2b30 : Tue Oct 23 2001 - 08:22:53 PDT
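
Added example, not part of the original thread: one way to confirm from firewall logs the pattern described in the quoted report (a ping followed by probes to ports 53, 22 and 123, recurring at a fixed 2 hour 55 minute interval from several sources). The log format, the addresses, the protocol per port and the function names `bursts` and `periodic_signatures` are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import median
# Constructed sample: timestamp, source, proto, dst port. Addresses and the
# tcp/udp choice per port are assumptions, not values taken from the post.
SAMPLE_LOG = """\
2001-10-22 09:05:02 192.0.2.10 icmp -
2001-10-22 09:05:03 192.0.2.10 udp 53
2001-10-22 09:05:03 192.0.2.10 tcp 22
2001-10-22 09:05:04 192.0.2.10 udp 123
2001-10-22 10:17:40 203.0.113.99 tcp 80
2001-10-22 12:00:02 198.51.100.7 icmp -
2001-10-22 12:00:03 198.51.100.7 udp 53
2001-10-22 12:00:03 198.51.100.7 tcp 22
2001-10-22 12:00:04 198.51.100.7 udp 123
2001-10-22 13:02:11 203.0.113.99 tcp 80
2001-10-22 13:40:00 203.0.113.99 tcp 80
2001-10-22 14:55:02 192.0.2.10 icmp -
2001-10-22 14:55:03 192.0.2.10 udp 53
2001-10-22 14:55:03 192.0.2.10 tcp 22
2001-10-22 14:55:04 192.0.2.10 udp 123
"""

def bursts(log, gap=timedelta(seconds=60)):
    """Group each source's events into bursts separated by more than `gap`."""
    events = []
    for line in log.splitlines():
        day, clock, src, proto, port = line.split()
        events.append((datetime.fromisoformat(f"{day} {clock}"), src, f"{proto}/{port}"))
    out, open_burst = [], {}          # open_burst: source -> its latest burst
    for ts, src, probe in sorted(events):
        cur = open_burst.get(src)
        if cur is None or ts - cur["end"] > gap:
            cur = open_burst[src] = {"start": ts, "end": ts, "src": src, "probes": set()}
            out.append(cur)
        cur["end"] = ts
        cur["probes"].add(probe)
    return out

def periodic_signatures(log, tolerance=timedelta(seconds=60), min_bursts=3):
    """Map each probe set that recurs at a fixed interval to (period, sources)."""
    by_sig, found = {}, {}
    for b in bursts(log):             # same probe set from any source = one signature
        by_sig.setdefault(frozenset(b["probes"]), []).append(b)
    for sig, group in by_sig.items():
        deltas = [b["start"] - a["start"] for a, b in zip(group, group[1:])]
        period = median(deltas) if len(group) >= min_bursts else None
        if period is not None and all(abs(d - period) <= tolerance for d in deltas):
            found[sig] = (period, sorted({b["src"] for b in group}))
    return found
```

Grouping by probe set rather than by source is what lets the fixed interval show up when successive bursts come from different addresses; the irregular port 80 hits in the sample are not reported.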