On Saturday 16 February 2002 03:55, you wrote:
> We had one that started on 10 February at 1524 PST and didn't end
> until 2055 PST on 13 February:
>
> First two:
>
> Feb 10 15:24:03 195.77.170.25(2079) -> 192.52.153.1(161)
> Feb 10 15:45:08 195.77.170.25(2079) -> 192.52.153.2(161)
>
> Last two:
>
> Feb 13 20:55:39 195.77.170.25(2079) -> 192.52.153.240(161)
> Feb 13 21:14:56 195.77.170.25(2079) -> 192.52.153.241(161)

I am detecting them, too. I have contacted them by phone, and they say that their mail server has a Jetadmin program that detects printers automatically and about two weeks ago "it started to detect lots of printers all over the world".

It might be a misconfigured program doing a "discover" to all 192. addresses (our AS has 194 and 212 address space but we have seen only probes to 192), but I am not sure (I don't know the program they are using).

Anyway, I have told them that their server may be compromised and perhaps it is being used to launch attacks (the 20 minute delay looks like a stealth scan).

They are going to disable the "discover" feature and we will check if the scans cease. I will get back to the list with the result.

Borja Marcos.

--
__________________________________________________________________
Borja Marcos                    * borjamat_private
Security manager                * Tel: +34 944209470
SARENET S.A.                    * Fax: +34 944209465
Parque Tecnologico, 103         *
48170 - Zamudio (Bizkaia) SPAIN *
__________________________________________________________________

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
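
The pattern discussed in this message (one source walking a /24 on UDP 161 with roughly 20 minutes between probes) can be flagged from logs in the quoted format. The following is an added example, not part of the original message: the function names, the thresholds and the year 2002 (the log lines carry no year) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# The four log lines quoted in the message above (an excerpt: the probes
# between 192.52.153.2 and 192.52.153.240 were not posted).
SAMPLE = """\
Feb 10 15:24:03 195.77.170.25(2079) -> 192.52.153.1(161)
Feb 10 15:45:08 195.77.170.25(2079) -> 192.52.153.2(161)
Feb 13 20:55:39 195.77.170.25(2079) -> 192.52.153.240(161)
Feb 13 21:14:56 195.77.170.25(2079) -> 192.52.153.241(161)
"""

LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+)\((\d+)\) -> (\S+)\((\d+)\)$")

def parse(text, year=2002):
    """Yield (timestamp, src, dst, dport) for every line in the quoted format."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(4), int(m.group(5))

def slow_sweeps(events, min_targets=3, min_gap=timedelta(minutes=5)):
    """Find sources that probe many hosts on one port at a low rate.

    A rate-based scan alarm misses probes spaced minutes apart, so this
    groups by (source, destination port) over the whole log and looks at
    the median gap, which is not skewed by missing stretches of log.
    """
    by_key = defaultdict(list)
    for ts, src, dst, dport in events:
        by_key[(src, dport)].append((ts, dst))
    findings = []
    for (src, dport), hits in by_key.items():
        hits.sort()
        targets = {dst for _, dst in hits}
        gaps = [b[0] - a[0] for a, b in zip(hits, hits[1:])]
        if len(targets) >= min_targets and gaps and median(gaps) >= min_gap:
            findings.append({"src": src, "dport": dport, "targets": len(targets),
                             "duration": hits[-1][0] - hits[0][0],
                             "median_gap": median(gaps)})
    return findings

if __name__ == "__main__":
    for f in slow_sweeps(parse(SAMPLE)):
        print(f)
```
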
This archive was generated by hypermail 2b30 : Mon Feb 18 2002 - 23:45:28 PST