NTP scan ????

From: Russell Fulton (R.FULTONat_private)
Date: Tue Feb 26 2002 - 13:43:19 PST


    Just picked up a SYN scan for NTP.  There were problems with xntp a
    while back, I wonder if there is now an exploit out there...
    
    Report from my scan detector:
    
    
    We saw adsl-63-199-26-228.dsl.snfc21.pacbell.net[63.199.26.228] talk to
    48 ports/addresses(s)
    on Tue 26 Feb 2002 at 17:00 (UTC)
    
    -- Wed 27 Feb 2002 at 05:00 (NZDT)
    
    Connection rate approx 48 per second
    
    130.216.2.10-31.tcp - 123             130.216.4.5.tcp - 123
    130.216.2.105.tcp - 123               130.216.4.90.tcp - 123
    130.216.2.138-148.tcp - 123           130.216.4.133.tcp - 123
    130.216.2.220-225.tcp - 123           130.216.4.206.tcp - 123
    130.216.3.18.tcp - 123                130.216.5.36.tcp - 123
    130.216.4.0-1.tcp - 123
    
    
    Some sample packet traces were:  Times UTC +1300 GPS synchronized
    2002-02-27-05:00:08  tcp   63.199.26.228:4908     -> 130.216.2.30:123   S_
    2002-02-27-05:00:08  tcp   63.199.26.228:4909     -> 130.216.2.31:123   S_
    2002-02-27-05:00:08  tcp   63.199.26.228:1260     -> 130.216.2.105:123  S_
    2002-02-27-05:00:08  tcp   63.199.26.228:1302     -> 130.216.2.138:123  S_
    2002-02-27-05:00:08  tcp   63.199.26.228:1306     -> 130.216.2.139:123  S_
    2002-02-27-05:00:08  tcp   63.199.26.228:1307     -> 130.216.2.140:123  S_
    2002-02-27-05:00:08  tcp   63.199.26.228:1308     -> 130.216.2.141:123  S_
    2002-02-27-05:00:08  tcp   63.199.26.228:1310     -> 130.216.2.142:123  S_
    2002-02-27-05:00:08  tcp   63.199.26.228:1311     -> 130.216.2.143:123  S_
    2002-02-27-05:00:08  tcp   63.199.26.228:1312     -> 130.216.2.144:123  S_
    2002-02-27-05:00:08  tcp   63.199.26.228:1313     -> 130.216.2.145:123  S_
    2002-02-27-05:00:10  tcp   63.199.26.228:1923     -> 130.216.4.0:123    S_
    2002-02-27-05:00:10  tcp   63.199.26.228:1925     -> 130.216.4.1:123    S_
    2002-02-27-05:00:10  tcp   63.199.26.228:1929     -> 130.216.4.5:123    S_
    2002-02-27-05:00:10  tcp   63.199.26.228:2739     -> 130.216.4.90:123   S_
    2002-02-27-05:00:10  tcp   63.199.26.228:3876     -> 130.216.4.133:123  S_
    2002-02-27-05:00:10  tcp   63.199.26.228:4036     -> 130.216.4.206:123  S_
    2002-02-27-05:00:10  tcp   63.199.26.228:4337     -> 130.216.5.36:123   S_
    2002-02-27-05:00:08  tcp   63.199.26.228:1314     -> 130.216.2.146:123  S_
    2002-02-27-05:00:08  tcp   63.199.26.228:1316     -> 130.216.2.147:123  S_
    
    -- 
    Russell Fulton, Computer and Network Security Officer
    The University of Auckland,  New Zealand
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
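The report above comes from the poster's own scan detector; the following is an added example, not that tool or any code from the list, showing how the same kind of horizontal sweep is picked out of trace lines in the format he quotes. It is a small Python script that parses the lines, groups SYN-only segments (the trailing `S_` field is assumed here to be a flags column meaning SYN set, ACK clear) by source address and destination port, and raises an alert when one source touches many distinct hosts on the same port within a short window, reporting the window and approximate rate the way the quoted report does. The sample input is the post's twenty trace lines, rejoined onto single lines. One defender's observation worth keeping in mind when triaging such an alert: NTP runs over UDP port 123, so TCP SYNs to port 123 can never reach an ntpd service; a TCP sweep of that port looks like a generic port scanner walking a list, which is useful context when deciding how much attention the event deserves.

```python
"""Toy sweep detector for the scan-detector trace format quoted in the post.
Added example; not the poster's tool. Sample data is the post's trace lines."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample input: the twenty trace lines from the post, each with its
# wrapped "S_" flags field rejoined to the line it belongs to.
SAMPLE_TRACES = """\
2002-02-27-05:00:08  tcp   63.199.26.228:4908     -> 130.216.2.30:123   S_
2002-02-27-05:00:08  tcp   63.199.26.228:4909     -> 130.216.2.31:123   S_
2002-02-27-05:00:08  tcp   63.199.26.228:1260     -> 130.216.2.105:123  S_
2002-02-27-05:00:08  tcp   63.199.26.228:1302     -> 130.216.2.138:123  S_
2002-02-27-05:00:08  tcp   63.199.26.228:1306     -> 130.216.2.139:123  S_
2002-02-27-05:00:08  tcp   63.199.26.228:1307     -> 130.216.2.140:123  S_
2002-02-27-05:00:08  tcp   63.199.26.228:1308     -> 130.216.2.141:123  S_
2002-02-27-05:00:08  tcp   63.199.26.228:1310     -> 130.216.2.142:123  S_
2002-02-27-05:00:08  tcp   63.199.26.228:1311     -> 130.216.2.143:123  S_
2002-02-27-05:00:08  tcp   63.199.26.228:1312     -> 130.216.2.144:123  S_
2002-02-27-05:00:08  tcp   63.199.26.228:1313     -> 130.216.2.145:123  S_
2002-02-27-05:00:10  tcp   63.199.26.228:1923     -> 130.216.4.0:123    S_
2002-02-27-05:00:10  tcp   63.199.26.228:1925     -> 130.216.4.1:123    S_
2002-02-27-05:00:10  tcp   63.199.26.228:1929     -> 130.216.4.5:123    S_
2002-02-27-05:00:10  tcp   63.199.26.228:2739     -> 130.216.4.90:123   S_
2002-02-27-05:00:10  tcp   63.199.26.228:3876     -> 130.216.4.133:123  S_
2002-02-27-05:00:10  tcp   63.199.26.228:4036     -> 130.216.4.206:123  S_
2002-02-27-05:00:10  tcp   63.199.26.228:4337     -> 130.216.5.36:123   S_
2002-02-27-05:00:08  tcp   63.199.26.228:1314     -> 130.216.2.146:123  S_
2002-02-27-05:00:08  tcp   63.199.26.228:1316     -> 130.216.2.147:123  S_
"""

# One trace line: timestamp, protocol, src:port -> dst:port, flags field.
# The flags column name and meaning ("S_" = SYN only) are an assumption.
TRACE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}-\d{2}:\d{2}:\d{2})\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<flags>\S+)\s*$"
)


def parse_traces(text):
    """Parse trace lines into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = TRACE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d-%H:%M:%S")
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def detect_sweeps(records, min_targets=10):
    """Alert on a source sending SYN-only TCP segments to at least
    `min_targets` distinct hosts on one destination port (a horizontal sweep).
    Reports the time window covered and an approximate per-second rate."""
    by_key = defaultdict(list)
    for r in records:
        if r["proto"] == "tcp" and r["flags"] == "S_":
            by_key[(r["src"], r["dport"])].append(r)

    alerts = []
    for (src, dport), recs in by_key.items():
        targets = {r["dst"] for r in recs}
        if len(targets) < min_targets:
            continue
        stamps = [r["ts"] for r in recs]
        first, last = min(stamps), max(stamps)
        window = (last - first).total_seconds()
        alerts.append({
            "src": src,
            "dport": dport,
            "targets": len(targets),
            "first_seen": first,
            "last_seen": last,
            "window_seconds": window,
            # Guard against a zero-length window when every SYN shares a second.
            "rate_per_second": len(targets) / max(window, 1.0),
        })
    return sorted(alerts, key=lambda a: -a["targets"])


if __name__ == "__main__":
    for a in detect_sweeps(parse_traces(SAMPLE_TRACES)):
        print(f"{a['src']} hit {a['targets']} hosts on tcp/{a['dport']} "
              f"between {a['first_seen']} and {a['last_seen']} "
              f"(~{a['rate_per_second']:.0f} per second)")
```

The threshold of ten distinct hosts is arbitrary and would be tuned per site; a real detector would also widen the key to catch vertical scans (one host, many ports) and expire state so that a slow scan spread over hours does not accumulate unbounded memory.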
    



    This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 17:02:49 PST