Just picked up a SYN scan for NTP. There were problems with xntp a while back, I wonder if there is now an exploit out there...

Report from my scan detector:

We saw adsl-63-199-26-228.dsl.snfc21.pacbell.net[63.199.26.228] talk to 48 ports/addresses(s) on
Tue 26 Feb 2002 at 17:00 (UTC) -- Wed 27 Feb 2002 at 05:00 (NZDT)
Connection rate approx 48 per second

130.216.2.10-31.tcp - 123      130.216.4.5.tcp - 123
130.216.2.105.tcp - 123        130.216.4.90.tcp - 123
130.216.2.138-148.tcp - 123    130.216.4.133.tcp - 123
130.216.2.220-225.tcp - 123    130.216.4.206.tcp - 123
130.216.3.18.tcp - 123         130.216.5.36.tcp - 123
130.216.4.0-1.tcp - 123

Some sample packet traces were:

Times UTC +1300 GPS synchronized
2002-02-27-05:00:08 tcp 63.199.26.228:4908 -> 130.216.2.30:123 S_
2002-02-27-05:00:08 tcp 63.199.26.228:4909 -> 130.216.2.31:123 S_
2002-02-27-05:00:08 tcp 63.199.26.228:1260 -> 130.216.2.105:123 S_
2002-02-27-05:00:08 tcp 63.199.26.228:1302 -> 130.216.2.138:123 S_
2002-02-27-05:00:08 tcp 63.199.26.228:1306 -> 130.216.2.139:123 S_
2002-02-27-05:00:08 tcp 63.199.26.228:1307 -> 130.216.2.140:123 S_
2002-02-27-05:00:08 tcp 63.199.26.228:1308 -> 130.216.2.141:123 S_
2002-02-27-05:00:08 tcp 63.199.26.228:1310 -> 130.216.2.142:123 S_
2002-02-27-05:00:08 tcp 63.199.26.228:1311 -> 130.216.2.143:123 S_
2002-02-27-05:00:08 tcp 63.199.26.228:1312 -> 130.216.2.144:123 S_
2002-02-27-05:00:08 tcp 63.199.26.228:1313 -> 130.216.2.145:123 S_
2002-02-27-05:00:10 tcp 63.199.26.228:1923 -> 130.216.4.0:123 S_
2002-02-27-05:00:10 tcp 63.199.26.228:1925 -> 130.216.4.1:123 S_
2002-02-27-05:00:10 tcp 63.199.26.228:1929 -> 130.216.4.5:123 S_
2002-02-27-05:00:10 tcp 63.199.26.228:2739 -> 130.216.4.90:123 S_
2002-02-27-05:00:10 tcp 63.199.26.228:3876 -> 130.216.4.133:123 S_
2002-02-27-05:00:10 tcp 63.199.26.228:4036 -> 130.216.4.206:123 S_
2002-02-27-05:00:10 tcp 63.199.26.228:4337 -> 130.216.5.36:123 S_
2002-02-27-05:00:08 tcp 63.199.26.228:1314 -> 130.216.2.146:123 S_
2002-02-27-05:00:08 tcp 63.199.26.228:1316 -> 130.216.2.147:123 S_

--
Russell Fulton, Computer and Network Security Officer
The University of Auckland, New Zealand

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 17:02:49 PST
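A sketch of how a report like the one in the post can be derived from the packet traces, added here as an example and not part of the original post or the poster's scan detector. The names `find_scans`, `collapse` and the `min_targets` threshold are hypothetical, and reading the `S_` flag field as an unanswered SYN is an assumption.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Trace format as in the post: time, proto, src:sport -> dst:dport, flags.
# Assumption: the flag field "S_" marks a SYN that got no reply.
TRACE = re.compile(r"^\S+ tcp ([\d.]+):\d+ -> ([\d.]+):(\d+) (\S+)$")

def collapse(addrs):
    """Collapse addresses into runs like '130.216.2.10-31' (within one /24)."""
    runs = []
    for a in sorted(addrs):
        last = runs[-1][-1] if runs else None
        if (last is not None and int(a) == int(last) + 1
                and int(a) >> 8 == int(last) >> 8):
            runs[-1].append(a)
        else:
            runs.append([a])
    return [str(r[0]) if len(r) == 1
            else f"{r[0]}-{str(r[-1]).rsplit('.', 1)[1]}" for r in runs]

def find_scans(lines, min_targets=5):
    """Map (source, dest port) -> collapsed target list for every source that
    sent bare SYNs to at least min_targets distinct addresses on one port."""
    targets = defaultdict(set)
    for line in lines:
        m = TRACE.match(line.strip())
        if not m or m.group(4) != "S_":
            continue  # not a trace line, or not a bare SYN
        src, dst, dport, _ = m.groups()
        targets[(src, int(dport))].add(IPv4Address(dst))
    return {k: collapse(v) for k, v in targets.items() if len(v) >= min_targets}

# Six trace lines copied from the post, plus one constructed line from a
# documentation address (192.0.2.7) that must not be reported as a scan.
SAMPLE = """\
2002-02-27-05:00:08 tcp 63.199.26.228:1302 -> 130.216.2.138:123 S_
2002-02-27-05:00:08 tcp 63.199.26.228:1306 -> 130.216.2.139:123 S_
2002-02-27-05:00:08 tcp 63.199.26.228:1307 -> 130.216.2.140:123 S_
2002-02-27-05:00:10 tcp 63.199.26.228:1923 -> 130.216.4.0:123 S_
2002-02-27-05:00:10 tcp 63.199.26.228:1925 -> 130.216.4.1:123 S_
2002-02-27-05:00:10 tcp 63.199.26.228:1929 -> 130.216.4.5:123 S_
2002-02-27-05:00:11 tcp 192.0.2.7:40000 -> 130.216.2.10:80 S_
""".splitlines()

if __name__ == "__main__":
    for (src, port), ranges in find_scans(SAMPLE).items():
        print(f"{src} -> tcp/{port}: {', '.join(ranges)}")
```

Grouping on (source, destination port) and counting distinct destination addresses is what separates a horizontal sweep like this one from a single client retrying one server.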