Russell Fulton wrote:

> Just picked up a SYN scan for NTP. There were problems with xntp a
> while back, I wonder if there is now an exploit out there...
>
> Report from my scan detector:
>
> We saw adsl-63-199-26-228.dsl.snfc21.pacbell.net[63.199.26.228] talk to
> 48 ports/addresses(s)
> on Tue 26 Feb 2002 at 17:00 (UTC)

All of the NTP problems were UDP-based, to my knowledge. (See http://www.kb.cert.org/vuls/id/970472 and links therefrom.)

Could it be that this is a tool trying to get through poorly-defined firewall rules? I got a few probes the other day that were UDP, from port 80, to a random high port. I assume they were trying to probe firewalls that define the return path for http requests without specifying the protocol. Here's a sample:

Feb 19 17:55:03 host kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:c0:26:25:14:57:00:04:28:23:e0:70:08:00 SRC=64.152.70.68 DST=a.b.c.d LEN=38 TOS=0x00 PREC=0x00 TTL=40 ID=12866 PROTO=UDP SPT=80 DPT=37852 LEN=18
Feb 19 17:49:10 host kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:c0:26:25:14:57:00:04:28:23:e0:70:08:00 SRC=63.211.17.228 DST=a.b.c.d LEN=38 TOS=0x00 PREC=0x00 TTL=40 ID=26558 PROTO=UDP SPT=80 DPT=37852 LEN=18

Perhaps you're seeing something similar: people looking for poor filtering rules.

Paul
http://paulgear.webhop.net

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 09:28:53 PST
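
One way to pick the pattern described in the post out of netfilter drop logs, as an added example that is not part of the original message: it flags UDP packets whose source port belongs to a TCP-only service and whose destination is a high port, grouped by destination port. The function names, the TCP_SERVICE_PORTS set and the last two log lines are assumptions made for the example; the first two log lines are the samples from the post.

```python
import re
from collections import defaultdict

# Lines 1-2: samples quoted in the post. Lines 3-4: constructed for contrast
# (an ordinary TCP reply from port 80, and a UDP reply from a DNS server).
SAMPLE_LOG = """\
Feb 19 17:55:03 host kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:c0:26:25:14:57:00:04:28:23:e0:70:08:00 SRC=64.152.70.68 DST=a.b.c.d LEN=38 TOS=0x00 PREC=0x00 TTL=40 ID=12866 PROTO=UDP SPT=80 DPT=37852 LEN=18
Feb 19 17:49:10 host kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:c0:26:25:14:57:00:04:28:23:e0:70:08:00 SRC=63.211.17.228 DST=a.b.c.d LEN=38 TOS=0x00 PREC=0x00 TTL=40 ID=26558 PROTO=UDP SPT=80 DPT=37852 LEN=18
Feb 19 18:01:44 host kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=192.0.2.10 DST=a.b.c.d LEN=44 TTL=52 ID=4411 PROTO=TCP SPT=80 DPT=40112 WINDOW=5840 SYN ACK
Feb 19 18:02:09 host kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=192.0.2.53 DST=a.b.c.d LEN=80 TTL=60 ID=991 PROTO=UDP SPT=53 DPT=33001 LEN=60
"""

# Assumption: services that normally run over TCP only, so UDP traffic
# claiming one of these as its source port is not a legitimate reply.
TCP_SERVICE_PORTS = {20, 21, 22, 25, 80, 110, 443}

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")


def parse(line):
    """Return the KEY=value fields of one netfilter kernel log line."""
    fields = {}
    for key, value in FIELD.findall(line):
        # LEN appears twice (IP length, then UDP length); keep the first.
        fields.setdefault(key, value)
    return fields


def suspicious_udp(log_text, high_port_start=1024):
    """Map destination port -> [(source IP, source port)] for UDP packets
    sent from a TCP-service source port to a high destination port."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        f = parse(line)
        if f.get("PROTO") != "UDP" or "SPT" not in f or "DPT" not in f:
            continue
        spt, dpt = int(f["SPT"]), int(f["DPT"])
        if spt in TCP_SERVICE_PORTS and dpt >= high_port_start:
            hits[dpt].append((f["SRC"], spt))
    return dict(hits)


if __name__ == "__main__":
    for dpt, sources in suspicious_udp(SAMPLE_LOG).items():
        print(f"UDP to port {dpt} from TCP-service source ports: {sources}")
```

Grouping by destination port shows when several unrelated sources aim at the same port, as the two samples in the post do.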