In the last couple of days I've started seeing connection attempts for ports 1900 and 5000. I'm wondering if this is related to the UPNP vuln discovered last December by eEye Digital Security... (http://www.eeye.com/html/Research/Advisories/AD20011220.html).

I have just started seeing these in the last week. Is there a known exploit for this now? Or is there an innocent explanation? None of the connecting IP addresses are anywhere close to my own net address. One is a register.com nameserver. It appears to be an attempt to connect to specific machines rather than a network scan.

Mar 21 20:35:54 ws1 178: Mar 21 20:35:54: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(3074) -> x.x.x.33(1900), 1 packet
Mar 21 20:39:22 ws1 179: Mar 21 20:39:22: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(1384) -> x.x.x.33(1900), 1 packet
Mar 21 20:41:04 ws1 180: Mar 21 20:41:04: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(4495) -> x.x.x.33(5000), 1 packet
Mar 21 20:41:30 ws1 181: Mar 21 20:41:30: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(3074) -> x.x.x.33(1900), 1 packet
Mar 21 20:44:30 ws1 182: Mar 21 20:44:30: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(1384) -> x.x.x.33(1900), 1 packet
Mar 21 20:46:30 ws1 183: Mar 21 20:46:30: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(4495) -> x.x.x.33(5000), 1 packet
Mar 21 21:23:18 ws1 184: Mar 21 21:23:18: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(3450) -> x.x.x.33(1900), 1 packet
Mar 21 21:27:40 ws1 185: Mar 21 21:27:40: %SEC-6-IPACCESSLOGP: list 101 denied tcp 66.188.151.113(1025) -> x.x.x.33(1900), 1 packet
Mar 21 21:28:31 ws1 186: Mar 21 21:28:31: %SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(3450) -> x.x.x.33(1900), 1 packet
Mar 21 21:33:31 ws1 187: Mar 21 21:33:31: %SEC-6-IPACCESSLOGP: list 101 denied tcp 66.188.151.113(1025) -> x.x.x.33(1900), 2 packets
Mar 22 01:08:08 ws1 189: Mar 22 01:08:08: %SEC-6-IPACCESSLOGP: list 101 denied udp 216.21.234.88(53) -> x.x.x.76(1900), 1 packet
Mar 22 01:13:38 ws1 190: Mar 22 01:13:38: %SEC-6-IPACCESSLOGP: list 101 denied udp 216.21.234.88(53) -> x.x.x.76(1900), 2 packets

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
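One way to triage denied-packet lines like those in the post above, as an added example that is not part of the original message: it groups the entries by source and separates distinct flows from repeated log lines for the same flow. The function name `summarize`, the trimmed sample lines and the "possible DNS reply" heuristic for UDP traffic sourced from port 53 are assumptions of this example.

```python
import re
from collections import defaultdict

# Subset of the denied-packet lines quoted in the post (syslog prefix trimmed).
SAMPLE = """\
%SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(3074) -> x.x.x.33(1900), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(1384) -> x.x.x.33(1900), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(4495) -> x.x.x.33(5000), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 166.102.67.98(3074) -> x.x.x.33(1900), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 66.188.151.113(1025) -> x.x.x.33(1900), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied tcp 66.188.151.113(1025) -> x.x.x.33(1900), 2 packets
%SEC-6-IPACCESSLOGP: list 101 denied udp 216.21.234.88(53) -> x.x.x.76(1900), 1 packet
%SEC-6-IPACCESSLOGP: list 101 denied udp 216.21.234.88(53) -> x.x.x.76(1900), 2 packets
"""

LINE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied (?P<proto>\w+) "
    r"(?P<src>\S+?)\((?P<sport>\d+)\) -> (?P<dst>\S+?)\((?P<dport>\d+)\), "
    r"(?P<pkts>\d+) packets?"
)

def summarize(text):
    """Group denied packets by source: targets hit, distinct flows, packet total."""
    per_src = defaultdict(
        lambda: {"targets": set(), "flows": set(), "packets": 0, "notes": set()})
    for m in LINE.finditer(text):
        s = per_src[m["src"]]
        s["targets"].add((m["dst"], int(m["dport"])))
        # A flow is one 5-tuple; repeated log lines for it add packets, not flows.
        s["flows"].add((m["proto"], int(m["sport"]), m["dst"], int(m["dport"])))
        s["packets"] += int(m["pkts"])
        # Heuristic (assumption of this example): UDP sourced from port 53 may be
        # a DNS reply to a query that happened to leave from the destination port.
        if m["proto"] == "udp" and m["sport"] == "53":
            s["notes"].add("possible DNS reply")
    return dict(per_src)

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(src, sorted(s["targets"]), "flows:", len(s["flows"]),
              "packets:", s["packets"], *sorted(s["notes"]))
```

A source with few targets and several distinct source ports is making separate connection attempts at one host, while a single flow with a growing packet count is one conversation being logged repeatedly.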
This archive was generated by hypermail 2b30 : Fri Mar 22 2002 - 08:33:43 PST