Full Disclosure mailing list archives
Re: Probes on port 389
From: John Sage <jsage () finchhaven com>
Date: Tue, 24 Feb 2004 14:16:08 -0800
Paul: On Tue, Feb 24, 2004 at 11:06:50AM -0600, Schmehl, Paul L wrote:
> From: "Schmehl, Paul L" <pauls () utdallas edu>
> To: <intrusion () sans org>, <full-disclosure () lists netsys com>
> Subject: [Full-disclosure] Probes on port 389
> Date: Tue, 24 Feb 2004 11:06:50 -0600
>
> I threw up a quick rule on snort to monitor probes on port 389 because I have been seeing entries in /var/log/messages on some boxes that I am responsible for. This morning we had a probe that hit 26205 different IPs on that port in about 7 minutes (SYN scan only - no payload.) The source IP was a mailserver in England. (They've been notified.)
Two only for the last +48 hours:

ngrep_port: dst port 389, host 24.19.147.xxx in snort211.log-Feb.24.06:57
Generated 14:09:28 (TZ -08:00) 02/24/2004
input: snort211.log-Feb.24.06:57
filter: ip and ( host 24.19.147.xxx and dst port 389 )
#
T 2004/02/22 18:48:33.763939 217.218.252.195:3062 -> 24.19.147.xxx:389 [S]
exit

[jsage@sparky /home] $ host 217.218.252.195
Host 195.252.218.217.in-addr.arpa not found: 3(NXDOMAIN)

ngrep_port: dst port 389, host 24.19.147.xxx in snort.log.1077636344
Generated 14:05:54 (TZ -08:00) 02/24/2004
input: snort.log.1077636344
filter: ip and ( host 24.19.147.xxx and dst port 389 )
#
T 2004/02/24 08:34:33.786569 66.60.194.153:3351 -> 24.19.147.xxx:389 [S]
exit

[jsage@sparky /home] $ host 66.60.194.153
153.194.60.66.in-addr.arpa domain name pointer 66-60-194-153.newulmtel.net.

- John

--
"Mad cow? You'd be mad too, if someone was trying to eat you."
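As an added example (not code from either post), the script below reads ngrep-style summary lines like the ones John shows and flags any source whose SYN-only probes to port 389 reach several distinct destinations inside a short window, which is the pattern Paul's Snort rule caught; the sample lines, the RFC 5737 addresses and the threshold of 3 targets are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# ngrep summary header, e.g.:
#   T 2004/02/22 18:48:33.763939 217.218.252.195:3062 -> 24.19.147.xxx:389 [S]
LINE_RE = re.compile(
    r"T (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+ "
    r"(\S+):(\d+) -> (\S+):(\d+) \[(\w*)\]"
)

def parse_line(line):
    """Return (timestamp, src, dst, dport, flags), or None for non-header lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
    return ts, m.group(2), m.group(4), int(m.group(5)), m.group(6)

def find_scanners(lines, port=389, window=timedelta(minutes=7), min_targets=3):
    """Map each source to the largest number of distinct destinations it hit
    with bare SYNs on `port` within any `window`-long span, keeping only
    sources at or above `min_targets` (a sweep, not a single stray probe)."""
    probes = defaultdict(list)            # src -> [(ts, dst)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, dport, flags = rec
        if dport != port or flags != "S":  # SYN only: established traffic is ignored
            continue
        probes[src].append((ts, dst))
    hits = {}
    for src, events in probes.items():
        events.sort()
        lo, best = 0, 0
        for hi in range(len(events)):      # sliding window over sorted probes
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            best = max(best, len({d for _, d in events[lo:hi + 1]}))
        if best >= min_targets:
            hits[src] = best
    return hits

# Constructed sample: one sweeping source, one single probe, one real LDAP session.
SAMPLE = """T 2004/02/24 06:57:01.000000 192.0.2.10:3062 -> 198.51.100.1:389 [S]
T 2004/02/24 06:57:02.000000 192.0.2.10:3063 -> 198.51.100.2:389 [S]
T 2004/02/24 06:57:03.000000 192.0.2.10:3064 -> 198.51.100.3:389 [S]
T 2004/02/24 06:57:04.000000 192.0.2.10:3065 -> 198.51.100.4:389 [S]
T 2004/02/24 08:34:33.786569 192.0.2.20:3351 -> 198.51.100.7:389 [S]
T 2004/02/24 08:35:00.000000 192.0.2.30:4001 -> 198.51.100.7:389 [AP]
exit"""

if __name__ == "__main__":
    print(find_scanners(SAMPLE.splitlines()))
```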