Security Incidents mailing list archives

FW: Increased traffic to tcp port 524


From: Suzanne.Hernandez () GUNTER AF MIL
Date: Wed, 25 Oct 2000 15:30:41 -0500

Check it out...this is just half of yesterday and most of today...These are
to non-existent subnets on our network.

10/24-14:43:26 TCP  : 155.58.107.40:1124  -> A.B.205.219:524  FLAGS : **S*****
10/24-14:43:29 TCP  : 155.58.107.40:1124  -> A.B.205.219:524  FLAGS : **S*****
10/24-14:44:42 TCP  : 134.7.147.30:3972  -> A.B.178.17:524  FLAGS : **S*****
10/24-14:44:45 TCP  : 134.7.147.30:3972  -> A.B.178.17:524  FLAGS : **S*****
10/24-14:44:51 TCP  : 134.7.147.30:3972  -> A.B.178.17:524  FLAGS : **S*****
10/24-16:09:46 TCP  : 64.31.230.169:1266 64-31-230-169.pdq.net -> A.B.22.144:524 FLAGS : **S*****
10/24-16:09:49 TCP  : 64.31.230.169:1266 64-31-230-169.pdq.net -> A.B.22.144:524 FLAGS : **S*****
10/24-16:09:55 TCP  : 64.31.230.169:1266 64-31-230-169.pdq.net -> A.B.22.144:524 FLAGS : **S*****
10/24-16:15:58 TCP  : 209.52.140.12:3272 ws12.acl.com -> A.B.147.166:524 FLAGS : **S*****
10/24-16:16:01 TCP  : 209.52.140.12:3272 ws12.acl.com -> A.B.147.166:524 FLAGS : **S*****
10/24-16:16:07 TCP  : 209.52.140.12:3272 ws12.acl.com -> A.B.147.166:524 FLAGS : **S*****
10/24-17:37:15 TCP  : 208.19.227.190:4340 sys61.aaimstl.org -> A.B.52.31:524 FLAGS : **S*****
10/24-17:37:18 TCP  : 208.19.227.190:4340 sys61.aaimstl.org -> A.B.52.31:524 FLAGS : **S*****
10/24-18:53:06 TCP  : 131.178.162.50:1118 pto-162-50.mty.itesm.mx -> A.B.110.28:524  FLAGS : **S*****
10/24-19:20:23 TCP  : 216.138.20.44:4590 pc44.adams.net -> A.B.114.226:524 FLAGS : **S*****
10/24-19:20:26 TCP  : 216.138.20.44:4590 pc44.adams.net -> A.B.114.226:524 FLAGS : **S*****
10/24-19:20:32 TCP  : 216.138.20.44:4590 pc44.adams.net -> A.B.114.226:524 FLAGS : **S*****
10/24-22:35:15 TCP  : 165.124.47.50:4130 labpc50.arthritis.nwu.edu -> A.B.28.166:524  FLAGS : **S*****
10/24-22:35:18 TCP  : 165.124.47.50:4130 labpc50.arthritis.nwu.edu -> A.B.28.166:524  FLAGS : **S*****
10/24-22:35:24 TCP  : 165.124.47.50:4130 labpc50.arthritis.nwu.edu -> A.B.28.166:524  FLAGS : **S*****
10/25-00:27:27 TCP  : 209.41.197.115:1659  -> A.B.116.250:524  FLAGS : **S*****
10/25-00:27:36 TCP  : 209.41.197.115:1659  -> A.B.116.250:524  FLAGS : **S*****
10/25-01:37:01 TCP  : 204.144.208.211:3619 host211.ranelson.com -> A.B.73.151:524  FLAGS : **S*****
10/25-01:37:04 TCP  : 204.144.208.211:3619 host211.ranelson.com -> A.B.73.151:524  FLAGS : **S*****
10/25-01:45:09 TCP  : 38.197.102.240:3989  -> A.B.234.119:524  FLAGS : **S*****
10/25-01:45:12 TCP  : 38.197.102.240:3989  -> A.B.234.119:524  FLAGS : **S*****
10/25-01:45:18 TCP  : 38.197.102.240:3989  -> A.B.234.119:524  FLAGS : **S*****
10/25-05:27:27 TCP  : 193.78.29.122:2898  -> A.B.223.226:524  FLAGS : **S*****
10/25-05:27:30 TCP  : 193.78.29.122:2898  -> A.B.223.226:524  FLAGS : **S*****
10/25-05:27:36 TCP  : 193.78.29.122:2898  -> A.B.223.226:524  FLAGS : **S*****
10/25-05:54:52 TCP  : 204.210.103.153:2063 a204b210n103client153.hawaii.rr.com -> A.B.43.14:524  FLAGS : **S*****
10/25-05:54:54 TCP  : 204.210.103.153:2063 a204b210n103client153.hawaii.rr.com -> A.B.43.14:524  FLAGS : **S*****
10/25-05:55:00 TCP  : 204.210.103.153:2063 a204b210n103client153.hawaii.rr.com -> A.B.43.14:524  FLAGS : **S*****
10/25-07:29:35 TCP  : 198.17.176.171:1060  -> A.B.173.43:524  FLAGS : **S*****
10/25-07:29:44 TCP  : 198.17.176.171:1060  -> A.B.173.43:524  FLAGS : **S*****
10/25-11:18:13 TCP  : 35.10.201.42:52473 ariasdav-2.user.msu.edu -> A.B.54.101:47137  FLAGS : ****R***
10/25-12:21:11 TCP  : 207.125.0.91:3305  -> A.B.8.146:524  FLAGS : **S*****
10/25-12:21:13 TCP  : 207.125.0.91:3305  -> A.B.8.146:524  FLAGS : **S*****
10/25-12:24:29 TCP  : 207.125.0.91:3337  -> A.B.8.146:524  FLAGS : **S*****
10/25-12:24:35 TCP  : 207.125.0.91:3337  -> A.B.8.146:524  FLAGS : **S*****
10/25-14:53:23 TCP  : 207.28.121.222:2385  -> A.B.110.181:524  FLAGS : **S*****
10/25-14:53:25 TCP  : 207.28.121.222:2385  -> A.B.110.181:524  FLAGS : **S*****
10/25-15:01:06 TCP  : 209.246.57.9:3536 ded-office-eth-9.jaske.com -> A.B.48.174:524  FLAGS : **S*****
10/25-15:01:09 TCP  : 209.246.57.9:3536 ded-office-eth-9.jaske.com -> A.B.48.174:524  FLAGS : **S*****
10/25-15:01:15 TCP  : 209.246.57.9:3536 ded-office-eth-9.jaske.com -> A.B.48.174:524  FLAGS : **S*****





-----Original Message-----
From: Andrew Frith [SMTP:AndrewF () gateway bm]
Sent: Wednesday, October 25, 2000 3:10 PM
To:   Suzanne.Hernandez () GUNTER AF MIL; INCIDENTS () SECURITYFOCUS COM
Subject:      Re: Increased traffic to tcp port 524

Port 524 is registered as NCP.

It is used by Netware 5.x server & clients (anything else?).  These
shouldn't be straying outside of the local networks though.

Now that I've looked we've had a couple of connections to 524 the past few
days.  Nothing of note though (and no captures).

<Suzanne.Hernandez () GUNTER AF MIL> 10/24/00 04:28PM >>>
What's with the increased attempts on tcp port 524?

These are coming from networks all over the place....
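
An added example, not part of the original thread: a Python parser for the log format shown in the post that keeps SYN-only entries to port 524 and reports the distinct sources and the seconds between repeated SYNs in each flow. The sample lines are copied from the post with their mail wrapping; the names `SAMPLE`, `ENTRY` and `summarize` are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Lines copied from the post above, wrapping left as the mail client made it.
SAMPLE = """\
10/24-14:44:42 TCP  : 134.7.147.30:3972  -> A.B.178.17:524  FLAGS : **S*****
10/24-14:44:45 TCP  : 134.7.147.30:3972  -> A.B.178.17:524  FLAGS : **S*****
10/24-14:44:51 TCP  : 134.7.147.30:3972  -> A.B.178.17:524  FLAGS : **S*****
10/24-16:09:46 TCP  : 64.31.230.169:1266 64-31-230-169.pdq.net ->
A.B.22.144:524 FLAGS : **S*****
10/24-16:09:49 TCP  : 64.31.230.169:1266 64-31-230-169.pdq.net ->
A.B.22.144:524 FLAGS : **S*****
10/25-11:18:13 TCP  : 35.10.201.42:52473 ariasdav-2.user.msu.edu ->
A.B.54.101:47137  FLAGS : ****R***
10/25-12:21:11 TCP  : 207.125.0.91:3305  -> A.B.8.146:524  FLAGS : **S*****
10/25-12:21:13 TCP  : 207.125.0.91:3305  -> A.B.8.146:524  FLAGS : **S*****
10/25-12:24:29 TCP  : 207.125.0.91:3337  -> A.B.8.146:524  FLAGS : **S*****
"""

# \s also matches newlines, so an entry split across two lines still parses.
ENTRY = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\s+TCP\s*:\s*"
    r"(?P<src>\d+(?:\.\d+){3}):(?P<sport>\d+)\s+(?:\S+\s+)?->\s*"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+FLAGS\s*:\s*(?P<flags>\S+)"
)

def summarize(text, port=524):
    """Group SYN-only entries to `port` into flows and time their retries."""
    flows = defaultdict(list)
    for m in ENTRY.finditer(text):
        if int(m["dport"]) != port or m["flags"] != "**S*****":
            continue  # e.g. the lone RST to port 47137
        key = (m["src"], int(m["sport"]), m["dst"])
        flows[key].append(datetime.strptime(m["ts"], "%m/%d-%H:%M:%S"))
    report = {}
    for key, stamps in flows.items():
        stamps.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        report[key] = gaps
    sources = {src for src, _, _ in report}
    return sources, report

if __name__ == "__main__":
    sources, report = summarize(SAMPLE)
    print(f"{len(sources)} distinct sources, {len(report)} flows to port 524")
    for (src, sport, dst), gaps in report.items():
        print(f"{src}:{sport} -> {dst}  SYNs={len(gaps) + 1}  gaps={gaps}")
```

Gaps of 3 and then 6 seconds from a fixed source port match a 3-second initial SYN retransmission timer with doubling backoff, which is what a host's own TCP stack produces when a connection attempt goes unanswered.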

