Security Incidents mailing list archives
FW: Increased traffic to tcp port 524
From: Suzanne.Hernandez () GUNTER AF MIL
Date: Wed, 25 Oct 2000 15:30:41 -0500
Check it out...this is just half of yesterday and most of today...These are to non-existent subnets on our network.

10/24-14:43:26 TCP : 155.58.107.40:1124 -> A.B.205.219:524 FLAGS : **S*****
10/24-14:43:29 TCP : 155.58.107.40:1124 -> A.B.205.219:524 FLAGS : **S*****
10/24-14:44:42 TCP : 134.7.147.30:3972 -> A.B.178.17:524 FLAGS : **S*****
10/24-14:44:45 TCP : 134.7.147.30:3972 -> A.B.178.17:524 FLAGS : **S*****
10/24-14:44:51 TCP : 134.7.147.30:3972 -> A.B.178.17:524 FLAGS : **S*****
10/24-16:09:46 TCP : 64.31.230.169:1266 64-31-230-169.pdq.net -> A.B.22.144:524 FLAGS : **S*****
10/24-16:09:49 TCP : 64.31.230.169:1266 64-31-230-169.pdq.net -> A.B.22.144:524 FLAGS : **S*****
10/24-16:09:55 TCP : 64.31.230.169:1266 64-31-230-169.pdq.net -> A.B.22.144:524 FLAGS : **S*****
10/24-16:15:58 TCP : 209.52.140.12:3272 ws12.acl.com -> A.B.147.166:524 FLAGS : **S*****
10/24-16:16:01 TCP : 209.52.140.12:3272 ws12.acl.com -> A.B.147.166:524 FLAGS : **S*****
10/24-16:16:07 TCP : 209.52.140.12:3272 ws12.acl.com -> A.B.147.166:524 FLAGS : **S*****
10/24-17:37:15 TCP : 208.19.227.190:4340 sys61.aaimstl.org -> A.B.52.31:524 FLAGS : **S*****
10/24-17:37:18 TCP : 208.19.227.190:4340 sys61.aaimstl.org -> A.B.52.31:524 FLAGS : **S*****
10/24-18:53:06 TCP : 131.178.162.50:1118 pto-162-50.mty.itesm.mx -> A.B.110.28:524 FLAGS : **S*****
10/24-19:20:23 TCP : 216.138.20.44:4590 pc44.adams.net -> A.B.114.226:524 FLAGS : **S*****
10/24-19:20:26 TCP : 216.138.20.44:4590 pc44.adams.net -> A.B.114.226:524 FLAGS : **S*****
10/24-19:20:32 TCP : 216.138.20.44:4590 pc44.adams.net -> A.B.114.226:524 FLAGS : **S*****
10/24-22:35:15 TCP : 165.124.47.50:4130 labpc50.arthritis.nwu.edu -> A.B.28.166:524 FLAGS : **S*****
10/24-22:35:18 TCP : 165.124.47.50:4130 labpc50.arthritis.nwu.edu -> A.B.28.166:524 FLAGS : **S*****
10/24-22:35:24 TCP : 165.124.47.50:4130 labpc50.arthritis.nwu.edu -> A.B.28.166:524 FLAGS : **S*****
10/25-00:27:27 TCP : 209.41.197.115:1659 -> A.B.116.250:524 FLAGS : **S*****
10/25-00:27:36 TCP : 209.41.197.115:1659 -> A.B.116.250:524 FLAGS : **S*****
10/25-01:37:01 TCP : 204.144.208.211:3619 host211.ranelson.com -> A.B.73.151:524 FLAGS : **S*****
10/25-01:37:04 TCP : 204.144.208.211:3619 host211.ranelson.com -> A.B.73.151:524 FLAGS : **S*****
10/25-01:45:09 TCP : 38.197.102.240:3989 -> A.B.234.119:524 FLAGS : **S*****
10/25-01:45:12 TCP : 38.197.102.240:3989 -> A.B.234.119:524 FLAGS : **S*****
10/25-01:45:18 TCP : 38.197.102.240:3989 -> A.B.234.119:524 FLAGS : **S*****
10/25-05:27:27 TCP : 193.78.29.122:2898 -> A.B.223.226:524 FLAGS : **S*****
10/25-05:27:30 TCP : 193.78.29.122:2898 -> A.B.223.226:524 FLAGS : **S*****
10/25-05:27:36 TCP : 193.78.29.122:2898 -> A.B.223.226:524 FLAGS : **S*****
10/25-05:54:52 TCP : 204.210.103.153:2063 a204b210n103client153.hawaii.rr.com -> A.B.43.14:524 FLAGS : **S*****
10/25-05:54:54 TCP : 204.210.103.153:2063 a204b210n103client153.hawaii.rr.com -> A.B.43.14:524 FLAGS : **S*****
10/25-05:55:00 TCP : 204.210.103.153:2063 a204b210n103client153.hawaii.rr.com -> A.B.43.14:524 FLAGS : **S*****
10/25-07:29:35 TCP : 198.17.176.171:1060 -> A.B.173.43:524 FLAGS : **S*****
10/25-07:29:44 TCP : 198.17.176.171:1060 -> A.B.173.43:524 FLAGS : **S*****
10/25-11:18:13 TCP : 35.10.201.42:52473 ariasdav-2.user.msu.edu -> A.B.54.101:47137 FLAGS : ****R***
10/25-12:21:11 TCP : 207.125.0.91:3305 -> A.B.8.146:524 FLAGS : **S*****
10/25-12:21:13 TCP : 207.125.0.91:3305 -> A.B.8.146:524 FLAGS : **S*****
10/25-12:24:29 TCP : 207.125.0.91:3337 -> A.B.8.146:524 FLAGS : **S*****
10/25-12:24:35 TCP : 207.125.0.91:3337 -> A.B.8.146:524 FLAGS : **S*****
10/25-14:53:23 TCP : 207.28.121.222:2385 -> A.B.110.181:524 FLAGS : **S*****
10/25-14:53:25 TCP : 207.28.121.222:2385 -> A.B.110.181:524 FLAGS : **S*****
10/25-15:01:06 TCP : 209.246.57.9:3536 ded-office-eth-9.jaske.com -> A.B.48.174:524 FLAGS : **S*****
10/25-15:01:09 TCP : 209.246.57.9:3536 ded-office-eth-9.jaske.com -> A.B.48.174:524 FLAGS : **S*****
10/25-15:01:15 TCP : 209.246.57.9:3536 ded-office-eth-9.jaske.com -> A.B.48.174:524 FLAGS : **S*****
-----Original Message-----
From: Andrew Frith [SMTP:AndrewF () gateway bm]
Sent: Wednesday, October 25, 2000 3:10 PM
To: Suzanne.Hernandez () GUNTER AF MIL; INCIDENTS () SECURITYFOCUS COM
Subject: Re: Increased traffic to tcp port 524

Port 524 is registered as NCP. It is used by Netware 5.x server & clients (anything else?). These shouldn't be straying outside of the local networks though. Now that I've looked we've had a couple of connections to 524 the past few days. Nothing of note though (and no captures).

<Suzanne.Hernandez () GUNTER AF MIL> 10/24/00 04:28PM >>>
What's with the increased attempts on tcp port 524? These are coming from networks all over the place....
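When triaging a dump in this log format, it helps to collapse repeated SYNs that share a source port and destination into single connection attempts before counting sources. The following is an added example, not part of the original thread; the sample lines are constructed in the same format, and the year is an assumption because the log timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the log format shown in the post (not real data).
SAMPLE = """\
10/24-14:43:26 TCP : 192.0.2.10:1124 -> A.B.205.219:524 FLAGS : **S*****
10/24-14:43:29 TCP : 192.0.2.10:1124 -> A.B.205.219:524 FLAGS : **S*****
10/24-14:43:35 TCP : 192.0.2.10:1124 -> A.B.205.219:524 FLAGS : **S*****
10/24-16:09:46 TCP : 198.51.100.7:1266 host7.example.net -> A.B.22.144:524 FLAGS : **S*****
10/24-16:09:49 TCP : 198.51.100.7:1266 host7.example.net -> A.B.22.144:524 FLAGS : **S*****
10/25-11:18:13 TCP : 203.0.113.5:52473 -> A.B.54.101:47137 FLAGS : ****R***
"""

# timestamp, source ip:port, optional reverse-DNS name, destination:port, flags
LINE = re.compile(
    r"(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d) TCP : (?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?: (?P<rdns>\S+))? -> (?P<dst>[^\s:]+):(?P<dport>\d+) FLAGS : (?P<flags>\S+)"
)

def summarize(text, port=524, year=2000):
    """Group SYN-only packets to `port` into connection attempts.

    Packets sharing (source, source port, destination) are treated as one
    attempt plus its retransmissions; `gaps` holds the seconds between them.
    `year` is an assumption supplied by the caller.
    """
    attempts = defaultdict(list)  # (src, sport, dst) -> list of timestamps
    for m in map(LINE.match, text.splitlines()):
        if not m or int(m["dport"]) != port or m["flags"].strip("*") != "S":
            continue  # unparsable line, other port, or not a bare SYN
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S")
        attempts[(m["src"], int(m["sport"]), m["dst"])].append(ts)
    report = []
    for (src, sport, dst), stamps in sorted(attempts.items()):
        gaps = [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]
        report.append({"src": src, "dst": dst, "packets": len(stamps), "gaps": gaps})
    return report

def attempts_per_source(report):
    """Count distinct connection attempts per source address."""
    counts = defaultdict(int)
    for row in report:
        counts[row["src"]] += 1
    return dict(counts)

if __name__ == "__main__":
    for row in summarize(SAMPLE):
        print(row)
```

Many sources that each make one attempt to one address look different from a single host sweeping a range, which is why the per-source attempt count is reported separately from the raw packet count.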