Security Incidents mailing list archives

Re: Increased traffic to tcp port 524


From: David Knapp <dknapp () CALPOLY EDU>
Date: Thu, 26 Oct 2000 13:48:44 -0700

Could be this worm.
http://www.sans.org/y2k/102000.htm



David Knapp
Network Analyst
Cal Poly State University
805-756-7161

-----Original Message-----
From: Suzanne.Hernandez [mailto:Suzanne.Hernandez () GUNTER AF MIL]
Sent: Wednesday, October 25, 2000 1:31 PM
To: INCIDENTS
Subject: FW: Increased traffic to tcp port 524


Check it out...this is just half of yesterday and most of today...These are to non-existent subnets on our network.

10/24-14:43:26 TCP  : 155.58.107.40:1124  -> A.B.205.219:524  FLAGS : **S*****
10/24-14:43:29 TCP  : 155.58.107.40:1124  -> A.B.205.219:524  FLAGS : **S*****
10/24-14:44:42 TCP  : 134.7.147.30:3972  -> A.B.178.17:524 FLAGS : **S*****
10/24-14:44:45 TCP  : 134.7.147.30:3972  -> A.B.178.17:524 FLAGS : **S*****
10/24-14:44:51 TCP  : 134.7.147.30:3972  -> A.B.178.17:524 FLAGS : **S*****
10/24-16:09:46 TCP  : 64.31.230.169:1266 64-31-230-169.pdq.net -> A.B.22.144:524 FLAGS : **S*****
10/24-16:09:49 TCP  : 64.31.230.169:1266 64-31-230-169.pdq.net -> A.B.22.144:524 FLAGS : **S*****
10/24-16:09:55 TCP  : 64.31.230.169:1266 64-31-230-169.pdq.net ->



