Security Incidents mailing list archives
Re: Scans(?) 500->500 from China
From: TJ Jablonowski <t.jablonowski () MAIL-2-GO COM>
Date: Mon, 9 Oct 2000 19:52:41 -0400
More on the port 500 scans with this thread and others. Got the latest PGP Desktop Client v7.0. It has a feature built into PGPnet to automatically attempt a secure connection. The three options are "attempt, allow, require" secure communications. From the log (sample below) it appears to use IKE to initiate the secure connection. It attempted to create an association with every IP I contacted regardless of the type of service (http, imap). It is turned on by default installation but can be turned off unless it's locked by a corporate administrator's kit (laptops). Could be an explanation for the sudden increase in port 500 detections.

PGPnet Log Monday, October 09, 2000 7:28:52 PM
Time Event Address Message
10/9/2000 6:54:15 PM IKE xxx.131.1.27 No Proposals
10/9/2000 6:54:15 PM Service xxx.131.1.27 Unable to establish Security Association
10/9/2000 6:56:17 PM IKE xxx.46.230.125 No Proposals
10/9/2000 6:56:17 PM Service xxx.46.230.125 Unable to establish Security Association
10/9/2000 6:56:17 PM IKE xxx.46.176.150 No Proposals
10/9/2000 6:56:17 PM Service xxx.46.176.150 Unable to establish Security Association
10/9/2000 6:56:17 PM IKE xxx.46.185.140 No Proposals
10/9/2000 6:56:17 PM Service xxx.46.185.140 Unable to establish Security Association
10/9/2000 6:56:18 PM IKE xxx.46.188.86 No Proposals
10/9/2000 6:56:18 PM Service xxx.46.188.86 Unable to establish Security Association
10/9/2000 6:56:18 PM IKE xxx.46.199.253 No Proposals
10/9/2000 6:56:18 PM Service xxx.46.199.253 Unable to establish Security Association
10/9/2000 6:56:19 PM IKE xxx.46.179.138 No Proposals
10/9/2000 6:56:19 PM Service xxx.46.179.138 Unable to establish Security Association
10/9/2000 6:56:20 PM IKE xxx.46.133.14 No Proposals
10/9/2000 6:56:20 PM Service xxx.46.133.14 Unable to establish Security Association
10/9/2000 6:56:20 PM IKE xxx.46.131.71 No Proposals
10/9/2000 6:56:20 PM Service xxx.46.131.71 Unable to establish Security Association

----- Original Message -----
From: "azimuth" <lozah () IO COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Saturday, September 02, 2000 2:20 AM
Subject: Re: Scans(?) 500->500 from China
Howdy Ralf,

ISAKMP is a standard that outlines how two peers can establish and conduct secure communications over an insecure transport. http://www.ietf.org/rfc/rfc2408.txt It's used in IPSec & VPNs, and probably elsewhere.

I have no idea why someone would be banging away at a single IP (I assume the log entries reflect traffic directed to one host), unless they were trying to connect to their VPN and got confused about their server IP. There's a recent vulnerability for Rapidstream VPN boxes: http://www.securityfocus.com/vdb/bottom.html?vid=1574
---cut for brevity----------
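A small detector for the pattern TJ describes, added here as an example and not part of the original message or of PGP Desktop: it parses lines in the PGPnet log format quoted above and flags the case where IKE negotiations fail against many distinct peers within a short window, which is what the client's default "attempt" mode looks like from the outside. The sample lines are constructed in the post's format, with the poster's "xxx." address masking kept.

```python
import re
from datetime import datetime

# Constructed sample in the PGPnet log layout quoted in the post
# (the "xxx." octet is the poster's own masking, kept as-is).
SAMPLE_LOG = """\
10/9/2000 6:54:15 PM IKE xxx.131.1.27 No Proposals
10/9/2000 6:54:15 PM Service xxx.131.1.27 Unable to establish Security Association
10/9/2000 6:56:17 PM IKE xxx.46.230.125 No Proposals
10/9/2000 6:56:17 PM Service xxx.46.230.125 Unable to establish Security Association
10/9/2000 6:56:17 PM IKE xxx.46.176.150 No Proposals
10/9/2000 6:56:17 PM Service xxx.46.176.150 Unable to establish Security Association
10/9/2000 6:56:18 PM IKE xxx.46.188.86 No Proposals
10/9/2000 6:56:18 PM Service xxx.46.188.86 Unable to establish Security Association
"""

# One PGPnet log line: "<m/d/yyyy h:mm:ss AM|PM> <IKE|Service> <address> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<event>IKE|Service) (?P<addr>\S+) (?P<msg>.+)$"
)

def parse_pgpnet_log(text):
    """Yield (timestamp, event, address, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate headers such as "Time Event Address Message"
        ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
        yield ts, m["event"], m["addr"], m["msg"]

def find_opportunistic_ike(text, window_seconds=300, min_peers=3):
    """Return the set of peer addresses from the first window in which at least
    `min_peers` distinct peers failed to establish a Security Association,
    or an empty set if no such window exists. Thresholds are assumed values."""
    failures = sorted(
        (ts, addr) for ts, event, addr, msg in parse_pgpnet_log(text)
        if event == "Service" and msg.startswith("Unable to establish Security Association")
    )
    for i, (start, _) in enumerate(failures):
        peers = {addr for ts, addr in failures[i:]
                 if (ts - start).total_seconds() <= window_seconds}
        if len(peers) >= min_peers:
            return peers
    return set()
```

Run over a real PGPnet log, a hit with many unrelated peers points at the client's own "attempt" setting rather than at an external scanner.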