Security Incidents mailing list archives

Re: massive lpr exploit attempt


From: Galitz <galitz () uclink berkeley edu>
Date: Tue, 26 Jun 2001 18:24:47 -0700


From: r.fulton () auckland ac nz [mailto:r.fulton () auckland ac nz]
Sent: Sunday, June 24, 2001 6:42 PM
To: incidents () securityfocus com
Subject: massive lpr exploit attempt


Yesterday (Sunday 24th) we were attacked from several different IPs
using an iterated x86 lpr exploit against any machine that responds on
port 515.  Even though we block 515 for the vast bulk of our addresses
I logged over 80,000 probes to the 20 or so addresses that responded!

These attacks are the same as I saw a few months ago (hmm...  I'm sure
I posted something about them then but I can't find anything in the
archives). One feature of these attacks is that while the attacker is
trying exploits on port 515 they are also making connection attempts on
port 3897 (presumably looking for a root shell that signals that one of
the exploits succeeded).  Thus if you run argus then you can pick up
any successful exploits by dumping all established tcp sessions to port
3897.


Out of the blue, we just registered a dramatic upsurge 
in lpr scans over the past two days.  Please don't tell
me there is another lpd exploit making the rounds.

-geoff

-- 
-----------------------------------------------------------------------
Geoff Galitz                     |  "Beer is proof that God loves us."
Research Computing, UC Berkeley  |     Theodore Roosevelt
galitz () uclink berkeley edu       |
-----------------------------------------------------------------------
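An added example, not code from either poster: a small Python script that does what the quoted message suggests, listing established TCP sessions to port 3897 and then tightening that to sources which also probed port 515, so a legitimate service on 3897 is not mistaken for a shell. The flow-record format is a constructed simplification (assumption), not argus's native output.

```python
"""Pick out hosts where an lpd exploit likely succeeded: an attacker that
probed port 515 and later holds an ESTablished session to port 3897.
Flow lines are a constructed format: ts proto src:sport dst:dport state
"""
SCAN_PORT = 515     # lpd, the port being probed
SHELL_PORT = 3897   # port the attacker polls for a shell, per the post

# Constructed sample flows (documentation IP ranges, not real traffic).
SAMPLE_FLOWS = """\
988000001 tcp 198.51.100.7:4012 192.0.2.10:515 EST
988000002 tcp 198.51.100.7:4013 192.0.2.10:3897 RST
988000003 tcp 198.51.100.7:4014 192.0.2.11:515 EST
988000004 tcp 198.51.100.7:4015 192.0.2.11:3897 RST
988000005 tcp 198.51.100.7:4016 192.0.2.12:515 EST
988000006 tcp 198.51.100.7:4017 192.0.2.12:3897 EST
988000007 tcp 203.0.113.5:3300 192.0.2.20:3897 EST
988000008 tcp 198.51.100.7:4018 192.0.2.13:515 RST
"""


def parse_flow(line):
    """Split one constructed flow line into a dict of typed fields."""
    ts, proto, src, dst, state = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": int(ts), "proto": proto, "src": sip, "sport": int(sport),
            "dst": dip, "dport": int(dport), "state": state}


def _flows(flow_text):
    return [parse_flow(l) for l in flow_text.splitlines() if l.strip()]


def probe_counts(flow_text):
    """Number of TCP connection attempts to port 515 per source address."""
    counts = {}
    for f in _flows(flow_text):
        if f["proto"] == "tcp" and f["dport"] == SCAN_PORT:
            counts[f["src"]] = counts.get(f["src"], 0) + 1
    return counts


def established_shell_sessions(flow_text):
    """All established TCP sessions to port 3897, as (src, dst) pairs.
    This is the raw 'dump established sessions to 3897' check; it will
    also list any legitimate service that happens to live on that port."""
    return [(f["src"], f["dst"]) for f in _flows(flow_text)
            if f["proto"] == "tcp" and f["dport"] == SHELL_PORT
            and f["state"] == "EST"]


def find_compromised(flow_text):
    """{victim: attacker} for established 3897 sessions whose source also
    probed port 515; the correlation drops the unrelated 3897 service."""
    scanners = set(probe_counts(flow_text))
    return {dst: src for src, dst in established_shell_sessions(flow_text)
            if src in scanners}
```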


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

