Security Incidents mailing list archives
Re: massive lpr exploit attempt
From: Galitz <galitz () uclink berkeley edu>
Date: Tue, 26 Jun 2001 18:24:47 -0700
From: r.fulton () auckland ac nz [mailto:r.fulton () auckland ac nz]
Sent: Sunday, June 24, 2001 6:42 PM
To: incidents () securityfocus com
Subject: massive lpr exploit attempt

Yesterday (Sunday 24th) we were attacked from several different IPs using an iterated X86 lpr exploit against any machine that responds on port 515. Even though we block 515 for the vast bulk of our addresses I logged over 80,000 probes to the 20 or so addresses that responded!

These attacks are the same as I saw a few months ago (hmm... I'm sure I posted something about them then but I can't find anything in the archives).

One feature of these attacks is that while the attacker is trying exploits on port 515 they are also making connection attempts on port 3897 (presumably looking for a root shell that signals that one of the exploits succeeded). Thus if you run argus then you can pick up any successful exploits by dumping all established tcp sessions to port 3897.
Out of the blue, we just registered a dramatic upsurge in lpr scans over the past two days. Please don't tell me there is another lpd exploit making the rounds.

-geoff

--
-----------------------------------------------------------------------
Geoff Galitz                    | "Beer is proof that God loves us."
Research Computing, UC Berkeley |    Theodore Roosevelt
galitz () uclink berkeley edu   |
-----------------------------------------------------------------------

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
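The flow-log check described in the quoted message (established TCP sessions to port 3897 on hosts that were also hit on port 515), as an added example that is not part of the original thread. The CSV record layout, the state labels, the 600-second correlation window and all addresses are constructed assumptions, not argus output.

```python
import csv
import io
from collections import defaultdict

LPD_PORT = 515         # printer service targeted in the reported attack
CALLBACK_PORT = 3897   # port the attacker connected to while exploiting
WINDOW = 600           # seconds; assumed correlation window

# Constructed sample flow records (hypothetical layout, not real argus output).
# state: EST = handshake completed, REQ = SYN only, RST = connection refused
SAMPLE_FLOWS = """\
start,src,dst,dport,state
1000,198.51.100.7,192.0.2.10,515,EST
1002,198.51.100.7,192.0.2.10,3897,RST
1010,198.51.100.7,192.0.2.11,515,EST
1015,198.51.100.7,192.0.2.11,3897,RST
1090,198.51.100.7,192.0.2.11,515,EST
1093,198.51.100.7,192.0.2.11,3897,EST
1100,198.51.100.9,192.0.2.12,515,REQ
1101,198.51.100.9,192.0.2.12,3897,REQ
5000,203.0.113.4,192.0.2.13,3897,EST
"""

def load_flows(text):
    """Parse the CSV text into dicts sorted by start time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["start"] = int(r["start"])
        r["dport"] = int(r["dport"])
    return sorted(rows, key=lambda r: r["start"])

def triage(flows, window=WINDOW):
    """Return (likely_compromised, needs_review, probe_counts_per_host)."""
    last_probe = {}            # (src, dst) -> time of latest port-515 flow
    probes = defaultdict(int)  # dst -> number of port-515 flows seen
    likely, review = [], []
    for f in flows:
        key = (f["src"], f["dst"])
        if f["dport"] == LPD_PORT:
            last_probe[key] = f["start"]
            probes[f["dst"]] += 1
        elif f["dport"] == CALLBACK_PORT and f["state"] == "EST":
            t = last_probe.get(key)
            hit = (f["dst"], f["src"], f["start"])
            # Established 3897 session soon after a 515 probe from the same source
            (likely if t is not None and f["start"] - t <= window else review).append(hit)
    return likely, review, dict(probes)
```

Refused or unanswered attempts on port 3897 are ignored on purpose: only a completed handshake indicates something is listening there. Established sessions with no preceding 515 flow are returned separately for manual review.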