Security Incidents mailing list archives

Odd probes from Cisco equipment...


From: "Mike" <mnv () alumni princeton edu>
Date: Mon, 22 Oct 2001 15:30:48 -0700

I've received the following sequence of probes from several different IPs
in the last few hours.  I haven't seen this series of probes before. All
probes are exactly 2 hours and 55 minutes apart, to the minute.

Initially the attacker pings my IP, which this box is set to ignore.
Following the ping, scans probe ports 53, 22, and 123.

The attackers have ports 21, 22, 23 and 5001 open.  An FTP session to port
21 sends the following banner:

    Connected to xxx.xxx.xxx.xxx
    220 ArrowPoint (5.3.1) FTP
    User (xxx.xxx.xxx.xxx:(none))

ArrowPoint is Cisco: further research on my part couldn't find any history
of an automated attack/vulnerability along these lines, and I didn't locate
any information regarding this series of probes.  Thoughts, anyone?

Thanks,
Mike Vasquez



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
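
One way to check firewall logs for the pattern reported above (a ping followed by probes to ports 53, 22 and 123, repeating every 2 hours 55 minutes from different sources). This is an added example, not part of the original post; the log format, addresses and the 60-second grouping window are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log: format and addresses are made up for this example.
SAMPLE_LOG = """\
2001-10-22T06:45:02 SRC=192.0.2.10 PROTO=ICMP DPT=-
2001-10-22T06:45:05 SRC=192.0.2.10 PROTO=UDP DPT=53
2001-10-22T06:45:06 SRC=192.0.2.10 PROTO=TCP DPT=22
2001-10-22T06:45:07 SRC=192.0.2.10 PROTO=UDP DPT=123
2001-10-22T08:10:00 SRC=203.0.113.99 PROTO=ICMP DPT=-
2001-10-22T08:10:02 SRC=203.0.113.99 PROTO=UDP DPT=53
2001-10-22T09:40:31 SRC=198.51.100.7 PROTO=ICMP DPT=-
2001-10-22T09:40:33 SRC=198.51.100.7 PROTO=UDP DPT=53
2001-10-22T09:40:34 SRC=198.51.100.7 PROTO=TCP DPT=22
2001-10-22T09:40:35 SRC=198.51.100.7 PROTO=UDP DPT=123
2001-10-22T12:35:12 SRC=203.0.113.5 PROTO=ICMP DPT=-
2001-10-22T12:35:14 SRC=203.0.113.5 PROTO=UDP DPT=53
2001-10-22T12:35:15 SRC=203.0.113.5 PROTO=TCP DPT=22
2001-10-22T12:35:16 SRC=203.0.113.5 PROTO=UDP DPT=123
"""

PROBE_PORTS = {"53", "22", "123"}   # ports named in the post
WINDOW = timedelta(seconds=60)      # assumed: probes follow the ping within a minute

def parse(log):
    for line in log.splitlines():
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        yield datetime.fromisoformat(ts), kv["SRC"], kv["PROTO"], kv["DPT"]

def find_sweeps(log):
    """Return sorted (start, src) pairs: a ping followed by probes to all PROBE_PORTS."""
    by_src = defaultdict(list)
    for ts, src, proto, dpt in parse(log):
        by_src[src].append((ts, proto, dpt))
    sweeps = []
    for src, events in by_src.items():
        events.sort()
        for i, (ts, proto, _) in enumerate(events):
            # The post does not say TCP or UDP per port, so any non-ICMP probe counts.
            seen = {d for t, p, d in events[i + 1:] if p != "ICMP" and t - ts <= WINDOW}
            if proto == "ICMP" and PROBE_PORTS <= seen:
                sweeps.append((ts, src))
    return sorted(sweeps)

def regular_interval(sweeps):
    """Gap in minutes if consecutive sweeps are equally spaced to the minute, else None."""
    minutes = [start.replace(second=0, microsecond=0) for start, _ in sweeps]
    gaps = {(b - a) // timedelta(minutes=1) for a, b in zip(minutes, minutes[1:])}
    return gaps.pop() if len(gaps) == 1 else None
```

A constant gap across unrelated source addresses, as in the sample, points to one scheduler driving several hosts rather than independent scans.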

