Security Incidents mailing list archives
Re: NTP scan ????
From: Paul Gear <paulgear () bigfoot com>
Date: Wed, 27 Feb 2002 22:05:24 +1000
Russell Fulton wrote:
> Just picked up a SYN scan for NTP. There were problems with xntp a while back, I wonder if there is now an exploit out there...
>
> Report from my scan detector:
>
> We saw adsl-63-199-26-228.dsl.snfc21.pacbell.net[63.199.26.228] talk to 48 ports/addresses(s) on Tue 26 Feb 2002 at 17:00 (UTC)

All of the NTP problems were UDP-based, to my knowledge. (See http://www.kb.cert.org/vuls/id/970472 and links therefrom.) Could it be that this is a tool trying to get through poorly-defined firewall rules?

I got a few probes the other day that were UDP, from port 80, to a random high port. I assume they were trying to probe firewalls that define the return path for http requests without specifying the protocol. Here's a sample:

Feb 19 17:55:03 host kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:c0:26:25:14:57:00:04:28:23:e0:70:08:00 SRC=64.152.70.68 DST=a.b.c.d LEN=38 TOS=0x00 PREC=0x00 TTL=40 ID=12866 PROTO=UDP SPT=80 DPT=37852 LEN=18
Feb 19 17:49:10 host kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:c0:26:25:14:57:00:04:28:23:e0:70:08:00 SRC=63.211.17.228 DST=a.b.c.d LEN=38 TOS=0x00 PREC=0x00 TTL=40 ID=26558 PROTO=UDP SPT=80 DPT=37852 LEN=18

Perhaps you're seeing something similar: people looking for poor filtering rules.

Paul
http://paulgear.webhop.net

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
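
Added example, not part of the message above or of the list archive: a Python sketch that parses netfilter LOG lines like the two quoted in the message and flags UDP packets arriving from a source port whose service normally runs over TCP only, grouped by port pair. The port set, the function names and the last two sample lines are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# Assumption for this example: services that normally run over TCP only.
TCP_ONLY_SERVICE_PORTS = {20, 21, 22, 23, 25, 80, 110, 143}
KV = re.compile(r"\b([A-Z]+)=(\S*)")

# First two lines are from the message; the last two are constructed
# (a normal TCP reply from port 80 and a normal UDP DNS reply).
SAMPLE = [
    "Feb 19 17:55:03 host kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:c0:26:25:14:57:00:04:28:23:e0:70:08:00 SRC=64.152.70.68 DST=a.b.c.d LEN=38 TOS=0x00 PREC=0x00 TTL=40 ID=12866 PROTO=UDP SPT=80 DPT=37852 LEN=18",
    "Feb 19 17:49:10 host kernel: Shorewall:net2all:DROP:IN=eth1 OUT= MAC=00:c0:26:25:14:57:00:04:28:23:e0:70:08:00 SRC=63.211.17.228 DST=a.b.c.d LEN=38 TOS=0x00 PREC=0x00 TTL=40 ID=26558 PROTO=UDP SPT=80 DPT=37852 LEN=18",
    "Feb 19 18:01:00 host kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=192.0.2.10 DST=a.b.c.d LEN=40 TTL=52 ID=1 PROTO=TCP SPT=80 DPT=40000 WINDOW=0 ACK",
    "Feb 19 18:02:00 host kernel: Shorewall:net2all:DROP:IN=eth1 OUT= SRC=192.0.2.53 DST=a.b.c.d LEN=76 TTL=52 ID=2 PROTO=UDP SPT=53 DPT=40001 LEN=56",
]

def parse_netfilter(line):
    """Return the KEY=value fields of a netfilter LOG line as a dict.
    LEN occurs twice (IP length, then UDP length); the first one is kept."""
    fields = {}
    for key, value in KV.findall(line):
        fields.setdefault(key, value)
    return fields

def is_tcp_port_udp_probe(fields):
    """True for UDP from a TCP-only service port to an unprivileged port."""
    try:
        spt, dpt = int(fields["SPT"]), int(fields["DPT"])
    except (KeyError, ValueError):
        return False  # not a TCP/UDP log line, or truncated
    return (fields.get("PROTO") == "UDP"
            and spt in TCP_ONLY_SERVICE_PORTS
            and dpt >= 1024)

def summarize(lines):
    """Map (source port, destination port) -> sorted source addresses."""
    hits = defaultdict(set)
    for line in lines:
        f = parse_netfilter(line)
        if is_tcp_port_udp_probe(f):
            hits[(int(f["SPT"]), int(f["DPT"]))].add(f.get("SRC", "?"))
    return {pair: sorted(srcs) for pair, srcs in hits.items()}

if __name__ == "__main__":
    for (spt, dpt), sources in summarize(SAMPLE).items():
        print(f"UDP {spt} -> {dpt}: {', '.join(sources)}")
```

Several sources hitting the same destination port, as in the two quoted lines, show up as one entry with more than one address.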