Full Disclosure mailing list archives

Re: Probes on port 389


From: John Sage <jsage () finchhaven com>
Date: Tue, 24 Feb 2004 14:16:08 -0800

Paul:

On Tue, Feb 24, 2004 at 11:06:50AM -0600, Schmehl, Paul L wrote:
From: "Schmehl, Paul L" <pauls () utdallas edu>
To: <intrusion () sans org>, <full-disclosure () lists netsys com>
Subject: [Full-disclosure] Probes on port 389
Date: Tue, 24 Feb 2004 11:06:50 -0600

I threw up a quick rule on snort to monitor probes on port 389 because I
have been seeing entries in /var/log/messages on some boxes that I am
responsible for.  This morning we had a probe that hit 26205 different
IPs on that port in about 7 minutes (SYN scan only - no payload.)  The
source IP was a mailserver in England.  (They've been notified.)

Two only for the last +48 hours:

ngrep_port: dst port 389, host 24.19.147.xxx in snort211.log-Feb.24.06:57
Generated 14:09:28 (TZ -08:00) 02/24/2004

input: snort211.log-Feb.24.06:57
filter: ip and ( host 24.19.147.xxx and dst port 389 )
#
T 2004/02/22 18:48:33.763939 217.218.252.195:3062 -> 24.19.147.xxx:389 [S]
exit

[jsage@sparky /home] $ host 217.218.252.195
Host 195.252.218.217.in-addr.arpa not found: 3(NXDOMAIN)
ngrep_port: dst port 389, host 24.19.147.xxx in snort.log.1077636344
Generated 14:05:54 (TZ -08:00) 02/24/2004

input: snort.log.1077636344
filter: ip and ( host 24.19.147.xxx and dst port 389 )
#
T 2004/02/24 08:34:33.786569 66.60.194.153:3351 -> 24.19.147.xxx:389 [S]
exit


[jsage@sparky /home] $ host 66.60.194.153
153.194.60.66.in-addr.arpa domain name pointer 66-60-194-153.newulmtel.net.
- John
-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
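The two posts above differ mainly in scale: Paul saw one source hit 26205 hosts on 389/tcp in seven minutes, John saw two isolated SYNs over two days. The script below is an added example for this archive page, not code from either poster. It parses ngrep packet header lines in the format John quoted (`T date time src:port -> dst:port [flags]`, with the destination possibly masked as `xxx`), keeps only bare SYNs aimed at port 389, and reports, per source, the largest number of distinct destinations hit within a sliding time window, so a sweep stands out from a single probe or a normal LDAP client. The sample capture, the RFC 5737 addresses in it, and the threshold and window values are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Matches the ngrep packet header lines quoted in the thread, e.g.
#   T 2004/02/22 18:48:33.763939 217.218.252.195:3062 -> 24.19.147.xxx:389 [S]
# The destination may be partially masked ("xxx"), as in the post.
LINE_RE = re.compile(
    r"^T (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\w.]+):(?P<dport>\d+) "
    r"\[(?P<flags>[A-Z]*)\]"
)

# Constructed sample capture (RFC 5737 documentation addresses, not hosts from
# the thread): one source sweeps five hosts with bare SYNs in two seconds, one
# source sends a single SYN probe, and one source is an ordinary LDAP client
# that completes a handshake and sends data, then also talks to port 25.
SAMPLE_LINES = """\
T 2004/02/24 08:30:01.000100 198.51.100.7:3001 -> 203.0.113.10:389 [S]
T 2004/02/24 08:30:01.000300 198.51.100.7:3002 -> 203.0.113.11:389 [S]
T 2004/02/24 08:30:01.000500 198.51.100.7:3003 -> 203.0.113.12:389 [S]
T 2004/02/24 08:30:02.000100 198.51.100.7:3004 -> 203.0.113.13:389 [S]
T 2004/02/24 08:30:02.000300 198.51.100.7:3005 -> 203.0.113.14:389 [S]
T 2004/02/24 08:34:33.786569 198.51.100.22:3351 -> 203.0.113.10:389 [S]
T 2004/02/24 08:40:10.100000 203.0.113.50:4000 -> 203.0.113.10:389 [S]
T 2004/02/24 08:40:10.100200 203.0.113.10:389 -> 203.0.113.50:4000 [SA]
T 2004/02/24 08:40:10.100400 203.0.113.50:4000 -> 203.0.113.10:389 [A]
T 2004/02/24 08:40:10.200000 203.0.113.50:4000 -> 203.0.113.10:389 [AP]
T 2004/02/24 08:41:00.000000 203.0.113.50:4000 -> 203.0.113.10:25 [S]
"""


def parse_line(line):
    """Parse one ngrep header line into a dict; return None for any other line
    (the 'input:', 'filter:', '#' and 'exit' lines in ngrep output)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S.%f")
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def syn_probes(lines, port=389):
    """Keep only bare SYNs (flags exactly 'S', i.e. no ACK) aimed at the port.
    SYN/ACK replies and established-connection traffic are dropped here."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dport"] == port and rec["flags"] == "S":
            out.append(rec)
    return out


def max_distinct_targets(records, window):
    """Per source, the largest number of distinct destinations probed within any
    time span of length `window` (sliding window over time-sorted probes)."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append((r["ts"], r["dst"]))
    result = {}
    for src, events in by_src.items():
        events.sort()
        in_window = Counter()   # destination -> probes currently inside the window
        left = 0
        best = 0
        for ts, dst in events:
            in_window[dst] += 1
            # Slide the left edge forward until every event fits in the window.
            while ts - events[left][0] > window:
                old = events[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            best = max(best, len(in_window))
        result[src] = best
    return result


def sweep_sources(lines, port=389, min_targets=3, window=timedelta(minutes=7)):
    """Sources whose bare SYNs reached at least `min_targets` distinct hosts on
    the port inside one window: the sweep candidates worth reporting."""
    counts = max_distinct_targets(syn_probes(lines, port), window)
    return {src: n for src, n in counts.items() if n >= min_targets}


if __name__ == "__main__":
    lines = SAMPLE_LINES.splitlines()
    per_source = max_distinct_targets(syn_probes(lines), timedelta(minutes=7))
    for src, n in sorted(per_source.items()):
        print(f"{src}: {n} distinct host(s) probed on 389/tcp")
    print("sweep candidates:", sweep_sources(lines))
```

Run against the sample, the sweeping source is the only one that clears the threshold; the single probe and the legitimate client each show one destination, which is why a per-source distinct-target count over a window is a more useful trigger than counting raw SYNs to the port. The same parser works on the `T ...` lines of a real `ngrep -t` capture piped in on stdin, and the window and threshold should be tuned to the size of the monitored range.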