Security Incidents mailing list archives

Re: Scans(?) 500->500 from China


From: TJ Jablonowski <t.jablonowski () MAIL-2-GO COM>
Date: Mon, 9 Oct 2000 19:52:41 -0400

  More on the port 500 scans with this thread and others

Got the latest PGP Desktop Client v7.0. It has a feature built into
PGPnet to automatically attempt a secure connection. The three options are
"attempt, allow, require" secure communications. From the log (sample
below) it appears to use IKE to initiate the secure connection. It
attempted to create an association with every IP I contacted regardless of
the type of service (http, imap). It is turned on by default installation but
can be turned off unless it's locked by a corporate administrator's kit
(laptops). Could be an explanation for the sudden increase in port 500
detections.

PGPnet Log
Monday, October 09, 2000 7:28:52 PM

Time Event Address Message

10/9/2000 6:54:15 PM IKE         xxx.131.1.27 No Proposals
10/9/2000 6:54:15 PM Service     xxx.131.1.27 Unable to establish Security Association
10/9/2000 6:56:17 PM IKE         xxx.46.230.125 No Proposals
10/9/2000 6:56:17 PM Service     xxx.46.230.125 Unable to establish Security Association
10/9/2000 6:56:17 PM IKE         xxx.46.176.150 No Proposals
10/9/2000 6:56:17 PM Service     xxx.46.176.150 Unable to establish Security Association
10/9/2000 6:56:17 PM IKE         xxx.46.185.140 No Proposals
10/9/2000 6:56:17 PM Service     xxx.46.185.140 Unable to establish Security Association
10/9/2000 6:56:18 PM IKE         xxx.46.188.86 No Proposals
10/9/2000 6:56:18 PM Service     xxx.46.188.86 Unable to establish Security Association
10/9/2000 6:56:18 PM IKE         xxx.46.199.253 No Proposals
10/9/2000 6:56:18 PM Service     xxx.46.199.253 Unable to establish Security Association
10/9/2000 6:56:19 PM IKE         xxx.46.179.138 No Proposals
10/9/2000 6:56:19 PM Service     xxx.46.179.138 Unable to establish Security Association
10/9/2000 6:56:20 PM IKE         xxx.46.133.14 No Proposals
10/9/2000 6:56:20 PM Service     xxx.46.133.14 Unable to establish Security Association
10/9/2000 6:56:20 PM IKE         xxx.46.131.71 No Proposals
10/9/2000 6:56:20 PM Service     xxx.46.131.71 Unable to establish Security Association



----- Original Message -----
From: "azimuth" <lozah () IO COM>
To: <INCIDENTS () SECURITYFOCUS COM>
Sent: Saturday, September 02, 2000 2:20 AM
Subject: Re: Scans(?) 500->500 from China


Howdy Ralf,

Isakmp is a standard that outlines how two peers can establish and
conduct secure communications over an insecure transport.

http://www.ietf.org/rfc/rfc2408.txt

It's used in IPSec & VPNs, and probably elsewhere.  I have no idea why
someone would be banging away at a single IP (I assume the log entries
reflect traffic directed to one host), unless they were trying to
connect to their VPN and got confused about their server IP.

There's a recent vulnerability for Rapidstream VPN boxes:

http://www.securityfocus.com/vdb/bottom.html?vid=1574

---cut for brevity----------
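The PGPnet log quoted in TJ's post has a recognisable shape: every host the client talks to gets an IKE "No Proposals" line followed immediately by a failed Security Association, across many distinct peers in a few seconds. The script below is an added example (not from the post, PGP, or the list) that parses log lines in that layout, groups them per peer, and applies a simple heuristic to tell a client left in "attempt" mode apart from a user repeatedly trying one VPN gateway. The sample input reuses the masked addresses from the post with the wrapped lines joined; the second, single-peer sample and the thresholds (five peers, a sixty-second window) are constructed assumptions for illustration.

```python
"""Summarise PGPnet log entries to spot a client auto-attempting IKE to every peer."""
import re
from collections import namedtuple
from datetime import datetime, timedelta

Entry = namedtuple("Entry", "time event address message")

# One PGPnet log line: "<date> <time> <AM/PM> <Event> <Address> <Message>".
# The address is any non-blank token so the masked "xxx." form parses as-is.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+"
    r"(?P<event>\S+)\s+(?P<addr>\S+)\s+(?P<msg>.+?)\s*$"
)

# Sample taken from the post's log (wrapped lines joined). Addresses masked as in the post.
SAMPLE_LOG = """\
10/9/2000 6:54:15 PM IKE         xxx.131.1.27 No Proposals
10/9/2000 6:54:15 PM Service     xxx.131.1.27 Unable to establish Security Association
10/9/2000 6:56:17 PM IKE         xxx.46.230.125 No Proposals
10/9/2000 6:56:17 PM Service     xxx.46.230.125 Unable to establish Security Association
10/9/2000 6:56:17 PM IKE         xxx.46.176.150 No Proposals
10/9/2000 6:56:17 PM Service     xxx.46.176.150 Unable to establish Security Association
10/9/2000 6:56:17 PM IKE         xxx.46.185.140 No Proposals
10/9/2000 6:56:17 PM Service     xxx.46.185.140 Unable to establish Security Association
10/9/2000 6:56:18 PM IKE         xxx.46.188.86 No Proposals
10/9/2000 6:56:18 PM Service     xxx.46.188.86 Unable to establish Security Association
10/9/2000 6:56:18 PM IKE         xxx.46.199.253 No Proposals
10/9/2000 6:56:18 PM Service     xxx.46.199.253 Unable to establish Security Association
10/9/2000 6:56:19 PM IKE         xxx.46.179.138 No Proposals
10/9/2000 6:56:19 PM Service     xxx.46.179.138 Unable to establish Security Association
10/9/2000 6:56:20 PM IKE         xxx.46.133.14 No Proposals
10/9/2000 6:56:20 PM Service     xxx.46.133.14 Unable to establish Security Association
10/9/2000 6:56:20 PM IKE         xxx.46.131.71 No Proposals
10/9/2000 6:56:20 PM Service     xxx.46.131.71 Unable to establish Security Association
"""

# Constructed contrast case: one user retrying a single gateway (placeholder address).
SINGLE_PEER_LOG = """\
10/9/2000 7:01:00 PM IKE         203.0.113.5 No Proposals
10/9/2000 7:01:00 PM Service     203.0.113.5 Unable to establish Security Association
10/9/2000 7:01:30 PM IKE         203.0.113.5 No Proposals
10/9/2000 7:01:30 PM Service     203.0.113.5 Unable to establish Security Association
10/9/2000 7:02:00 PM IKE         203.0.113.5 No Proposals
10/9/2000 7:02:00 PM Service     203.0.113.5 Unable to establish Security Association
"""


def parse_pgpnet_log(text):
    """Parse PGPnet log lines; non-matching lines (headers, blanks) are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%m/%d/%Y %I:%M:%S %p")
        entries.append(Entry(ts, m.group("event"), m.group("addr"), m.group("msg")))
    return entries


def summarize_peers(entries):
    """Per peer address: first contact time, IKE attempts, and whether the SA failed."""
    peers = {}
    for e in entries:
        p = peers.setdefault(e.address, {"first": e.time, "attempts": 0, "failed": False})
        p["first"] = min(p["first"], e.time)
        if e.event == "IKE" and e.message == "No Proposals":
            p["attempts"] += 1
        if e.event == "Service" and e.message.startswith("Unable to establish Security Association"):
            p["failed"] = True
    return peers


def max_peers_in_window(peers, window_seconds=60):
    """Largest number of distinct peers first contacted within any sliding window."""
    times = sorted(p["first"] for p in peers.values())
    window = timedelta(seconds=window_seconds)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def looks_like_auto_attempt(peers, min_peers=5, window_seconds=60):
    """Heuristic (assumed thresholds): a burst of many distinct peers, all failing,
    matches a client set to 'attempt' secure communications with everything it
    contacts rather than a user aiming at one VPN gateway."""
    if len(peers) < min_peers:
        return False
    if not all(p["failed"] for p in peers.values()):
        return False
    return max_peers_in_window(peers, window_seconds) >= min_peers


if __name__ == "__main__":
    for name, text in (("post sample", SAMPLE_LOG), ("single peer", SINGLE_PEER_LOG)):
        peers = summarize_peers(parse_pgpnet_log(text))
        print(name, len(peers), "peers, auto-attempt:", looks_like_auto_attempt(peers))
```

The same grouping works from the receiving side: a firewall or IDS log of inbound UDP/500 where one source touches many of your hosts, each just after an ordinary HTTP or IMAP connection from that source, points at a misconfigured client rather than a deliberate scan.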

