Security Incidents mailing list archives
Re: Strange broadcasts to printer port
From: Dan Riley <dsr () mail lns cornell edu>
Date: 29 Jun 2001 11:21:17 -0400
I have been seeing syn packets from src 255.255.255.255:31337 to random ip-numbers port 515 in our nets for months. Does anyone kow what could cause this?
We've also been seeing these with real IP src addresses, as well as 255.255.255.255. The best speculation I've heard is that it is an exploit scanning for LPR/LPRng holes, and the ones from the broadcast address are from unconfigured but live interfaces on (most likely) Linux boxes. -- Dan Riley dsr () mail lns cornell edu Wilson Lab, Cornell University <URL:http://www.lns.cornell.edu/~dsr/> "History teaches us that days like this are best spent in bed" ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- Strange broadcasts to printer port Patrick Oonk (Jun 28)
- <Possible follow-ups>
- Re: Strange broadcasts to printer port Mike Patchen (Jun 28)
- Re: Strange broadcasts to printer port Dan Riley (Jun 29)
- Re: Strange broadcasts to printer port Crist Clark (Jun 30)