Security Incidents mailing list archives

Re: Strange broadcasts to printer port

From: Dan Riley <dsr () mail lns cornell edu>
Date: 29 Jun 2001 11:21:17 -0400

I have been seeing syn packets from src 255.255.255.255:31337 to
random ip-numbers port 515 in our nets for months.  Does anyone kow
what could cause this?


We've also been seeing these with real IP src addresses, as well
as 255.255.255.255.  The best speculation I've heard is that it
is an exploit scanning for LPR/LPRng holes, and the ones from
the broadcast address are from unconfigured but live interfaces
on (most likely) Linux boxes.
-- 
Dan Riley                                         dsr () mail lns cornell edu
Wilson Lab, Cornell University      <URL:http://www.lns.cornell.edu/~dsr/>
    "History teaches us that days like this are best spent in bed"


----------------------------------------------------------------------------


This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see:

http://aris.securityfocus.com

Current thread:

Strange broadcasts to printer port Patrick Oonk (Jun 28)
- <Possible follow-ups>
- Re: Strange broadcasts to printer port Mike Patchen (Jun 28)
  - Re: Strange broadcasts to printer port Dan Riley (Jun 29)
  - Re: Strange broadcasts to printer port Crist Clark (Jun 30)