Security Incidents mailing list archives

Re: Odd probes from Cisco equipment...


From: Richard.Smith () predictive com
Date: Tue, 23 Oct 2001 09:39:01 -0400

Check the archives. I think someone else had a similar issue a couple 
weeks ago. 

The Content Switches should not do this by default. Although, it could be 
part of some metric gathering by the CSS's. The OS is a FreeBSD variant 
and one can write shell scripts and execute code just as you might on any 
other UNIX flavor OS.

rich
"Mike" <mnv () alumni princeton edu>
10/22/2001 06:30 PM

 
        To:     "Incidents List" <incidents () securityfocus com>
        cc: 
        Subject:        Odd probes from Cisco equipment...


I've received the following sequence of probes from several different IPs
in the last few hours.  I haven't seen this series of probes before. All
probes are exactly 2 hours and 55 minutes apart, to the minute.

Initially the attacker pings my IP, which this box is set to ignore.
Following the ping, scans probe ports 53, 22, and 123.

The attackers have ports 21, 22, 23 and 5001 open.  An ftp session to port
21 sends the following banner:
Connected to xxx.xxx.xxx.xxx
220 ArrowPoint (5.3.1) FTP
User (xxx.xxx.xxx.xxx:(none))

Arrowpoint is Cisco: further research on my part couldn't find any history
of an automated attack/vulnerability along these lines, and I didn't locate
any information regarding this series of probes.  Thoughts, anyone?

Thanks,
Mike Vasquez
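A defender-side check for the pattern Mike describes, added here as an example and not part of the original thread: it reads constructed firewall-style log lines (the line format, the IP addresses and the timestamps are all assumptions), groups events by source, looks for a ping followed by probes to ports 53, 22 and 123 within a minute, and reports sources that repeat that burst every 2 hours 55 minutes.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed log lines (not from the post): "<ISO timestamp> <src_ip> <proto> <dst_port>"
SAMPLE_LOG = """\
2001-10-22T10:00:00 192.0.2.10 icmp -
2001-10-22T10:00:01 192.0.2.10 tcp 53
2001-10-22T10:00:02 192.0.2.10 tcp 22
2001-10-22T10:00:03 192.0.2.10 tcp 123
2001-10-22T12:55:00 192.0.2.10 icmp -
2001-10-22T12:55:01 192.0.2.10 tcp 53
2001-10-22T12:55:02 192.0.2.10 tcp 22
2001-10-22T12:55:03 192.0.2.10 tcp 123
2001-10-22T11:20:00 198.51.100.7 tcp 22
"""

PROBE_SEQUENCE = ("icmp", "53", "22", "123")  # ping, then DNS, SSH and NTP ports
PROBE_INTERVAL = timedelta(hours=2, minutes=55)
BURST_WINDOW = timedelta(minutes=1)           # the four events arrive close together

def parse(log_text):
    """Return {src_ip: [(timestamp, 'icmp' or dst_port), ...]} sorted by time."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, proto, port = line.split()
        events[src].append((datetime.fromisoformat(ts), "icmp" if proto == "icmp" else port))
    return {src: sorted(evts, key=lambda e: e[0]) for src, evts in events.items()}

def find_bursts(evts):
    """Start times of event runs that match PROBE_SEQUENCE inside BURST_WINDOW."""
    starts, n, i = [], len(PROBE_SEQUENCE), 0
    while i + n <= len(evts):
        window = evts[i:i + n]
        if (tuple(k for _, k in window) == PROBE_SEQUENCE
                and window[-1][0] - window[0][0] <= BURST_WINDOW):
            starts.append(window[0][0])
            i += n
        else:
            i += 1
    return starts

def periodic_probers(log_text, tolerance=timedelta(minutes=1)):
    """Map src_ip -> burst count for sources repeating the sequence every PROBE_INTERVAL."""
    hits = {}
    for src, evts in parse(log_text).items():
        starts = find_bursts(evts)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if gaps and all(abs(g - PROBE_INTERVAL) <= tolerance for g in gaps):
            hits[src] = len(starts)
    return hits
```

A source that sends the same four-port burst at a different cadence, or only once, is not reported, which keeps the check tied to the 2h55m periodicity Mike observed.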



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com