Open Source and information security mailing list archives
Message-ID: <15533237421C6E4296CC33A2090B224AF2A48D@UTDEVS02.campus.ad.utdallas.edu>
From: pauls at utdallas.edu (Schmehl, Paul L)
Subject: Probes on port 389

I threw up a quick rule on snort to monitor probes on port 389 because I
have been seeing entries in /var/log/messages on some boxes that I am
responsible for.  This morning we had a probe that hit 26205 different
IPs on that port in about 7 minutes (SYN scan only - no payload.)  The
source IP was a mailserver in England.  (They've been notified.)

Shortly afterwards we had a probe from one IP to one IP.  The source IP
is a Sprint PCS address.  The dest IP is one of our Win2k3 DCs.

I looked at the Internet Storm Center, and port 389 probes aren't
showing up there.  I checked Securityfocus for any LDAP exploits, and
the most recent one is the Ipswitch LDAP daemon overflow.  I checked for
Active Directory exploits and the most recent one is back in July of
last year.

I suspect this could be probes for Ipswitch Imail servers, but the
focused probe to one DC makes me wonder if this might be something else.

Is anyone else seeing SYN scans on port 389?  Is anyone aware of any
recent exploits for Active Directory?  Perhaps using the ASN.1 overflow?

Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 
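As an added, defender-side example (not part of Paul's message and not his Snort rule), the two patterns he describes can be separated in the host logs themselves: a horizontal sweep (one source, many destinations on port 389 in a short window) versus a focused single-host probe against a domain controller. The script assumes the /var/log/messages entries are netfilter LOG-target lines (SRC=/DST=/PROTO=/DPT= fields followed by TCP flag names); the sample lines, addresses, the 2004 year, the 7-minute window and the 20-host threshold are all constructed for the example.

```python
"""Flag port-389 SYN probes in firewall syslog lines (added example).

Assumes the /var/log/messages entries are netfilter LOG-target lines
(SRC=/DST=/PROTO=/DPT= fields followed by TCP flag names). The sample
lines below are constructed and use documentation-range addresses.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dpt>\d+)"
    r"(?P<flags>.*)$"
)


def parse_line(line, year=2004):
    """Return a dict for one TCP LOG line, or None if the line does not match.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2004)."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the double space of single-digit days
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    flags = m["flags"]
    # A bare SYN (no ACK) is a connection attempt; SYN+ACK or ACK belongs to an
    # established exchange and is not probe traffic.
    syn_only = bool(re.search(r"\bSYN\b", flags)) and not re.search(r"\bACK\b", flags)
    return {"ts": ts, "src": m["src"], "dst": m["dst"],
            "dpt": int(m["dpt"]), "syn_only": syn_only}


def find_port_scans(events, port=389, window=timedelta(minutes=7), min_targets=20):
    """Sources that send bare SYNs to >= min_targets distinct hosts on `port`
    inside any `window` (a horizontal sweep). Returns {src: max distinct hosts}."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["dpt"] == port and ev["syn_only"]:
            by_src[ev["src"]].append((ev["ts"], ev["dst"]))
    scanners = {}
    for src, recs in by_src.items():
        recs.sort()
        in_window = Counter()  # destinations currently inside the sliding window
        lo, best = 0, 0
        for ts, dst in recs:
            in_window[dst] += 1
            while ts - recs[lo][0] > window:  # drop records older than the window
                old_dst = recs[lo][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                lo += 1
            best = max(best, len(in_window))
        if best >= min_targets:
            scanners[src] = best
    return scanners


def find_targeted_probes(events, sensitive_hosts, port=389):
    """(src, dst) pairs where a host sent a bare SYN on `port` to a host you
    care about (e.g. a domain controller), regardless of volume."""
    return sorted({(ev["src"], ev["dst"]) for ev in events
                   if ev["dpt"] == port and ev["syn_only"] and ev["dst"] in sensitive_hosts})


# Constructed sample log: one source sweeping 25 hosts on 389 within 25 seconds,
# one single SYN to the (assumed) DC at 10.0.0.200, one established ACK to the
# DC, and one SYN to port 80 that the port filter must ignore.
SAMPLE_LOG = [
    f"Apr 12 09:00:{i:02d} fw1 kernel: IN=eth0 OUT= SRC=198.51.100.23 DST=10.0.0.{i + 1} "
    f"LEN=48 TOS=0x00 PREC=0x00 TTL=112 ID={1000 + i} DF PROTO=TCP SPT={40000 + i} DPT=389 "
    f"WINDOW=16384 RES=0x00 SYN URGP=0"
    for i in range(25)
] + [
    "Apr 12 09:14:31 fw1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.0.0.200 LEN=48 TOS=0x00 "
    "PREC=0x00 TTL=117 ID=5531 DF PROTO=TCP SPT=3221 DPT=389 WINDOW=65535 RES=0x00 SYN URGP=0",
    "Apr 12 09:15:02 fw1 kernel: IN=eth0 OUT= SRC=10.0.0.51 DST=10.0.0.200 LEN=40 TOS=0x00 "
    "PREC=0x00 TTL=128 ID=771 DF PROTO=TCP SPT=1122 DPT=389 WINDOW=64240 RES=0x00 ACK URGP=0",
    "Apr 12 09:15:10 fw1 kernel: IN=eth0 OUT= SRC=192.0.2.77 DST=10.0.0.200 LEN=48 TOS=0x00 "
    "PREC=0x00 TTL=117 ID=5532 DF PROTO=TCP SPT=3222 DPT=80 WINDOW=65535 RES=0x00 SYN URGP=0",
]

DOMAIN_CONTROLLERS = {"10.0.0.200"}  # assumed address of the DC being watched


def analyse(lines, sensitive_hosts=DOMAIN_CONTROLLERS):
    """Parse the lines and return (sweeping sources, targeted probes)."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    return find_port_scans(events), find_targeted_probes(events, sensitive_hosts)


if __name__ == "__main__":
    scans, targeted = analyse(SAMPLE_LOG)
    for src, hosts in scans.items():
        print(f"sweep: {src} hit {hosts} distinct hosts on tcp/389")
    for src, dst in targeted:
        print(f"targeted: {src} -> {dst} tcp/389")
```

The sweep detector counts distinct destinations per source inside a sliding time window rather than raw packet counts, so a legitimate LDAP client that retries one server is never mistaken for a scanner, while the targeted-probe check deliberately has no threshold: a single bare SYN from an outside address to a domain controller is the event worth looking at even when it is the only one.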

