Open Source and information security mailing list archives
Message-ID: <20040224221608.GZ13537@sparky.finchhaven.net>
From: jsage at finchhaven.com (John Sage)
Subject: Probes on port 389

Paul:

On Tue, Feb 24, 2004 at 11:06:50AM -0600, Schmehl, Paul L wrote:
> From: "Schmehl, Paul L" <pauls@...allas.edu>
> To: <intrusion@...s.org>, <full-disclosure@...ts.netsys.com>
> Subject: [Full-Disclosure] Probes on port 389
> Date: Tue, 24 Feb 2004 11:06:50 -0600
> 
> I threw up a quick rule on snort to monitor probes on port 389 because I
> have been seeing entries in /var/log/messages on some boxes that I am
> responsible for.  This morning we had a probe that hit 26205 different
> IPs on that port in about 7 minutes (SYN scan only - no payload.)  The
> source IP was a mailserver in England.  (They've been notified.

Two only for the last +48 hours:

ngrep_port: dst port 389, host 24.19.147.xxx in snort211.log-Feb.24.06:57
Generated 14:09:28 (TZ -08:00) 02/24/2004

input: snort211.log-Feb.24.06:57
filter: ip and ( host 24.19.147.xxx and dst port 389 )
#
T 2004/02/22 18:48:33.763939 217.218.252.195:3062 -> 24.19.147.xxx:389 [S]
exit

[jsage@...rky /home] $ host 217.218.252.195
Host 195.252.218.217.in-addr.arpa not found: 3(NXDOMAIN)
ngrep_port: dst port 389, host 24.19.147.xxx in snort.log.1077636344
Generated 14:05:54 (TZ -08:00) 02/24/2004

input: snort.log.1077636344
filter: ip and ( host 24.19.147.xxx and dst port 389 )
#
T 2004/02/24 08:34:33.786569 66.60.194.153:3351 -> 24.19.147.xxx:389 [S]
exit
[jsage@...rky /home] $ host 66.60.194.153
153.194.60.66.in-addr.arpa domain name pointer 66-60-194-153.newulmtel.net.
- John
-- 
"Mad cow? You'd be mad too, if someone was trying to eat you."
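As an added example (not part of John's or Paul's post), a small Python script that parses ngrep summary lines like the ones John pasted and flags any source whose bare SYNs reach several distinct hosts on port 389 inside a short window, the pattern Paul reports (26205 IPs in about 7 minutes). The sample lines and the documentation-range addresses in it are constructed, not taken from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the ngrep summary lines quoted in the post, e.g.:
#   T 2004/02/22 18:48:33.763939 217.218.252.195:3062 -> 24.19.147.xxx:389 [S]
LINE_RE = re.compile(
    r"^T (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+ "
    r"(\S+):(\d+) -> (\S+):(\d+) \[(\w+)\]$"
)

def parse_ngrep(lines):
    """Yield (timestamp, src_ip, dst_ip, dst_port, flags) per ngrep 'T' line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, filter, 'exit' and blank lines
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        yield ts, m.group(2), m.group(4), int(m.group(5)), m.group(6)

def find_scanners(lines, port=389, window_seconds=420, min_targets=3):
    """Sources whose bare SYNs to `port` hit >= min_targets distinct
    destinations inside any window_seconds span (420 s = the 7 minutes
    in Paul's report). Returns {src_ip: max distinct targets in a window}."""
    hits = defaultdict(list)
    for ts, src, dst, dport, flags in parse_ngrep(lines):
        if dport == port and flags == "S":
            hits[src].append((ts, dst))
    scanners = {}
    for src, events in hits.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # advance the window start until the span fits window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_targets:
            scanners[src] = best
    return scanners

# Constructed sample (documentation-range addresses, not from the post):
SAMPLE = """\
T 2004/02/22 18:48:33.763939 198.51.100.9:3062 -> 192.0.2.1:389 [S]
T 2004/02/22 18:48:33.900000 198.51.100.9:3063 -> 192.0.2.2:389 [S]
T 2004/02/22 18:48:34.100000 198.51.100.9:3064 -> 192.0.2.3:389 [S]
T 2004/02/24 08:34:33.786569 203.0.113.7:3351 -> 192.0.2.4:389 [S]
T 2004/02/24 09:34:33.786569 203.0.113.7:3352 -> 192.0.2.5:389 [S]
T 2004/02/24 10:34:33.786569 203.0.113.7:3353 -> 192.0.2.6:389 [S]
exit
""".splitlines()
```

With the defaults, 198.51.100.9 (three hosts in one second) is flagged while 203.0.113.7 (three hosts over two hours) is not; widening the window or lowering min_targets changes that, which is the knob to tune against the slow probes John shows.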