Could be the Nimda virus, have you scanned the machines in question?

--- Michael Janke <[EMAIL PROTECTED]> wrote:
> We've been seeing an increasing number of probes on port 524
> starting about a week ago.
>
> The probes appear to be coming from ordinary PCs, both internal and
> external to our network. The probes follow a regular pattern of 3
> probes followed by DNS and Netbios lookups. The probes appear to
> scan their own class 'A' and 'B' more often than other networks,
> but will jump randomly a percentage of the time. The time between
> packets and the packet lengths are very consistent across many
> scans.
>
> Port 524 is normally used for Netware 5.x file services, but has
> also been associated with an old Linux vulnerability.
>
> I've isolated a single scan using Netflow data.
>
> Time     SrcIPaddre     SrcP  DstIPaddress   DstP  Pr   Pkts  Octets
>
> 09:24:18 A1.29.208.155  1088  A1.29.237.94   524   TCP  3     144
> 09:24:28 A1.29.208.155  1089  A1.29.237.94   524   TCP  3     144
> 09:24:39 A1.29.208.155  1090  A1.29.237.94   524   TCP  3     144
> 09:24:52 A1.29.208.155  137   <nameserver1>  53    UDP  6     360
> 09:24:57 A1.29.208.155  137   <nameserver2>  53    UDP  6     360
> 09:25:01 A1.29.208.155  137   A1.29.237.94   137   UDP  3     234
>
> 09:25:12 A1.29.208.155  1093  A1.201.92.88   524   TCP  3     144
> 09:25:22 A1.29.208.155  1094  A1.201.92.88   524   TCP  3     144
> 09:25:33 A1.29.208.155  1095  A1.201.92.88   524   TCP  3     144
> 09:25:46 A1.29.208.155  137   <nameserver1>  53    UDP  6     360
> 09:25:51 A1.29.208.155  137   <nameserver2>  53    UDP  6     360
> 09:25:55 A1.29.208.155  137   A1.201.92.88   137   UDP  3     234
>
> 09:26:06 A1.29.208.155  1098  A1.29.241.245  524   TCP  3     144
> 09:26:16 A1.29.208.155  1099  A1.29.241.245  524   TCP  3     144
> 09:26:27 A1.29.208.155  1100  A1.29.241.245  524   TCP  3     144
> 09:26:40 A1.29.208.155  137   <nameserver1>  53    UDP  6     366
> 09:26:45 A1.29.208.155  137   <nameserver2>  53    UDP  6     366
> 09:26:49 A1.29.208.155  137   A1.29.241.245  137   UDP  3     234
>
> 09:27:00 A1.29.208.155  1103  A2.242.13.97   524   TCP  3     144
> 09:27:10 A1.29.208.155  1104  A2.242.13.97   524   TCP  3     144
> 09:27:21 A1.29.208.155  1105  A2.242.13.97   524   TCP  3     144
>
> This is a new pattern to us. Has anybody seen anything like it?
>
> --Mike
>
> -----------------------------------------
> Michael Janke
> Director, Network Services
> Minnesota State Colleges and Universities
> -----------------------------------------
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
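Added example, not part of the original thread: a small Python check for the pattern described in the quoted message, i.e. repeated TCP flows to port 524 at regular intervals followed by a Netbios (UDP 137) flow to the same target. The function names, the 8-column record layout and the 60-second follow-up window are assumptions; the sample records are copied from the quoted Netflow excerpt.

```python
from collections import defaultdict
from datetime import datetime

# Records copied from the quoted Netflow excerpt (anonymised addresses as posted).
SAMPLE = """\
09:24:18 A1.29.208.155 1088 A1.29.237.94 524 TCP 3 144
09:24:28 A1.29.208.155 1089 A1.29.237.94 524 TCP 3 144
09:24:39 A1.29.208.155 1090 A1.29.237.94 524 TCP 3 144
09:24:52 A1.29.208.155 137 <nameserver1> 53 UDP 6 360
09:25:01 A1.29.208.155 137 A1.29.237.94 137 UDP 3 234
09:27:00 A1.29.208.155 1103 A2.242.13.97 524 TCP 3 144
09:27:10 A1.29.208.155 1104 A2.242.13.97 524 TCP 3 144
09:27:21 A1.29.208.155 1105 A2.242.13.97 524 TCP 3 144
"""

def parse(text):
    """Yield one dict per flow line; skip blank or malformed lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        yield {"t": datetime.strptime(f[0], "%H:%M:%S"), "src": f[1],
               "sport": int(f[2]), "dst": f[3], "dport": int(f[4]),
               "proto": f[5], "pkts": int(f[6]), "octets": int(f[7])}

def find_probe_bursts(flows, port=524, min_probes=3, followup_s=60):
    """Report (src, dst) pairs with >= min_probes TCP flows to `port`, the gaps
    between them, and whether a UDP 137 flow to the same target followed."""
    probes, netbios = defaultdict(list), defaultdict(list)
    for fl in flows:
        key = (fl["src"], fl["dst"])
        if fl["proto"] == "TCP" and fl["dport"] == port:
            probes[key].append(fl["t"])
        elif fl["proto"] == "UDP" and fl["dport"] == 137:
            netbios[key].append(fl["t"])
    hits = []
    for key, times in probes.items():
        if len(times) < min_probes:
            continue
        times.sort()
        gaps = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
        follow = any(0 <= (n - times[-1]).total_seconds() <= followup_s
                     for n in netbios[key])
        hits.append({"src": key[0], "dst": key[1], "probes": len(times),
                     "gaps_s": gaps, "netbios_followup": follow})
    return hits

if __name__ == "__main__":
    print(find_probe_bursts(parse(SAMPLE)))
```

Timestamps carry no date, so the check assumes all records fall within one day; a source that reports many targets with near-identical gaps_s is the regular timing the quoted message describes.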