Could be the Nimda virus; have you scanned the machines in question?
--- Michael Janke <[EMAIL PROTECTED]> wrote:
> We've been seeing an increasing number of probes on port 524
> starting about a week ago.
> 
> The probes appear to be coming from ordinary PCs, both internal and
> external to our network. The probes follow a regular pattern of 3
> probes followed by DNS and Netbios lookups. The probes appear to
> scan their own class 'A' and 'B' more often than other networks,
> but will jump randomly a percentage of the time. The time between
> packets and the packet lengths are very consistent across many
> scans.
> 
> Port 524 is normally used for Netware 5.x file services, but has
> also been associated with an old Linux vulnerability.
> 
> I've isolated a single scan using Netflow data.
> 
> Time     SrcIPaddre     SrcP  DstIPaddress   DstP Pr   Pkts Octets
> 
> 09:24:18 A1.29.208.155  1088  A1.29.237.94   524  TCP  3    144
> 09:24:28 A1.29.208.155  1089  A1.29.237.94   524  TCP  3    144
> 09:24:39 A1.29.208.155  1090  A1.29.237.94   524  TCP  3    144
> 09:24:52 A1.29.208.155  137   <nameserver1>  53   UDP  6    360
> 09:24:57 A1.29.208.155  137   <nameserver2>  53   UDP  6    360
> 09:25:01 A1.29.208.155  137   A1.29.237.94   137  UDP  3    234
> 
> 09:25:12 A1.29.208.155  1093  A1.201.92.88   524  TCP  3    144
> 09:25:22 A1.29.208.155  1094  A1.201.92.88   524  TCP  3    144
> 09:25:33 A1.29.208.155  1095  A1.201.92.88   524  TCP  3    144
> 09:25:46 A1.29.208.155  137   <nameserver1>  53   UDP  6    360
> 09:25:51 A1.29.208.155  137   <nameserver2>  53   UDP  6    360
> 09:25:55 A1.29.208.155  137   A1.201.92.88   137  UDP  3    234
> 
> 09:26:06 A1.29.208.155  1098  A1.29.241.245  524  TCP  3    144
> 09:26:16 A1.29.208.155  1099  A1.29.241.245  524  TCP  3    144
> 09:26:27 A1.29.208.155  1100  A1.29.241.245  524  TCP  3    144
> 09:26:40 A1.29.208.155  137   <nameserver1>  53   UDP  6    366
> 09:26:45 A1.29.208.155  137   <nameserver2>  53   UDP  6    366
> 09:26:49 A1.29.208.155  137   A1.29.241.245  137  UDP  3    234
> 
> 09:27:00 A1.29.208.155  1103  A2.242.13.97   524  TCP  3    144
> 09:27:10 A1.29.208.155  1104  A2.242.13.97   524  TCP  3    144
> 09:27:21 A1.29.208.155  1105  A2.242.13.97   524  TCP  3    144
> 
> This is a new pattern to us. Has anybody seen anything like it?
> 
> --Mike
> 
> -----------------------------------------
> Michael Janke
> Director, Network Services
> Minnesota State Colleges and Universities
> -----------------------------------------
> 
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls


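The pattern described in the quoted post (three small TCP/524 flows to one host, then a NetBIOS lookup of that same host, repeated against further hosts) can be matched mechanically in flow exports. The following is an added example, not code from either message; the sample flows are constructed with documentation-range addresses, and the function names and thresholds (3 probes, 60-second window, 2 targets) are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed flows in the post's column order:
# Time SrcIP SrcPort DstIP DstPort Proto Pkts Octets
# Addresses are documentation-range placeholders, not hosts from the thread.
SAMPLE = """\
09:24:18 192.0.2.155 1088 198.51.100.94 524 TCP 3 144
09:24:28 192.0.2.155 1089 198.51.100.94 524 TCP 3 144
09:24:39 192.0.2.155 1090 198.51.100.94 524 TCP 3 144
09:24:52 192.0.2.155 137 203.0.113.53 53 UDP 6 360
09:25:01 192.0.2.155 137 198.51.100.94 137 UDP 3 234
09:25:12 192.0.2.155 1093 198.51.100.88 524 TCP 3 144
09:25:22 192.0.2.155 1094 198.51.100.88 524 TCP 3 144
09:25:33 192.0.2.155 1095 198.51.100.88 524 TCP 3 144
09:25:55 192.0.2.155 137 198.51.100.88 137 UDP 3 234
09:30:00 192.0.2.20 40000 198.51.100.10 524 TCP 42 9000
"""

def parse(text):
    """Yield one dict per 8-column flow line; skip headers and blank lines."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or not f[6].isdigit():
            continue
        yield {"t": datetime.strptime(f[0], "%H:%M:%S"), "src": f[1],
               "dst": f[3], "dport": int(f[4]), "proto": f[5], "pkts": int(f[6])}

def find_scanners(flows, probes=3, window=60, min_targets=2):
    """Return {src: [dst, ...]} for sources that sent `probes` small TCP/524
    flows to a host and a NetBIOS (UDP/137) lookup to it within `window`
    seconds, for at least `min_targets` hosts. Thresholds are assumptions."""
    probe_times = defaultdict(list)  # (src, dst) -> times of TCP/524 probes
    hits = defaultdict(set)          # src -> dsts that completed the pattern
    for fl in sorted(flows, key=lambda r: r["t"]):
        key = (fl["src"], fl["dst"])
        if fl["proto"] == "TCP" and fl["dport"] == 524 and fl["pkts"] <= 3:
            probe_times[key].append(fl["t"])
        elif fl["proto"] == "UDP" and fl["dport"] == 137:
            recent = [t for t in probe_times[key]
                      if (fl["t"] - t).total_seconds() <= window]
            if len(recent) >= probes:
                hits[fl["src"]].add(fl["dst"])
    return {s: sorted(d) for s, d in hits.items() if len(d) >= min_targets}

if __name__ == "__main__":
    for src, targets in find_scanners(parse(SAMPLE)).items():
        print(src, "matched the probe pattern against", ", ".join(targets))
```

The last constructed line is an ordinary NetWare client session (many packets, no NetBIOS follow-up) and is not reported. Timestamps carry no date, so a capture that crosses midnight needs to be split first.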