I threw up a quick rule on snort to monitor probes on port 389 because I have been seeing entries in /var/log/messages on some boxes that I am responsible for. This morning we had a probe that hit 26205 different IPs on that port in about 7 minutes (SYN scan only - no payload.) The source IP was a mailserver in England. (They've been notified.)
Shortly afterwards we had a probe from one IP to one IP. The source IP is a Sprint PCS address. The dest IP is one of our Win2k3 DCs. I looked at the Internet Storm Center, and port 389 probes aren't showing up there. I checked Securityfocus for any LDAP exploits, and the most recent one is the Ipswitch LDAP daemon overflow. I checked for Active Directory exploits and the most recent one is back in July of last year. I suspect this could be probes for Ipswitch Imail servers, but the focused probe to one DC makes me wonder if this might be something else.

Is anyone else seeing SYN scans on port 389? Is anyone aware of any recent exploits for Active Directory? Perhaps using the ASN.1 overflow?

Paul Schmehl ([EMAIL PROTECTED])
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
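The two patterns described in the post (one source SYN-probing thousands of hosts on 389 in a few minutes versus one source repeatedly hitting a single DC) can be told apart from connection logs alone. The following is an added example, not the poster's Snort rule or log format: it assumes a constructed syslog-like line format of the form `DATE TIME SRC -> DST:PORT FLAGS` and classifies each source by the number of distinct port-389 destinations it reaches inside a time window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format, RFC 5737 test addresses).
SAMPLE_LOG = """\
2004-03-09 07:01:02 198.51.100.7 -> 203.0.113.10:389 S
2004-03-09 07:01:03 198.51.100.7 -> 203.0.113.11:389 S
2004-03-09 07:01:03 198.51.100.7 -> 203.0.113.12:389 S
2004-03-09 07:01:04 198.51.100.7 -> 203.0.113.13:389 S
2004-03-09 07:15:30 192.0.2.44 -> 203.0.113.5:389 S
2004-03-09 07:16:00 192.0.2.44 -> 203.0.113.5:389 S
2004-03-09 07:20:00 192.0.2.99 -> 203.0.113.5:25 S
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+) (\S+)$")


def classify_sources(log_text, port=389, min_targets=3, window=timedelta(minutes=10)):
    """Return {src: (label, max distinct destinations within `window`)}.

    Only SYN-only packets ("S" flags) to `port` are considered, matching the
    "SYN scan only - no payload" observation in the post.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not match the assumed format
        ts, src, dst, dport, flags = m.groups()
        if int(dport) != port or flags != "S":
            continue
        events[src].append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), dst))

    result = {}
    for src, evs in events.items():
        evs.sort()
        best = 0  # largest set of distinct targets seen inside any window
        for i, (t0, _) in enumerate(evs):
            dsts = {d for t, d in evs[i:] if t - t0 <= window}
            best = max(best, len(dsts))
        if best >= min_targets:
            label = "horizontal scan"   # one source sweeping many hosts
        elif len({d for _, d in evs}) == 1:
            label = "focused probe"     # one source, one destination
        else:
            label = "low-rate"
        result[src] = (label, best)
    return result
```

Tuning `min_targets` and `window` to the site's normal LDAP client fan-out keeps legitimate replication and client traffic between DCs from being flagged.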
