Lee Fisher McAfee
-Paul wrote-
I threw up a quick rule on snort to monitor probes on port 389 because I have been seeing entries in /var/log/messages on some boxes that I am responsible for. This morning we had a probe that hit 26205 different IPs on that port in about 7 minutes (SYN scan only - no payload.) The source IP was a mailserver in England. (They've been notified.)
Shortly afterwards we had a probe from one IP to one IP. The source IP is a Sprint PCS address. The dest IP is one of our Win2k3 DCs.
I looked at the Internet Storm Center, and port 389 probes aren't showing up there. I checked Securityfocus for any LDAP exploits, and the most recent one is the Ipswitch LDAP daemon overflow. I checked for Active Directory exploits and the most recent one is back in July of last year.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
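A small detector for the two patterns Paul describes (one external source SYN-probing port 389 on many hosts in a few minutes, and one external source probing a single domain controller), added here as an example; it is not Paul's Snort rule and not from the original thread. It assumes the /var/log/messages entries are iptables LOG-target lines (the post does not say what wrote them), uses constructed sample lines with documentation-range addresses, and treats the DC address and internal network as hypothetical parameters.

```python
"""Flag port-389 SYN probes in iptables-style syslog lines: wide horizontal scans
versus single-target probes of domain controllers.  Added example; the log lines
and every address below are constructed, not taken from the original post."""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime
from typing import NamedTuple, Optional

# Constructed iptables LOG-target lines (hypothetical format; the post only says the
# entries were in /var/log/messages).  The trailing "SYN" is the TCP flag token
# iptables emits, so a bare SYN with no ACK is a connection attempt, not a reply.
SAMPLE_LOG = """\
Feb 10 09:12:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44321 DPT=389 SYN
Feb 10 09:12:01 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=44322 DPT=389 SYN
Feb 10 09:12:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=44323 DPT=389 SYN
Feb 10 09:12:02 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.13 PROTO=TCP SPT=44324 DPT=389 SYN
Feb 10 09:12:03 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.14 PROTO=TCP SPT=44325 DPT=389 SYN
Feb 10 09:20:15 gw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.20 PROTO=TCP SPT=51000 DPT=389 SYN
Feb 10 09:21:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.20 PROTO=TCP SPT=51500 DPT=389 SYN
Feb 10 09:21:30 gw kernel: IN=eth0 OUT= SRC=203.0.113.99 DST=192.0.2.30 PROTO=TCP SPT=52000 DPT=80 SYN
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=TCP .*?DPT=(?P<dport>\d+)(?P<rest>.*)$"
)


class Event(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    syn: bool


class Finding(NamedTuple):
    src: str
    kind: str       # "horizontal_scan" or "targeted_dc_probe"
    targets: int    # distinct destinations involved
    seconds: float  # time span of the source's port-389 activity


def parse_line(line: str) -> Optional[Event]:
    """Parse one iptables-style syslog line; return None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog omits the year
    flags = m["rest"].split()
    return Event(ts, m["src"], m["dst"], int(m["dport"]), "SYN" in flags and "ACK" not in flags)


def detect_ldap_probes(log_text, dc_addrs, internal_nets=(), window_seconds=600, min_targets=3):
    """Group port-389 SYNs by external source and classify each source."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev.dport != 389 or not ev.syn:
            continue
        if any(ipaddress.ip_address(ev.src) in n for n in nets):
            continue  # domain members talk LDAP to DCs legitimately; watch outside sources only
        by_src[ev.src].append(ev)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e.ts)
        # Sliding window: the most distinct destinations this source hit within window_seconds.
        in_window, left, peak = Counter(), 0, 0
        for ev in evs:
            in_window[ev.dst] += 1
            while (ev.ts - evs[left].ts).total_seconds() > window_seconds:
                old = evs[left].dst
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            peak = max(peak, len(in_window))
        span = (evs[-1].ts - evs[0].ts).total_seconds()
        if peak >= min_targets:
            findings.append(Finding(src, "horizontal_scan", peak, span))
        else:
            dcs = {e.dst for e in evs if e.dst in dc_addrs}
            if dcs:  # few targets, but one of them is a domain controller
                findings.append(Finding(src, "targeted_dc_probe", len(dcs), span))
    return findings


if __name__ == "__main__":
    # Hypothetical DC address and internal network, both from documentation ranges.
    for f in detect_ldap_probes(SAMPLE_LOG, {"192.0.2.20"}, internal_nets=["192.0.2.0/24"]):
        print(f"{f.src}: {f.kind} ({f.targets} target(s) over {f.seconds:.0f}s)")
```

Two sources come out of the sample: the first is reported as a horizontal scan because it touched five hosts inside the window, the second as a targeted probe because its only destination is the DC. The internal client on the same DC and the port-80 line are dropped before classification. The window and target threshold are deliberately parameters; a real deployment would tune them against the volume the mail-server scan in the post shows (tens of thousands of hosts in a few minutes) so that ordinary LDAP referral traffic never trips the scan rule.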
