Hey All;
 
Twice in the last three days I've had boxen hitting port 500:
 
Nov 15 12:21:05 linux1 kernel: Packet log: input DENY eth1 PROTO=17 216.148.246.6:500 64.217.160.145:500 L=740 S=0x00 I=54366 F=0x0000 T=111 (#37)
Nov 15 12:21:06 linux1 kernel: Packet log: input DENY eth1 PROTO=17 216.148.246.6:500 64.217.160.145:500 L=740 S=0x00 I=54537 F=0x0000 T=111 (#37)
Nov 15 12:21:08 linux1 kernel: Packet log: input DENY eth1 PROTO=17 216.148.246.6:500 64.217.160.145:500 L=740 S=0x00 I=54858 F=0x0000 T=111 (#37)
Nov 15 12:21:08 linux1 kernel: Packet log: input DENY eth1 PROTO=17 216.148.246.9:500 64.217.160.145:500 L=772 S=0x00 I=19585 F=0x0000 T=111 (#37)
Nov 15 12:21:08 linux1 kernel: Packet log: input DENY eth1 PROTO=17 216.148.246.7:500 64.217.160.145:500 L=772 S=0x00 I=48247 F=0x0000 T=111 (#37)
Nov 15 12:21:12 linux1 kernel: Packet log: input DENY eth1 PROTO=17 216.148.246.6:500 64.217.160.145:500 L=740 S=0x00 I=55812 F=0x0000 T=111 (#37)
Nov 15 12:21:21 linux1 kernel: Packet log: input DENY eth1 PROTO=17 216.148.246.6:500 64.217.160.145:500 L=740 S=0x00 I=57220 F=0x0000 T=111 (#37)
Nov 15 12:21:27 linux1 kernel: Packet log: input DENY eth1 PROTO=17 216.148.246.9:500 64.217.160.145:500 L=772 S=0x00 I=32789 F=0x0000 T=111 (#37)
Nov 15 12:21:27 linux1 kernel: Packet log: input DENY eth1 PROTO=17 216.148.246.9:500 64.217.160.145:500 L=84 S=0x00 I=33643 F=0x0000 T=111 (#37)
Nov 15 12:21:37 linux1 kernel: Packet log: input DENY eth1 PROTO=17 216.148.246.7:500 64.217.160.145:500 L=772 S=0x00 I=61855 F=0x0000 T=111 (#37)
Nov 15 12:21:39 linux1 kernel: Packet log: input DENY eth1 PROTO=17 216.148.246.6:500 64.217.160.145:500 L=740 S=0x00 I=60744 F=0x0000 T=111 (#37)
Nov 15 12:22:13 linux1 kernel: Packet log: input DENY eth1 PROTO=17 216.148.246.6:500 64.217.160.145:500 L=84 S=0x00 I=4181 F=0x0000 T=111 (#37)

Nov 17 00:23:44 linux1 kernel: Packet log: input DENY eth1 PROTO=17 193.45.3.199:500 64.217.160.145:500 L=740 S=0x00 I=48647 F=0x0000 T=111 (#37)
Nov 17 00:23:45 linux1 kernel: Packet log: input DENY eth1 PROTO=17 193.45.3.199:500 64.217.160.145:500 L=740 S=0x00 I=48792 F=0x0000 T=111 (#37)
Nov 17 00:23:47 linux1 kernel: Packet log: input DENY eth1 PROTO=17 193.45.3.199:500 64.217.160.145:500 L=740 S=0x00 I=49098 F=0x0000 T=111 (#37)
Nov 17 00:23:52 linux1 kernel: Packet log: input DENY eth1 PROTO=17 193.45.3.199:500 64.217.160.145:500 L=740 S=0x00 I=49718 F=0x0000 T=111 (#37)
Nov 17 00:24:00 linux1 kernel: Packet log: input DENY eth1 PROTO=17 193.45.3.199:500 64.217.160.145:500 L=740 S=0x00 I=51005 F=0x0000 T=111 (#37)
Nov 17 00:24:17 linux1 kernel: Packet log: input DENY eth1 PROTO=17 193.45.3.199:500 64.217.160.145:500 L=740 S=0x00 I=53899 F=0x0000 T=111 (#37)
Nov 17 00:24:51 linux1 kernel: Packet log: input DENY eth1 PROTO=17 193.45.3.199:500 64.217.160.145:500 L=84 S=0x00 I=59414 F=0x0000 T=111 (#37)
 
I know that port 500 is for ISAKMP, but I haven't seen any alerts on cert.org or sans.org. Is this a new exploit?
 
Anyone else seeing this kind of activity?
 
Kevin Holmquist
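An added example (not from the post or the list) for triaging log lines like the ones above: it parses the ipchains "Packet log" format, groups hits per source/destination/port flow, and reports packet count, packet sizes and the seconds between hits, since a single peer retrying an IKE negotiation shows one source port and widening gaps while a scan walking hosts or ports does not. The sample is the Nov 17 block from the post; the year is absent from syslog timestamps and only time differences are used.

```python
import re
from collections import defaultdict
from datetime import datetime

# ipchains "Packet log" layout (2.2-era kernel); trailing S=/I=/F=/T= fields are ignored.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+kernel: Packet log: "
    r"(?P<chain>\S+)\s+(?P<action>\S+)\s+(?P<iface>\S+)\s+PROTO=(?P<proto>\d+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s+L=(?P<length>\d+)"
)

# Sample lines copied from the Nov 17 block of the post.
SAMPLE = """\
Nov 17 00:23:44 linux1 kernel: Packet log: input DENY eth1 PROTO=17 193.45.3.199:500 64.217.160.145:500 L=740 S=0x00 I=48647 F=0x0000 T=111 (#37)
Nov 17 00:23:45 linux1 kernel: Packet log: input DENY eth1 PROTO=17 193.45.3.199:500 64.217.160.145:500 L=740 S=0x00 I=48792 F=0x0000 T=111 (#37)
Nov 17 00:23:47 linux1 kernel: Packet log: input DENY eth1 PROTO=17 193.45.3.199:500 64.217.160.145:500 L=740 S=0x00 I=49098 F=0x0000 T=111 (#37)
Nov 17 00:23:52 linux1 kernel: Packet log: input DENY eth1 PROTO=17 193.45.3.199:500 64.217.160.145:500 L=740 S=0x00 I=49718 F=0x0000 T=111 (#37)
Nov 17 00:24:00 linux1 kernel: Packet log: input DENY eth1 PROTO=17 193.45.3.199:500 64.217.160.145:500 L=740 S=0x00 I=51005 F=0x0000 T=111 (#37)
Nov 17 00:24:17 linux1 kernel: Packet log: input DENY eth1 PROTO=17 193.45.3.199:500 64.217.160.145:500 L=740 S=0x00 I=53899 F=0x0000 T=111 (#37)
Nov 17 00:24:51 linux1 kernel: Packet log: input DENY eth1 PROTO=17 193.45.3.199:500 64.217.160.145:500 L=84 S=0x00 I=59414 F=0x0000 T=111 (#37)
"""

def parse(text):
    """Yield one dict per parseable line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # no year in syslog
        for k in ("proto", "sport", "dport", "length"):
            ev[k] = int(ev[k])
        yield ev

def summarize(text):
    """Per (src, dst, dport): count, distinct sizes, gaps in seconds, and whether gaps widen."""
    flows = defaultdict(list)
    for ev in parse(text):
        flows[(ev["src"], ev["dst"], ev["dport"])].append(ev)
    out = {}
    for key, evs in flows.items():
        evs.sort(key=lambda e: e["ts"])
        gaps = [int((b["ts"] - a["ts"]).total_seconds()) for a, b in zip(evs, evs[1:])]
        out[key] = {
            "count": len(evs),
            "udp_isakmp": all(e["proto"] == 17 and e["sport"] == 500 == e["dport"] for e in evs),
            "sizes": sorted({e["length"] for e in evs}),
            "gaps": gaps,
            # non-decreasing gaps from one source port look like a retrying IKE peer, not a sweep
            "backoff": len(gaps) > 1 and all(b >= a for a, b in zip(gaps, gaps[1:])),
        }
    return out
```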
