I threw up a quick rule on snort to monitor probes on port 389 because I
have been seeing entries in /var/log/messages on some boxes that I am
responsible for. This morning we had a probe that hit 26205 different
IPs on that port in about 7 minutes (SYN scan only - no payload.) The
source IP was a mailserver in England. (They've been notified.)
Shortly afterwards we had a probe from one IP to one IP. The source IP
is a Sprint PCS address. The dest IP is one of our Win2k3 DCs.
I looked at the Internet Storm Center, and port 389 probes aren't
showing up there. I checked SecurityFocus for any LDAP exploits, and
the most recent one is the Ipswitch LDAP daemon overflow. I checked for
Active Directory exploits and the most recent one is back in July of
last year.
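For reference, the kind of Snort rule that would flag the two probe patterns described above (a fast SYN sweep of many hosts and a single-source, single-destination SYN to port 389). This is an added example, not the rule the poster wrote, and it assumes Snort 2.9.x syntax (detection_filter requires 2.8.5 or later); the sid values and $HOME_NET/$EXTERNAL_NET variables are placeholders from the default snort.conf.

```snort
# Added example, not from the original post. Assumes Snort 2.9.x.
# Rule 1: any bare SYN from outside to port 389 on our network.
# flow:stateless makes it fire on the handshake packet itself, before a
# session exists, which is what a SYN-only scan looks like.
alert tcp $EXTERNAL_NET any -> $HOME_NET 389 ( \
    msg:"RECON LDAP SYN probe to port 389"; \
    flow:stateless; flags:S; \
    classtype:attempted-recon; sid:1000389; rev:1; )

# Rule 2: a sweep. detection_filter suppresses the alert until one source
# has sent 20 SYNs to port 389 inside 60 seconds, so a single legitimate
# client retry does not trip it but a 26,000-host sweep does immediately.
alert tcp $EXTERNAL_NET any -> $HOME_NET 389 ( \
    msg:"RECON LDAP port 389 SYN sweep (>=20 hosts/60s from one source)"; \
    flow:stateless; flags:S; \
    detection_filter:track by_src, count 20, seconds 60; \
    classtype:attempted-recon; sid:1000390; rev:1; )
```

Rule 1 will also match every normal directory client that lives outside $HOME_NET, so it is only useful if your DCs are not supposed to be reachable from the Internet at all; if remote offices or partners do bind to the DC over 389, add their ranges to a pass list or drop rule 1 and keep only the sweep rule. The sweep rule is the one that would have caught the English mail server; the single Sprint PCS hit to one DC would only show up under rule 1.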