[Snort-users] RE: 515/tcp scans on the rise

Patrick Prue PatrickP at ...820...
Mon Nov 20 12:27:39 EST 2000

I had been showing a bunch of these scans also.
But upon further inspection it seems to be the looking for this
WinCom LPD Dos attack for some of the machines I have shown scans for.

-----Original Message-----
From: bel1 at ...358... [mailto:bel1 at ...358...]
Sent: Monday, November 20, 2000 12:15 PM
To: cec at ...68...; snort-users at lists.sourceforge.net; dr at ...381...
Subject: Re: [Snort-users] RE: 515/tcp scans on the rise

hi all

about 4 or 5 months ago there was a couple of printer 
buffer overflow reported for Solaris 2.6, 7 & 
I think 8, which required a printer server on
the network of the box to be exploited.  Named
lpset & netpr.  They give root priveledge.

I downloaded the c code and tested.  It works
against 2.6 with kernel patch levels less than
105181-21, and 2.7 below 106541-12.  Don't know
the patch level for 2.8 but if you have the latest
patch level you are safe from those 2 exploits.

They work by bouncing a packet off of the print 
server back to the system to be exploited.

Could be a new one tho.

Snort-users mailing list
Snort-users at lists.sourceforge.net

More information about the Snort-users mailing list