[Snort-users] port 515

Fyodor fygrave at ...121...
Tue Apr 3 09:33:57 EDT 2001


On Tue, Apr 03, 2001 at 01:08:40PM -0000, Ball, Darryl wrote:
> Over the past 24 hours SNORT has indicated that I have received 1000
> overflow-noop-x86 attempts. Here is the packet data.  Any ideas what's
> running here? 
> 
>  [**] OVERFLOW-NOOP-X86 [**]
> 04/03-04:27:46.244348 211.243.70.143:1026 -> xxx.xxx.xxx.xxx:515
> TCP TTL:49 TOS:0x0 ID:32958  DF
> *****PA* Seq: 0xF07D1843   Ack: 0x8A2B001   Win: 0x7D78
> BBD...E...F...G...XXXXXXXXXXXXXXXXXXsecu%300$n%.184u%301$n%.254u
> %302$n%.192u%303$n..............................................

Smells like someone is trying to exploit a format-string vulnerability
in the Linux lpd daemon. Are you running a vulnerable version? :) (the vulnerability
was on Bugtraq quite a while ago :))
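
An added example, not part of the original thread: a small Python check that picks out the `%N$n` positional write directives and `%.Nu` padding visible in the alert payload above, which is what marks the packet as a format-string attempt rather than a plain overflow. The function name and the benign sample are assumptions; `SAMPLE` is the printable portion of the payload as Snort rendered it.

```python
import re

# %<index>$n, optionally with an h/hh/l length modifier: a positional
# write directive. Printer-job control data has no reason to carry one.
WRITE_RE = re.compile(rb"%(\d+)\$(?:hh|h|l)?n")
# %.<width>u or %<width>u (also d/x): padding that sets the output
# byte count before each write.
PAD_RE = re.compile(rb"%\.?(\d+)[udx]")


def analyze_payload(payload: bytes) -> dict:
    """Summarise format-string indicators found in a raw TCP payload."""
    writes = [int(m.group(1)) for m in WRITE_RE.finditer(payload)]
    pads = [int(m.group(1)) for m in PAD_RE.finditer(payload)]
    # Writes through consecutive argument slots are typical of a value
    # being assembled piece by piece at adjacent addresses.
    consecutive = len(writes) > 1 and all(
        b - a == 1 for a, b in zip(writes, writes[1:])
    )
    return {
        "write_directives": writes,
        "pad_widths": pads,
        "consecutive_args": consecutive,
        "suspicious": bool(writes),
    }


# Printable part of the payload exactly as shown in the alert above.
SAMPLE = (
    b"BBD...E...F...G...XXXXXXXXXXXXXXXXXXsecu%300$n%.184u%301$n%.254u"
    b"%302$n%.192u%303$n"
)
# Constructed benign input: an LPD "receive a printer job" command
# (RFC 1179) for a queue named "lp".
BENIGN = b"\x02lp\n"

if __name__ == "__main__":
    for name, data in (("alert payload", SAMPLE), ("benign lpd command", BENIGN)):
        print(name, analyze_payload(data))
```
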



