[Snort-users] port 515

shawn . moyer shawn at ...1184...
Tue Apr 3 12:26:11 EDT 2001


"Ball, Darryl" wrote:
 
> Over the past 24 hours SNORT has indicated that I have received 1000
> overflow-noop-x86 attempts. Here is the packet data.  Any ideas what's
> running here?
 
>  [**] OVERFLOW-NOOP-X86 [**]
> 04/03-04:27:46.244348 211.243.70.143:1026 -> xxx.xxx.xxx.xxx:515
> TCP TTL:49 TOS:0x0 ID:32958  DF
> *****PA* Seq: 0xF07D1843   Ack: 0x8A2B001   Win: 0x7D78
> BBD...E...F...G...XXXXXXXXXXXXXXXXXXsecu%300$n%.184u%301$n%.254u
> %302$n%.192u%303$n..............................................
> ................................................................
> ................................................................
> ..........................1.1.1..F....1..f..1...C.].C.].K.M..M..
> .1..E.Cf.].f.E..'.M..E..E..E.....M.....CC....C....1..?......A...
> .^.u.1..F..E......M..U......../bin/sh.
> =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+


My personal guess would be the Ramen worm, or some other automated
attack -- If it's the same IP and it keeps hitting you, it's probably
finding the port open and trying an LPD exploit, possibly failing and
then trying again. Any reason why you're listening to the world on port
515?

The netblock doesn't surprise me either -- I'm seeing a *ton* of stuff
from KRNic IP's. In fact, checking my logs, I've got 277 alerts from
211.x.x.x netblocks right now.


--shawn

-- 

s h a w n   m o y e r
shawn at ...1184...

"Nuclear war would really set back cable."
	                     -- Ted Turner
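As an added example that is not part of the thread, here is a small Python script that parses Snort alerts in the format quoted above and tallies them by source netblock, by signature and destination port, and by repeating source/destination pairs, the kind of counts shawn describes pulling from his logs. The alert lines are constructed for the example; only the 211.x.x.x -> port 515 pattern mirrors the report.

```python
import re
from collections import Counter

# Constructed Snort alerts in the format quoted in the thread; addresses
# are made up, only the 211.x.x.x -> port 515 pattern mirrors the report.
SAMPLE_ALERTS = """\
[**] OVERFLOW-NOOP-X86 [**]
04/03-04:27:46.244348 211.243.70.143:1026 -> 10.0.0.5:515
[**] OVERFLOW-NOOP-X86 [**]
04/03-04:27:51.101100 211.243.70.143:1027 -> 10.0.0.5:515
[**] OVERFLOW-NOOP-X86 [**]
04/03-05:12:03.000001 211.58.2.9:2048 -> 10.0.0.5:515
[**] SCAN Proxy attempt [**]
04/03-06:00:00.000000 198.51.100.7:4444 -> 10.0.0.5:8080
"""

SIG_RE = re.compile(r"^\[\*\*\] (.+?) \[\*\*\]$")
ADDR_RE = re.compile(r"^\S+ (\d+(?:\.\d+){3}):(\d+) -> (\d+(?:\.\d+){3}):(\d+)$")

def parse_alerts(text):
    """Yield (signature, src_ip, src_port, dst_ip, dst_port) per alert."""
    sig = None
    for line in text.splitlines():
        m = SIG_RE.match(line)
        if m:
            sig = m.group(1)  # signature line precedes its address line
            continue
        m = ADDR_RE.match(line)
        if m and sig is not None:
            src, sport, dst, dport = m.groups()
            yield sig, src, int(sport), dst, int(dport)
            sig = None

def summarize(text):
    """Count alerts per source /8, per (signature, dst port), per src->dst:port."""
    by_netblock = Counter()
    by_sig_port = Counter()
    repeats = Counter()  # same source hammering the same exposed service
    for sig, src, _, dst, dport in parse_alerts(text):
        by_netblock[src.split(".")[0] + ".x.x.x"] += 1
        by_sig_port[(sig, dport)] += 1
        repeats[(src, dst, dport)] += 1
    return by_netblock, by_sig_port, repeats

if __name__ == "__main__":
    nets, sigs, reps = summarize(SAMPLE_ALERTS)
    print(nets.most_common())
    print(sigs.most_common())
    print([k for k, v in reps.items() if v > 1])
```

A repeated (src, dst, port) entry with the same overflow signature is the pattern the reply describes: one host finding port 515 open and retrying the same exploit.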



