[Snort-users] Suspicious DNS query, et al.

Fernando Cardoso fernando.cardoso at ...965...
Tue Apr 3 13:42:08 EDT 2001


[...]
> Ports attacked have been 53 ( DNS ), 111 ( rpcbind ), 515 ( line
> printer ), 21 ( FTP ), and 3879 ( ??? ).  The source machines appear
> to have been located in Korea, China, Japan, the Philippines, Hong
> Kong, and Australia.  In this country, Arizona State University
> appears to have been a source.

Port 3879 seems to be almost a standard for Linux exploits. All of them make
use of lammys bind shell code which binds a shell to that port. Didn't
check, but I guess you can find it at www.hack.co.za.

Things seem to be calm round here. Only one scan for sunrpc and a couple
searching for trojans (Deep Throat and Subseven)...

Cheers

Fernando

--
Fernando Cardoso - Security Consultant       WhatEverNet Computing, S.A.
Phone : +351 21 7994200                      Praca de Alvalade, 6 - Piso 6
Fax   : +351 21 7994242                      1700-036 Lisboa - Portugal
email : fernando.cardoso at ...965...     http://www.whatevernet.com/
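
Added example, not part of the original message: one way to tell a successful compromise from a plain scan is to look for a connection to the bind-shell port (3879) on a host shortly after one of the service ports listed above was hit. The log format, the sample records and the 10-minute window are assumptions made for this sketch; input is expected in time order.

```python
import re

SERVICE_PORTS = {21, 53, 111, 515}  # services named in the quoted report
SHELL_PORT = 3879                   # bind-shell port named in the reply
WINDOW = 600                        # assumption: look-back window in seconds

# Assumed record format: "<epoch> <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(r"^(\d+) (\S+):(\d+) -> (\S+):(\d+)$")

# Constructed sample records (documentation addresses, not real traffic).
SAMPLE = """\
986319000 198.51.100.7:40112 -> 192.0.2.10:53
986319030 198.51.100.7:40115 -> 192.0.2.10:3879
986319100 203.0.113.9:51000 -> 192.0.2.20:111
986319200 203.0.113.50:3879 -> 192.0.2.30:80
986325000 198.51.100.8:41000 -> 192.0.2.20:3879
not a log line
"""

def find_followups(text, window=WINDOW):
    """Return (dst, src, service_port, delay) for every connection to
    SHELL_PORT that follows a hit on a service port of the same
    destination within `window` seconds."""
    last_probe = {}  # dst -> (time, port) of the most recent service hit
    hits = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip malformed records
        ts, src, _sport, dst, dport = m.groups()
        ts, dport = int(ts), int(dport)
        if dport in SERVICE_PORTS:
            last_probe[dst] = (ts, dport)
        elif dport == SHELL_PORT and dst in last_probe:
            # Keyed on destination only: the shell may be reached from a
            # different source address than the one that hit the service.
            t0, port = last_probe[dst]
            if 0 <= ts - t0 <= window:
                hits.append((dst, src, port, ts - t0))
    return hits

if __name__ == "__main__":
    for dst, src, port, delay in find_followups(SAMPLE):
        print(f"{dst}: port {port} hit, then {src} -> {SHELL_PORT} after {delay}s")
```

A match means the target accepted traffic on 3879 after a service hit and should be checked for a listener on that port; traffic that merely uses 3879 as a source port is ignored.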


