[Snort-users] port 515

Jason Boyer jason at ...418...
Wed Apr 4 00:21:29 EDT 2001


http://www.sans.org/y2k/adore.htm

I have seen over 6000+ in the last 3 days.

Seems we are not alone. The joys of auto scanning script kiddie tools.

Cheers,
J

"shawn . moyer" wrote:

> "Ball, Darryl" wrote:
>
> > Over the past 24 hours SNORT has indicated that I have received 1000
> > overflow-noop-x86 attempts. Here is the packet data.  Any ideas what's
> > running here?
>
> >  [**] OVERFLOW-NOOP-X86 [**]
> > 04/03-04:27:46.244348 211.243.70.143:1026 -> xxx.xxx.xxx.xxx:515
> > TCP TTL:49 TOS:0x0 ID:32958  DF
> > *****PA* Seq: 0xF07D1843   Ack: 0x8A2B001   Win: 0x7D78
> > BBD...E...F...G...XXXXXXXXXXXXXXXXXXsecu%300$n%.184u%301$n%.254u
> > %302$n%.192u%303$n..............................................
> > ................................................................
> > ................................................................
> > ..........................1.1.1..F....1..f..1...C.].C.].K.M..M..
> > .1..E.Cf.].f.E..'.M..E..E..E.....M.....CC....C....1..?......A...
> > .^.u.1..F..E......M..U......../bin/sh.
> > =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
>
> My personal guess would be the Ramen worm, or some other automated
> attack -- If it's the same IP and it keeps hitting you, it's probably
> finding the port open and trying an LPD exploit, possibly failing and
> then trying again. Any reason why you're listening to the world on port
> 515?
>
> The netblock doesn't surprise me either -- I'm seeing a *ton* of stuff
> from KRNic IPs. In fact, checking my logs, I've got 277 alerts from
> 211.x.x.x netblocks right now.
>
> --shawn
>
> --
>
> s h a w n   m o y e r
> shawn at ...1184...
>
> "Nuclear war would really set back cable."
>                              -- Ted Turner
>
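
As an added example (not part of the original thread and not Snort's own code): a small Python triage script that parses alerts in the layout quoted above, flags payloads sent to port 515 that contain `%N$n` format-string write specifiers like those visible in the dump, and counts them per source. The sample log, its addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the quoted alert's layout (documentation-range IPs).
SAMPLE = """\
[**] OVERFLOW-NOOP-X86 [**]
04/03-04:27:46.244348 192.0.2.10:1026 -> 198.51.100.5:515
TCP TTL:49 TOS:0x0 ID:32958  DF
*****PA* Seq: 0xF07D1843   Ack: 0x8A2B001   Win: 0x7D78
BBD...XXXXsecu%300$n%.184u%301$n%.254u
%302$n%.192u%303$n............/bin/sh.
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] OVERFLOW-NOOP-X86 [**]
04/03-04:29:02.100001 192.0.2.10:1031 -> 198.51.100.5:515
TCP TTL:49 TOS:0x0 ID:33010  DF
*****PA* Seq: 0xF07D9999   Ack: 0x8A2B777   Win: 0x7D78
BBD...XXXXsecu%300$n%.184u%301$n
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
[**] OVERFLOW-NOOP-X86 [**]
04/03-05:00:00.000001 192.0.2.77:4000 -> 198.51.100.5:21
TCP TTL:52 TOS:0x0 ID:100  DF
*****PA* Seq: 0x1   Ack: 0x2   Win: 0x7D78
................................
=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
"""

HEADER = re.compile(r"^\[\*\*\] (.+?) \[\*\*\]$")
FLOW = re.compile(r"^\S+ (\d+\.\d+\.\d+\.\d+):(\d+) -> (\S+):(\d+)$")
FMT_WRITE = re.compile(r"%\d+\$n")   # direct-parameter %n write specifier

def parse_alerts(text):
    """Split a Snort alert log into dicts: rule, src, dport, payload."""
    alerts, cur = [], None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            cur = {"rule": m.group(1), "src": None, "dport": None, "payload": ""}
        elif cur and line.startswith("=+=+"):       # separator ends the alert
            alerts.append(cur)
            cur = None
        elif cur and cur["src"] is None and (m := FLOW.match(line)):
            cur["src"], cur["dport"] = m.group(1), int(m.group(4))
        elif cur and cur["src"] and not line.startswith(("TCP ", "*")):
            cur["payload"] += line                  # rejoin wrapped payload lines
    return alerts

def lpd_format_string_sources(text, port=515):
    """Count alerts per source whose payload to `port` holds %N$n writes."""
    return Counter(a["src"] for a in parse_alerts(text)
                   if a["dport"] == port and FMT_WRITE.search(a["payload"]))
```

A source that keeps reappearing in this count against a host that has no reason to expose LPD is the repeated automated probing described in the replies above.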




