Re: [Full-Disclosure] Probes on port 389

From: John Sage (jsagefinchhaven.com)
Date: Tue Feb 24 2004 - 16:16:08 CST


Paul:

On Tue, Feb 24, 2004 at 11:06:50AM -0600, Schmehl, Paul L wrote:
> From: "Schmehl, Paul L" <paulsutdallas.edu>
> To: <intrusionsans.org>, <full-disclosurelists.netsys.com>
> Subject: [Full-Disclosure] Probes on port 389
> Date: Tue, 24 Feb 2004 11:06:50 -0600
>
> I threw up a quick rule on snort to monitor probes on port 389 because I
> have been seeing entries in /var/log/messages on some boxes that I am
> responsible for. This morning we had a probe that hit 26205 different
> IPs on that port in about 7 minutes (SYN scan only - no payload.) The
> source IP was a mailserver in England. (They've been notified.

Only two in the last 48+ hours:

ngrep_port: dst port 389, host 24.19.147.xxx in snort211.log-Feb.24.06:57
Generated 14:09:28 (TZ -08:00) 02/24/2004

input: snort211.log-Feb.24.06:57
filter: ip and ( host 24.19.147.xxx and dst port 389 )
#
T 2004/02/22 18:48:33.763939 217.218.252.195:3062 -> 24.19.147.xxx:389 [S]
exit

[jsagesparky /home] $ host 217.218.252.195
Host 195.252.218.217.in-addr.arpa not found: 3(NXDOMAIN)

ngrep_port: dst port 389, host 24.19.147.xxx in snort.log.1077636344
Generated 14:05:54 (TZ -08:00) 02/24/2004

input: snort.log.1077636344
filter: ip and ( host 24.19.147.xxx and dst port 389 )
#
T 2004/02/24 08:34:33.786569 66.60.194.153:3351 -> 24.19.147.xxx:389 [S]
exit

[jsagesparky /home] $ host 66.60.194.153
153.194.60.66.in-addr.arpa domain name pointer 66-60-194-153.newulmtel.net.

- John
--
"Mad cow? You'd be mad too, if someone was trying to eat you."

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
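As an added example (not code from John's or Paul's posts), a small Python parser for the ngrep summary lines shown above that flags a source whose port-389 SYNs reach many distinct destinations within a short window, the pattern Paul described (26205 IPs in about 7 minutes). The sample lines, the 192.0.2.77 sweeper and the 24.19.147.x targets are constructed; the threshold and window are assumptions to tune.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches ngrep summary lines as in the post, e.g.
# "T 2004/02/22 18:48:33.763939 217.218.252.195:3062 -> 24.19.147.10:389 [S]"
LINE_RE = re.compile(
    r"^T (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\.\d+ "
    r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+) \[(\w+)\]$"
)

def parse_ngrep(lines):
    """Yield (timestamp, src_ip, dst_ip, dst_port, flags) for each packet line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # 'input:', 'filter:', '#', 'exit' and blank lines are skipped
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        yield ts, m.group(2), m.group(3), int(m.group(4)), m.group(5)

def find_sweepers(lines, port=389, window=timedelta(minutes=7), threshold=3):
    """Return {src_ip: max_distinct_dsts} for sources whose SYN-only probes to
    `port` reach at least `threshold` distinct destinations inside any `window`."""
    events = defaultdict(list)  # src -> list of (ts, dst)
    for ts, src, dst, dport, flags in parse_ngrep(lines):
        if dport == port and flags == "S":  # SYN only, as in Paul's scan
            events[src].append((ts, dst))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        best, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window forward
                start += 1
            best = max(best, len({dst for _, dst in evs[start:end + 1]}))
        if best >= threshold:
            hits[src] = best
    return hits

# Constructed sample: the two lone probes from the post, one fast sweep of a
# /24 from a made-up source, and one non-SYN line that must be ignored.
SAMPLE = [
    "T 2004/02/22 18:48:33.763939 217.218.252.195:3062 -> 24.19.147.10:389 [S]",
    "T 2004/02/24 08:34:33.786569 66.60.194.153:3351 -> 24.19.147.10:389 [S]",
    "T 2004/02/24 09:00:09.000000 192.0.2.77:40009 -> 24.19.147.50:389 [AS]",
] + [
    f"T 2004/02/24 09:00:{i:02d}.000000 192.0.2.77:{40000 + i} -> 24.19.147.{i}:389 [S]"
    for i in range(1, 6)
]

if __name__ == "__main__":
    print(find_sweepers(SAMPLE))  # {'192.0.2.77': 5}
```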