Subject: FW: Increased traffic to tcp port 524
From: Suzanne.HernandezGUNTER.AF.MIL
Date: Wed Oct 25 2000 - 15:30:41 CDT


Check it out...this is just half of yesterday and most of today...These are
to non-existent subnets on our network.

10/24-14:43:26 TCP : 155.58.107.40:1124 -> A.B.205.219:524 FLAGS : **S*****
10/24-14:43:29 TCP : 155.58.107.40:1124 -> A.B.205.219:524 FLAGS : **S*****
10/24-14:44:42 TCP : 134.7.147.30:3972 -> A.B.178.17:524 FLAGS : **S*****
10/24-14:44:45 TCP : 134.7.147.30:3972 -> A.B.178.17:524 FLAGS : **S*****
10/24-14:44:51 TCP : 134.7.147.30:3972 -> A.B.178.17:524 FLAGS : **S*****
10/24-16:09:46 TCP : 64.31.230.169:1266 64-31-230-169.pdq.net -> A.B.22.144:524 FLAGS : **S*****
10/24-16:09:49 TCP : 64.31.230.169:1266 64-31-230-169.pdq.net -> A.B.22.144:524 FLAGS : **S*****
10/24-16:09:55 TCP : 64.31.230.169:1266 64-31-230-169.pdq.net -> A.B.22.144:524 FLAGS : **S*****
10/24-16:15:58 TCP : 209.52.140.12:3272 ws12.acl.com -> A.B.147.166:524 FLAGS : **S*****
10/24-16:16:01 TCP : 209.52.140.12:3272 ws12.acl.com -> A.B.147.166:524 FLAGS : **S*****
10/24-16:16:07 TCP : 209.52.140.12:3272 ws12.acl.com -> A.B.147.166:524 FLAGS : **S*****
10/24-17:37:15 TCP : 208.19.227.190:4340 sys61.aaimstl.org -> A.B.52.31:524 FLAGS : **S*****
10/24-17:37:18 TCP : 208.19.227.190:4340 sys61.aaimstl.org -> A.B.52.31:524 FLAGS : **S*****
10/24-18:53:06 TCP : 131.178.162.50:1118 pto-162-50.mty.itesm.mx -> A.B.110.28:524 FLAGS : **S*****
10/24-19:20:23 TCP : 216.138.20.44:4590 pc44.adams.net -> A.B.114.226:524 FLAGS : **S*****
10/24-19:20:26 TCP : 216.138.20.44:4590 pc44.adams.net -> A.B.114.226:524 FLAGS : **S*****
10/24-19:20:32 TCP : 216.138.20.44:4590 pc44.adams.net -> A.B.114.226:524 FLAGS : **S*****
10/24-22:35:15 TCP : 165.124.47.50:4130 labpc50.arthritis.nwu.edu -> A.B.28.166:524 FLAGS : **S*****
10/24-22:35:18 TCP : 165.124.47.50:4130 labpc50.arthritis.nwu.edu -> A.B.28.166:524 FLAGS : **S*****
10/24-22:35:24 TCP : 165.124.47.50:4130 labpc50.arthritis.nwu.edu -> A.B.28.166:524 FLAGS : **S*****
10/25-00:27:27 TCP : 209.41.197.115:1659 -> A.B.116.250:524 FLAGS : **S*****
10/25-00:27:36 TCP : 209.41.197.115:1659 -> A.B.116.250:524 FLAGS : **S*****
10/25-01:37:01 TCP : 204.144.208.211:3619 host211.ranelson.com -> A.B.73.151:524 FLAGS : **S*****
10/25-01:37:04 TCP : 204.144.208.211:3619 host211.ranelson.com -> A.B.73.151:524 FLAGS : **S*****
10/25-01:45:09 TCP : 38.197.102.240:3989 -> A.B.234.119:524 FLAGS : **S*****
10/25-01:45:12 TCP : 38.197.102.240:3989 -> A.B.234.119:524 FLAGS : **S*****
10/25-01:45:18 TCP : 38.197.102.240:3989 -> A.B.234.119:524 FLAGS : **S*****
10/25-05:27:27 TCP : 193.78.29.122:2898 -> A.B.223.226:524 FLAGS : **S*****
10/25-05:27:30 TCP : 193.78.29.122:2898 -> A.B.223.226:524 FLAGS : **S*****
10/25-05:27:36 TCP : 193.78.29.122:2898 -> A.B.223.226:524 FLAGS : **S*****
10/25-05:54:52 TCP : 204.210.103.153:2063 a204b210n103client153.hawaii.rr.com -> A.B.43.14:524 FLAGS : **S*****
10/25-05:54:54 TCP : 204.210.103.153:2063 a204b210n103client153.hawaii.rr.com -> A.B.43.14:524 FLAGS : **S*****
10/25-05:55:00 TCP : 204.210.103.153:2063 a204b210n103client153.hawaii.rr.com -> A.B.43.14:524 FLAGS : **S*****
10/25-07:29:35 TCP : 198.17.176.171:1060 -> A.B.173.43:524 FLAGS : **S*****
10/25-07:29:44 TCP : 198.17.176.171:1060 -> A.B.173.43:524 FLAGS : **S*****
10/25-11:18:13 TCP : 35.10.201.42:52473 ariasdav-2.user.msu.edu -> A.B.54.101:47137 FLAGS : ****R***
10/25-12:21:11 TCP : 207.125.0.91:3305 -> A.B.8.146:524 FLAGS : **S*****
10/25-12:21:13 TCP : 207.125.0.91:3305 -> A.B.8.146:524 FLAGS : **S*****
10/25-12:24:29 TCP : 207.125.0.91:3337 -> A.B.8.146:524 FLAGS : **S*****
10/25-12:24:35 TCP : 207.125.0.91:3337 -> A.B.8.146:524 FLAGS : **S*****
10/25-14:53:23 TCP : 207.28.121.222:2385 -> A.B.110.181:524 FLAGS : **S*****
10/25-14:53:25 TCP : 207.28.121.222:2385 -> A.B.110.181:524 FLAGS : **S*****
10/25-15:01:06 TCP : 209.246.57.9:3536 ded-office-eth-9.jaske.com -> A.B.48.174:524 FLAGS : **S*****
10/25-15:01:09 TCP : 209.246.57.9:3536 ded-office-eth-9.jaske.com -> A.B.48.174:524 FLAGS : **S*****
10/25-15:01:15 TCP : 209.246.57.9:3536 ded-office-eth-9.jaske.com -> A.B.48.174:524 FLAGS : **S*****

> -----Original Message-----
> From: Andrew Frith [SMTP:AndrewFgateway.bm]
> Sent: Wednesday, October 25, 2000 3:10 PM
> To: Suzanne.HernandezGUNTER.AF.MIL; INCIDENTSSECURITYFOCUS.COM
> Subject: Re: Increased traffic to tcp port 524
>
> Port 524 is registered as NCP.
>
> It is used by Netware 5.x server & clients (anything else?). These
> shouldn't be straying outside of the local networks though.
>
> Now that I've looked we've had a couple of connections to 524 the past few
> days. Nothing of note though (and no captures).
>
> >>> <Suzanne.HernandezGUNTER.AF.MIL> 10/24/00 04:28PM >>>
> What's with the increased attempts on tcp port 524?
>
> These are coming from networks all over the place....
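
A triage sketch for the log in this post, added here as an example and not part of the original message: it parses the log format shown (inferred from the lines above, with the sanitized `A.B.` prefix kept as-is) and reports, per source, the number of bare SYNs to port 524, the number of distinct targets, and the gaps in seconds between repeated SYNs from the same source port. The function names and the year 2000 (taken from the Date header) are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Excerpt of the log in this post, with wrapped records rejoined one per line.
SAMPLE = """\
10/24-14:44:42 TCP : 134.7.147.30:3972 -> A.B.178.17:524 FLAGS : **S*****
10/24-14:44:45 TCP : 134.7.147.30:3972 -> A.B.178.17:524 FLAGS : **S*****
10/24-14:44:51 TCP : 134.7.147.30:3972 -> A.B.178.17:524 FLAGS : **S*****
10/24-16:09:46 TCP : 64.31.230.169:1266 64-31-230-169.pdq.net -> A.B.22.144:524 FLAGS : **S*****
10/24-16:09:49 TCP : 64.31.230.169:1266 64-31-230-169.pdq.net -> A.B.22.144:524 FLAGS : **S*****
10/25-11:18:13 TCP : 35.10.201.42:52473 ariasdav-2.user.msu.edu -> A.B.54.101:47137 FLAGS : ****R***
10/25-12:21:11 TCP : 207.125.0.91:3305 -> A.B.8.146:524 FLAGS : **S*****
10/25-12:21:13 TCP : 207.125.0.91:3305 -> A.B.8.146:524 FLAGS : **S*****
10/25-12:24:29 TCP : 207.125.0.91:3337 -> A.B.8.146:524 FLAGS : **S*****
10/25-12:24:35 TCP : 207.125.0.91:3337 -> A.B.8.146:524 FLAGS : **S*****
"""

RECORD = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d) TCP : (?P<src>\S+):(?P<sport>\d+)"
    r"(?: \S+)? -> (?P<dst>\S+):(?P<dport>\d+) FLAGS : (?P<flags>\S+)$")

def parse(text, year=2000):
    """Yield one dict per record; the year is assumed from the mail's Date header."""
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["time"] = datetime.strptime(f"{year}/{rec['ts']}", "%Y/%m/%d-%H:%M:%S")
            yield rec

def summarize(text, dport="524"):
    """Per source: SYN count, distinct targets, and gaps between repeated SYNs."""
    flows = defaultdict(list)
    for r in parse(text):
        if r["dport"] == dport and r["flags"] == "**S*****":   # bare SYN only
            flows[(r["src"], r["sport"], r["dst"])].append(r["time"])
    out = defaultdict(lambda: {"syns": 0, "targets": set(), "gaps": []})
    for (src, _sport, dst), times in flows.items():
        s = out[src]
        s["syns"] += len(times)
        s["targets"].add(dst)
        s["gaps"] += [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return dict(out)

if __name__ == "__main__":
    for src, s in summarize(SAMPLE).items():
        print(f"{src:16} syns={s['syns']} targets={len(s['targets'])} gaps={s['gaps']}")
```

Run over a full log, the same summary separates sources that repeat a SYN to one address from sources that touch many addresses.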