From: Rajiv Dighe (rdighe@SANDVINE.com)
Date: Tue Apr 16 2002 - 12:09:30 CDT


    Port 1067 is also used by Installation Bootstrap Protocol Server. Apparently
    on a default win2k server install this port is utilized. Details are available
    at http://support.microsoft.com/default.aspx?scid=kb;EN-US;q289241

    This could be an attempt to map out hosts running win2k servers in a default
    install. This is apparently also used by HP boxes, i.e., you can set up one
    box to act as a software installation server. So it looks like this is not
    limited to the Windows world.

    Rajiv Dighe
    Senior Software Engineer
    Sandvine Inc.

    -----Original Message-----
    From: LAVELLE,MICHAEL (HP-PaloAlto,ex1) [mailto:mlavelle@hp.com]
    Sent: Tuesday, April 16, 2002 11:36 AM
    To: incidents@securityfocus.com
    Subject: Strange UDP Activity

    Greetings to the List,

    I recently started seeing strange UDP traffic to my home DSL, which is
    included below. It has been active for the last 4 days at all hours. None of
    these IPs are DNS servers that I use, and much of the activity is when all
    of my computers are off. Google led me to port 1067 as being an SNMP port,
    but I have SNMP disabled on all devices at home, and the ACL blocks it
    anyway.

    Is there a new vulnerability going around that I missed? So far I have not
    read anything on the list that looks like this...any ideas?

    Thanks for listening,

    Mike
    ___________________________

    Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 4 packets
    Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 202.12.27.33(53) -> X.X.55.121(1067), 4 packets
    Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.112.36.4(53) -> X.X.55.121(1067), 3 packets
    Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.32.64.12(53) -> X.X.55.121(1067), 5 packets
    Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.33.4.12(53) -> X.X.55.121(1067), 1 packet
    Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.5.5.241(53) -> X.X.55.121(1067), 7 packets
    Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.9.0.107(53) -> X.X.55.121(1067), 7 packets
    Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 193.0.14.129(53) -> X.X.55.121(1067), 7 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.8.10.90(53) -> X.X.55.121(1067), 4 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.63.2.53(53) -> X.X.55.121(1067), 3 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.203.230.10(53) -> X.X.55.121(1067), 6 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.4(53) -> X.X.55.121(1067), 3 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.10(53) -> X.X.55.121(1067), 3 packets
    Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 3 packets

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
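An added triage script for the log Mike posted (editor's example; it is not code from either poster or from the list). The shape of the entries is the point: every hit comes from UDP source port 53 on a different host to the single port 1067 on the DSL address. That is the shape of DNS answers arriving at a client's ephemeral port, not of an inbound scan, because a scanner holds its source fixed and varies the target port or host. For what it is worth, the thirteen distinct sources are the root-server addresses in use in 2002 (198.41.0.4 is a.root-servers.net, 192.33.4.12 is c, 192.5.5.241 is f, and so on), so the lines read as root servers replying to queries sent from port 1067 on X.X.55.121, which is also why they keep arriving while the PCs are off if something on the LAN side still resolves names. The regex assumes the plain IOS %SEC-6-IPACCESSLOGP form shown in the post (no interface or MAC in parentheses); the scan sample at the end is constructed for contrast, and the thresholds are my own choice.

```python
"""Triage Cisco IOS %SEC-6-IPACCESSLOGP entries by flow shape (added example)."""
import re
from collections import Counter
from typing import List, NamedTuple

# Plain IOS ACL-log form, as in the post; variants that append an interface
# or MAC in parentheses are deliberately not handled (assumption).
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+): %SEC-6-IPACCESSLOGP: list (?P<acl>\S+) "
    r"(?P<action>permitted|denied) (?P<proto>\w+) "
    r"(?P<src>[\w.]+)\((?P<sport>\d+)\) -> (?P<dst>[\w.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)


class Flow(NamedTuple):
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    packets: int


def parse_lines(lines: List[str]) -> List[Flow]:
    """Parse ACL hits; any other syslog line is skipped."""
    flows = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        flows.append(Flow(m["ts"], m["src"], int(m["sport"]), m["dst"],
                          int(m["dport"]), m["proto"], int(m["count"])))
    return flows


def classify(flows: List[Flow], scan_threshold: int = 10) -> str:
    """'reply-traffic', 'port-scan', 'host-sweep', 'mixed' or 'empty'.

    Replies to the logged host's own queries arrive from one service port,
    from many servers, to one fixed client port. A scanner instead keeps the
    source fixed and spreads over many target ports or many target hosts.
    """
    if not flows:
        return "empty"
    srcs = {f.src for f in flows}
    dsts = {f.dst for f in flows}
    sports = {f.sport for f in flows}
    dports = {f.dport for f in flows}
    if len(sports) == 1 and len(dports) == 1 and len(dsts) == 1 and len(srcs) > 1:
        return "reply-traffic"
    if len(srcs) == 1 and len(dsts) == 1 and len(dports) >= scan_threshold:
        return "port-scan"
    if len(srcs) == 1 and len(dports) == 1 and len(dsts) >= scan_threshold:
        return "host-sweep"
    return "mixed"


def summarize(flows: List[Flow]) -> dict:
    """Verdict plus packet totals per (source host, source port)."""
    per_src = Counter()
    for f in flows:
        per_src[(f.src, f.sport)] += f.packets
    return {
        "verdict": classify(flows),
        "sources": len({f.src for f in flows}),
        "packets": sum(per_src.values()),
        "source_ports": sorted({f.sport for f in flows}),
        "dest_ports": sorted({f.dport for f in flows}),
        "top_sources": per_src.most_common(3),
    }


# The entries from the post, with the mail client's line wrapping undone.
POSTED_LOG = [
    "Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 4 packets",
    "Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 202.12.27.33(53) -> X.X.55.121(1067), 4 packets",
    "Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.112.36.4(53) -> X.X.55.121(1067), 3 packets",
    "Apr 14 22:44:42: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.32.64.12(53) -> X.X.55.121(1067), 5 packets",
    "Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.33.4.12(53) -> X.X.55.121(1067), 1 packet",
    "Apr 14 22:46:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.5.5.241(53) -> X.X.55.121(1067), 7 packets",
    "Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.9.0.107(53) -> X.X.55.121(1067), 7 packets",
    "Apr 14 22:48:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 193.0.14.129(53) -> X.X.55.121(1067), 7 packets",
    "Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.8.10.90(53) -> X.X.55.121(1067), 4 packets",
    "Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 128.63.2.53(53) -> X.X.55.121(1067), 3 packets",
    "Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.203.230.10(53) -> X.X.55.121(1067), 6 packets",
    "Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.4(53) -> X.X.55.121(1067), 3 packets",
    "Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 198.41.0.10(53) -> X.X.55.121(1067), 3 packets",
    "Apr 14 22:49:43: %SEC-6-IPACCESSLOGP: list 100 denied udp 192.36.148.17(53) -> X.X.55.121(1067), 3 packets",
]

# Constructed contrast case (not from the post): one host probing 12 TCP ports.
CONSTRUCTED_SCAN = [
    f"Apr 15 01:00:{i:02d}: %SEC-6-IPACCESSLOGP: list 100 denied tcp "
    f"10.0.0.5({40000 + i}) -> 10.0.0.9({20 + i}), 1 packet"
    for i in range(12)
]

if __name__ == "__main__":
    print(summarize(parse_lines(POSTED_LOG)))
    print(summarize(parse_lines(CONSTRUCTED_SCAN)))
```

On the posted entries the verdict is "reply-traffic": 14 hits, 13 distinct sources, all from port 53 to port 1067, 60 packets in total. The practical follow-up is on the inside of the ACL, not the outside: find which device on the LAN still sends queries from source port 1067 (a resolver, a router's own DNS client, or a stub that caches the root hints) and whether it is meant to be talking to the root servers directly.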
