Security Incidents
mailing list archives
Re: Scans(?) 500->500 from China
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Sat, 2 Sep 2000 13:47:42 -0500
Hi,
It looks like someone was trying to access the key negotiation daemon
for IPSEC. Since you obviously aren't using this software (or isakmp
might ring a bell ;)), that leaves three possibilities:
1. New IPSEC Implementation Hole (Old FreeSWAN has some really crappy
code in it...)
2. They are looking for another service entirely (some root backdoor
port...)
3. You have a dynamic IP; they used to have an IPSEC tunnel going to
whoever had your IP address last. Their peer changed addresses but they
never updated their configuration files. This could also be a user of
PGPNET mistyping the remote peer address or even a misconfigured routing
device with VPN capabilities.
-HD
http://www.digitaloffense.net
"Ralf G. R. Bergs" wrote:
Hi there,
can anybody shed some light on what appears to be a scan to me?
Sep 1 11:13:55 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30431 F=0x0000 T=105 (#53)
Sep 1 11:13:56 <my host> kernel: Packet log: input DENY atm0 PROTO=17
[ snip ]
61.141.79.3:500 <my ip>:500 L=708 S=0x00 I=30603 F=0x0000 T=105 (#53)
Sep 1 11:14:53 <my host> kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 <my ip>:500 L=84 S=0x00 I=30719 F=0x0000 T=105 (#53)
I couldn't find any meaningful info about port 500 (meaningful to me, that
is, since "isakmp" doesn't ring a bell...)
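The log lines in the thread are Linux 2.2 ipchains "Packet log" entries, and the question the thread turns on is whether UDP/500 to UDP/500 from one host is a scan or a misconfigured IKE peer (HD's third possibility). Below is an added example, not code from either poster, that parses that log format, names the service behind the port, and applies two practitioner heuristics to each source/destination flow: a real IKE implementation sends from port 500 to port 500 with at least a 28-byte ISAKMP header in the datagram, whereas a UDP scanner usually sends from an ephemeral port; and the observed TTL, compared against the usual initial values of 64, 128 and 255, gives a rough hop count. The sample log lines are constructed on the pattern of the posted ones; `192.0.2.10` stands in for the poster's redacted `<my ip>`, the second source address `198.51.100.7` is invented, and the 20-byte IP header assumption ignores IP options.

```python
"""Parse ipchains 'Packet log' lines and flag UDP/500 traffic that looks like an IKE peer."""
import re
from collections import defaultdict
from dataclasses import dataclass

# ipchains (Linux 2.2) kernel log format.  Field meanings:
#   PROTO = IP protocol number, L = total IP length, S = TOS byte,
#   I = IP identification, F = fragment flags/offset word, T = TTL,
#   (#n) = number of the ipchains rule that matched.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Packet log: (?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) L=(?P<length>\d+) S=0x(?P<tos>[0-9a-fA-F]+) "
    r"I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) T=(?P<ttl>\d+) \(#(?P<rule>\d+)\)$"
)

PROTO_NAMES = {1: "icmp", 6: "tcp", 17: "udp"}
UDP_SERVICES = {500: "isakmp (IKE, IPsec key negotiation)"}
IP_HDR = 20      # assumption: no IP options
UDP_HDR = 8
ISAKMP_HDR = 28  # two 8-byte cookies, next payload, version, exchange type, flags, msgid, length

# Constructed sample, modelled on the posted lines; 192.0.2.10 replaces <my ip>.
SAMPLE_LOG = [
    "Sep  1 11:13:55 myhost kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 192.0.2.10:500 L=708 S=0x00 I=30431 F=0x0000 T=105 (#53)",
    "Sep  1 11:13:56 myhost kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 192.0.2.10:500 L=708 S=0x00 I=30603 F=0x0000 T=105 (#53)",
    "Sep  1 11:14:53 myhost kernel: Packet log: input DENY atm0 PROTO=17 61.141.79.3:500 192.0.2.10:500 L=84 S=0x00 I=30719 F=0x0000 T=105 (#53)",
    # Invented contrast case: a TCP probe from an ephemeral port to telnet.
    "Sep  1 11:20:02 myhost kernel: Packet log: input DENY atm0 PROTO=6 198.51.100.7:3210 192.0.2.10:23 L=60 S=0x00 I=41200 F=0x4000 T=49 (#53)",
]


@dataclass
class Packet:
    ts: str
    chain: str
    verdict: str
    iface: str
    proto: int
    src: str
    sport: int
    dst: str
    dport: int
    length: int
    ttl: int
    rule: int


def parse_line(line):
    """Return a Packet for an ipchains log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    return Packet(g["ts"], g["chain"], g["verdict"], g["iface"], int(g["proto"]),
                  g["src"], int(g["sport"]), g["dst"], int(g["dport"]),
                  int(g["length"]), int(g["ttl"]), int(g["rule"]))


def service_name(pkt):
    if pkt.proto == 17 and pkt.dport in UDP_SERVICES:
        return UDP_SERVICES[pkt.dport]
    return "%s/%d" % (PROTO_NAMES.get(pkt.proto, str(pkt.proto)), pkt.dport)


def guess_initial_ttl(ttl):
    """Heuristic: most stacks start at 64, 128 or 255; pick the smallest one
    not below the observed TTL and report the implied hop count."""
    for start in (64, 128, 255):
        if ttl <= start:
            return start, start - ttl
    return None, None


def summarize(lines):
    """Group packets by (src, dst, proto, dport) and annotate each flow."""
    flows = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt:
            flows[(pkt.src, pkt.dst, pkt.proto, pkt.dport)].append(pkt)
    report = []
    for (src, dst, proto, dport), pkts in flows.items():
        sports = sorted({p.sport for p in pkts})
        lengths = [p.length for p in pkts]
        init_ttl, hops = guess_initial_ttl(pkts[-1].ttl)
        # UDP payload size = total IP length minus IP and UDP headers (UDP only).
        payloads = [l - IP_HDR - UDP_HDR for l in lengths] if proto == 17 else []
        entry = {
            "src": src, "dst": dst, "service": service_name(pkts[0]),
            "packets": len(pkts), "first": pkts[0].ts, "last": pkts[-1].ts,
            "sports": sports, "lengths": lengths, "udp_payloads": payloads,
            "initial_ttl": init_ttl, "hops": hops,
        }
        # IKE peers talk 500 -> 500 and every datagram carries at least the
        # ISAKMP header; a scanner normally probes from an ephemeral port.
        entry["looks_like_ike_peer"] = (
            proto == 17 and dport == 500 and sports == [500]
            and all(p >= ISAKMP_HDR for p in payloads)
        )
        report.append(entry)
    return report


if __name__ == "__main__":
    for e in summarize(SAMPLE_LOG):
        print("%s -> %s  %-36s pkts=%d sports=%s lengths=%s ttl0=%s hops=%s ike_peer=%s" % (
            e["src"], e["dst"], e["service"], e["packets"], e["sports"],
            e["lengths"], e["initial_ttl"], e["hops"], e["looks_like_ike_peer"]))
```

Run against the constructed sample, the 61.141.79.3 flow reports three UDP/500 datagrams from source port 500 with 680, 680 and 56 bytes of UDP payload, an implied initial TTL of 128 and 23 hops, and `looks_like_ike_peer=True`; the invented TCP/23 probe from an ephemeral port does not. The heuristic cannot tell a stale VPN configuration from a deliberate IKE-aware probe; it only separates "something speaking IKE" from a generic port sweep, which is the distinction the thread is asking about.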