Full Disclosure mailing list archives
RE: Probes on port 389
From: "Lee Fisher" <itsleefisher () hotmail com>
Date: Tue, 24 Feb 2004 22:58:17 +0000
This was noted on the ISC diary page yesterday, Paul.

Lee Fisher
McAfee

-Paul wrote-
I threw up a quick rule on snort to monitor probes on port 389 because I have been seeing entries in /var/log/messages on some boxes that I am responsible for. This morning we had a probe that hit 26205 different IPs on that port in about 7 minutes (SYN scan only - no payload.) The source IP was a mailserver in England. (They've been notified.) Shortly afterwards we had a probe from one IP to one IP. The source IP is a Sprint PCS address. The dest IP is one of our Win2k3 DCs. I looked at the Internet Storm Center, and port 389 probes aren't showing up there. I checked Securityfocus for any LDAP exploits, and the most recent one is the Ipswitch LDAP daemon overflow. I checked for Active Directory exploits and the most recent one is back in July of last year.
