Security Incidents mailing list archives

Re: massive lpr exploit attempt


From: Kevin van Haaren <kevinv () hockey net>
Date: Sun, 24 Jun 2001 22:57:35 -0500

At 10:42 AM +1200 6/25/01, Russell Fulton wrote:
Yesterday (Sunday 24th) we were attacked from several different IPs
using an iterated X86 lpr exploit against any machine that responds on
port 515.  Even though we block 515 for the vast bulk of our addresses
I logged over 80,000 probes to the 20 or so addresses that responded!

I went back through my logs. I was getting probed on port 515, usually 2 tests per probe (the port is blocked completely) starting on June 19. One probe a day, each from a different IP.

Starting June 23 7:22am (central daylight time), possibly still ongoing, I've had probes from 7 different IPs. The whois lookup of the IPs is what you'd expect for a worm spreading from already infected machines -- a RoadRunner machine, a couple of university machines (New Orleans, and Florida State), somebody called BroadBand Now.

Last probe was at 19:54 (CDT) but they've been at least 5 hours apart so I may still be getting probed.

Kevin

