Well the scanning of local class A network, plus the fact that the src seems
to be PCs (is this a fact?), and the number keeps increasing (assuming more
sources), and it's close to the time Nimda started. Also I thought Nimda also
did NetBIOS scans, or does it just open shares all over the place.

Can't really explain 524... just a thought.

--- Ron DuFresne <[EMAIL PROTECTED]> wrote:
>
> What makes you think nimda here? Are there any reports of nimda using
> other than e-mail and the web to pollinate?
>
> Thanks,
>
> Ron DuFresne
>
> On Mon, 1 Oct 2001, bob bobing wrote:
>
> > could be the Nimda virus, have you scanned the machines in question.
> >
> > --- Michael Janke <[EMAIL PROTECTED]> wrote:
> > > We've been seeing an increasing number of probes on port 524
> > > starting about a week ago.
> > >
> > > The probes appear to be coming from ordinary PCs, both internal and
> > > external to our network. The probes follow a regular pattern of 3
> > > probes followed by DNS and Netbios lookups. The probes appear to
> > > scan their own class 'A' and 'B' more often than other networks,
> > > but will jump randomly a percentage of the time. The time between
> > > packets and the packet lengths are very consistent across many
> > > scans.
> > >
> > > Port 524 is normally used for Netware 5.x file services, but has
> > > also been associated with an old Linux vulnerability.
> > >
> > > I've isolated a single scan using Netflow data.
> > >
> > > Time     SrcIPaddress   SrcP  DstIPaddress   DstP  Pr   Pkts  Octets
> > >
> > > 09:24:18 A1.29.208.155  1088  A1.29.237.94   524   TCP  3     144
> > > 09:24:28 A1.29.208.155  1089  A1.29.237.94   524   TCP  3     144
> > > 09:24:39 A1.29.208.155  1090  A1.29.237.94   524   TCP  3     144
> > > 09:24:52 A1.29.208.155  137   <nameserver1>  53    UDP  6     360
> > > 09:24:57 A1.29.208.155  137   <nameserver2>  53    UDP  6     360
> > > 09:25:01 A1.29.208.155  137   A1.29.237.94   137   UDP  3     234
> > >
> > > 09:25:12 A1.29.208.155  1093  A1.201.92.88   524   TCP  3     144
> > > 09:25:22 A1.29.208.155  1094  A1.201.92.88   524   TCP  3     144
> > > 09:25:33 A1.29.208.155  1095  A1.201.92.88   524   TCP  3     144
> > > 09:25:46 A1.29.208.155  137   <nameserver1>  53    UDP  6     360
> > > 09:25:51 A1.29.208.155  137   <nameserver2>  53    UDP  6     360
> > > 09:25:55 A1.29.208.155  137   A1.201.92.88   137   UDP  3     234
> > >
> > > 09:26:06 A1.29.208.155  1098  A1.29.241.245  524   TCP  3     144
> > > 09:26:16 A1.29.208.155  1099  A1.29.241.245  524   TCP  3     144
> > > 09:26:27 A1.29.208.155  1100  A1.29.241.245  524   TCP  3     144
> > > 09:26:40 A1.29.208.155  137   <nameserver1>  53    UDP  6     366
> > > 09:26:45 A1.29.208.155  137   <nameserver2>  53    UDP  6     366
> > > 09:26:49 A1.29.208.155  137   A1.29.241.245  137   UDP  3     234
> > >
> > > 09:27:00 A1.29.208.155  1103  A2.242.13.97   524   TCP  3     144
> > > 09:27:10 A1.29.208.155  1104  A2.242.13.97   524   TCP  3     144
> > > 09:27:21 A1.29.208.155  1105  A2.242.13.97   524   TCP  3     144
> > >
> > > This is a new pattern to us. Has anybody seen anything like it?
> > >
> > > --Mike
> > >
> > > -----------------------------------------
> > > Michael Janke
> > > Director, Network Services
> > > Minnesota State Colleges and Universities
> > > -----------------------------------------
> > >
> > > _______________________________________________
> > > Firewalls mailing list
> > > [EMAIL PROTECTED]
> > > http://lists.gnac.net/mailman/listinfo/firewalls
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> "Cutting the space budget really restores my faith in humanity. It
> eliminates dreams, goals, and ideals and lets us get straight to the
> business of hate, debauchery, and self-annihilation." -- Johnny Hart
> ***testing, only testing, and damn good at it too!***
>
> OK, so you're a Ph.D. Just don't touch anything.
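The three-probes-then-NetBIOS-lookup sequence in Mike's Netflow dump can be picked out mechanically from flow records. This is an added example, not code from anyone in the thread: it parses records in the same column layout as the dump (constructed sample rows; `A1` is an anonymised octet as in the dump) and flags a source that sends three TCP flows to port 524 on one host, each within a short interval of the previous, and then a UDP/137 name query to that same host, while ignoring a lone SYN to 524.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample in the layout of the Netflow dump quoted above
# (time src sport dst dport proto pkts octets; A1 is an anonymised octet).
SAMPLE = """\
09:24:18 A1.29.208.155 1088 A1.29.237.94 524 TCP 3 144
09:24:28 A1.29.208.155 1089 A1.29.237.94 524 TCP 3 144
09:24:39 A1.29.208.155 1090 A1.29.237.94 524 TCP 3 144
09:25:01 A1.29.208.155 137 A1.29.237.94 137 UDP 3 234
09:25:12 A1.29.208.155 1093 A1.201.92.88 524 TCP 3 144
09:25:22 A1.29.208.155 1094 A1.201.92.88 524 TCP 3 144
09:25:33 A1.29.208.155 1095 A1.201.92.88 524 TCP 3 144
09:25:55 A1.29.208.155 137 A1.201.92.88 137 UDP 3 234
09:30:00 A1.7.7.7 2000 A1.29.237.94 524 TCP 3 144
"""

def parse_flows(text):
    """Parse 'time src sport dst dport proto pkts octets' lines into dicts."""
    flows = []
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) != 8:  # skip the header and blank lines
            continue
        flows.append({"time": datetime.strptime(fields[0], "%H:%M:%S"),
                      "src": fields[1], "dst": fields[3],
                      "dport": int(fields[4]), "proto": fields[5]})
    return flows

def find_524_scans(flows, probes=3, max_gap=20):
    """Return (src, dst) pairs: `probes` TCP flows to dst:524 at most max_gap
    seconds apart, followed within a few records by UDP/137 to the same dst."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f["src"]].append(f)
    hits = []
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["time"])
        for i in range(len(recs) - probes + 1):
            win, target = recs[i:i + probes], recs[i]["dst"]
            if not all(w["proto"] == "TCP" and w["dport"] == 524
                       and w["dst"] == target for w in win):
                continue
            if any((win[k + 1]["time"] - win[k]["time"]).total_seconds()
                   > max_gap for k in range(probes - 1)):
                continue
            tail = recs[i + probes:i + probes + 4]  # the NetBIOS lookup
            if any(t["proto"] == "UDP" and t["dport"] == 137
                   and t["dst"] == target for t in tail):
                hits.append((src, target))
    return hits
```

Running `find_524_scans(parse_flows(SAMPLE))` returns the two (source, target) pairs for A1.29.208.155 and nothing for the host that sent a single SYN.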
