We've been seeing an increasing number of probes on port 524
starting about a week ago.

The probes appear to be coming from ordinary PC's, both internal and
external to our network. The probes follow a regular pattern of 3
probes followed by DNS and Netbios lookups. The probes appear to
scan their own class 'A' and 'B' more often than other networks,
but will jump randomly a percentage of the time. The time between
packets and the packet lengths are very consistent across many
scans.

Port 524 is normally used for Netware 5.x file services, but has
also been associated with an old Linux vulnerability.

I've isolated a single scan using Netflow data.

Time     SrcIPaddre     SrcP  DstIPaddress   DstP Pr Pkts Octets

09:24:18 A1.29.208.155  1088  A1.29.237.94   524  TCP  3  144
09:24:28 A1.29.208.155  1089  A1.29.237.94   524  TCP  3  144
09:24:39 A1.29.208.155  1090  A1.29.237.94   524  TCP  3  144
09:24:52 A1.29.208.155  137   <nameserver1>   53  UDP  6  360
09:24:57 A1.29.208.155  137   <nameserver2>   53  UDP  6  360
09:25:01 A1.29.208.155  137   A1.29.237.94   137  UDP  3  234

09:25:12 A1.29.208.155  1093  A1.201.92.88   524  TCP  3  144
09:25:22 A1.29.208.155  1094  A1.201.92.88   524  TCP  3  144
09:25:33 A1.29.208.155  1095  A1.201.92.88   524  TCP  3  144
09:25:46 A1.29.208.155  137   <nameserver1>   53  UDP  6  360
09:25:51 A1.29.208.155  137   <nameserver2>   53  UDP  6  360
09:25:55 A1.29.208.155  137   A1.201.92.88   137  UDP  3  234

09:26:06 A1.29.208.155  1098  A1.29.241.245  524  TCP  3  144
09:26:16 A1.29.208.155  1099  A1.29.241.245  524  TCP  3  144
09:26:27 A1.29.208.155  1100  A1.29.241.245  524  TCP  3  144
09:26:40 A1.29.208.155  137   <nameserver1>   53  UDP  6  366
09:26:45 A1.29.208.155  137   <nameserver2>   53  UDP  6  366
09:26:49 A1.29.208.155  137   A1.29.241.245  137  UDP  3  234

09:27:00 A1.29.208.155  1103  A2.242.13.97  524  TCP  3  144
09:27:10 A1.29.208.155  1104  A2.242.13.97  524  TCP  3  144
09:27:21 A1.29.208.155  1105  A2.242.13.97  524  TCP  3  144

This is a new pattern to us. Has anybody seen anything like it?

--Mike

-----------------------------------------
Michael Janke
Director, Network Services
Minnesota State Colleges and Universities
-----------------------------------------

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
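
The pattern described in the post (three small TCP flows to port 524 on one target, then a NetBIOS name query on UDP 137 to the same target) can be searched for in flow exports. The following is an added example, not part of the original message: the function names, the 60-second window and the sample flows are assumptions, and the sample uses documentation addresses in the same column layout as the post.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flows in the post's column layout (not real data).
SAMPLE = """\
Time     SrcIPaddre  SrcP  DstIPaddress   DstP Pr Pkts Octets
09:24:18 192.0.2.10  1088  192.0.2.94     524  TCP  3  144
09:24:28 192.0.2.10  1089  192.0.2.94     524  TCP  3  144
09:24:39 192.0.2.10  1090  192.0.2.94     524  TCP  3  144
09:24:52 192.0.2.10  137   198.51.100.53  53   UDP  6  360
09:25:01 192.0.2.10  137   192.0.2.94     137  UDP  3  234
09:25:12 192.0.2.10  1093  203.0.113.88   524  TCP  3  144
09:25:22 192.0.2.10  1094  203.0.113.88   524  TCP  3  144
09:25:33 192.0.2.10  1095  203.0.113.88   524  TCP  3  144
09:25:55 192.0.2.10  137   203.0.113.88   137  UDP  3  234
09:30:00 192.0.2.77  2001  192.0.2.5      524  TCP  42 9000
"""

def parse(text):
    """Yield one dict per flow line; header, blank and malformed lines are skipped."""
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        try:
            yield dict(t=datetime.strptime(f[0], "%H:%M:%S"), src=f[1],
                       dst=f[3], dport=int(f[4]), proto=f[5], pkts=int(f[6]))
        except ValueError:
            continue  # e.g. the column header row

def find_probers(flows, port=524, tries=3, window=60):
    """Return {src: [dst, ...]} where dst received at least `tries` small TCP flows
    to `port`, then a UDP/137 query from the same src within `window` seconds."""
    probes = defaultdict(list)  # (src, dst) -> timestamps of small TCP/port flows
    hits = defaultdict(list)
    for f in sorted(flows, key=lambda r: r["t"]):
        key = (f["src"], f["dst"])
        if f["proto"] == "TCP" and f["dport"] == port and f["pkts"] <= 3:
            probes[key].append(f["t"])
        elif f["proto"] == "UDP" and f["dport"] == 137 and len(probes[key]) >= tries:
            if (f["t"] - probes[key][0]).total_seconds() <= window:
                hits[f["src"]].append(f["dst"])
            probes[key].clear()  # start fresh for any later probe of this target
    return dict(hits)

if __name__ == "__main__":
    print(find_probers(parse(SAMPLE)))
```

The last sample line is an ordinary long-lived session to port 524 and is not reported, since only flows of three packets or fewer count as probes.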
