The more you describe this, the more it appears to be merely a secondary effect from those systems with the mis-installed <the novell client stacks should not be there, right?>, systems infested with nimda worm code. What might be interesting and of concern is the external replies echoing back from those misconfigured systems' initial probes for an NDS server. Sounds like there well might be open novell servers responding, which may open a new attack vector for future worm code to also attempt to abuse.

AFAIK, nimda was not coded to utilize novell protocols as an attack vector, and the analysis of the code was pretty intensive. On a compromised unix system, it is not key that the system might have been set up with an illegit irc server after compromise; what is key is how the system was compromised and how to prevent future compromises. The illegit irc server is merely a secondary effect of the former.

Thanks,

Ron DuFresne

On Tue, 2 Oct 2001, Michael Janke wrote:

> Jim Watt wrote:
> > On Tue, 2 Oct 2001, Ron DuFresne wrote:
> >
> > }
> > } I suspect this has nothing at all to do with nimda, and has all to do with
> > } someone trying to tunnel IPX through yer firewall, unless there is a new
> > } nimda variant and there has been no news of that. What seems to place the
> > } icing on the cake, is the netware client on the machines in question.
> > } That and the fact that 524 is NOT a standard known TCP/IP port.
> > }
> > } Thanks,
> > }
> > } Ron DuFresne
> > }
> >
> > See...
> >
> > http://www.novell.com/coolsolutions/netware/features/a_ports_nw5_nw.html
> >
> > It's listed as "ncp" in some systems' /etc/services, probably for "Netware
> > Core Protocol".
> >
> > Jim
> >
> That is correct. Netware clients >=v4.8 will automatically connect to Netware
> servers >=v5.0 on TCP port 524.
> If it is IPX tunnel related, then 28 non-mnscu.edu IP addresses are currently
> trying to tunnel through our firewalls.
>
> Hmmm...
>
> I'm still betting that this is nimda on desktops with Netware Clients. We
> de-wormed a couple of desktops yesterday & they stopped scanning us.
>
> --
> -----------------------------------------
> Michael Janke
> Minnesota State Colleges and Universities
> Saint Paul MN 55108
>
>
> --------From real Server 7.0 startup------
> Starting RealServer 7.0 Core...
> Loading RealServer License Files...
> Detecting Number of CPUs...
> Testing 1 CPU(s): 1 CPU Detected, Phew...
>
> -----------------------------------------
>
>
> _______________________________________________
> Firewalls mailing list
> [EMAIL PROTECTED]
> http://lists.gnac.net/mailman/listinfo/firewalls
>

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

***testing, only testing, and damn good at it too!***

OK, so you're a Ph.D. Just don't touch anything.
