I have been seeing the same thing as of late. Just went through my
email reports, and it seems like I am getting hit mostly from the
following addresses on ports 111 and 515:
(sorted / uniq-ed)
During these reports my lease on my eth0 (WAN) card was renewed with a
new IP, so it's more obvious now that it's some kind of scan, and not a
targeted attack.
I also got a strange attack yesterday, couldn't find anything on it on
securityfocus. It was about 40 packets per second at peak, lasting
about 5-10 minutes from a (I guess) spoofed address:
192.168.0.251:5 ---> my.ip.add.ress:1
Source port and destination port remained 5 and 1 (respectively)
throughout the entire scan. Anyone know what kind of probe/attack this
might be?
Billy
--- Stefaan Van Dooren <[EMAIL PROTECTED]> wrote:
> I get those since I installed my LRP & cablemodem some months ago. Always
> wanted to ask what they (?) are trying to do, never found myself actually
> sending the message out :-). Besides those ports 515 & 111, I also have
> people trying out port 21 at about the same frequency as the other two
> ports.
>
> Stefaan
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED]]On Behalf Of
> > [EMAIL PROTECTED]
> > Sent: Thursday 28 June 2001 7:38
> > To: [EMAIL PROTECTED]
> > Subject: [Leaf-user] [chatter] Flurry of probes to ports 111 and 515?
> >
> >
> > I have been noticing an unusual number of probes to these ports recently.
> > I am guessing the 515 target is a solaris printer service overflow bug
> > mentioned on www.securityfocus.com last week, but I am not sure what is
> > attracting so many to the 111 (sunrpc) port.
> >
> > ---------------------------------------------------------------------------
> > Jeff Newmiller                        The     .....       .....  Go Live...
> > DCN:<[EMAIL PROTECTED]>               Basics: ##.#.       ##.#.  Live Go...
> >                                       Live:   OO#.. Dead: OO#..  Playing
> > Research Engineer (Solar/Batteries            O.O#.       #.O#.  with
> > /Software/Embedded Controllers)               .OO#.       .OO#.  rocks...2k
> > ---------------------------------------------------------------------------
> >
> >
> >
> > _______________________________________________
> > Leaf-user mailing list
> > [EMAIL PROTECTED]
> > http://lists.sourceforge.net/lists/listinfo/leaf-user
> >
>
>
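Added example, not part of the original messages: a small Python triage script for reports in the `src:port ---> dst:port` form quoted above. It counts distinct sources per destination port, lists RFC 1918 sources seen on the WAN side, and flags a repeated fixed source/destination port pair. The sample lines are constructed, and the function names and the repeat threshold of 3 are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample report lines in the "src:port ---> dst:port" form used in
# the thread. Sources are documentation addresses (RFC 5737), except the
# 192.168.0.251:5 ---> :1 flow, which is the one quoted in the message.
SAMPLE = """\
198.51.100.7:2555 ---> my.ip.add.ress:111
203.0.113.20:2913 ---> my.ip.add.ress:111
203.0.113.20:2914 ---> my.ip.add.ress:111
198.51.100.44:35479 ---> my.ip.add.ress:515
192.168.0.251:5 ---> my.ip.add.ress:1
192.168.0.251:5 ---> my.ip.add.ress:1
192.168.0.251:5 ---> my.ip.add.ress:1
not a report line
"""

LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+-+>\s+(\S+):(\d+)$")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(text):
    """Yield (src_ip, src_port, dst_port) for each well-formed report line."""
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip headers, blank lines and anything malformed
        try:
            src = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # e.g. an octet above 255
        yield src, int(m.group(2)), int(m.group(4))

def summarize(text, repeat_threshold=3):
    """Summarize probes: spread per port, private sources, fixed-port repeats."""
    by_port = defaultdict(set)   # dst port -> distinct source addresses
    flows = defaultdict(int)     # (src, src port, dst port) -> hit count
    for src, sport, dport in parse(text):
        by_port[dport].add(src)
        flows[(src, sport, dport)] += 1
    private = {str(s) for s, _, _ in flows if any(s in n for n in RFC1918)}
    floods = [(str(s), sp, dp) for (s, sp, dp), c in flows.items()
              if c >= repeat_threshold]
    return {"sources_per_port": {p: len(s) for p, s in sorted(by_port.items())},
            "private_sources": sorted(private),
            "fixed_port_floods": sorted(floods)}
```

Many distinct sources hitting the same one or two ports points to broad scanning, while an RFC 1918 source arriving on a WAN interface cannot be a routable Internet origin and is worth dropping at the border.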