IPP (631/tcp) Scans

From: Crist Clark (crist.clark@globalstar.com)
Date: 07/24/01

Message-ID: <3B5CC096.DDA0C201@globalstar.com>
Date: Mon, 23 Jul 2001 17:25:58 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
To: incidents@securityfocus.com
Subject: IPP (631/tcp) Scans

OK, what's up with all of the attention on port 631/tcp from the k1dd33z?
We've seen an increase from zero to a couple of scans (walks across several
class C nets) per day,

  Jul01 0
  Jul02 0
  Jul03 0
  Jul14 0
  Jul15 0
  Jul16 1
  Jul17 2
  Jul18 3
  Jul19 3
  Jul20 2
  Jul21 1
  Jul22 1
  Jul23 3

I don't recall any new problems with port 631/tcp. One of the IIS issues
was print related, but I thought it was expoited via an HTTP (80/tcp)
interface to the IPP services, not via 631/tcp. Some kiddies have a 0-day?
Or is one of those things where someone starts looking for some ancient
hole (e.g. occasional flurries of activity looking for old POP exploits)?

Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential, intended only for the use of the individual or entity named above. If the reader of this e-mail is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this e-mail in error, please contact postmaster@globalstar.com

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com