IPP (631/tcp) Scans

From: Crist Clark (crist.clark@globalstar.com)
Date: 07/24/01 

Message-ID: <3B5CC096.DDA0C201@globalstar.com>
Date: Mon, 23 Jul 2001 17:25:58 -0700
From: "Crist Clark" <crist.clark@globalstar.com>
To: incidents@securityfocus.com
Subject: IPP (631/tcp) Scans

OK, what's up with all of the attention on port 631/tcp from the k1dd33z?
We've seen an increase from zero to a couple of scans (walks across several
class C nets) per day,

  Jul01 0
  Jul02 0
  Jul03 0
  ..
  Jul14 0
  Jul15 0
  Jul16 1
  Jul17 2
  Jul18 3
  Jul19 3
  Jul20 2
  Jul21 1
  Jul22 1
  Jul23 3

I don't recall any new problems with port 631/tcp. One of the IIS issues
was print related, but I thought it was expoited via an HTTP (80/tcp)
interface to the IPP services, not via 631/tcp. Some kiddies have a 0-day?
Or is one of those things where someone starts looking for some ancient
hole (e.g. occasional flurries of activity looking for old POP exploits)? 

-- 
Crist J. Clark                                Network Security Engineer
crist.clark@globalstar.com                    Globalstar, L.P.
(408) 933-4387                                FAX: (408) 933-4926

The information contained in this e-mail message is confidential,
intended only for the use of the individual or entity named above.  If
the reader of this e-mail is not the intended recipient, or the employee
or agent responsible to deliver it to the intended recipient, you are
hereby notified that any review, dissemination, distribution or copying
of this communication is strictly prohibited.  If you have received this
e-mail in error, please contact postmaster@globalstar.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

Relevant Pages

  • Re: IPFW almost works now -> stateful rules
    ... >> there is no rule for the port 21. ... > This has been discussed before: his FTP server is listening on a high port. ... The information contained in this e-mail message is confidential, ... the reader of this e-mail is not the intended recipient, ...
    (FreeBSD-Security)
  • Oracle XDB FTP
    ... Regarding Oracle XDB FTP & HTTP Service Buffer Overflows, ... I do not see any service on port 2100. ... This e-mail message, including any attachments, ... intended recipient, please contact the sender by reply e-mail and destroy ...
    (Focus-IDS)
  • Re: FreeBSD 4.7 Syslogs
    ... Something is listening already on port 514 and syslogd is complaining about ... log device so syslog can see kernel messages. ... This e-mail message, including any attachments, is ... If you are not the intended recipient, ...
    (freebsd-questions)
  • Re: "Another" Newbie IDS Question
    ... of your 3com switch, but a usually nice way to set this up is to enable ... from any ports on your switch is replicated to one port. ... > The information contained in this e-mail message is confidential, ... > employee or agent responsible to deliver it to the intended recipient, ...
    (Focus-IDS)
  • Re: nc help needed.
    ... Try to use a different port and see if it is working. ... An example is the NETBIOS Session Service ... the reader of this message is not the intended recipient, ...
    (Security-Basics)