ports being scanned 515

Post by Stephen Lohnin » Mon, 02 Jul 2001 22:50:53



Should I worry if I find ports being scanned? My firewall stops them (I
think?). Should I drop all connections from IP addresses that scan my ports, or
my network range?

Post by Gandalf Parke » Mon, 02 Jul 2001 23:37:01



> Should I worry if I find ports being scanned? My firewall stops them (I
> think?). Should I drop all connections from IP addresses that scan my ports, or
> my network range?

Depends on what you mean by scanned. Many perfectly legal and
internet-standard port connects are reported by firewalls. Many other hits
represent drive-by scannings by people who are scanning from 0 to 254 the
entire IP group you happen to be in.

IMHO I would only pay extra attention to ones that come back for a second
look. Scanning every port you have or trying the same port in different
combinations.

Think of it in real life as if you were in a crowd. The way you treat casual
looks from strangers, vs a double-take or extended attention.

Gandalf Parker


Post by Tim Hayne » Tue, 03 Jul 2001 01:39:35


[snip]

> > Depends on what you mean by scanned. Many perfectly legal and
> > internet-standard port connects are reported by firewalls. Many other
> > hits represent drive-by scannings by people who are scanning from 0 to
> > 254 the entire IP group you happen to be in.

> Possibly a dumb question, but are there any legitimate reasons for
> someone to attempt to connect to port 515 on an apparently random
> machine?

I'd say not. If you don't advertise printer services, they've got no reason
to be looking for them other than honest mistake. (That much is obvious to
spot, too - you'd see a connection attempt with about 3 SYN packets, at
increasing intervals - you'd not expect to see a `SYN stealth' scan of just
one packet.)

> > IMHO I would only pay extra attention to ones that come back for a
> > second look. Scanning every port you have or trying the same port in
> > different combinations.

> What would you think about something like this?

> Jul  1 12:43:54 UDP: dgram to port 1032 from xxx.xxx.xxx.x:2567 (8 data bytes)
> Jul  1 12:44:55 UDP: dgram to port 1032 from xxx.xxx.xxx.x:2568 (8 data bytes)
[snip]
> Jul  1 12:53:03 UDP: dgram to port 1032 from xxx.xxx.xxx.x:2577 (8 data bytes)
> Jul  1 12:54:04 UDP: dgram to port 1032 from xxx.xxx.xxx.x:2578 (8 data bytes)

> (IP mangled because the apparent source is a school that probably doesn't
> have any legitimate users on a sunday).

> To my untrained eye, it looks a bit like some kind of inversed traceroute.

Traceroute? I think not. UDP-using traceroute uses ports way up in the
32000s and odds.

Rather more interesting that it's something happening every minute, is it
not? I'd suggest a timeout of some sort, where the source port is going up
with the number of retries, and the destination is the same. I'd ask if
you're on dynamic IP#s, in which case, maybe the previous incumbent had a
UDP client/server session[i] going with that school, and you've got the dregs.

~Tim

Footnotes:
[i]  given that you can't have a `connection', this will have to suffice :)

--

And you watch the ripples flow              |http://spodzone.org.uk/
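Tim's reading of those UDP lines (one destination port, source port going up by one, roughly a minute apart) is the kind of pattern a small log classifier can pick out and keep apart from a sweep across several ports. This is an added example, not code from the thread: it parses lines in the format quoted above, using constructed sample lines with documentation addresses in place of the mangled source, and the thresholds (three hits, 50 to 70 seconds between retries) are assumptions.

```python
import re
from datetime import datetime
# Constructed sample firewall lines in the format quoted in the thread;
# the source addresses are documentation ranges, not the poster's real one.
SAMPLE_LOG = """\
Jul  1 12:43:54 UDP: dgram to port 1032 from 192.0.2.10:2567 (8 data bytes)
Jul  1 12:44:55 UDP: dgram to port 1032 from 192.0.2.10:2568 (8 data bytes)
Jul  1 12:45:56 UDP: dgram to port 1032 from 192.0.2.10:2569 (8 data bytes)
Jul  1 12:50:01 UDP: dgram to port 53 from 192.0.2.77:1111 (8 data bytes)
Jul  1 12:50:02 UDP: dgram to port 111 from 192.0.2.77:1112 (8 data bytes)
Jul  1 12:50:03 UDP: dgram to port 515 from 192.0.2.77:1113 (8 data bytes)
"""
LINE_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) UDP: dgram to port (\d+) "
    r"from ([\d.]+):(\d+) \((\d+) data bytes\)$"
)

def parse(log, year=2001):
    # (timestamp, dst_port, src_ip, src_port) per parsable line; syslog stamps
    # carry no year, so the caller supplies one.
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            events.append((ts, int(m.group(2)), m.group(3), int(m.group(4))))
    return events

def classify(events, min_hits=3, period=(50, 70)):
    # A retrying client hits one port with the source port rising by one per
    # attempt at a steady interval (period, in seconds); a sweep touches
    # several ports; fewer than min_hits packets is just a casual hit.
    by_src = {}
    for ts, dport, src, sport in events:
        by_src.setdefault(src, []).append((ts, dport, sport))
    verdicts = {}
    for src, hits in by_src.items():
        hits.sort()
        if len(hits) < min_hits:
            verdicts[src] = "casual"
            continue
        dports = {d for _, d, _ in hits}
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(hits, hits[1:])]
        steps = [b[2] - a[2] for a, b in zip(hits, hits[1:])]
        if (len(dports) == 1 and all(s == 1 for s in steps)
                and all(period[0] <= g <= period[1] for g in gaps)):
            verdicts[src] = "retrying client"
        else:
            verdicts[src] = "sweep" if len(dports) > 1 else "repeat"
    return verdicts
```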


Post by Phil » Tue, 03 Jul 2001 02:12:07


Pertaining to the following, possibly you should research the adore worm.
Among others, it ran rampant on port 515. So yes, there is a legit reason
for people to randomly scan 515.

> > Possibly a dumb question, but are there any legitimate reasons for
> > someone to attempt to connect to port 515 on an apparently random
> > machine?

> I'd say not. If you don't advertise printer services, they've got no reason
> to be looking for them other than honest mistake. (That much is obvious to
> spot, too - you'd see a connection attempt with about 3 SYN packets, at
> increasing intervals - you'd not expect to see a `SYN stealth' scan of just
> one packet.)



Post by Ian Jone » Tue, 03 Jul 2001 02:56:16



> Pertaining to the following, possibly you should research the adore worm.
> Among others, it ran rampant on port 515. So yes, there is a legit reason
> for people to randomly scan 515.


There was also a recently released exploit for Solaris involving a format
string. It has been mentioned that HP NetJetThingie might be vulnerable as
well ... don't know anything about this one.


Post by Rudolf Polz » Tue, 03 Jul 2001 03:58:48




> > Pertaining to the following, possibly you should research the adore worm.
> > Among others, it ran rampant on port 515. So yes, there is a legit reason
> > for people to randomly scan 515.

>  There was also a recently released exploit for Solaris involving a format
>  string. It has been mentioned that HP NetJetThingie might be vulnerable as

                                      ^^^^^^^^^^^^^^^^

>  well ... don't know anything about this one.

Do you mean a printer? What does an exploit in a printer mean? Switchoff/
switchon? Or more?

--
Your password must be at least 18770 characters and cannot repeat any of
your previous 30689 passwords. Please type a different password. Type a
password that meets these requirements in both text boxes. [M$]
(Fix: http://support.microsoft.com/support/kb/articles/q276/3/04.ASP)


Post by Ian Jone » Tue, 03 Jul 2001 04:33:25



> > > Pertaining to the following, possibly you should research the adore
> > > worm. Among others, it ran rampant on port 515. So yes, there is a
> > > legit reason for people to randomly scan 515.

> > There was also a recently released exploit for Solaris involving a format
> > string. It has been mentioned that HP NetJetThingie might be vulnerable as
>                                       ^^^^^^^^^^^^^^^^
> > well ... don't know anything about this one.

> Do you mean a printer? What does an exploit in a printer mean? Switchoff/
> switchon? Or more?

I will reiterate that I don't know anything about this one...call it
hearsay and ignore it. Perhaps I should limit my posts to something I *do*
know at least *something* about ... NAH!

Just a remembrance of half-read posts to an incidents list recently is why
I mentioned it at all. Since I don't have one I didn't pay that much
attention.


Post by . » Tue, 03 Jul 2001 05:29:58



>What does an exploit in a printer mean?

In this case, it means the software that handles printer services (lprng) is
vulnerable to an exploit that can lead to a remote user/worm gaining root
access to your host without having a local account on said host.

Post by Rudolf Polz » Tue, 03 Jul 2001 05:56:30


> > >  string. It has been mentioned that HP NetJetThingie might be vulnerable as

                                          ^^^^^^^^^^^^^^^^

> > >  well ... don't know anything about this one.
> >What does an exploit in a printer mean?

>  In this case, it means the software that handles printer services (lprng) is
>  vulnerable to an exploit that can lead to a remote user/worm gaining root
>  access to your host without having a local account on said host.

You snipped the part I was commenting on. I thought he meant the internal
software (which is something like an lpd) of the NetJet printers.

I did know about the lprng holes; I was asking about holes in the printer
firmware.

--
2.4.5 in arch/mips/kernel/irixelf.c(759):
  #if 0 /* XXX No *ing way dude... */


Post by Harry Putna » Tue, 03 Jul 2001 06:30:13



> Pertaining to the following, possibly you should research the adore worm.
> Among others, it ran rampant on port 515. So yes, there is a legit reason
> for people to randomly scan 515.


There is a somewhat dated detailed report about adore and 515 here:
(April 04 01)
 http://www.sans.org/y2k/040401.htm

It claims there is a two part slam dunk to this operation.

It hits on port 3879 and establishes some kind of cmd channel that is
related to an attempt to stuff a buffer overflow down LPRng's throat.
The end result for the hacker is supposed to be a root shell.

One that unsuccessfully tried me out looked like this in linux syslog output:

  Jun 26 14:17:37 reader SERVER[12951]: Dispatch_input: bad request line
  'BB?????????XXXXXXXXXXXXXXXXXX%.168u%300$nsecurity.%301\
  $nsecurity%302$n%.192u%303$n^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^\
  P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^\
  P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P\
  ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P\
  ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P\
  ^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P^P
  ^P^P^P^P^P^P^P^P^P^P^P^P^P^P

The SERVER part is the tipoff of LPRng taking the connection, I'm told.
The glossolalia-looking stuff is the crud that is supposed to cause
the buffer overflow.  LPRng's logging facility stupidly does *NOT*
record the address of a connection.  At least not by default.
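What marks that log line as a format-string attempt rather than a merely malformed print request is the run of positional `%300$n`-style specifiers, which no print job ever needs. This is an added example, not code from the thread: a small triage over constructed syslog lines in the format Harry quotes (the exploit string abbreviated), flagging LPRng "bad request line" entries that carry such specifiers. Since LPRng does not log the peer address, the returned timestamp is what you would join against a firewall log that does. The two-write threshold is an assumption.

```python
import re
# Constructed syslog lines. The first mimics the abbreviated LPRng
# "bad request line" quoted above; the second is a merely malformed request;
# the third is unrelated noise.
SAMPLE_SYSLOG = [
    "Jun 26 14:17:37 reader SERVER[12951]: Dispatch_input: bad request line "
    "'BB??XXXXXXXX%.168u%300$nsecurity.%301$nsecurity%302$n%.192u%303$n"
    + "^P" * 40 + "'",
    "Jun 26 15:02:10 reader SERVER[13002]: Dispatch_input: bad request line "
    "'\\x02myqueue garbage'",
    "Jun 26 15:03:00 reader sshd[13010]: Accepted publickey for alice",
]
BAD_REQUEST_RE = re.compile(r"SERVER\[\d+\]: Dispatch_input: bad request line '(.*)'$")
WRITE_SPEC_RE = re.compile(r"%\d*\$?n")   # %n / %300$n: writes memory, never in a print job
PAD_SPEC_RE = re.compile(r"%\.(\d+)u")    # %.168u: padding that sets the written value
NOP_RUN_RE = re.compile(r"(?:\^P){8,}")   # long run of 0x10 bytes, rendered as ^P by syslog

def analyse(line):
    # Returns None for lines that are not LPRng bad-request entries, else the
    # indicators found in the request text.
    m = BAD_REQUEST_RE.search(line)
    if not m:
        return None
    req = m.group(1)
    writes = WRITE_SPEC_RE.findall(req)
    pads = [int(p) for p in PAD_SPEC_RE.findall(req)]
    nop = NOP_RUN_RE.search(req)
    return {
        "n_writes": len(writes),
        "pad_total": sum(pads),
        "nop_run": len(nop.group(0)) // 2 if nop else 0,
        "suspicious": len(writes) >= 2,
    }

def triage(lines):
    # (syslog timestamp + host, indicators) for every suspicious entry; LPRng
    # does not log the peer address, so the timestamp is the join key back to
    # a firewall log that does.
    out = []
    for line in lines:
        r = analyse(line)
        if r and r["suspicious"]:
            out.append((line.split(" SERVER[")[0], r))
    return out
```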


Post by Tim Hayne » Tue, 03 Jul 2001 08:16:06



> Pertaining to the following, possibly you should research the adore worm.
> Among others, it ran rampant on port 515. So yes, there is a legit reason
> for people to randomly scan 515.

Er... y'know, that just doesn't hold self-consistency. `Adore exists,
therefore 515/tcp scans are legit'? Pull the other ones, they haveth bells
on.

~Tim
--

and settled down to sleep.                  |http://spodzone.org.uk/


Post by Jessica Luedtk » Tue, 03 Jul 2001 09:49:37


: You snipped the part I was commenting on. I thought he means the internal
: software (which is something like a lpd) of the NetJet printers.

: I did know about the lprng holes; I was asking about holes in the printer
: firmware.

When the exploit attempt is sent to HP printers with a JetDirect card (as
often happens when someone attempts the exploit against an entire
network), the printer starts spitting out trays full of printouts with
gobbledygook on them.

It's not that the exploit is aimed at these printers - it's just an
unfortunate side effect.

jessica


Post by cartman prob » Tue, 03 Jul 2001 11:48:11


kinda off subject but I closed 515 the other day and got 6 hits on 515 the
second I closed the port. But no adore ... so what gives?
rh7.1


Post by Ian Jone » Tue, 03 Jul 2001 12:25:52



> kinda off subject but I closed 515 the other day and got 6 hits on 515
> the  second I closed the port. But no adore ... so what gives?
> rh7.1


The Lprng exploit was simply one of the many tools used in the adore worm.
One does not mean the other.
