Security Incidents mailing list archives

RE: IKE /HTTP exploit???


From: Dean Cunningham <Dean.Cunningham () ew govt nz>
Date: Mon, 13 Aug 2001 12:46:52 +1200

Can that request; I did a further search of the archives and found:


"I couldn't find it now, but I think last week someone mentioned that if the
default setting on a W2k server is to attempt a secure connection, it will
send out this 500/udp probe to try to contact the other code and negotiate IKE.
If you review your logs, you'll probably see this udp/500 probe quickly
followed by attempted connection from the same host to port 80/tcp."

This looks like the sig.

cheers
Dean

-----Original Message-----
From: Dean Cunningham [mailto:Dean.Cunningham () ew govt nz]
Sent: Monday, 13 August 2001 11:49 a.m.
To: 'incidents () securityfocus com'
Subject: IKE /HTTP exploit???


I am getting a few (300 in the last week) scans showing up in the firewall
logs.
These existed pre CR, but I am interested as to what the exploit is.
Any pointers?

regards
Dean


Summary:
Source:         202.98.196.18
Destination:    202.36.123.140
Time NZST:      13 Aug 2001 10:57 to 10:58 (+1200)
Time GMT:       12 Aug 2001 22:57 to 22:58
Protocols:      IKE HTTP
***************************************************
This e-mail is  not an  official  statement of  the
Waikato  Regional  Council unless otherwise stated.
Visit our website http://www.ew.govt.nz
***************************************************

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
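
The pattern described in the quoted archive post (a udp/500 probe quickly followed by a tcp/80 connection from the same host) can be searched for in firewall logs. The following Python sketch is an added example, not part of the original messages; the log format, the 60-second window, the same-destination requirement and the sample lines (documentation addresses) are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "time src dst proto dport" format.
SAMPLE_LOG = """\
2001-08-13T10:57:02 192.0.2.18 198.51.100.140 udp 500
2001-08-13T10:57:05 192.0.2.18 198.51.100.140 tcp 80
2001-08-13T10:57:40 192.0.2.77 198.51.100.140 tcp 80
2001-08-13T10:58:10 192.0.2.90 198.51.100.140 udp 500
2001-08-13T11:30:00 192.0.2.90 198.51.100.140 tcp 80
2001-08-13T11:31:00 192.0.2.55 198.51.100.141 udp 500
2001-08-13T11:31:01 192.0.2.55 198.51.100.140 tcp 80
# malformed line below is skipped
garbage
"""

WINDOW = timedelta(seconds=60)  # assumption: "quickly followed" means within a minute


def parse(line):
    """Return (time, src, dst, proto, dport), or None for comment/malformed lines."""
    parts = line.split()
    if len(parts) != 5 or line.startswith("#"):
        return None
    try:
        return (datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3].lower(), int(parts[4]))
    except ValueError:
        return None


def find_ike_then_http(log_text, window=WINDOW):
    """Find udp/500 followed within `window` by tcp/80, same source and destination."""
    events = sorted(e for e in map(parse, log_text.splitlines()) if e)
    last_ike = {}  # (src, dst) -> time of the most recent udp/500 packet
    hits = []
    for ts, src, dst, proto, dport in events:
        key = (src, dst)
        if (proto, dport) == ("udp", 500):
            last_ike[key] = ts
        elif (proto, dport) == ("tcp", 80) and key in last_ike:
            gap = ts - last_ike.pop(key)
            if gap <= window:
                hits.append((src, dst, int(gap.total_seconds())))
    return hits


if __name__ == "__main__":
    for src, dst, gap in find_ike_then_http(SAMPLE_LOG):
        print(f"{src} -> {dst}: udp/500 then tcp/80 after {gap}s")
```

Sources that only connect to tcp/80, or whose udp/500 and tcp/80 packets are far apart or go to different destinations, are not reported.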