Security Incidents mailing list archives

NTP scan ????


From: Russell Fulton <R.FULTON () auckland ac nz>
Date: 27 Feb 2002 10:43:19 +1300

Just picked up a SYN scan for NTP.  There were problems with xntp a
while back, I wonder if there is now an exploit out there...

Report from my scan detector:


We saw adsl-63-199-26-228.dsl.snfc21.pacbell.net[63.199.26.228] talk to 48 ports/addresses(s)
on Tue 26 Feb 2002 at 17:00 (UTC)

-- Wed 27 Feb 2002 at 05:00 (NZDT)

Connection rate approx 48 per second

130.216.2.10-31.tcp - 123             130.216.4.5.tcp - 123
130.216.2.105.tcp - 123               130.216.4.90.tcp - 123
130.216.2.138-148.tcp - 123           130.216.4.133.tcp - 123
130.216.2.220-225.tcp - 123           130.216.4.206.tcp - 123
130.216.3.18.tcp - 123                130.216.5.36.tcp - 123
130.216.4.0-1.tcp - 123


Some sample packet traces were:  Times UTC +1300 GPS synchronized
2002-02-27-05:00:08  tcp   63.199.26.228:4908     -> 130.216.2.30:123 S_
2002-02-27-05:00:08  tcp   63.199.26.228:4909     -> 130.216.2.31:123 S_
2002-02-27-05:00:08  tcp   63.199.26.228:1260     -> 130.216.2.105:123 S_
2002-02-27-05:00:08  tcp   63.199.26.228:1302     -> 130.216.2.138:123 S_
2002-02-27-05:00:08  tcp   63.199.26.228:1306     -> 130.216.2.139:123 S_
2002-02-27-05:00:08  tcp   63.199.26.228:1307     -> 130.216.2.140:123 S_
2002-02-27-05:00:08  tcp   63.199.26.228:1308     -> 130.216.2.141:123 S_
2002-02-27-05:00:08  tcp   63.199.26.228:1310     -> 130.216.2.142:123 S_
2002-02-27-05:00:08  tcp   63.199.26.228:1311     -> 130.216.2.143:123 S_
2002-02-27-05:00:08  tcp   63.199.26.228:1312     -> 130.216.2.144:123 S_
2002-02-27-05:00:08  tcp   63.199.26.228:1313     -> 130.216.2.145:123 S_
2002-02-27-05:00:10  tcp   63.199.26.228:1923     -> 130.216.4.0:123 S_
2002-02-27-05:00:10  tcp   63.199.26.228:1925     -> 130.216.4.1:123 S_
2002-02-27-05:00:10  tcp   63.199.26.228:1929     -> 130.216.4.5:123 S_
2002-02-27-05:00:10  tcp   63.199.26.228:2739     -> 130.216.4.90:123 S_
2002-02-27-05:00:10  tcp   63.199.26.228:3876     -> 130.216.4.133:123 S_
2002-02-27-05:00:10  tcp   63.199.26.228:4036     -> 130.216.4.206:123 S_
2002-02-27-05:00:10  tcp   63.199.26.228:4337     -> 130.216.5.36:123 S_
2002-02-27-05:00:08  tcp   63.199.26.228:1314     -> 130.216.2.146:123 S_
2002-02-27-05:00:08  tcp   63.199.26.228:1316     -> 130.216.2.147:123 S_




-- 
Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
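
As an added example (not part of the original post, and not the author's scan detector), the Python code below derives a per-source summary like the one in the report from trace lines in the layout shown above. The meaning given to the `S_` flag string, the `min_targets` threshold and all function names are assumptions; the sample lines are constructed in the post's layout.

```python
import re
from collections import defaultdict
from ipaddress import IPv4Address

# Constructed sample in the trace layout used in the post; the 192.0.2.7
# line is an invented single connection that must not be reported.
SAMPLE = """\
2002-02-27-05:00:08  tcp   63.199.26.228:1306     -> 130.216.2.139:123 S_
2002-02-27-05:00:08  tcp   63.199.26.228:1302     -> 130.216.2.138:123 S_
2002-02-27-05:00:08  tcp   63.199.26.228:1307     -> 130.216.2.140:123 S_
2002-02-27-05:00:10  tcp   63.199.26.228:1923     -> 130.216.4.0:123 S_
2002-02-27-05:00:10  tcp   63.199.26.228:1925     -> 130.216.4.1:123 S_
2002-02-27-05:00:10  tcp   63.199.26.228:1929     -> 130.216.4.5:123 S_
2002-02-27-05:00:11  tcp   192.0.2.7:40000        -> 130.216.2.10:80 S_
"""

# Assumption: "S_" marks a SYN for which nothing further was seen.
PROBE_FLAGS = "S_"
LINE = re.compile(
    r"^(\S+)\s+(tcp|udp)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+->\s+"
    r"(\d+\.\d+\.\d+\.\d+):(\d+)\s+(\S+)$")

def parse(text):
    """Yield (src, dst, proto, dport, flags) for each well-formed trace line."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            _, proto, src, _, dst, dport, flags = m.groups()
            yield src, IPv4Address(dst), proto, int(dport), flags

def collapse(addrs):
    """Collapse addresses into runs such as 130.216.2.138-140 (within one /24)."""
    runs = []
    for a in sorted(set(addrs)):
        last = runs[-1] if runs else None
        if last and int(a) == int(last[-1]) + 1 and int(a) >> 8 == int(last[0]) >> 8:
            last.append(a)
        else:
            runs.append([a])
    return [str(r[0]) if len(r) == 1 else f"{str(r[0])}-{int(r[-1]) & 0xFF}"
            for r in runs]

def summarize(text, min_targets=5):
    """Map (source, port) to collapsed targets for sources probing many hosts."""
    fan = defaultdict(set)
    for src, dst, proto, dport, flags in parse(text):
        if proto == "tcp" and flags == PROBE_FLAGS:
            fan[(src, dport)].add(dst)
    return {k: collapse(v) for k, v in fan.items() if len(v) >= min_targets}
```
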

