[Dshield] port 515 surge

Clint Byrum cbyrum at erp.com
Thu Oct 25 19:12:25 GMT 2001


I noticed in myreports.php that port 515 is not given a "danger" icon. 
It appears as benign as RealPlayer port 6970. These seem to be quite 
"evil" scans, so shouldn't they at least get a status of "Medium" (a 
yellow dot)?

BTW, I also got scanned "top to bottom" (a whole 64 IPs) for 515 a 
couple of times recently. So it's not just that big submitter.

Johannes B. Ullrich wrote:

>Just a quick note. There is a big surge in port 515 scans if you look at 
>the top 10 port page.
>
>I am currently investigating. But so far, it does not look like anything 
>too exciting. It is just that a very large submitter got scanned 'top to 
>bottom' for port 515.
>
>Port 515 is used for the printer service in Unix. It is commonly 'scanned 
>for' as it is vulnerable up to and including RedHat 7.0. Make sure you got it
>switched off or patched. But if you are still running the original 7.0 
>install, it is probably already too late.
>
>Here are some details:
>
>+------------------------+------------+
>| Number of Targets      | date       |
>+------------------------+------------+
>|                   1543 | 2001-09-23 |
>|                   1909 | 2001-09-24 |
>|                    979 | 2001-09-25 |
>|                    766 | 2001-09-26 |
>|                    912 | 2001-09-27 |
>|                   1228 | 2001-09-28 |
>|                   1330 | 2001-09-29 |
>|                    879 | 2001-09-30 |
>|                   1194 | 2001-10-01 |
>|                   1169 | 2001-10-02 |
>|                   1183 | 2001-10-03 |
>|                   1217 | 2001-10-04 |
>|                   6291 | 2001-10-05 |
>|                   1396 | 2001-10-06 |
>|                  37982 | 2001-10-07 |
>|                   1661 | 2001-10-08 |
>|                   7276 | 2001-10-09 |
>|                   1160 | 2001-10-10 |
>|                   2111 | 2001-10-11 |
>|                    682 | 2001-10-12 |
>|                    949 | 2001-10-13 |
>|                   1680 | 2001-10-14 |
>|                   1580 | 2001-10-15 |
>|                   1302 | 2001-10-16 |
>|                    490 | 2001-10-17 |
>|                    951 | 2001-10-18 |
>|                   1163 | 2001-10-19 |
>|                    622 | 2001-10-20 |
>|                   1621 | 2001-10-21 |
>|                   1083 | 2001-10-22 |
>|                   1389 | 2001-10-23 |
>|                  29580 | 2001-10-24 |
>|                  49398 | 2001-10-25 |
>+------------------------+------------+
>
>
>+------------------------+------------+
>| Number of users        | date       |
>+------------------------+------------+
>|                    177 | 2001-09-23 |
>|                    141 | 2001-09-24 |
>|                    132 | 2001-09-25 |
>|                    150 | 2001-09-26 |
>|                    141 | 2001-09-27 |
>|                    154 | 2001-09-28 |
>|                    169 | 2001-09-29 |
>|                    156 | 2001-09-30 |
>|                    155 | 2001-10-01 |
>|                    117 | 2001-10-02 |
>|                    141 | 2001-10-03 |
>|                    117 | 2001-10-04 |
>|                    148 | 2001-10-05 |
>|                    189 | 2001-10-06 |
>|                    176 | 2001-10-07 |
>|                    166 | 2001-10-08 |
>|                    130 | 2001-10-09 |
>|                    142 | 2001-10-10 |
>|                    143 | 2001-10-11 |
>|                    135 | 2001-10-12 |
>|                    160 | 2001-10-13 |
>|                    182 | 2001-10-14 |
>|                    153 | 2001-10-15 |
>|                    143 | 2001-10-16 |
>|                    129 | 2001-10-17 |
>|                    113 | 2001-10-18 |
>|                    116 | 2001-10-19 |
>|                    145 | 2001-10-20 |
>|                    108 | 2001-10-21 |
>|                    115 | 2001-10-22 |
>|                    133 | 2001-10-23 |
>|                    125 | 2001-10-24 |
>|                     25 | 2001-10-25 |
>+------------------------+------------+
>
>
>- -- 
>- -------
>jullrich at sans.org                    Join http://www.DShield.org
>                          Distributed Intrusion Detection System
>
>
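Added example (not part of either message or of DShield's own code): the two quoted tables, read together, show how to tell a surge driven by a few large submitters from a broad one. The sketch below flags days where the target count jumps against a trailing median and checks whether the number of reporting users moved with it. The 7-day window and the 3.0 / 1.5 thresholds are assumptions chosen for illustration.

```python
from datetime import date, timedelta
from statistics import median

# Daily port 515 counts copied from the two tables in the quoted message,
# 2001-09-23 through 2001-10-25, in date order.
START = date(2001, 9, 23)
TARGETS = [1543, 1909, 979, 766, 912, 1228, 1330, 879, 1194, 1169, 1183,
           1217, 6291, 1396, 37982, 1661, 7276, 1160, 2111, 682, 949, 1680,
           1580, 1302, 490, 951, 1163, 622, 1621, 1083, 1389, 29580, 49398]
USERS = [177, 141, 132, 150, 141, 154, 169, 156, 155, 117, 141, 117, 148,
         189, 176, 166, 130, 142, 143, 135, 160, 182, 153, 143, 129, 113,
         116, 145, 108, 115, 133, 125, 25]


def find_spikes(targets, users, start=START, window=7, spike=3.0, broad=1.5):
    """Return (day, target_ratio, user_ratio, kind) for each spike day.

    A day is a spike when its target count is at least `spike` times the
    median of the previous `window` days. The median keeps one earlier
    spike from inflating the baseline. Thresholds are illustrative
    assumptions, not values used by DShield.
    """
    found = []
    for i in range(window, len(targets)):
        t_ratio = targets[i] / median(targets[i - window:i])
        u_ratio = users[i] / median(users[i - window:i])
        if t_ratio < spike:
            continue
        # Submitter count rising with the targets -> widespread scanning.
        # Flat or falling submitter count -> a few submitters with large
        # address ranges account for the jump.
        kind = "broad" if u_ratio >= broad else "concentrated"
        day = start + timedelta(days=i)
        found.append((day, round(t_ratio, 1), round(u_ratio, 2), kind))
    return found


if __name__ == "__main__":
    for day, t_ratio, u_ratio, kind in find_spikes(TARGETS, USERS):
        print(f"{day}  targets x{t_ratio:<5} users x{u_ratio:<5} {kind}")
```

A user ratio far below 1 on the most recent day, as on 2001-10-25 here, is worth reading as a possibly incomplete reporting day before drawing conclusions from it.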