[Dshield] Strange activity..

Ed Truitt ed.truitt at etee2k.net
Thu Jun 26 14:17:58 GMT 2003


Did you notice any probes against port 3268?  I had one day about a
month ago when someone hit both 389 and 3268, which indicates to me they
were looking for Win2K Domain Controllers (3268 is the Global Catalog
port).  The day that happened, DShield reported a spike in the number of
targets/probes, though the # of sources stayed about the same.  I
haven't seen that combination since.  Unfortunately, I had my tarpit
shut down Monday, as I left town on a short vacation.


-- 
---
Cheers,
Ed Truitt
PGP fingerprint:  5368 D25E 468C A250 9833  CCD6 DBAE 9C25 02F9 0AB9
http://www.etee2k.net
http://www.bsatroop148.org

"Note to spammers:  my 'delete' key is connected to YOUR ISP.
 Also, if you send me UCE, I reserve the right to post your spew
on my Web site, with the appropriate color commentary, so that
others may have a good laugh at your expense."

On Tue, 2003-06-24 at 09:44, Mark Warner wrote:
> strange is right.... the only 389 traffic I get is my Apples trying to 
> connect to the PGP keyserver.  All internal tho.
> Nothing unusual today
> Mark
> 
> At 04:15 PM 6/23/2003 -0500, you wrote:
> >Is anyone else noticing unusual hits on udp port 389 (LDAP)? Within the last
> >2 hours I've had over 300 different sources attempt to scan my entire /24.
> >
> >--
> >
> >Micheal Patterson
> >TSG Network Administration
> >405-917-0600
> >
> >
> >_______________________________________________
> >list mailing list
> >list at dshield.org
> >To change your subscription options (or unsubscribe), see: 
> >http://www.dshield.org/mailman/listinfo/list
> 
> 
> 
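
Added example, not part of the original thread: one way to check firewall logs for the pattern discussed above, a single source probing both 389 (LDAP) and 3268 (Global Catalog), along with how many distinct targets each source touched. The iptables-style log lines are constructed sample data using documentation addresses, and the function names `summarize` and `dc_hunters` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines in an iptables-style LOG format (assumption);
# all addresses are from the documentation ranges.
SAMPLE_LOG = """\
Jun 23 16:02:11 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=UDP SPT=1027 DPT=389
Jun 23 16:02:12 fw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=UDP SPT=1027 DPT=389
Jun 23 16:02:15 fw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=4410 DPT=389
Jun 23 16:02:15 fw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.10 PROTO=TCP SPT=4411 DPT=3268
Jun 23 16:02:19 fw kernel: IN=eth0 OUT= SRC=203.0.113.44 DST=192.0.2.12 PROTO=TCP SPT=4412 DPT=3268
Jun 23 16:03:40 fw kernel: IN=eth0 OUT= SRC=198.51.100.90 DST=192.0.2.10 PROTO=TCP SPT=2200 DPT=80
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=\S+ .*?DPT=(?P<dpt>\d+)")
LDAP, GLOBAL_CATALOG = 389, 3268

def summarize(log_text):
    """Per source: which of the two ports it hit and how many targets it touched."""
    seen = defaultdict(lambda: {"ports": set(), "targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a packet log entry
        dpt = int(m["dpt"])
        if dpt in (LDAP, GLOBAL_CATALOG):
            entry = seen[m["src"]]
            entry["ports"].add(dpt)
            entry["targets"].add(m["dst"])
    return {s: {"ports": sorted(v["ports"]), "targets": len(v["targets"])}
            for s, v in seen.items()}

def dc_hunters(summary):
    """Sources that probed both 389 and 3268 (the combination noted in the thread)."""
    return sorted(s for s, v in summary.items()
                  if v["ports"] == [LDAP, GLOBAL_CATALOG])

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src, info in sorted(summary.items()):
        print(f"{src}: ports={info['ports']} distinct_targets={info['targets']}")
    print("hit both 389 and 3268:", dc_hunters(summary))
```
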