[Dshield] EXPLOIT ISAKMP Attack

jmulkerin jmulkerin at comcast.net
Sat Jun 25 19:41:27 GMT 2005


All of a sudden, I'm seeing regular Port 500 attacks. This is an older 
Check Point VPN-1/SecuRemote ISAKMP Large Certificate Request Payload 
Buffer Overflow attempt. Anyone know of any trojans or viruses that 
might be trying this? I'm seeing it from several IPs: 
71.109.123.242:500, 206.72.72.29:500, & 24.23.161.111:500

Here is an example (sorry, no payloads yet):

[**] [1:2376:3] EXPLOIT ISAKMP first payload certificate request length overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
06/24-16:46:06.359154 206.72.72.29:500 -> Mygateway.IP.address::500
UDP TTL:109 TOS:0x0 ID:22593 IpLen:20 DgmLen:128
Len: 100
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0040][Xref => http://www.securityfocus.com/bid/9582]
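The alert above is in Snort's "full" alert format. Added example (not code from the poster or from DShield): a small parser for that format, followed by a per-signature count of distinct source addresses, which is the check a defender wants when one signature starts firing from several hosts at once. The first sample record is the alert quoted in the post with the redacted gateway replaced by the documentation address 192.0.2.10; the other two records are constructed for the example using the other source addresses the post lists, with made-up timestamps and IP IDs.

```python
"""Parse Snort 'full' alert records and count distinct sources per signature."""
import re
from collections import Counter, defaultdict

# Constructed sample input: record 1 is the post's alert (destination replaced
# by a documentation address); records 2 and 3 are made up for this example.
SAMPLE_ALERTS = """\
[**] [1:2376:3] EXPLOIT ISAKMP first payload certificate request length overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
06/24-16:46:06.359154 206.72.72.29:500 -> 192.0.2.10:500
UDP TTL:109 TOS:0x0 ID:22593 IpLen:20 DgmLen:128
Len: 100
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0040][Xref => http://www.securityfocus.com/bid/9582]

[**] [1:2376:3] EXPLOIT ISAKMP first payload certificate request length overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
06/24-17:02:41.118820 71.109.123.242:500 -> 192.0.2.10:500
UDP TTL:112 TOS:0x0 ID:4411 IpLen:20 DgmLen:128
Len: 100
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0040][Xref => http://www.securityfocus.com/bid/9582]

[**] [1:2376:3] EXPLOIT ISAKMP first payload certificate request length overflow attempt [**]
[Classification: Attempted Administrator Privilege Gain] [Priority: 1]
06/25-03:15:09.502377 24.23.161.111:500 -> 192.0.2.10:500
UDP TTL:117 TOS:0x0 ID:9021 IpLen:20 DgmLen:128
Len: 100
[Xref => http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0040][Xref => http://www.securityfocus.com/bid/9582]
"""

# One regex per line type of the "full" alert format.
HEADER_RE = re.compile(r"^\[\*\*\] \[(\d+):(\d+):(\d+)\] (.*?) \[\*\*\]$")
CLASS_RE = re.compile(r"^\[Classification: (.*?)\] \[Priority: (\d+)\]$")
PACKET_RE = re.compile(r"^(\d\d/\d\d-\d\d:\d\d:\d\d\.\d+) (\S+?):(\d+) -> (\S+?):(\d+)$")
PROTO_RE = re.compile(r"^(\w+) TTL:(\d+) .*?DgmLen:(\d+)")
XREF_RE = re.compile(r"\[Xref => (.*?)\]")


def parse_record(block):
    """Turn one blank-line-delimited alert record into a dict; None if malformed."""
    lines = [ln.strip() for ln in block.strip().splitlines() if ln.strip()]
    if not lines:
        return None
    m = HEADER_RE.match(lines[0])
    if m is None:
        return None  # first line is not a [**] [gid:sid:rev] msg [**] header
    rec = {"gid": int(m.group(1)), "sid": int(m.group(2)), "rev": int(m.group(3)),
           "msg": m.group(4), "xrefs": []}
    for line in lines[1:]:
        if (m := CLASS_RE.match(line)):
            rec["classification"], rec["priority"] = m.group(1), int(m.group(2))
        elif (m := PACKET_RE.match(line)):
            rec["timestamp"] = m.group(1)
            rec["src"], rec["sport"] = m.group(2), int(m.group(3))
            rec["dst"], rec["dport"] = m.group(4), int(m.group(5))
        elif (m := PROTO_RE.match(line)):
            rec["proto"], rec["ttl"], rec["dgmlen"] = m.group(1), int(m.group(2)), int(m.group(3))
        else:
            rec["xrefs"].extend(XREF_RE.findall(line))  # "Len:" lines add nothing
    return rec


def parse_alerts(text):
    """Parse a whole alert file, skipping records that do not match the format."""
    records = [parse_record(b) for b in re.split(r"\n\s*\n", text)]
    return [r for r in records if r is not None]


def sources_per_signature(alerts):
    """Map each signature id to a Counter of the source addresses that fired it."""
    per_sid = defaultdict(Counter)
    for a in alerts:
        per_sid[a["sid"]][a["src"]] += 1
    return per_sid


def widespread_signatures(alerts, min_sources=2):
    """Signature ids seen from at least min_sources distinct hosts. A sweep by
    many unrelated hosts looks like this; one misbehaving VPN peer does not."""
    return sorted(sid for sid, c in sources_per_signature(alerts).items()
                  if len(c) >= min_sources)


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_ALERTS)
    for sid in widespread_signatures(parsed):
        srcs = sources_per_signature(parsed)[sid]
        print(f"SID {sid}: {len(srcs)} distinct sources -> {sorted(srcs)}")
```

Run as-is it reports SID 2376 from three distinct sources. The DgmLen and Len fields are also worth a sanity check when reading such records: 128 bytes of datagram minus a 20-byte IP header and an 8-byte UDP header leaves exactly the 100 bytes Snort reports as Len, so the alert is about a small ISAKMP packet rather than a large certificate-request payload, which is consistent with a probe rather than a full exploit attempt.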
