[nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
Rolf Gartmann
rolf.gartmann at switch.ch
Tue Apr 15 11:29:02 EDT 2008
from the fingers of jose nazario on 15.4.2008 at 17:14:
> ----------- nsp-security Confidential --------
>
> Following publication of the exploit code for the HP OV NMM buffer overflow
> on TCP/2954, we're seeing a spike in attackers now for this port. This
> follows a smaller bump last week when the code was a) not working well and
> b) possibly working exploit code was not so public. Via ATLAS, here are the
> top hosts scanning:
>
> Host              Bytes per subnet   Percentage
> 85.25.146.193     2.09 kB            84.6%
> 80.233.240.24     186.94 B           7.6%
> 62.77.76.167      60.20 B            2.4%
> 195.246.222.16    53.74 B            2.2%
> 193.93.27.17      37.02 B            1.5%
> 89.146.16.26      28.20 B            1.1%
> 80.123.116.21     7.26 B             0.3%
> 62.244.213.210    5.34 B             0.2%
> 212.241.176.186   0.33 B             0.0%
> 85.196.83.12      0.16 B             0.0%
> Other             0 B                0.0%
>
> This is all since 01:50 UTC today.
I can throw in some stats from our Darkspace:
2008-04-10 11:10 29658
2008-04-10 11:15 37669
2008-04-10 11:20 27340
2008-04-11 00:45 7706
2008-04-11 00:50 11555
2008-04-11 01:00 10340
2008-04-11 02:10 78
2008-04-15 07:40 11262
2008-04-15 07:45 18584
checking from 2008-04-08 till now, numbers are pkts/5min
(timestamps UTC+2)
-
Rolf
> Exploit code is here:
>
> http://www.milw0rm.com/exploits/5445
>
> - jose
--
SWITCH
Serving Swiss Universities
--------------------------
Rolf Gartmann, Security Engineer, Member of SWITCH-CERT
PGP fingerprint: 4602 9CC2 6C04 5DF0 3A05 7609 BC09 45A2 2E0E CA35
SWITCH, Werdstrasse 2, P.O. Box, CH-8021 Zurich, Switzerland
http://www.switch.ch/cert/