[nsp-sec] Increased in HP OV NMM scanning (tcp/2954)
Rob Thomas
robt at cymru.com
Tue Apr 15 11:29:16 EDT 2008
Hey, Jose.
Thanks! We saw this hitting our Darknets starting at 2008-04-10
09:14:07 UTC. The first culprit was 12.21.167.70, but there were plenty
of others, most notably in 69/8.
Thanks,
Rob.
jose nazario wrote:
> ----------- nsp-security Confidential --------
>
> Following publication of the exploit code for the HP OV NMM buffer overflow
> on TCP/2954, we're seeing a spike in attackers now for this port. This
> follows a smaller bump last week when the code was a) not working well and
> b) possibly working exploit code was not so public. Via ATLAS, here are the
> top hosts scanning:
>
> Host               Bytes per subnet   Percentage
> 85.25.146.193      2.09 kB            84.6%
> 80.233.240.24      186.94 B           7.6%
> 62.77.76.167       60.20 B            2.4%
> 195.246.222.16     53.74 B            2.2%
> 193.93.27.17       37.02 B            1.5%
> 89.146.16.26       28.20 B            1.1%
> 80.123.116.21      7.26 B             0.3%
> 62.244.213.210     5.34 B             0.2%
> 212.241.176.186    0.33 B             0.0%
> 85.196.83.12       0.16 B             0.0%
> Other              0 B                0.0%
>
> This is all since 01:50 UTC today.
>
> Exploit code is here:
>
> http://www.milw0rm.com/exploits/5445
>
> - jose
--
Rob Thomas
Team Cymru
The WHO and WHY team
http://www.team-cymru.org/
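
The kind of summary both messages report (first time tcp/2954 was seen, and each source's share of the bytes) can be computed from darknet flow records as below. This is an added example, not part of the original thread or of ATLAS or Team Cymru tooling; the record format, the function name and every sample record are constructed, and the source addresses come from the RFC 5737 documentation ranges.

```python
from collections import defaultdict
from datetime import datetime, timezone

PORT = 2954  # TCP port named in the thread

# Constructed darknet flow records: "timestamp src_ip proto dst_port bytes".
# Assumed format; addresses are RFC 5737 documentation ranges, not real scanners.
SAMPLE = """\
2008-04-09T22:10:00Z 198.51.100.7 tcp 445 120
2008-04-10T09:00:00Z 192.0.2.10 tcp 2954 60
2008-04-10T09:20:31Z 192.0.2.10 tcp 2954 60
2008-04-10T11:02:45Z 203.0.113.5 tcp 2954 180
2008-04-10T11:03:00Z 203.0.113.5 udp 2954 90
2008-04-11T03:40:12Z 198.51.100.7 tcp 2954 300
malformed line
2008-04-11T03:41:00Z 198.51.100.7 tcp 2954 600
"""


def summarize(text, port=PORT):
    """Return (first_seen, rows); rows are (src, bytes, percent), largest first."""
    per_src = defaultdict(int)
    first_seen = None
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed records instead of failing the whole run
        ts, src, proto, dport, nbytes = fields
        if proto != "tcp" or not dport.isdigit() or not nbytes.isdigit():
            continue
        if int(dport) != port:
            continue
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if first_seen is None or when < first_seen:
            first_seen = when
        per_src[src] += int(nbytes)
    total = sum(per_src.values())
    # Sort by bytes descending, then by address so ties are stable.
    ranked = sorted(per_src.items(), key=lambda kv: (-kv[1], kv[0]))
    rows = [(src, b, round(100.0 * b / total, 1)) for src, b in ranked]
    return first_seen, rows


if __name__ == "__main__":
    first, rows = summarize(SAMPLE)
    print("first seen:", first.isoformat() if first else "never")
    for src, nbytes, pct in rows:
        print(f"{src:<16}{nbytes:>8} B {pct:>6.1f}%")
```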