Re: new exploit - ping/137/27374 ?

["Lamer" <perlamer@netfront.net>]

If you would like to do them, why not
enabling those kernel option (rp_filter, syn_cookie, whatever)
and play it with iptables?
--
k h a o s * lamer
new name, new look, new ftp:
linuxxxxx.dyn.dhs.org (change FOUR letter)
upload something before downloading, or your class C IP banned.
----- Original Message -----
From: "Moe Harley" <moeser@airswitch.net>
To: <debian-firewall@lists.debian.org>
Sent: Sunday, July 01, 2001 10:39 AM
Subject: Re: new exploit - ping/137/27374 ?


> What do the ping/syn packets look like?  Perhaps
> a specific IDS rule can be thrown together for them?
>
> -Moeser
>
> ----- Original Message -----
> From: JonesMB <jonesmb@arthem.com>
> To: <debian-firewall@lists.debian.org>
> Sent: Friday, June 29, 2001 1:30 PM
> Subject: new exploit - ping/137/27374 ?
>
>
> > is there a new exploit script that starts with a ping, followed by
> attempts
> > at connecting to port 137, followed by 27374.  I have seen a big
increase
> > in this in my ipchains logs this week.  I have also noticed that
attempts
> > at port 111 have almost disappeared.
> >
> > jmb
> >
> > PS - before any educates me on the port numbers being used in the
> attempts,
> > I know that 111 is for RPC exploits, 137 is for Netbios SMB and 27374 is
> > for SubSeven.
> >
> >
> > --
> > To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> > with a subject of "unsubscribe". Trouble? Contact
> listmaster@lists.debian.org
> >
> >
>
>
> --
> To UNSUBSCRIBE, email to debian-firewall-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact
listmaster@lists.debian.org
>
>