LDAP scan increase
We are seeing a significant increase in scans for port 389. This port is associated with LDAP. LDAP is used by a variety of different systems, in particular Windows Active Directory. At this point, it is not clear what these scans are attempting to accomplish. If you have any information, in particular FULL PACKET CAPTURES (not just firewall logs), let us know.

http://www.dshield.org/port_report.php?port=389

Update

The increase in port 389 scans is believed to be due to a new exploit against the iMail LDAP server. The exploit has been posted here: http://www.coromputer.net/files/ldaped.c

Windows 98 ASN.1 Patch

Readers reported to our handlers team that Microsoft is distributing a patch for the ASN.1 issue to Windows 98 users per request. If you are running Windows 98, contact your Microsoft representative for the location of the patch.

As reported earlier, the ASN.1 advisory MS04-007 only covers newer versions of Windows. Windows 98, however, is still vulnerable.

Workaround: you may want to consider renaming or removing msasn1.dll. However, please test this fix carefully, as it may break some software.

Careful! Do not trust any patches sent via e-mail.

MyDoom Remover release via Windows Update

Currently, Microsoft is offering a MyDoom virus remover via its Windows Update service.

Free Windows Patch CD

Microsoft offers a free patch CD for all currently supported versions of Windows. You can order a CD here: http://www.microsoft.com/security/protect/cd/order.asp

------------
Johannes Ullrich, SANS Institute
jullrich_AT_sans.org
http://isc.sans.org/contact.html
Johannes, ISC Handler, Feb 23rd 2004