[Klug-general] SNORTing the rabbit hole
Alan @ COMM-TECH
alan at communitytechnology.org.uk
Wed Feb 24 10:57:04 UTC 2010
MacGyveR wrote:
>> This one is 10.1.1.10 a Laserjet 4300 - what is that weird destination
>> address?
>>
>> EVENTS SOURCE DEST METHOD
>> 1180 10.1.1.10 239.255.255.250 MISC UPnP malformed advertisement
>>
>> This is an ordinary Linux box - running nothing special with regards to
>> services... what is that method?
>>
>> EVENTS SOURCE DEST METHOD
>> 974 10.1.1.182 212.49.203.231 COMMUNITY WEB-MISC mod_jrun
>> overflow attempt
>>
>> Any ideas?
>>
>
> The first one is just UPnP announcements; you should be able to turn it off on
> the printer if you don't use it (auto-discover devices etc.).
>
> The second would be a web server attack. Are you running mod_jrun on Apache?
>
You're right - it appears that the UPnP advertisement is made by some
misconfigured devices (i.e. most of them by default). One has turned out to
be an iPhone!
As for the mod_jrun - it looks like it's related to webmail -
squirrelmail in particular.
Thanks for the pointers!
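The triage done by hand in this thread (group the alerts by source, destination and message, recognise the SSDP multicast group as a UPnP device announcing itself, notice that the mod_jrun "overflow" has an internal host as the *source*, and finally silence the confirmed-benign printers and phones) can be scripted against Snort's alert_fast output. The block below is an added example, not code from the original post or from the Snort project; the alert lines are constructed, and the SIDs and revisions in them are placeholders rather than verified rule identifiers.

```python
"""Triage Snort 'alert_fast' lines like the two alert types in the thread.

Added example, not code from the mailing-list post or from Snort. The
sample alerts are constructed; the SIDs (1384, 100000122) and revisions
are placeholders, not verified rule identifiers.
"""
import ipaddress
import re
from collections import Counter

SSDP_MCAST = ipaddress.ip_address("239.255.255.250")  # IPv4 SSDP/UPnP group
SSDP_PORT = 1900

# Constructed sample lines in Snort 2 alert_fast format (assumed SIDs).
SAMPLE_ALERTS = """\
02/24-10:12:01.123456  [**] [1:1384:8] MISC UPnP malformed advertisement [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.10:1900 -> 239.255.255.250:1900
02/24-10:12:31.223456  [**] [1:1384:8] MISC UPnP malformed advertisement [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.10:1900 -> 239.255.255.250:1900
02/24-10:13:05.323456  [**] [1:1384:8] MISC UPnP malformed advertisement [**] [Classification: Misc Attack] [Priority: 2] {UDP} 10.1.1.77:49152 -> 239.255.255.250:1900
02/24-10:14:09.423456  [**] [1:100000122:2] COMMUNITY WEB-MISC mod_jrun overflow attempt [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.1.1.182:48211 -> 212.49.203.231:80
"""

# Timestamp, [gid:sid:rev], message, ..., {PROTO} src:sport -> dst:dport
FAST_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alert(line):
    """Parse one alert_fast line into a dict, or None if it does not match
    (e.g. ICMP alerts, which carry no ports)."""
    m = FAST_RE.match(line.strip())
    if not m:
        return None
    a = m.groupdict()
    for key in ("gid", "sid", "rev", "sport", "dport"):
        a[key] = int(a[key])
    a["src"] = ipaddress.ip_address(a["src"])
    a["dst"] = ipaddress.ip_address(a["dst"])
    return a


def classify(a):
    """Short triage verdict for one parsed alert."""
    if a["proto"] == "UDP" and a["dst"] == SSDP_MCAST and a["dport"] == SSDP_PORT:
        # A NOTIFY to the SSDP group: a UPnP-enabled device announcing itself.
        return "ssdp-advertisement"
    if a["src"].is_private and not a["dst"].is_private:
        # The internal host is the *source*: the signature fired on its own
        # request to an external server, not on an attack against it.
        return "outbound-client-match"
    if not a["src"].is_private and a["dst"].is_private:
        return "inbound"
    return "internal"


def summarize(text):
    """Aggregate like the EVENTS / SOURCE / DEST / METHOD table in the thread,
    busiest (count, src, dst, msg, verdict) tuple first."""
    counts = Counter()
    for line in text.splitlines():
        a = parse_alert(line)
        if a:
            counts[(str(a["src"]), str(a["dst"]), a["msg"], classify(a))] += 1
    return sorted(((n,) + key for key, n in counts.items()), reverse=True)


def suppress_lines(text, confirmed_benign):
    """Emit Snort threshold.conf 'suppress' entries for SSDP advertisements
    from sources you have confirmed by hand (the LaserJet, the iPhone)."""
    out = set()
    for line in text.splitlines():
        a = parse_alert(line)
        if a and classify(a) == "ssdp-advertisement" and str(a["src"]) in confirmed_benign:
            out.add(f"suppress gen_id {a['gid']}, sig_id {a['sid']}, track by_src, ip {a['src']}")
    return sorted(out)


if __name__ == "__main__":
    for row in summarize(SAMPLE_ALERTS):
        print("%5d  %-15s %-15s %-45s %s" % row)
    print("\n".join(suppress_lines(SAMPLE_ALERTS, {"10.1.1.10"})))
```

Before adding a suppress entry, confirm on the wire what the device is actually sending; `tcpdump -ni eth0 udp port 1900 and dst host 239.255.255.250` shows the SSDP NOTIFY traffic the printer or phone emits, and disabling UPnP on the device removes the alerts at the source rather than hiding them. For the outbound "client match" case, the next step is to look at what on the source host talks to that destination (here it turned out to be webmail), not to treat the internal box as the victim.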