All,

Yesterday we were hit by a scan of our entire /16 looking (presumably) for hosts with port 2401 open. Any ideas what vulnerability this might be looking for? As best I can tell, CVS uses that port, but I'm not aware of any particularly recent vulnerabilities related to this.

Below are a few packets for review; the source was a single Asia Pac host. Many of our hosts were hit up to 10 times with the same scan; all scans to a particular host came within a second or two.

A quick web browse to this host yields a page with the following:

    MNS Hacked Your System
    UID=0(Root) GID=0(Root)
    Twe4k
    Greetz: Sense, Xentric
    For Contact: MNSSecureat_private

Yes, I've notified the appropriate parties... just trying to get more info.

Thanks,
Aaron

------------------------------------------------------------------------------
#(3 - 126682) [2001-08-20 19:26:55] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
IPv4: xxx.xxx.xxx.124 -> yyy.yyy.yyy.86 hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=24 chksum=41707
TCP: port=2401 -> dport: 2401 flags=******SF seq=541615222 ack=596132070 off=5 res=0 win=1028 urp=0 chksum=18956
Payload: none
------------------------------------------------------------------------------
#(3 - 125059) [2001-08-20 19:26:42] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
IPv4: xxx.xxx.xxx.124 -> yyy.yyy.yyy.206 hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=17 chksum=44147
TCP: port=2401 -> dport: 2401 flags=******SF seq=1283850951 ack=886489455 off=5 res=0 win=1028 urp=0 chksum=61485
Payload: none
------------------------------------------------------------------------------
#(3 - 126136) [2001-08-20 19:26:47] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
IPv4: xxx.xxx.xxx.124 -> yyy.yyy.yyy.205 hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=11 chksum=45428
TCP: port=2401 -> dport: 2401 flags=******SF seq=830168929 ack=2092976059 off=5 res=0 win=1028 urp=0 chksum=57193
Payload: none
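An added example, not part of Aaron's post or the ARIS service, showing how a defender could triage alerts like the ones above: it parses records in the spp_stream4 layout quoted in the post, keeps only packets with both SYN and FIN set, groups them by source to flag a sweep across several hosts, and notes whether every packet carried the same IP ID and TCP window (a tool fingerprint, as seen in the three packets above). The sample records are constructed and use RFC 5737 documentation addresses in place of the real hosts.

```python
import re
from collections import defaultdict

# Constructed sample in the spp_stream4 alert layout; addresses are RFC 5737
# documentation ranges, not the hosts from the post. Last record is a normal SYN.
SAMPLE_ALERTS = """\
#(3 - 126682) [2001-08-20 19:26:55] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
IPv4: 198.51.100.124 -> 192.0.2.86 hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=24 chksum=41707
TCP: port=2401 -> dport: 2401 flags=******SF seq=541615222 ack=596132070 off=5 res=0 win=1028 urp=0 chksum=18956
Payload: none
#(3 - 125059) [2001-08-20 19:26:42] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
IPv4: 198.51.100.124 -> 192.0.2.206 hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=17 chksum=44147
TCP: port=2401 -> dport: 2401 flags=******SF seq=1283850951 ack=886489455 off=5 res=0 win=1028 urp=0 chksum=61485
Payload: none
#(3 - 126136) [2001-08-20 19:26:47] spp_stream4: STEALTH ACTIVITY (SYN FIN scan) detection
IPv4: 198.51.100.124 -> 192.0.2.205 hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=11 chksum=45428
TCP: port=2401 -> dport: 2401 flags=******SF seq=830168929 ack=2092976059 off=5 res=0 win=1028 urp=0 chksum=57193
Payload: none
#(1 - 900001) [2001-08-20 19:30:02] constructed negative case: ordinary SYN to the CVS port
IPv4: 203.0.113.7 -> 192.0.2.86 hlen=5 TOS=0 dlen=60 ID=1234 flags=0 offset=0 TTL=64 chksum=1
TCP: port=40000 -> dport: 2401 flags=******S* seq=1 ack=0 off=10 res=0 win=5840 urp=0 chksum=2
Payload: none
"""

IP_RE = re.compile(r"IPv4: (\S+) -> (\S+) .*?ID=(\d+) ")
TCP_RE = re.compile(r"port=(\d+) -> dport: (\d+) flags=(\S+) .*?win=(\d+)")

def parse_alerts(text):
    """Yield one dict per alert record; a record starts with a '#(' header line."""
    for block in re.split(r"(?m)^#\(", text)[1:]:
        ip, tcp = IP_RE.search(block), TCP_RE.search(block)
        if not (ip and tcp):
            continue  # header without a parsable IPv4/TCP pair: skip it
        yield {"src": ip.group(1), "dst": ip.group(2), "ip_id": int(ip.group(3)),
               "sport": int(tcp.group(1)), "dport": int(tcp.group(2)),
               "flags": tcp.group(3), "win": int(tcp.group(4))}

def find_syn_fin_sweeps(text, min_targets=2):
    """Map each source sending SYN+FIN to >= min_targets distinct hosts to a summary:
    the targets, destination ports, and whether IP ID and window were constant."""
    by_src = defaultdict(list)
    for pkt in parse_alerts(text):
        if "S" in pkt["flags"] and "F" in pkt["flags"]:  # SYN and FIN never coexist legitimately
            by_src[pkt["src"]].append(pkt)
    sweeps = {}
    for src, pkts in by_src.items():
        targets = sorted({p["dst"] for p in pkts})
        if len(targets) >= min_targets:
            sweeps[src] = {"targets": targets, "dports": sorted({p["dport"] for p in pkts}),
                           "fixed_ip_id": len({p["ip_id"] for p in pkts}) == 1,
                           "fixed_win": len({p["win"] for p in pkts}) == 1}
    return sweeps
```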
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 10:25:30 PDT