Large scale scan of port 2401

From: Aaron (lilnickat_private)
Date: Tue Aug 21 2001 - 16:55:43 PDT

    All,
    	Yesterday we were hit by a scan of our entire /16 looking
    (presumably) for hosts with port 2401 open, any ideas what vulnerability
    this might be looking for? As best I can tell, CVS uses that port but I'm
    not aware of any particularly recent vulnerabilities related to this. Below
    are a few packets for review, the source was a single Asia Pac host. Many
    of our hosts were hit up to 10 times with the same scan, all scans to a
    particular host came within a second or two.
    
    A quick web browse to this host yields a page with the following:
    
    MNS Hacked Your System
    UID=0(Root) GID=0(Root)
    Twe4k Greetz: Sense, Xentric
    For Contact: MNSSecureat_private
    
    Yes, I've notified the appropriate parties... just trying to get more
    info.
    
    Thanks,
    Aaron
    
    ------------------------------------------------------------------------------
    #(3 - 126682) [2001-08-20 19:26:55]  spp_stream4: STEALTH ACTIVITY (SYN
    FIN scan) detection
    IPv4: xxx.xxx.xxx.124 -> yyy.yyy.yyy.86
          hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=24 chksum=41707
    TCP:  port=2401 -> dport: 2401  flags=******SF seq=541615222
          ack=596132070 off=5 res=0 win=1028 urp=0 chksum=18956
    Payload: none
    ------------------------------------------------------------------------------
    #(3 - 125059) [2001-08-20 19:26:42]  spp_stream4: STEALTH ACTIVITY (SYN
    FIN scan) detection
    IPv4: xxx.xxx.xxx.124 -> yyy.yyy.yyy.206
          hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=17 chksum=44147
    TCP:  port=2401 -> dport: 2401  flags=******SF seq=1283850951
          ack=886489455 off=5 res=0 win=1028 urp=0 chksum=61485
    Payload: none
    ------------------------------------------------------------------------------
    #(3 - 126136) [2001-08-20 19:26:47]  spp_stream4: STEALTH ACTIVITY (SYN
    FIN scan) detection
    IPv4: xxx.xxx.xxx.124 -> yyy.yyy.yyy.205
          hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=11 chksum=45428
    TCP:  port=2401 -> dport: 2401  flags=******SF seq=830168929
          ack=2092976059 off=5 res=0 win=1028 urp=0 chksum=57193
    Payload: none
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
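The alert records quoted above carry a recognisable tool fingerprint: every packet has both SYN and FIN set (a combination no normal TCP stack emits), the source port equals the destination port, and the IP ID (39426) and window (1028) are identical across packets to different targets. The following script, an added example rather than anything from the original post or the ARIS service, parses records in that spp_stream4 layout and reports those properties so an analyst can tell a crafted scanner sweep from stray connection attempts. The sample records are constructed to mirror the post, with documentation-range placeholder addresses in place of the masked ones.

```python
"""Parse Snort spp_stream4 'STEALTH ACTIVITY' alert records and summarise
the scan fingerprint (SYN+FIN, sport == dport, fixed IP ID / window)."""
import re
from collections import Counter

# Constructed sample in the same layout as the post; addresses are
# placeholders from the documentation ranges, other field values as posted.
SAMPLE_ALERTS = """\
------------------------------------------------------------------------------
#(3 - 126682) [2001-08-20 19:26:55]  spp_stream4: STEALTH ACTIVITY (SYN
FIN scan) detection
IPv4: 192.0.2.124 -> 198.51.100.86
      hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=24 chksum=41707
TCP:  port=2401 -> dport: 2401  flags=******SF seq=541615222
      ack=596132070 off=5 res=0 win=1028 urp=0 chksum=18956
Payload: none
------------------------------------------------------------------------------
#(3 - 125059) [2001-08-20 19:26:42]  spp_stream4: STEALTH ACTIVITY (SYN
FIN scan) detection
IPv4: 192.0.2.124 -> 198.51.100.206
      hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=17 chksum=44147
TCP:  port=2401 -> dport: 2401  flags=******SF seq=1283850951
      ack=886489455 off=5 res=0 win=1028 urp=0 chksum=61485
Payload: none
------------------------------------------------------------------------------
#(3 - 126136) [2001-08-20 19:26:47]  spp_stream4: STEALTH ACTIVITY (SYN
FIN scan) detection
IPv4: 192.0.2.124 -> 198.51.100.205
      hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=11 chksum=45428
TCP:  port=2401 -> dport: 2401  flags=******SF seq=830168929
      ack=2092976059 off=5 res=0 win=1028 urp=0 chksum=57193
Payload: none
"""

# One regex covers a whole multi-line record (DOTALL lets '.' span newlines).
RECORD_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\].*?"
    r"IPv4:\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+).*?"
    r"ID=(?P<ipid>\d+).*?TTL=(?P<ttl>\d+).*?"
    r"TCP:\s+port=(?P<sport>\d+)\s+->\s+dport:\s+(?P<dport>\d+)\s+"
    r"flags=(?P<flags>\S+).*?win=(?P<win>\d+)",
    re.DOTALL,
)


def parse_alerts(text):
    """Split the alert text on dashed separators and extract one dict per record."""
    records = []
    for chunk in re.split(r"^-{10,}\s*$", text, flags=re.MULTILINE):
        m = RECORD_RE.search(chunk)
        if not m:
            continue  # separator noise or a record in another layout
        d = m.groupdict()
        records.append({
            "ts": d["ts"], "src": d["src"], "dst": d["dst"],
            "ip_id": int(d["ipid"]), "ttl": int(d["ttl"]),
            "sport": int(d["sport"]), "dport": int(d["dport"]),
            "flags": d["flags"], "win": int(d["win"]),
        })
    return records


def _constant(values, total):
    """Return the single value if every record shares it, else None."""
    top, n = Counter(values).most_common(1)[0]
    return top if n == total else None


def fingerprint(records):
    """Summarise the properties that distinguish a crafted scan from real traffic."""
    total = len(records)
    if total == 0:
        return {"packets": 0}
    return {
        "packets": total,
        "sources": sorted({r["src"] for r in records}),
        "targets": len({r["dst"] for r in records}),
        "dports": sorted({r["dport"] for r in records}),
        # SYN and FIN together is never produced by a normal TCP stack.
        "syn_fin": sum(1 for r in records if "S" in r["flags"] and "F" in r["flags"]),
        "sport_eq_dport": sum(1 for r in records if r["sport"] == r["dport"]),
        # A fixed IP ID or window across packets to different hosts is a
        # tool artefact; the kernel would vary the ID per packet.
        "fixed_ip_id": _constant([r["ip_id"] for r in records], total),
        "fixed_window": _constant([r["win"] for r in records], total),
    }


def is_tool_scan(fp):
    """True when every packet is SYN+FIN with sport == dport and a fixed IP ID."""
    n = fp.get("packets", 0)
    return (n > 0 and fp["syn_fin"] == n and fp["sport_eq_dport"] == n
            and fp["fixed_ip_id"] is not None)


if __name__ == "__main__":
    fp = fingerprint(parse_alerts(SAMPLE_ALERTS))
    print(fp)
    print("crafted scanner sweep:", is_tool_scan(fp))
```

Run against a larger export of the same alerts, the `targets` count and the spread of TTLs show how much of the address space was swept, while `fixed_ip_id` and `fixed_window` stay constant for the whole run if a single tool produced it.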



    This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 10:25:30 PDT