According to your banner, that host is an Arrowpoint (AKA a Cisco CSS) switch. Port 5001 is the default port for the Application Peering Protocol. It allows switches to communicate to each other to share content information (like content rules). I highly doubt your switch has been compromised.

-- Heather Adkins -- Security Engineer -- NOCpulse, INC. -- 408.541.2857

On Fri, 28 Sep 2001, Chad Mawson wrote:

> I vaguely remember seeing something about this a month or so ago, but I
> don't remember any details. I am getting attempts 1-2 times a day from
> different IP addresses on TCP port 22.
>
> nmap returns this:
>
> Port    State       Protocol  Service
> 21      open        tcp       ftp
> 22      open        tcp       ssh
> 23      open        tcp       telnet
> 80      filtered    tcp       http
> 5001    open        tcp       commplex-link
>
> I can't get a telnet, or http response, but ssh and ftp do. FTP - (not
> trying to log in, just getting the headers) shows:
>
> 220 ArrowPoint (5.3.1) FTP server ready
> Name (216.34.77.12:root):
> 331 Password required
> Password:
> 530 Login failed.
> Login failed.
> ftp> quit
> 221 Thank you for visiting. May the remainder of your day be filled with
> joy.
>
> I also can't find any good info on the port 5001, I'm assuming these
> systems have been compromised, but I'd like to make sure before I start
> trying to contact anyone.
>
> Thanks
>
> Chad Mawson
> Woods & Aitken LLP
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Fri Sep 28 2001 - 14:05:43 PDT