Re: ssh scans

From: Matthew Leeds (mleedsat_private)
Date: Fri Sep 28 2001 - 14:20:31 PDT


    There are a couple of well-known holes in the CSS (née ArrowPoint).
    
    http://www.cisco.com/warp/public/707/arrowpoint-cli-filesystem-pub.shtml
    
    You might want to contact the party responsible for these devices and have them check them.
    
    ---Matthew
    
    *********** REPLY SEPARATOR  ***********
    
    On 9/28/2001 at 2:04 PM Heather Adkins wrote:
    
    >According to your banner, that host is an Arrowpoint (AKA a Cisco CSS)
    >switch.
    >
    >Port 5001 is the default port for the Application Peering Protocol.  It
    >allows switches to communicate with each other to share content information
    >(like content rules).
    >
    >I highly doubt your switch has been compromised.
    >
    >-- Heather Adkins
    >-- Security Engineer 
    >-- NOCpulse, INC.
    >-- 408.541.2857
    >
    >On Fri, 28 Sep 2001, Chad Mawson wrote:
    >
    >> I vaguely remember seeing something about this a month or so ago, but I
    >> don't remember any details.  I am getting attempts 1-2 times a day from
    >> different IP addresses on TCP port 22.
    >> 
    >> nmap returns this:
    >> 
    >> Port    State       Protocol  Service
    >> 21      open        tcp       ftp
    >> 22      open        tcp       ssh
    >> 23      open        tcp       telnet
    >> 80      filtered    tcp       http
    >> 5001    open        tcp       commplex-link
    >> 
    >> I can't get a telnet or http response, but ssh and ftp do.  FTP (not
    >> trying to log in, just getting the headers) shows:
    >> 
    >> 220 ArrowPoint (5.3.1) FTP server ready
    >> Name (216.34.77.12:root):
    >> 331 Password required
    >> Password:
    >> 530 Login failed.
    >> Login failed.
    >> ftp> quit
    >> 221 Thank you for visiting. May the remainder of your day be filled with
    >> joy.
    >> 
    >> I also can't find any good info on port 5001.  I'm assuming these
    >> systems have been compromised, but I'd like to make sure before I start
    >> trying to contact anyone.
    >> 
    >> Thanks
    >> 
    >> Chad Mawson
    >> Woods & Aitken LLP
    >> 
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
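A small triage helper that applies the reasoning in this thread: the FTP greeting identifies the box as a Cisco CSS (ArrowPoint), so 5001/tcp is the Application Peering Protocol rather than evidence of compromise, and only ports the product does not account for need a closer look. This is an added example, not code from any poster; the expected-port table is an assumption built solely from the ports and explanations quoted above, and identification says what the device is, not that it is clean (the advisory Matthew links still has to be checked against the running version).

```python
import re

# Constructed sample input: the nmap table and FTP greeting quoted in the thread.
NMAP_OUTPUT = """\
Port    State       Protocol  Service
21      open        tcp       ftp
22      open        tcp       ssh
23      open        tcp       telnet
80      filtered    tcp       http
5001    open        tcp       commplex-link
"""
FTP_BANNER = "220 ArrowPoint (5.3.1) FTP server ready"

# Assumed table of what a Cisco CSS (ArrowPoint) is expected to listen on, built
# only from the ports and explanations given in this thread (5001/tcp = APP).
CSS_EXPECTED_PORTS = {
    21: "ftp (management)",
    22: "ssh (management)",
    23: "telnet (management)",
    80: "http (web management)",
    5001: "Application Peering Protocol (APP), not commplex-link",
}

def parse_nmap_table(text):
    """Return {port: (state, service)} from the old-style nmap table in the thread."""
    ports = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0].isdigit():
            ports[int(parts[0])] = (parts[1], parts[3])
    return ports

def identify_from_ftp_banner(banner):
    """Map the CSS FTP greeting to (product, version); None if it is not a CSS."""
    m = re.match(r"220 ArrowPoint \(([\d.]+)\) FTP server ready", banner.strip())
    return ("Cisco CSS (ArrowPoint)", m.group(1)) if m else None

def triage(nmap_text, banner):
    """Explain each open port for an identified CSS; anything left over needs a look.
    Unidentified hosts get every open port reported as unexplained."""
    ports = parse_nmap_table(nmap_text)
    open_ports = sorted(p for p, (state, _) in ports.items() if state == "open")
    ident = identify_from_ftp_banner(banner)
    if ident is None:
        return {"device": None, "explained": {}, "unexplained": open_ports}
    explained = {p: CSS_EXPECTED_PORTS[p] for p in open_ports if p in CSS_EXPECTED_PORTS}
    unexplained = [p for p in open_ports if p not in CSS_EXPECTED_PORTS]
    return {"device": f"{ident[0]} {ident[1]}", "explained": explained, "unexplained": unexplained}
```

Running `triage(NMAP_OUTPUT, FTP_BANNER)` reports the device as "Cisco CSS (ArrowPoint) 5.3.1" with 21, 22, 23 and 5001 explained and nothing unexplained; the filtered port 80 is not counted as open.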
    
    This archive was generated by hypermail 2b30 : Fri Sep 28 2001 - 14:19:47 PDT