6112 tcp is also the default for dtspcd - one of the CDE exploit scanners I guess. % grep dtsp /etc/inetd.conf # dtspc stream tcp nowait root /usr/dt/bin/dtspcd dtspcd % grep dtsp /etc/services dtspc 6112/tcp #subprocess control Neil > On Fri, Dec 07, 2001 at 05:57:42PM -0600, dewt wrote: > > On Friday 07 December 2001 03:14 pm, Paul Dokas wrote: > > > Is anyone else seeing large numbers of 6112/TCP scan coming from > > > 63.240.0.0 - 63.242.255.255? I'm seeing about 10/minute destined to > > > random IPs within my networks. The scanning technique looks exactly > > > like the TCPMUX scans that were occuring a few months ago (forgive me, > > > I can't remember what the technique was, just that it was really odd). > > > > > > Obviously, they're looking for vulnerable CDE installations. > > > > > > Paul > > > > 6112 is the port used by blizzard's battlenet, you might just have people > > playing diablo 2,starcraft, or whatever on your network > > You know, at first, this sounded right to me. However, over the weekend > and yesterday, my IDS picked up lots of this: > > Time Source IP Dest IP Protocol Src Port Dest Port Type Connections/Packets > > 9-Dec-2001 12:56:27 63.240.202.138 A.B.C.26 6 1248 6112 bad dst port 1 > 9-Dec-2001 12:56:27 63.240.202.138 A.B.E.27 6 1193 6112 bad dst port 1 > 9-Dec-2001 12:56:37 63.240.202.138 A.B.F.69 6 1208 6112 bad dst port 1 > 9-Dec-2001 12:55:56 63.240.202.138 A.B.G.38 6 1128 6112 bad dst port 1 > 9-Dec-2001 12:56:07 63.240.202.138 A.B.G.43 6 1139 6112 bad dst port 1 > 9-Dec-2001 12:56:57 63.240.202.138 A.B.D.116 6 1127 6112 bad dst port 1 > 9-Dec-2001 12:57:37 63.240.202.138 A.B.D.105 6 1099 6112 bad dst port 1 > 9-Dec-2001 12:57:37 63.240.202.138 A.B.G.100 6 1176 6112 bad dst port 1 > . > . > . > > > Where I've replace my IP addresses with 'A.B.[CDEFG].' All of the packets > were 40bytes and not all of the destination IP addresses are being used. > > > The source of the packets were 63.240.202.138, 63.240.202.139 and > 63.240.202.140, the destination was always 6112/TCP. I've got ~450 > packets over the 4 day period from 00:00 GMT+6 12/8 through this morning > for my /21 network. > > > To me, it looks like there was a slow scan with randomized destinations going > until Friday. Then it seems to have switched to a faster type of scan, or > possibly to just scanning my class A or B network. > > > Also, there does appear to be legitimate battlenet traffic going to that > area of the Internet. Perhaps someone is scanning from those IPs specifically > to hide within the legit battlenet traffic? > > > Paul > -- > Paul Dokas dokasat_private > ====================================================================== > Don Juan Matus: an enigma wrapped in mystery wrapped in a tortilla. > > -------------------------------------------------------------------------- -- > This list is provided by the SecurityFocus ARIS analyzer service. > For more information on this free incident handling, management > and tracking system please see: http://aris.securityfocus.com > > ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Tue Dec 11 2001 - 18:47:57 PST