On Wed, 5 Jun 2002, High Speed wrote: > last 2 days I noticed an increased scan against port 1524 > > ingreslock 1524/tcp ingres > ingreslock 1524/udp ingres For some reason, the script kiddie community has standardized on this port as a backdoor for most automated attacks. What you have now is attackers looking for systems that have already been hacked into with a backdoor installed. Very similar to the concept of the Leaves/W32 worm looking for systems compromised with Sub7. For over three years now the Honeynet Project has witnessed numerous different exploits and attacks against various Unix systems. Though the vulnerabilities and tools are constantly changing, we have repeatedly seen the use of 1524 as the backdoor. Even with the dtspcd exploit back in January, it used 1524 as the backdoor. While crude, scanning for port 1524 is an effective method to finding (and taking over) compromised systems. lance ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jun 05 2002 - 13:05:13 PDT