Security Incidents mailing list archives
Re: dtspcd probes toward Solaris machines
From: Skip Carter <skip () taygeta com>
Date: Fri, 18 Jan 2002 09:54:56 -0800
We have had one probe that fits the description, and a couple of possibly related hits, starting December 8. Some of the traffic is _from_ 6112 rather than to it. Only one hit is both from and to 6112. We don't have any root kits left by the attacker(s).
Our Snort logs started showing these scans on 17 Jan (actually there was ONE probe on 7 Jan but none in 2001), with BOTH source and destination ports set to 6112:

Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.3:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.5:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.7:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.9:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.11:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.13:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.15:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.2:6112 SYN ******S*

--
Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX: 831-641-0647
Taygeta Scientific Inc.        INTERNET: skip () taygeta com
1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
Monterey, CA. 93940

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
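Added example, not part of the original message or of any poster's tooling: a small Python filter for log lines shaped like the excerpt above. It groups SYNs whose source and destination ports are both 6112 by sender and separately lists senders seen transmitting from 6112 to another port. The function names, the three-target threshold and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
import re
from collections import defaultdict

DTSPCD_PORT = 6112  # port the thread's dtspcd probes target

# Matches lines shaped like the excerpt in the message, e.g.
# "Jan 17 19:07:10 198.51.100.7:6112 -> 192.0.2.3:6112 SYN ******S*"
LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]{8}\s+(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<kind>\S+)")

# Constructed sample input (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Jan 17 19:07:10 198.51.100.7:6112 -> 192.0.2.3:6112 SYN ******S*
Jan 17 19:07:10 198.51.100.7:6112 -> 192.0.2.5:6112 SYN ******S*
Jan 17 19:07:10 198.51.100.7:6112 -> 192.0.2.7:6112 SYN ******S*
Jan 17 19:07:11 198.51.100.7:6112 -> 192.0.2.9:6112 SYN ******S*
Jan 17 19:09:42 203.0.113.20:41822 -> 192.0.2.5:6112 SYN ******S*
Jan 17 19:10:03 203.0.113.44:6112 -> 192.0.2.9:33012 SYN ******S*
this line is malformed and must be skipped
"""

def find_sweeps(log_text, port=DTSPCD_PORT, min_targets=3):
    """Return {source: sorted targets} for sources that sent SYNs with
    source port == destination port == `port` to >= `min_targets` hosts."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["kind"] != "SYN":
            continue  # skip malformed lines and non-SYN entries
        if int(m["sport"]) == port and int(m["dport"]) == port:
            targets[m["src"]].add(m["dst"])
    return {src: sorted(dsts) for src, dsts in targets.items()
            if len(dsts) >= min_targets}

def traffic_from_port(log_text, port=DTSPCD_PORT):
    """Sources seen sending *from* `port` to a different destination port."""
    hits = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and int(m["sport"]) == port and int(m["dport"]) != port:
            hits.add(m["src"])
    return sorted(hits)

if __name__ == "__main__":
    for src, dsts in find_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept {len(dsts)} hosts on {DTSPCD_PORT}/tcp")
    print("from-6112 only:", traffic_from_port(SAMPLE_LOG))
```

Addresses are matched as opaque tokens, so masked values such as `xx.xx.xx.3` are grouped the same way as full addresses.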