Security Incidents mailing list archives
Re: Who is looking for port 2036?
From: mis () seiden com
Date: Thu, 27 Oct 2005 14:51:42 -0700
might be someone looking for a no password remote login vulnerability in novell bordermanager, as described at: http://craigjconsulting.com/bmgrptch.html "Jan 11, 2003 - I added a note for some bugs below this section. I also wanted to finally tell people what the NW6RCONJ2A.EXE patch was all about. I had avoided telling about the bug until now to give people enough time to go about patching their servers before making it obvious what the bug was about. However, I keep getting new clients who have read my patch list here and just skipped that patch because they didn't think it was applicable to them. They are quite surprised when I connect to their BorderManager server over the Internet using RCONAG6 without a password! The version of RCONAG6 shipped with NW6SP2.EXE included a flawed version of RCONAG6. The bad version does not look at the password entry for the 'secure' (encrypted) port (2036 by default). Consequently, you can connect to a server without a password if that version of RCONAG6 is loaded, and the usual Novell default filter exceptions are in place. The NW6RCONJ2A patch fixes this problem." On Thu, Oct 27, 2005 at 08:10:19PM +0200, Joakim Berge wrote:
On 10/26/05, Tillmann Werner <tillmann.werner () gmx de> wrote:Joakim,The scan seems to be from a large botnet, across the world.What makes you believe the attack's origin is a botnet?I belive it is a botnet becouse the source addresses are couple of hundred different ones (i think....havent counted). I dont see any pattern, and they are spread across the planet.They have only targeted one ip, and it doesn't respond to those ports.Your samples only showed port 2036/tcp on a very low frequency. Is this representative for a longer period? What is the percentage of port 80/tcp packets?This has been going on for a month, and the frequency is about 200 per day for 2036 and 50 per day for 80. NFR also reports combined scan for "2036 80".Is it the tryout of a new worm?Unlikely, if it only targets a single ip address which does not respond. Http might be used as destination port for such packets are likely to go through firewalls. If you are interested in furhter investigation, you could run netcat on the attacked host to see if connection establishment goes on and if there arrives any data. Tillmann-- Joakim Berge Tlf. +47 93489696 MSN. joakim.berge () gmail com
Current thread:
- Who is looking for port 2036? Joakim Berge (Oct 25)
- Re: Who is looking for port 2036? Tillmann Werner (Oct 26)
- Re: Who is looking for port 2036? Joakim Berge (Oct 27)
- Re: Who is looking for port 2036? mis (Oct 27)
- Re: Who is looking for port 2036? Justin (Oct 28)
- Re: Who is looking for port 2036? Joakim Berge (Oct 27)
- Re: Who is looking for port 2036? Tillmann Werner (Oct 26)