Security Incidents mailing list archives
Re: Who is looking for port 2036?
From: Justin <justinvinn () gmail com>
Date: Fri, 28 Oct 2005 14:04:30 -0400
Joakim, I think that these are just script kiddie scans looking for poorly configured and/or vulnerable boxen. Hack together a few lines of Perl, and make it listen on 2036. Then see what the attackers send after the port is open. As to port 80, there are a bunch of reasons why this could be occuring. Keeping in line with the script kiddie idea, it could be somebody looking for IIS vulns or the like. GL with your research. peace, --Justin On 10/27/05, mis () seiden com <mis () seiden com> wrote:
might be someone looking for a no password remote login vulnerability in novell bordermanager, as described at: http://craigjconsulting.com/bmgrptch.html "Jan 11, 2003 - I added a note for some bugs below this section. I also wanted to finally tell people what the NW6RCONJ2A.EXE patch was all about. I had avoided telling about the bug until now to give people enough time to go about patching their servers before making it obvious what the bug was about. However, I keep getting new clients who have read my patch list here and just skipped that patch because they didn't think it was applicable to them. They are quite surprised when I connect to their BorderManager server over the Internet using RCONAG6 without a password! The version of RCONAG6 shipped with NW6SP2.EXE included a flawed version of RCONAG6. The bad version does not look at the password entry for the 'secure' (encrypted) port (2036 by default). Consequently, you can connect to a server without a password if that version of RCONAG6 is loaded, and the usual Novell default filter exceptions are in place. The NW6RCONJ2A patch fixes this problem." On Thu, Oct 27, 2005 at 08:10:19PM +0200, Joakim Berge wrote:On 10/26/05, Tillmann Werner <tillmann.werner () gmx de> wrote:Joakim,The scan seems to be from a large botnet, across the world.What makes you believe the attack's origin is a botnet?I belive it is a botnet becouse the source addresses are couple of hundred different ones (i think....havent counted). I dont see any pattern, and they are spread across the planet.They have only targeted one ip, and it doesn't respond to those ports.Your samples only showed port 2036/tcp on a very low frequency. Is this representative for a longer period? What is the percentage of port 80/tcp packets?This has been going on for a month, and the frequency is about 200 per day for 2036 and 50 per day for 80. NFR also reports combined scan for "2036 80".Is it the tryout of a new worm?Unlikely, if it only targets a single ip address which does not respond. Http might be used as destination port for such packets are likely to go through firewalls. If you are interested in furhter investigation, you could run netcat on the attacked host to see if connection establishment goes on and if there arrives any data. Tillmann-- Joakim Berge Tlf. +47 93489696 MSN. joakim.berge () gmail com
Current thread:
- Who is looking for port 2036? Joakim Berge (Oct 25)
- Re: Who is looking for port 2036? Tillmann Werner (Oct 26)
- Re: Who is looking for port 2036? Joakim Berge (Oct 27)
- Re: Who is looking for port 2036? mis (Oct 27)
- Re: Who is looking for port 2036? Justin (Oct 28)
- Re: Who is looking for port 2036? Joakim Berge (Oct 27)
- Re: Who is looking for port 2036? Tillmann Werner (Oct 26)