Security Incidents mailing list archives

Re: sgi-dgl scanning

From: ellidz () ERIDU UCHICAGO EDU (E. Larry Lidz)
Date: Tue, 28 Mar 2000 09:58:43 -0600


Michael Stone writes:

Does anyone know why I'd be seeing an increase in scanning on port 5232
(sgi-dgl)? Is there an exploit for dgl, a trojan using this port, or is
it just people trying to fingerprint sgi's?


We saw a scan for dgl followed by a few connections to the Object
Server port (5135) on a few machines. The machines that were running
the object server then had a non-root like account added to the machine
(called "hehe") and and attempt was made to use the df overflow to get
root.

We've reported a possible Object Server bug to CERT and SGI, but
haven't gotten any information back (SGI's policy is to neither confirm
nor deny problems until there is a fix).

The Object Server was removed after 6.2, I think. I'd be very cautious
if you're seeing connections to port 5135 as well.

-Larry

---
E. Larry Lidz                                        Phone: (773)702-2208
Network Security Officer                             Fax:   (773)702-3219
Network Security Center, The University of Chicago
PGP: finger ellidz () uchicago edu or network-security () uchicago edu

Current thread:

link-local IPs (Was "Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity)"), (continued)
- - - link-local IPs (Was "Re: 169.254.x.x (Dramatic increase in UDP Port 137 (NetBIOS Name Service) probe activity)") Richard Johnson (Mar 30)
    - unapproved queries for "aol.com" Francis A. Vidal (Mar 26)
    - Linux-box hacked, ls, ps, login modified Frank Derichsweiler (Mar 22)
    - Re: Linux-box hacked, ls, ps, login modified Rick Tait (Mar 22)
    - Re: Linux-box hacked, ls, ps, login modified Granquist, Lamont (Mar 24)
    - 'fatal:' sshd log message Przemyslaw Frasunek (Mar 25)
    - sgi-dgl scanning Michael Stone (Mar 27)
    - unusual mail file Donald McLachlan (Mar 28)
    - Re: unusual mail file Ryan Hilton (Mar 28)
    - Front Page Extensions vventura () SIA PT (Mar 28)
    - Re: sgi-dgl scanning E. Larry Lidz (Mar 28)
    - Syn attacks ? Klavs Klavsen (Mar 28)
    - Re: lots of interest in port 109 (POP2) markus tromday (Mar 22)
- Re: lots of interest in port 109 (POP2) Donald McLachlan (Mar 07)
  - Re: lots of interest in port 109 (POP2) Paul Rice (Mar 13)
  - Munged Napster Sessions Stephen P. Berry (Mar 13)
    - Looking for Squid Proxies Cy Schubert - ITSD Open Systems Group (Mar 16)
    - Re: Munged Napster Sessions Vanja Hrustic (Mar 16)
    - Port 6112 Stuart Staniford-Chen (Mar 17)
    - Re: Port 6112 Robert Graham (Mar 20)
    - Re: Port 6112 Stuart Staniford-Chen (Mar 20)

(Thread continues...)