Security Incidents mailing list archives

Re: port 523/TCP scans


From: "E. Larry Lidz" <ellidz () ERIDU UCHICAGO EDU>
Date: Fri, 17 Nov 2000 13:42:48 -0600

Jose Nazario writes:
> cwru.edu had a rash of some SGIs compromised, which I've been
> investigating. they're currently blocked, btw, at the firewall (the
> compromised machines we have identified) until they can be sanitized and
> hardened.
>
> I've been seeing some sweeps the past week for 5232/TCP. I presume it is
> for marking SGIs on a unique port:
>
> (from nmap output against an SGI)
>
> 5232/tcp   open        sgi-dgl
>
> heads up, all.

Most of the scans we've seen for the OpenGL Daemon were fingerprinting
SGIs before a compromise attempt. The attempt we've seen most frequently
is the Objectserver vulnerability in SGI Advisory 20000303-01-PX,
though I think we might have seen it before some of the telnet
compromises (I don't have the advisory number on hand, sorry).

-Larry

---
E. Larry Lidz                                        Phone: (773)702-2208
Sr. Network Security Officer                         Fax:   (773)702-0559
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
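A defender-side check for the kind of 5232/TCP sweep reported above, added here as an example and not part of the original message: it reads firewall-style log lines and flags any source that probes the sgi-dgl port on several distinct hosts. The log format, the sample lines and the host threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed iptables-style log format (not from the thread).
# One source hits 5232/tcp on four hosts; another touches one host; a third is unrelated.
SAMPLE_LOG = """\
Nov 17 09:01:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.1 PROTO=TCP DPT=5232
Nov 17 09:01:02 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.2 PROTO=TCP DPT=5232
Nov 17 09:01:03 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.3 PROTO=TCP DPT=5232
Nov 17 09:01:03 fw kernel: IN=eth0 SRC=192.0.2.10 DST=198.51.100.4 PROTO=TCP DPT=5232
Nov 17 09:02:10 fw kernel: IN=eth0 SRC=203.0.113.5 DST=198.51.100.7 PROTO=TCP DPT=5232
Nov 17 09:03:00 fw kernel: IN=eth0 SRC=203.0.113.9 DST=198.51.100.2 PROTO=TCP DPT=23
"""

# Fields we need from each line: source, destination and TCP destination port.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dpt>\d+)")

SGI_DGL_PORT = 5232  # sgi-dgl, the OpenGL daemon port the thread describes being swept


def find_sweeps(log_text, port=SGI_DGL_PORT, min_hosts=3):
    """Return {source: sorted destinations} for every source that probed `port`
    on at least `min_hosts` distinct destinations, i.e. a horizontal sweep."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m.group("dpt")) == port:
            targets[m.group("src")].add(m.group("dst"))
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_hosts}


if __name__ == "__main__":
    for src, dsts in find_sweeps(SAMPLE_LOG).items():
        print(f"{src} swept TCP/{SGI_DGL_PORT} on {len(dsts)} hosts: {', '.join(dsts)}")
```

Sources that hit the port on only one or two hosts are ignored by default; lower `min_hosts` to list every probe of the port instead.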
