Security Incidents mailing list archives

Re: port 523/TCP scans


From: Joe Matusiewicz <joem () NIST GOV>
Date: Fri, 17 Nov 2000 14:29:51 -0500

At 11:22 AM 11/17/00, Jose Nazario wrote:
> cwru.edu had a rash of some SGI's compromised, which i've been
> investigating. they're currently blocked, btw, at the firewall (the
> compromised machines we have identified) until they can be sanitized and
> hardened.
>
> i've been seeing some sweeps the past week for 5232/TCP. i presume it is
> for marking SGI's on a unique port:
>
> (from nmap output against an SGI)
>
> 5232/tcp   open        sgi-dgl

I've had an attempt to scan 5,267 IP addresses in my address space on that
port yesterday from adsl-64-216-5-187.dsl.eulstx.swbell.net.  SWBell hasn't
answered my polite email to them pointing out this fact.  I did a search on
that port from Google and there is talk out there that this is indeed
related to SGI's Distributed Graphics.

-- Joe

