Security Incidents mailing list archives

Previous By Date Next
Previous By Thread Next

Large scale scan of port 2401

From: Aaron <lilnick () nepenthes org>
Date: Tue, 21 Aug 2001 16:55:43 -0700 (PDT)
All,
        Yesterday we were hit by a scan of our entire /16 looking
(presumably) for hosts with port 2401 open, any ideas what vulerability
this might be looking for? As best I can tell, CVS uses that port but I'm
not aware of any particularly recent vulerabilities related to this. Below
are a few packets for review, the source was a single Asia Pac host. Many
of our hosts were hit up to 10 times with the same scan, all scans to a
particular host came within a second or two.

A quick web browse to this host yields a page with the following:

MNS Hacked Your System
UID=0(Root) GID=0(Root)
Twe4k Greetz: Sense, Xentric
For Contact: MNSSecure () hotmail com

Yes, I've notified the appropriate parties... just trying to get more
info.

Thanks,
Aaron

------------------------------------------------------------------------------
#(3 - 126682) [2001-08-20 19:26:55]  spp_stream4: STEALTH ACTIVITY (SYN
FIN scan) detection
IPv4: xxx.xxx.xxx.124 -> yyy.yyy.yyy.86
      hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=24 chksum=41707
TCP:  port=2401 -> dport: 2401  flags=******SF seq=541615222
      ack=596132070 off=5 res=0 win=1028 urp=0 chksum=18956
Payload: none
------------------------------------------------------------------------------
#(3 - 125059) [2001-08-20 19:26:42]  spp_stream4: STEALTH ACTIVITY (SYN
FIN scan) detection
IPv4: xxx.xxx.xxx.124 -> yyy.yyy.yyy.206
      hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=17 chksum=44147
TCP:  port=2401 -> dport: 2401  flags=******SF seq=1283850951
      ack=886489455 off=5 res=0 win=1028 urp=0 chksum=61485
Payload: none
------------------------------------------------------------------------------
#(3 - 126136) [2001-08-20 19:26:47]  spp_stream4: STEALTH ACTIVITY (SYN
FIN scan) detection
IPv4: xxx.xxx.xxx.124 -> yyy.yyy.yyy.205
      hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=11 chksum=45428
TCP:  port=2401 -> dport: 2401  flags=******SF seq=830168929
      ack=2092976059 off=5 res=0 win=1028 urp=0 chksum=57193
Payload: none



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
Previous By Date Next
Previous By Thread Next

Current thread: