Re: increase of scans against port 1524

[Lance Spitzner <lance () honeynet org>]

On Wed, 5 Jun 2002, High Speed wrote:

> last 2 days I noticed an increased scan against port 1524
>
> ingreslock    1524/tcp    ingres
> ingreslock    1524/udp    ingres

For some reason, the script kiddie community has standardized on
this port as a backdoor for most automated attacks.  What you
have now is attackers looking for systems that have already
been hacked into with a backdoor installed.  Very similar to
the concept of the Leaves/W32 worm looking for systems
compromised with Sub7.

For over three years now the Honeynet Project has witnessed
numerous different exploits and attacks against various
Unix systems.  Though the vulnerabilities and tools are
constantly changing, we have repeatedly seen the use of
1524 as the backdoor.  Even with the dtspcd exploit back
in January, it used 1524 as the backdoor.

While crude, scanning for port 1524 is an effective method
to finding (and taking over) compromised systems.

lance


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com