Re: Who is looking for port 2036?

[mis () seiden com]

might be someone looking for a no password remote login vulnerability
in novell bordermanager, as described at:
http://craigjconsulting.com/bmgrptch.html

"Jan 11, 2003 - I added a note for some bugs below this section. I
also wanted to finally tell people what the NW6RCONJ2A.EXE patch was
all about. I had avoided telling about the bug until now to give
people enough time to go about patching their servers before making it
obvious what the bug was about. However, I keep getting new clients
who have read my patch list here and just skipped that patch because
they didn't think it was applicable to them. They are quite surprised
when I connect to their BorderManager server over the Internet using
RCONAG6 without a password! The version of RCONAG6 shipped with
NW6SP2.EXE included a flawed version of RCONAG6. The bad version does
not look at the password entry for the 'secure' (encrypted) port (2036
by default). Consequently, you can connect to a server without a
password if that version of RCONAG6 is loaded, and the usual Novell
default filter exceptions are in place. The NW6RCONJ2A patch fixes
this problem."

On Thu, Oct 27, 2005 at 08:10:19PM +0200, Joakim Berge wrote:
> On 10/26/05, Tillmann Werner <tillmann.werner () gmx de> wrote:
> > Joakim,
> >
> > > The scan seems to be from a large botnet, across the world.
> >
> > What makes you believe the attack's origin is a botnet?
> I belive it is a botnet becouse the source addresses are couple of
> hundred different ones (i think....havent counted). I dont see any
> pattern, and they are spread across the planet.
>
>
>
> > > They have only targeted one ip, and it doesn't respond to those ports.
> >
> > Your samples only showed port 2036/tcp on a very low frequency. Is this
> > representative for a longer period? What is the percentage of port 80/tcp
> > packets?
>
> This has been going on for a month, and the frequency is about 200 per
> day for 2036 and 50 per day for 80. NFR also reports combined scan for
> "2036 80".
>
>
> > > Is it the tryout of a new worm?
> >
> > Unlikely, if it only targets a single ip address which does not respond. Http
> > might be used as destination port for such packets are likely to go through
> > firewalls.
> >
> > If you are interested in furhter investigation, you could run netcat on the
> > attacked host to see if connection establishment goes on and if there arrives
> > any data.
> >
> > Tillmann
>
>
> --
> Joakim Berge
> Tlf. +47 93489696
> MSN. joakim.berge () gmail com