Security Incidents mailing list archives
Re: port 523/TCP scans
From: "E. Larry Lidz" <ellidz () ERIDU UCHICAGO EDU>
Date: Fri, 17 Nov 2000 13:42:48 -0600
Jose Nazario writes:
> cwru.edu had a rash of some SGI's compromised, which i've been
> investigating. they're currently blocked, btw, at the firewall (the
> compromised machines we have identified) until they can be sanitized and
> hardened.
>
> i've been seeing some sweeps the past week for 5232/TCP. i presume it is
> for marking SGI's on a unique port:
>
> (from nmap output against an SGI)
> 5232/tcp open sgi-dgl
>
> heads up, all.

Most of the scans we've seen for the OpenGL Daemon were fingerprinting SGIs before a compromise attempt. The attempt we've seen most frequently is the Objectserver vulnerability in SGI Advisory 20000303-01-PX, though I think we might have seen it before some of the telnet compromises (I don't have the advisory number on hand, sorry).

-Larry

---
E. Larry Lidz                      Phone: (773)702-2208
Sr. Network Security Officer       Fax: (773)702-0559
Network Security Center, The University of Chicago
PGP: http://security.uchicago.edu/centerinfo/pgpkeys.shtml
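
Added example, not part of the original posts: one way to spot the pattern described in this thread, a source sweeping many hosts on 5232/TCP and then returning to a probed host on another port. The log line format, the addresses (documentation ranges), the thresholds and the function name `find_fingerprint_sweeps` are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format and all addresses are assumptions.
SAMPLE_LOG = """\
2000-11-17T13:00:01 tcp 198.51.100.7:40001 -> 192.0.2.10:5232 SYN
2000-11-17T13:00:02 tcp 198.51.100.7:40002 -> 192.0.2.11:5232 SYN
2000-11-17T13:00:03 tcp 198.51.100.7:40003 -> 192.0.2.12:5232 SYN
2000-11-17T13:00:04 tcp 198.51.100.7:40004 -> 192.0.2.13:5232 SYN
2000-11-17T13:05:00 tcp 203.0.113.5:51000 -> 192.0.2.10:5232 SYN
2000-11-17T13:20:00 tcp 198.51.100.7:40100 -> 192.0.2.12:23 SYN
2000-11-17T13:21:00 tcp 198.51.100.7:40101 -> 192.0.2.50:25 SYN
2000-11-17T13:30:00 tcp 203.0.113.5:51001 -> 192.0.2.10:23 SYN
"""
LINE_RE = re.compile(r"^(\S+) tcp (\S+):\d+ -> (\S+):(\d+) SYN$", re.M)

def find_fingerprint_sweeps(log_text, port=5232, min_hosts=3,
                            window=timedelta(minutes=5),
                            followup=timedelta(hours=24)):
    """Return {src: {"swept": [...], "followups": [(dst, dport), ...]}}."""
    probes = defaultdict(list)   # src -> [(ts, dst)] on the fingerprint port
    others = defaultdict(list)   # src -> [(ts, dst, dport)] on any other port
    for ts, src, dst, dport in LINE_RE.findall(log_text):
        ts, dport = datetime.fromisoformat(ts), int(dport)
        if dport == port:
            probes[src].append((ts, dst))
        else:
            others[src].append((ts, dst, dport))
    report = {}
    for src, events in probes.items():
        events.sort()
        start, is_sweep = 0, False
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({d for _, d in events[start:end + 1]}) >= min_hosts:
                is_sweep = True
                break
        if not is_sweep:
            continue  # a single connection to the port is not a sweep
        first_probe = {}
        for ts, dst in events:
            first_probe.setdefault(dst, ts)
        # Later connections from the same source to a host it already probed.
        hits = sorted({(dst, dport) for ts, dst, dport in others[src]
                       if dst in first_probe
                       and timedelta(0) < ts - first_probe[dst] <= followup})
        report[src] = {"swept": sorted(first_probe), "followups": hits}
    return report
```

Hosts listed under `followups` are the ones to check first, since the sweeping source came back to them after the probe.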