Security Incidents mailing list archives

Re: port 523/TCP scans


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Tue, 21 Nov 2000 10:07:40 +1300

On Fri, 17 Nov 2000 14:29:51 -0500 Joe Matusiewicz <joem () NIST GOV> wrote:

At 11:22 AM 11/17/00, Jose Nazario wrote:
cwru.edu had a rash of some SGI's compromised, which i've been
investigating. they're currently blocked, btw, at the firewall (the
compromised machines we have identified) until they can be sanitized and
hardened.

i've been seeing some sweeps the past week for 5232/TCP. i presume it is
for marking SGI's on a unique port:

(from nmap output against an SGI)

5232/tcp   open        sgi-dgl

I've had an attempt to scan 5,267 ip addresses in my address space on that
port yesterday from adsl-64-216-5-187.dsl.eulstx.swbell.net.


Hmmm.... from the same IP starting on Wed 15 Nov 2000 at 05:35 (UTC) I
saw an extensive scan (all IPs in our address space with dns entries,
approx 15,000) for tcp 5232.

Three machines responded (all running IRIX) and two of those were hit a
half an hour later with attempts to exploit the sgi telnet bug.  These
attempts were launched from 193.2.95.75 and I had not connected the two
incidents until now.  I assumed that 5232 was yet another default
trojan port.

I received an automated response to my complaint to SWBell.

Cheers, Russell
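The pattern Russell describes, a wide sweep for 5232/tcp followed about half an hour later by attempts against only the hosts that answered, is something a defender can pull out of flow logs automatically rather than by hand. The Python below is an added example, not code from this thread or from any of the posters. It assumes a hypothetical one-line-per-flow firewall log format and runs over constructed sample lines (documentation-range addresses, not the ones named in the thread): it finds the sweeper, the hosts that replied SYN/ACK on the probed port, and any later inbound SYNs to those hosts on other ports inside a time window.

```python
"""Correlate a single-port sweep with follow-on connections to the hosts that answered."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the list thread). Hypothetical format:
#   <ISO time> <src>:<sport> -> <dst>:<dport> <tcpflags>
# 198.51.100.7 sweeps 10.1.0.0/24 on 5232; .3 and .5 answer SYN/ACK; 203.0.113.9
# then hits those two on port 23 within the hour, plus one late hit and one
# attempt on a host that never answered the probe.
SAMPLE_LOG = """\
2000-11-15T05:35:00 198.51.100.7:4001 -> 10.1.0.1:5232 S
2000-11-15T05:35:00 198.51.100.7:4002 -> 10.1.0.2:5232 S
2000-11-15T05:35:01 198.51.100.7:4003 -> 10.1.0.3:5232 S
2000-11-15T05:35:01 10.1.0.3:5232 -> 198.51.100.7:4003 SA
2000-11-15T05:35:01 198.51.100.7:4004 -> 10.1.0.4:5232 S
2000-11-15T05:35:02 198.51.100.7:4005 -> 10.1.0.5:5232 S
2000-11-15T05:35:02 10.1.0.5:5232 -> 198.51.100.7:4005 SA
2000-11-15T05:35:02 198.51.100.7:4006 -> 10.1.0.6:5232 S
2000-11-15T06:05:30 203.0.113.9:2000 -> 10.1.0.3:23 S
2000-11-15T06:06:10 203.0.113.9:2001 -> 10.1.0.5:23 S
2000-11-15T06:07:00 203.0.113.9:2002 -> 10.1.0.2:23 S
2000-11-15T09:00:00 203.0.113.9:2003 -> 10.1.0.5:23 S
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<flags>\S+)$"
)


def parse_flows(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        flows.append({
            "ts": datetime.fromisoformat(d["ts"]),
            "src": d["src"], "sport": int(d["sport"]),
            "dst": d["dst"], "dport": int(d["dport"]),
            "flags": d["flags"],
        })
    return flows


def find_sweeps(flows, port, min_targets=5):
    """Sources that sent a bare SYN to at least min_targets distinct hosts on `port`."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] == port and f["flags"] == "S":
            targets[f["src"]].add(f["dst"])
    return {src: hosts for src, hosts in targets.items() if len(hosts) >= min_targets}


def find_responders(flows, sweeper, port):
    """Hosts that answered the sweeper with SYN/ACK on `port`, mapped to the first reply time."""
    responders = {}
    for f in flows:
        if f["dst"] == sweeper and f["sport"] == port and f["flags"] == "SA":
            responders[f["src"]] = min(f["ts"], responders.get(f["src"], f["ts"]))
    return responders


def find_followups(flows, responders, port, window=timedelta(hours=1)):
    """Inbound SYNs to a responder on a port other than the probe port, within `window` of its reply."""
    hits = []
    for f in flows:
        replied_at = responders.get(f["dst"])
        if replied_at is None or f["flags"] != "S" or f["dport"] == port:
            continue
        if replied_at < f["ts"] <= replied_at + window:
            hits.append((f["dst"], f["src"], f["dport"], f["ts"]))
    return hits


def correlate(text, port, window=timedelta(hours=1)):
    """Full pipeline: sweep sources -> responding hosts -> follow-on connections per sweeper."""
    flows = parse_flows(text)
    report = {}
    for sweeper, hosts in find_sweeps(flows, port).items():
        responders = find_responders(flows, sweeper, port)
        report[sweeper] = {
            "probed": len(hosts),
            "responders": responders,
            "followups": find_followups(flows, responders, port, window),
        }
    return report


if __name__ == "__main__":
    for sweeper, info in correlate(SAMPLE_LOG, 5232).items():
        print(f"sweep from {sweeper}: {info['probed']} hosts probed, "
              f"{len(info['responders'])} answered")
        for dst, src, dport, ts in info["followups"]:
            print(f"  follow-up: {src} -> {dst}:{dport} at {ts.isoformat()}")
```

The window and minimum-target threshold are the knobs worth tuning: a one-hour window catches the half-hour gap seen here, and the attempt on 10.1.0.2 (which never answered the probe) and the 09:00 attempt fall outside the correlation by design, so the output is the short list of hosts actually worth pulling off the network and checking.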
