Security Incidents mailing list archives
Re: port 523/TCP scans
From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Tue, 21 Nov 2000 10:07:40 +1300
On Fri, 17 Nov 2000 14:29:51 -0500 Joe Matusiewicz <joem () NIST GOV> wrote:
> At 11:22 AM 11/17/00, Jose Nazario wrote:
>
> > cwru.edu had a rash of some SGI's compromised, which I've been investigating. They're currently blocked, btw, at the firewall (the compromised machines we have identified) until they can be sanitized and hardened. I've been seeing some sweeps the past week for 5232/TCP. I presume it is for marking SGI's on a unique port: (from nmap output against an SGI)
> >
> > 5232/tcp open sgi-dgl
>
> I've had an attempt to scan 5,267 IP addresses in my address space on that port yesterday from adsl-64-216-5-187.dsl.eulstx.swbell.net.
Hmmm.... from the same IP, starting on Wed 15 Nov 2000 at 05:35 (UTC), I saw an extensive scan (all IPs in our address space with DNS entries, approx 15,000) for TCP 5232. Three machines responded (all running IRIX) and two of those were hit half an hour later with attempts to exploit the SGI telnet bug. These attempts were launched from 193.2.95.75 and I had not connected the two incidents until now. I assumed that 5232 was yet another default trojan port.

I received an automated response to my complaint to SWBell.

Cheers, Russell
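The pattern Russell describes (a sweep of one port across the address space, then connections half an hour later to exactly the hosts that answered) is something a defender can look for in flow records rather than notice by hand. The script below is an added example, not code from this thread or from any of the posters; the flow records, the addresses (RFC 5737 documentation ranges), the five-host sweep threshold and the two-hour correlation window are all constructed assumptions.

```python
"""Correlate a port sweep with follow-up connections to the hosts that replied.

Added example, not from the Security Incidents thread. The flow records below
are constructed (RFC 5737 documentation addresses, UTC timestamps).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (time, src, dst, dport, replied)
# 'replied' is True when the destination completed the TCP handshake.
FLOWS = [
    ("2000-11-15 05:35:00", "198.51.100.7", "192.0.2.10", 5232, False),
    ("2000-11-15 05:35:01", "198.51.100.7", "192.0.2.11", 5232, True),
    ("2000-11-15 05:35:02", "198.51.100.7", "192.0.2.12", 5232, False),
    ("2000-11-15 05:35:03", "198.51.100.7", "192.0.2.13", 5232, True),
    ("2000-11-15 05:35:04", "198.51.100.7", "192.0.2.14", 5232, False),
    ("2000-11-15 05:36:00", "198.51.100.7", "192.0.2.15", 5232, True),
    # half an hour later, telnet from a different source to two responders
    ("2000-11-15 06:05:00", "203.0.113.9", "192.0.2.11", 23, True),
    ("2000-11-15 06:05:30", "203.0.113.9", "192.0.2.13", 23, True),
    # telnet to a host that did not answer the sweep: not correlated
    ("2000-11-15 06:10:00", "203.0.113.9", "192.0.2.10", 23, True),
    # telnet to a responder but days later: outside the window
    ("2000-11-18 06:10:00", "203.0.113.9", "192.0.2.15", 23, True),
]


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def find_sweeps(flows, port, min_targets=5):
    """Sources that probed at least min_targets distinct hosts on port.

    Returns {scanner: (first_probe_time, {dst: replied})}.
    """
    probes = defaultdict(dict)
    first_seen = {}
    for ts, src, dst, dport, replied in flows:
        if dport != port:
            continue
        t = parse(ts)
        # a host counts as a responder if any probe to it got a reply
        probes[src][dst] = probes[src].get(dst, False) or replied
        first_seen[src] = min(first_seen.get(src, t), t)
    return {s: (first_seen[s], d) for s, d in probes.items()
            if len(d) >= min_targets}


def correlate(flows, sweep_port, follow_port, window=timedelta(hours=2),
              min_targets=5):
    """Alerts for connections on follow_port to sweep responders within window.

    Each alert is (target, scanner, follow_up_src, time). The follow-up source
    may differ from the scanner, as it did in the thread.
    """
    alerts = []
    for scanner, (start, targets) in find_sweeps(flows, sweep_port,
                                                  min_targets).items():
        responders = {d for d, replied in targets.items() if replied}
        for ts, src, dst, dport, _ in flows:
            if dport != follow_port or dst not in responders:
                continue
            if start <= parse(ts) <= start + window:
                alerts.append((dst, scanner, src, ts))
    return sorted(alerts)


if __name__ == "__main__":
    for target, scanner, src, ts in correlate(FLOWS, 5232, 23):
        print(f"{ts}: {src} -> {target}:23, host answered {scanner} sweep")
```

Run on the constructed records it flags the two telnet connections to 192.0.2.11 and 192.0.2.13 and ignores the one to 192.0.2.10 (never answered the sweep) and the one to 192.0.2.15 (outside the window). On real data the responders set is the list worth checking first when the follow-up port is one with a known bug on the platform the sweep fingerprints.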
Current thread:
- port 523/TCP scans Jose Nazario (Nov 18)
- Re: port 523/TCP scans E. Larry Lidz (Nov 21)
- <Possible follow-ups>
- Re: port 523/TCP scans Joe Matusiewicz (Nov 21)
- Re: port 523/TCP scans Russell Fulton (Nov 22)