Re: [incidents] Re: Re : Large scale scan of port 2401

[David Bronder <david-bronder () uiowa edu>]

Actually, AIX does use port 2401 for an AIX-specific service, writesrv.
Yes, it is in conflict with the assigned number for cvspserver.  They're
not the first vendor to do that, and they won't be the last.

It does require disabling the writesrv service before running a CVS
pserver on AIX.  (Not that awkward, and not that hard to identify as the
reason your pserver won't start.  But still an extra step.)

I agree it probably does make more sense for it to be a search for CVS
servers than for AIX systems, though.

=Dave

Sevo Stille wrote:
> axess wrote:
>
> > 2401/tcp  cvspserver
> >
> > This port is used by AIX
>
>
> I'd be surprised if it were - it would make anon-cvs rather awkward to 
> run on AIX, and that probably would have made it into public knowledge. 
> This is the default port for CVS servers, anon included. And the number 
> of the latter alone will probably outnumber the count of open AIX 
> systems on the net by a magnitude or more...
>
> I'd expect 2401 scans to look for CVS rather than AIX. Have any new CVS 
> exploits cropped up? Of course, people might just be looking for open 
> accounts or public access to private archives...

-- 
Hello World.                                    David Bronder - Systems Admin
Segmentation Fault                                     ITS-SPA, Univ. of Iowa
Core dumped, disk trashed, quota filled, soda warm.   david-bronder () uiowa edu

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com