Security Incidents mailing list archives
Re: 6112/TCP scans
From: "Neil Long" <neil.long () computing-services oxford ac uk>
Date: Tue, 11 Dec 2001 22:06:15 -0000
6112 tcp is also the default for dtspcd - one of the CDE exploit scanners I guess. % grep dtsp /etc/inetd.conf # dtspc stream tcp nowait root /usr/dt/bin/dtspcd dtspcd % grep dtsp /etc/services dtspc 6112/tcp #subprocess control Neil
On Fri, Dec 07, 2001 at 05:57:42PM -0600, dewt wrote:On Friday 07 December 2001 03:14 pm, Paul Dokas wrote:Is anyone else seeing large numbers of 6112/TCP scan coming from 63.240.0.0 - 63.242.255.255? I'm seeing about 10/minute destined to random IPs within my networks. The scanning technique looks exactly like the TCPMUX scans that were occuring a few months ago (forgive me, I can't remember what the technique was, just that it was really odd). Obviously, they're looking for vulnerable CDE installations. Paul6112 is the port used by blizzard's battlenet, you might just have
people
playing diablo 2,starcraft, or whatever on your networkYou know, at first, this sounded right to me. However, over the weekend and yesterday, my IDS picked up lots of this: Time Source IP Dest IP Protocol Src Port Dest Port Type
Connections/Packets
9-Dec-2001 12:56:27 63.240.202.138 A.B.C.26 6 1248 6112 bad dst port 1 9-Dec-2001 12:56:27 63.240.202.138 A.B.E.27 6 1193 6112 bad dst port 1 9-Dec-2001 12:56:37 63.240.202.138 A.B.F.69 6 1208 6112 bad dst port 1 9-Dec-2001 12:55:56 63.240.202.138 A.B.G.38 6 1128 6112 bad dst port 1 9-Dec-2001 12:56:07 63.240.202.138 A.B.G.43 6 1139 6112 bad dst port 1 9-Dec-2001 12:56:57 63.240.202.138 A.B.D.116 6 1127 6112 bad dst port 1 9-Dec-2001 12:57:37 63.240.202.138 A.B.D.105 6 1099 6112 bad dst port 1 9-Dec-2001 12:57:37 63.240.202.138 A.B.G.100 6 1176 6112 bad dst port 1 . . . Where I've replace my IP addresses with 'A.B.[CDEFG].' All of the packets were 40bytes and not all of the destination IP addresses are being used. The source of the packets were 63.240.202.138, 63.240.202.139 and 63.240.202.140, the destination was always 6112/TCP. I've got ~450 packets over the 4 day period from 00:00 GMT+6 12/8 through this morning for my /21 network. To me, it looks like there was a slow scan with randomized destinations
going
until Friday. Then it seems to have switched to a faster type of scan, or possibly to just scanning my class A or B network. Also, there does appear to be legitimate battlenet traffic going to that area of the Internet. Perhaps someone is scanning from those IPs
specifically
to hide within the legit battlenet traffic? Paul -- Paul Dokas dokas () cs umn edu ====================================================================== Don Juan Matus: an enigma wrapped in mystery wrapped in a tortilla. --------------------------------------------------------------------------
--
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- 6112/TCP scans Paul Dokas (Dec 07)
- Re: 6112/TCP scans dewt (Dec 07)
- Re: 6112/TCP scans Paul Dokas (Dec 11)
- Re: 6112/TCP scans Neil Long (Dec 11)
- Re: 6112/TCP scans Paul Dokas (Dec 11)
- Re: 6112/TCP scans Paul Dokas (Dec 11)
- Re: 6112/TCP scans dewt (Dec 07)