Re: 6112/TCP scans

["Neil Long" <neil.long () computing-services oxford ac uk>]

6112 tcp is also the default for dtspcd - one of the CDE exploit scanners I
guess.

% grep dtsp /etc/inetd.conf
# dtspc stream tcp nowait root /usr/dt/bin/dtspcd dtspcd

% grep dtsp /etc/services
dtspc           6112/tcp                #subprocess control


Neil


> On Fri, Dec 07, 2001 at 05:57:42PM -0600, dewt wrote:
> > On Friday 07 December 2001 03:14 pm, Paul Dokas wrote:
> > > Is anyone else seeing large numbers of 6112/TCP scan coming from
> > > 63.240.0.0 - 63.242.255.255?  I'm seeing about 10/minute destined to
> > > random IPs within my networks.  The scanning technique looks exactly
> > > like the TCPMUX scans that were occuring a few months ago (forgive me,
> > > I can't remember what the technique was, just that it was really odd).
> > >
> > > Obviously, they're looking for vulnerable CDE installations.
> > >
> > > Paul
> >
> > 6112 is the port used by blizzard's battlenet, you might just have
people
> > playing diablo 2,starcraft, or whatever on your network
>
> You know, at first, this sounded right to me.  However, over the weekend
> and yesterday, my IDS picked up lots of this:
>
> Time Source IP Dest IP Protocol Src Port Dest Port Type
Connections/Packets
> 9-Dec-2001 12:56:27 63.240.202.138 A.B.C.26 6 1248 6112 bad dst port 1
> 9-Dec-2001 12:56:27 63.240.202.138 A.B.E.27 6 1193 6112 bad dst port 1
> 9-Dec-2001 12:56:37 63.240.202.138 A.B.F.69 6 1208 6112 bad dst port 1
> 9-Dec-2001 12:55:56 63.240.202.138 A.B.G.38 6 1128 6112 bad dst port 1
> 9-Dec-2001 12:56:07 63.240.202.138 A.B.G.43 6 1139 6112 bad dst port 1
> 9-Dec-2001 12:56:57 63.240.202.138 A.B.D.116 6 1127 6112 bad dst port 1
> 9-Dec-2001 12:57:37 63.240.202.138 A.B.D.105 6 1099 6112 bad dst port 1
> 9-Dec-2001 12:57:37 63.240.202.138 A.B.G.100 6 1176 6112 bad dst port 1
> .
> .
> .
>
>
> Where I've replace my IP addresses with 'A.B.[CDEFG].'  All of the packets
> were 40bytes and not all of the destination IP addresses are being used.
>
>
> The source of the packets were 63.240.202.138, 63.240.202.139 and
> 63.240.202.140, the destination was always 6112/TCP.  I've got ~450
> packets over the 4 day period from 00:00 GMT+6 12/8 through this morning
> for my /21 network.
>
>
> To me, it looks like there was a slow scan with randomized destinations
going
> until Friday.  Then it seems to have switched to a faster type of scan, or
> possibly to just scanning my class A or B network.
>
>
> Also, there does appear to be legitimate battlenet traffic going to that
> area of the Internet.  Perhaps someone is scanning from those IPs
specifically
> to hide within the legit battlenet traffic?
>
>
> Paul
> --
> Paul Dokas                                            dokas () cs umn edu
> ======================================================================
> Don Juan Matus:  an enigma wrapped in mystery wrapped in a tortilla.
>
> --------------------------------------------------------------------------
--
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com