Security Incidents mailing list archives

Re: dtspcd probes toward Solaris machines


From: Skip Carter <skip () taygeta com>
Date: Fri, 18 Jan 2002 09:54:56 -0800



We have had one probe that fits the description, and a couple of possibly
related hits, starting December 8. Some of the traffic is _from_ 6112 rather
than to it. Only one hit is both from and to 6112. We don't have any root
kits left by the attacker(s).

Our Snort logs started showing these scans on 17 Jan (actually there
was ONE probe on 7 Jan but none in 2001), with BOTH source
and destination ports set to 6112:

Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.3:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.5:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.7:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.9:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.11:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.13:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.15:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.2:6112 SYN ******S*






-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip () taygeta com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            












----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
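
An added example, not part of the original post: a small Python filter that picks out the pattern reported above (SYN packets with both source and destination port 6112, sent by one host to many addresses) from log lines in the format shown. The function name, the threshold and the sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Line layout as shown in the post:
#   Mon DD HH:MM:SS src:sport -> dst:dport SYN ******S*
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+"
    r"(?P<src>\S+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\S+):(?P<dport>\d+)\s+(?P<kind>\S+)"
)

def find_fixed_port_sweeps(lines, port=6112, min_targets=5):
    """Return {source: sorted destinations} for SYN sweeps whose source port
    equals the destination port. That is unusual for an ordinary client,
    which normally picks an ephemeral source port."""
    targets = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["kind"] != "SYN":
            continue  # skip unparseable lines and non-SYN entries
        if int(m["sport"]) == port and int(m["dport"]) == port:
            targets[m["src"]].add(m["dst"])
    # Threshold (assumed value) separates a sweep from a one-off packet.
    return {s: sorted(d) for s, d in targets.items() if len(d) >= min_targets}

# Constructed sample in the post's format, using documentation address ranges.
SAMPLE = """\
Jan 17 19:07:10 192.0.2.44:6112 -> 198.51.100.3:6112 SYN ******S*
Jan 17 19:07:10 192.0.2.44:6112 -> 198.51.100.5:6112 SYN ******S*
Jan 17 19:07:10 192.0.2.44:6112 -> 198.51.100.7:6112 SYN ******S*
Jan 17 19:07:10 192.0.2.44:6112 -> 198.51.100.9:6112 SYN ******S*
Jan 17 19:07:10 192.0.2.44:6112 -> 198.51.100.11:6112 SYN ******S*
Jan 17 19:07:10 192.0.2.44:6112 -> 198.51.100.13:6112 SYN ******S*
Jan 17 19:08:02 203.0.113.9:6112 -> 198.51.100.3:6112 SYN ******S*
Jan 17 19:08:02 203.0.113.9:6112 -> 198.51.100.5:6112 SYN ******S*
Jan 17 19:09:41 203.0.113.20:40112 -> 198.51.100.3:6112 SYN ******S*
Jan 17 19:09:55 203.0.113.21:6112 -> 198.51.100.3:33012 SYN ******S*
"""

if __name__ == "__main__":
    for src, dsts in find_fixed_port_sweeps(SAMPLE.splitlines()).items():
        print(f"{src}: 6112 -> 6112 SYN sweep across {len(dsts)} hosts")
```

The last two sample lines (an ephemeral source port to 6112, and traffic from 6112 to another port) are deliberately not flagged, since only packets with port 6112 on both ends count toward a sweep.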

