Security Incidents mailing list archives
Re: increase of scans against port 1524
From: gminick <gminick () underground org pl>
Date: Wed, 5 Jun 2002 18:33:55 +0200
On Wed, Jun 05, 2002 at 01:17:45PM +0200, High Speed wrote:
last 2 days I noticed an increased scan against port 1524 ingreslock 1524/tcp ingres ingreslock 1524/udp ingres Are there known issues with this port ? Recently found vulnerabilities ?
I see them too, but, what is really interesting, SRC_PORT == DST_PORT, so, packets are going from 1524 to 1524. Besides of 1524 to 1524 I see a lot of packets (usually with SYN, or SYN+FIN flags set) to port 21 from 21 (or 22-22) Amount of those packets is increasing from day to day and it affects all servers I'm looking at. Now it doesn't look like an individual with hping2 or sth, it's rather some kind of worm-like tool. Strange, since it's making signature-based NIDS life simpler... :) -- [ Wojtek gminick Walczak ] [ http://gminick.linuxsecurity.pl/ ] [ gminick (at) hacker.pl ] [ gminick (at) underground.org.pl/ ] ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
Current thread:
- increase of scans against port 1524 High Speed (Jun 05)
- Re: increase of scans against port 1524 Joe Matusiewicz (Jun 05)
- Re: increase of scans against port 1524 GrdnWsl (Jun 05)
- Re: increase of scans against port 1524 Drew Schaffner (Jun 05)
- Re: increase of scans against port 1524 Michael Katz (Jun 05)
- RE: increase of scans against port 1524 Antonio Montes (Jun 05)
- Re: increase of scans against port 1524 gminick (Jun 05)
- Re: increase of scans against port 1524 gminick (Jun 05)
- Re: increase of scans against port 1524 Lance Spitzner (Jun 05)
- <Possible follow-ups>
- RE: increase of scans against port 1524 Foster, Belinda (Jun 05)
- Re: increase of scans against port 1524 Steven M. Christey (Jun 07)