Subject: Re: sgi-dgl scanning
From: E. Larry Lidz (ellidz@ERIDU.UCHICAGO.EDU)
Date: Tue Mar 28 2000 - 09:58:43 CST
Michael Stone writes:
>Does anyone know why I'd be seeing an increase in scanning on port 5232
>(sgi-dgl)? Is there an exploit for dgl, a trojan using this port, or is
>it just people trying to fingerprint sgi's?
We saw a scan for dgl followed by a few connections to the Object
Server port (5135) on a few machines. The machines that were running
the object server then had a non-root like account added to the machine
(called "hehe") and an attempt was made to use the df overflow to get
root.
We've reported a possible Object Server bug to CERT and SGI, but
haven't gotten any information back (SGI's policy is to neither confirm
nor deny problems until there is a fix).
The Object Server was removed after 6.2, I think. I'd be very cautious
if you're seeing connections to port 5135 as well.
-Larry
---
E. Larry Lidz                        Phone: (773)702-2208
Network Security Officer             Fax: (773)702-3219
Network Security Center, The University of Chicago
PGP: finger ellidz@uchicago.edu or network-security@uchicago.edu
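
Added example, not part of the original message: a small log-correlation check for the sequence described above (a probe of port 5232 followed by a connection to port 5135, then an account named "hehe"). The log line format, the 30-minute window, the pairing by source and target address, and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

DGL_PORT = 5232          # sgi-dgl, the scanned port named in the thread
OBJSERVER_PORT = 5135    # Object Server port named in the thread
SUSPECT_ACCOUNT = "hehe" # account name reported in the thread

# Constructed sample; assumed format: "timestamp src_ip dst_ip dst_port"
SAMPLE_LOG = """\
2000-03-28T09:00:01 192.0.2.10 10.0.0.5 5232
2000-03-28T09:00:02 192.0.2.10 10.0.0.6 5232
2000-03-28T09:03:40 192.0.2.10 10.0.0.5 5135
2000-03-28T09:10:00 198.51.100.7 10.0.0.6 5135
2000-03-28T11:30:00 192.0.2.10 10.0.0.6 5135
this line is malformed and is skipped
"""

# Constructed passwd excerpt
SAMPLE_PASSWD = """\
root:x:0:0:root:/:/bin/sh
hehe:x:1001:20::/tmp:/bin/sh
"""

def parse_events(log_text):
    """Yield (time, src, dst, port) for each well-formed line."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], int(parts[3])

def scan_then_connect(log_text, window=timedelta(minutes=30)):
    """Return sorted (src, dst) pairs where a 5232 probe was followed by a
    5135 connection from the same source to the same host within `window`."""
    last_probe = {}  # (src, dst) -> time of most recent dgl probe
    hits = set()
    for ts, src, dst, port in sorted(parse_events(log_text)):
        if port == DGL_PORT:
            last_probe[(src, dst)] = ts
        elif port == OBJSERVER_PORT:
            probe = last_probe.get((src, dst))
            if probe is not None and ts - probe <= window:
                hits.add((src, dst))
    return sorted(hits)

def has_account(passwd_text, name=SUSPECT_ACCOUNT):
    """True if a passwd-format text contains an entry for `name`."""
    return any(l.split(":", 1)[0] == name for l in passwd_text.splitlines())
```

Hosts returned by `scan_then_connect` are the ones worth checking first with `has_account` against their own passwd file.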