OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Aaron (lilnicknepenthes.org)
Date: Tue Aug 21 2001 - 18:55:43 CDT

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    All,
            Yesterday we were hit by a scan of our entire /16 looking
    (presumably) for hosts with port 2401 open, any ideas what vulerability
    this might be looking for? As best I can tell, CVS uses that port but I'm
    not aware of any particularly recent vulerabilities related to this. Below
    are a few packets for review, the source was a single Asia Pac host. Many
    of our hosts were hit up to 10 times with the same scan, all scans to a
    particular host came within a second or two.

    A quick web browse to this host yields a page with the following:

    MNS Hacked Your System
    UID=0(Root) GID=0(Root)
    Twe4k Greetz: Sense, Xentric
    For Contact: MNSSecurehotmail.com

    Yes, I've notified the appropriate parties... just trying to get more
    info.

    Thanks,
    Aaron

    ------------------------------------------------------------------------------
    #(3 - 126682) [2001-08-20 19:26:55] spp_stream4: STEALTH ACTIVITY (SYN
    FIN scan) detection
    IPv4: xxx.xxx.xxx.124 -> yyy.yyy.yyy.86
          hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=24 chksum=41707
    TCP: port=2401 -> dport: 2401 flags=******SF seq=541615222
          ack=596132070 off=5 res=0 win=1028 urp=0 chksum=18956
    Payload: none
    ------------------------------------------------------------------------------
    #(3 - 125059) [2001-08-20 19:26:42] spp_stream4: STEALTH ACTIVITY (SYN
    FIN scan) detection
    IPv4: xxx.xxx.xxx.124 -> yyy.yyy.yyy.206
          hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=17 chksum=44147
    TCP: port=2401 -> dport: 2401 flags=******SF seq=1283850951
          ack=886489455 off=5 res=0 win=1028 urp=0 chksum=61485
    Payload: none
    ------------------------------------------------------------------------------
    #(3 - 126136) [2001-08-20 19:26:47] spp_stream4: STEALTH ACTIVITY (SYN
    FIN scan) detection
    IPv4: xxx.xxx.xxx.124 -> yyy.yyy.yyy.205
          hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=11 chksum=45428
    TCP: port=2401 -> dport: 2401 flags=******SF seq=830168929
          ack=2092976059 off=5 res=0 win=1028 urp=0 chksum=57193
    Payload: none

    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com