OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: Large increase in TCP/554 (rtsp) scans

From: Alan Murphy (gilmour_37yahoo.com)
Date: Wed Nov 05 2003 - 13:00:41 CST


Yes, there was an exploit against the RealNetworks streaming servers (both
8.x and Helix Universal Server 9.x). Info and fixes here:

http://service.real.com/help/faq/security/rootexploit091103.html

On Wed, 5 Nov 2003, Ben Nelson wrote:

||In the last two days I have seen a large increase in scans destined for
||port 554, which is traditionally the rtsp (Real Time Streaming Protocol)
||port. These scans are coming from a large number of different hosts
||from many different ISP's. These scans have hit two different class C
||IP blocks of mine that are geographically dispersed and owned by two
||different service providers.
||
||I haven't seen any recent exploits for any streaming media products. Or
||are any other known back doors configured to listen on this port? I
||don't have any servers running any of these services any way, so it
||seems like blind scanning.
||
||Has anyone else seen a similar increase? Or does anyone know if a new
||DDOS for any of the streaming media servers has popped up?
||
||Thanks,
||--Ben
||
||
||---------------------------------------------------------------------------
||Network with over 10,000 of the brightest minds in information security
||at the largest, most highly-anticipated industry event of the year.
||Don't miss RSA Conference 2004! Choose from over 200 class sessions and
||see demos from more than 250 industry vendors. If your job touches
||security, you need to be here. Learn more or register at
||http://www.securityfocus.com/sponsor/RSA_incidents_031023
||and use priority code SF4.
||----------------------------------------------------------------------------
||
||

--
Alan Murphy amurphyreal.com
Program Manager, Security w. 206.892.6620
Platinum Security Services c. 206.465.5076
RealNetworks f. 206.448.6203
-----------------------------------------------------------------
GnuPG Public Key ID: 0x1B289CB1 Key Server: pgp.mit.edu
Fingerprint: 3F7D A96F FA31 BD6E C8A3 4001 4234 E6DA 1B28 9CB1
-----------------------------------------------------------------

---------------------------------------------------------------------------
Network with over 10,000 of the brightest minds in information security
at the largest, most highly-anticipated industry event of the year.
Don't miss RSA Conference 2004! Choose from over 200 class sessions and
see demos from more than 250 industry vendors. If your job touches
security, you need to be here. Learn more or register at
http://www.securityfocus.com/sponsor/RSA_incidents_031023
and use priority code SF4.
----------------------------------------------------------------------------