Large scale scan of port 2401

From: Aaron (lilnick@nepenthes.org)
Date: 08/22/01


Date: Tue, 21 Aug 2001 16:55:43 -0700 (PDT)
From: Aaron <lilnick@nepenthes.org>
To: <incidents@securityfocus.com>
Subject: Large scale scan of port 2401
Message-ID: <Pine.LNX.4.33.0108211634060.3272-100000@trap.nepenthes.org>

All,
        Yesterday we were hit by a scan of our entire /16 looking
(presumably) for hosts with port 2401 open. Any ideas what vulnerability
this might be looking for? As best I can tell, CVS uses that port, but I'm
not aware of any particularly recent vulnerabilities related to this. Below
are a few packets for review; the source was a single Asia Pac host. Many
of our hosts were hit up to 10 times with the same scan, and all scans to a
particular host came within a second or two.

A quick web browse to this host yields a page with the following:

MNS Hacked Your System
UID=0(Root) GID=0(Root)
Twe4k Greetz: Sense, Xentric
For Contact: MNSSecure@hotmail.com

Yes, I've notified the appropriate parties... just trying to get more
info.

Thanks,
Aaron

------------------------------------------------------------------------------
#(3 - 126682) [2001-08-20 19:26:55] spp_stream4: STEALTH ACTIVITY (SYN
FIN scan) detection
IPv4: xxx.xxx.xxx.124 -> yyy.yyy.yyy.86
      hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=24 chksum=41707
TCP: port=2401 -> dport: 2401 flags=******SF seq=541615222
      ack=596132070 off=5 res=0 win=1028 urp=0 chksum=18956
Payload: none
------------------------------------------------------------------------------
#(3 - 125059) [2001-08-20 19:26:42] spp_stream4: STEALTH ACTIVITY (SYN
FIN scan) detection
IPv4: xxx.xxx.xxx.124 -> yyy.yyy.yyy.206
      hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=17 chksum=44147
TCP: port=2401 -> dport: 2401 flags=******SF seq=1283850951
      ack=886489455 off=5 res=0 win=1028 urp=0 chksum=61485
Payload: none
------------------------------------------------------------------------------
#(3 - 126136) [2001-08-20 19:26:47] spp_stream4: STEALTH ACTIVITY (SYN
FIN scan) detection
IPv4: xxx.xxx.xxx.124 -> yyy.yyy.yyy.205
      hlen=5 TOS=0 dlen=40 ID=39426 flags=0 offset=0 TTL=11 chksum=45428
TCP: port=2401 -> dport: 2401 flags=******SF seq=830168929
      ack=2092976059 off=5 res=0 win=1028 urp=0 chksum=57193
Payload: none

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
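Added example, not code from Aaron's post or from the list: a small Python parser for spp_stream4 alert records in the layout quoted above, which groups packets by source and reports the crafted-packet traits visible in the three packets (SYN and FIN set together, source port equal to destination port, one IP ID reused across targets, TTL changing between packets sent seconds apart). The records and addresses in SAMPLE are constructed placeholders, not the real hosts.

```python
import re
from collections import defaultdict

# Constructed sample alerts in the spp_stream4 layout quoted above (placeholder addresses).
def _rec(sid, ts, src, dst, ipid, ttl, flags):
    return (f"#(3 - {sid}) [{ts}] spp_stream4: STEALTH ACTIVITY detection\n"
            f"IPv4: {src} -> {dst}\n"
            f"      hlen=5 TOS=0 dlen=40 ID={ipid} flags=0 offset=0 TTL={ttl} chksum=1\n"
            f"TCP: port=2401 -> dport: 2401 flags={flags} seq=1\n"
            f"      ack=1 off=5 res=0 win=1028 urp=0 chksum=1\nPayload: none\n")

SAMPLE = ("-" * 78 + "\n").join([
    _rec(126682, "2001-08-20 19:26:55", "10.0.0.124", "192.0.2.86", 39426, 24, "******SF"),
    _rec(125059, "2001-08-20 19:26:42", "10.0.0.124", "192.0.2.206", 39426, 17, "******SF"),
    _rec(126136, "2001-08-20 19:26:47", "10.0.0.124", "192.0.2.205", 39426, 11, "******SF"),
    _rec(130000, "2001-08-20 19:40:01", "10.0.0.50", "192.0.2.7", 1234, 64, "******S*"),
])

PKT_RE = re.compile(
    r"IPv4: (?P<src>\S+) -> (?P<dst>\S+).*?ID=(?P<ipid>\d+).*?TTL=(?P<ttl>\d+)"
    r".*?TCP: port=(?P<sport>\d+) -> dport: (?P<dport>\d+) flags=(?P<flags>\S+)", re.S)

def parse_alerts(text):
    """One dict per alert record; records are separated by dashed lines."""
    pkts = []
    for rec in re.split(r"\n-{20,}\n", text):
        m = PKT_RE.search(rec)
        if m:
            pkts.append({k: int(v) if v.isdigit() else v for k, v in m.groupdict().items()})
    return pkts

def profile_scanners(pkts, min_targets=2):
    """Per source that touched several hosts: SYN+FIN together (no real TCP stack sends
    that), sport == dport, one IP ID reused across targets, and the spread of TTLs."""
    by_src = defaultdict(list)
    for p in pkts:
        by_src[p["src"]].append(p)
    out = {}
    for src, ps in by_src.items():
        targets = {p["dst"] for p in ps}
        if len(targets) < min_targets:
            continue
        out[src] = {
            "targets": len(targets),
            "syn_fin": all("S" in p["flags"] and "F" in p["flags"] for p in ps),
            "sport_eq_dport": all(p["sport"] == p["dport"] for p in ps),
            "constant_ipid": len({p["ipid"] for p in ps}) == 1,
            "ttls": sorted({p["ttl"] for p in ps}),
        }
    return out
```

A single source whose every packet shows all four traits, against many hosts within seconds, is a crafted sweep rather than connection attempts from a normal client; the same parser can be pointed at a full alert file instead of SAMPLE.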