Re: dtspcd probes toward Solaris machines

From: Skip Carter (skip@taygeta.com)
Date: 01/18/02


To: Jim.Slora@phra.com (James C. Slora Jr.)
Date: Fri, 18 Jan 2002 09:54:56 -0800
From: Skip Carter <skip@taygeta.com>


> We have had one probe that fits the description, and a couple of possibly
> related hits, starting December 8. Some of the traffic is _from_ 6112 rather
> than to it. Only one hit is both from and to 6112. We don't have any root
> kits left by the attacker(s).

Our Snort logs started showing these scans on 17 Jan (actually there
was ONE probe on 7 Jan but none in 2001), with BOTH source
and destination ports set to 6112:

Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.3:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.5:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.7:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.9:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.11:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.13:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.15:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.2:6112 SYN ******S*

-- 
 Dr. Everett (Skip) Carter      Phone: 831-641-0645 FAX:  831-641-0647
 Taygeta Scientific Inc.        INTERNET: skip@taygeta.com
 1340 Munras Ave., Suite 314    WWW: http://www.taygeta.com
 Monterey, CA. 93940            

---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
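As an added example, not part of the original message or the list: a small Python parser for the Snort portscan lines quoted above that separates "to 6112", "from 6112" and "both" hits (the distinction the quoted reply draws) and flags a source that SYNs a run of distinct hosts on 6112 within a short window. The sample block, the thresholds and the 10.0.0.0/8 addresses are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

DTSPCD_PORT = 6112  # CDE dtspcd, the service these probes target
# Matches the Snort portscan log format quoted in the post, e.g.
#   Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.3:6112 SYN ******S*
LINE_RE = re.compile(
    r"^(?P<date>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<src>[\w.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\w.]+):(?P<dport>\d+) (?P<proto>\S+) (?P<flags>\S+)$")

def parse_line(line):
    """One log line -> dict, or None if it is not a portscan record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Snort omits the year; strptime defaults it, which is fine for windowing.
    ts = datetime.strptime(" ".join(m["date"].split()), "%b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "sport": int(m["sport"]),
            "dst": m["dst"], "dport": int(m["dport"]), "flags": m["flags"]}

def classify(hit):
    """'both' = src and dst port 6112, 'to' = dst only, 'from' = src only."""
    s, d = hit["sport"] == DTSPCD_PORT, hit["dport"] == DTSPCD_PORT
    return "both" if s and d else "to" if d else "from" if s else None

def find_sweeps(lines, min_targets=3, window=timedelta(seconds=60)):
    """Source IP -> most distinct hosts it SYN-probed on 6112 in any window."""
    by_src = defaultdict(list)
    for hit in filter(None, map(parse_line, lines)):
        if classify(hit) in ("to", "both") and "S" in hit["flags"]:
            by_src[hit["src"]].append(hit)
    sweeps = {}
    for src, hits in by_src.items():
        hits.sort(key=lambda h: h["ts"])
        best = 0
        for i, first in enumerate(hits):
            in_win = {h["dst"] for h in hits[i:] if h["ts"] - first["ts"] <= window}
            best = max(best, len(in_win))
        if best >= min_targets:
            sweeps[src] = best
    return sweeps

# Constructed sample: three lines from the post, one source-port-only hit
# of the kind the quoted reply mentions, and one unrelated SYN.
SAMPLE = """\
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.3:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.5:6112 SYN ******S*
Jan 17 19:07:10 211.39.32.104:6112 -> xx.xx.xx.7:6112 SYN ******S*
Dec  8 03:12:44 10.0.0.99:6112 -> xx.xx.xx.20:33421 SYN ******S*
Jan 17 19:08:02 10.0.0.7:41200 -> xx.xx.xx.5:22 SYN ******S*
""".splitlines()
```

Running `find_sweeps(SAMPLE)` reports only 211.39.32.104 (three hosts in one second); the Dec 8 line is a "from 6112" hit and is kept out of the sweep count, as the quoted reply's source-port-only traffic would be.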