Re: Who is looking for port 2036?
From: Justin (justinvinn_at_gmail.com)
Date: 10/28/05
- Previous message: Justin: "Re: ICMP Type:8 Code:137"
- In reply to: mis_at_seiden.com: "Re: Who is looking for port 2036?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 28 Oct 2005 14:04:30 -0400 To: "mis@seiden.com" <mis@seiden.com>
Joakim,
I think that these are just script kiddie scans looking for poorly
configured and/or vulnerable boxen. Hack together a few lines of Perl,
and make it listen on 2036. Then see what the attackers send after the
port is open.
As to port 80, there are a bunch of reasons why this could be
occuring. Keeping in line with the script kiddie idea, it could be
somebody looking for IIS vulns or the like.
GL with your research.
peace,
--Justin
On 10/27/05, mis@seiden.com <mis@seiden.com> wrote:
> might be someone looking for a no password remote login vulnerability
> in novell bordermanager, as described at:
> http://craigjconsulting.com/bmgrptch.html
>
> "Jan 11, 2003 - I added a note for some bugs below this section. I
> also wanted to finally tell people what the NW6RCONJ2A.EXE patch was
> all about. I had avoided telling about the bug until now to give
> people enough time to go about patching their servers before making it
> obvious what the bug was about. However, I keep getting new clients
> who have read my patch list here and just skipped that patch because
> they didn't think it was applicable to them. They are quite surprised
> when I connect to their BorderManager server over the Internet using
> RCONAG6 without a password! The version of RCONAG6 shipped with
> NW6SP2.EXE included a flawed version of RCONAG6. The bad version does
> not look at the password entry for the 'secure' (encrypted) port (2036
> by default). Consequently, you can connect to a server without a
> password if that version of RCONAG6 is loaded, and the usual Novell
> default filter exceptions are in place. The NW6RCONJ2A patch fixes
> this problem."
>
> On Thu, Oct 27, 2005 at 08:10:19PM +0200, Joakim Berge wrote:
> > On 10/26/05, Tillmann Werner <tillmann.werner@gmx.de> wrote:
> > > Joakim,
> > >
> > > > The scan seems to be from a large botnet, across the world.
> > >
> > > What makes you believe the attack's origin is a botnet?
> > >
> > I belive it is a botnet becouse the source addresses are couple of
> > hundred different ones (i think....havent counted). I dont see any
> > pattern, and they are spread across the planet.
> >
> >
> >
> > > > They have only targeted one ip, and it doesn't respond to those ports.
> > >
> > > Your samples only showed port 2036/tcp on a very low frequency. Is this
> > > representative for a longer period? What is the percentage of port 80/tcp
> > > packets?
> > >
> >
> > This has been going on for a month, and the frequency is about 200 per
> > day for 2036 and 50 per day for 80. NFR also reports combined scan for
> > "2036 80".
> >
> >
> > > > Is it the tryout of a new worm?
> > >
> > > Unlikely, if it only targets a single ip address which does not respond. Http
> > > might be used as destination port for such packets are likely to go through
> > > firewalls.
> > >
> > > If you are interested in furhter investigation, you could run netcat on the
> > > attacked host to see if connection establishment goes on and if there arrives
> > > any data.
> > >
> > > Tillmann
> > >
> >
> >
> > --
> > Joakim Berge
> > Tlf. +47 93489696
> > MSN. joakim.berge@gmail.com
>
- Previous message: Justin: "Re: ICMP Type:8 Code:137"
- In reply to: mis_at_seiden.com: "Re: Who is looking for port 2036?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
