Handler on Duty: Guy Bruneau
Threat Level: green
Loading...
|
|
|||||||||||||||||
| URL |
|---|
| port 901 surge |
| Tsunami.exe, Oracle critical patch update, got packets? |
| Submitted By | Date |
|---|---|
| Comment | |
| gizmo | 2006-02-09 19:14:44 |
| 901 TCP along with 902 TCP is being used by VMWare management for communictions from a central management console to the console and vmotion interfaces of a vmware complex. | |
| Bradley D. Moore | 2004-01-30 19:54:29 |
| Port 901 is also the Samba/SWAT port for (at least) RedHat linux boxes. This increase in scans could be related to attackers looking for open/mis-/poorly-configured SWAT implementations. The default for SWAT is localhost only, but anyone looking to manage off-site customer Samba via SWAT may have this port open - possibly without filters. Although I haven't caught wind of any SWAT vulnerabilities per se, but it's worth noting that the 901 scans may be looking for something *other* than RealSecure. An open SWAT connection with poor pasword protection could be a potential exploit/vulnerability. If you're running SWAT, I'd take this increas in 901 scans/attacks as a nudge to verify the security of your SWAT access ACL's at all levels (network and host configs). Just my $0.02. (B.) | |
| Daniel Grim | 2003-10-14 05:31:05 |
| Most of the increase in traffic could be accounted for due to the fact that a new version of the Trojan/IRCbot W32.Spybot.Worm has been released which attempts to spread itself using the old trojan called Net Devil/Backdoor.Devil using TCP port 901. This Trojan/IRCbot also attempts to spread itself using TCP port 17300(Kuang2TheVirus) and TCP port 27374/1243(SubSeven Trojan). | |
| JMcR | 2003-06-04 00:10:03 |
| We have seen a sudden increase in scanning activity looking for TCP/901 at our sites. Basic research of this port number points to one of RealSecure's management ports, SWAT, and an older Trojan called Net Devil/Backdoor.Devil. | |
| CVE # | Description |
|---|
© 2025 SANS™ Internet Storm Center
Developers: We have an API for you! 