
SANS ISC InfoSec Handlers Diary Blog



Do you want to play a game...?

Published: 2007-07-06
Last Updated: 2007-07-07 21:55:29 UTC
by Tom Liston (Version: 2)

No... it's not called "Global Thermonuclear War"... although that's a fun game too...

This game is called "What Are the Kidz Doing On Port 5151?"

Lookie here:  http://isc.sans.org/port.html?port=5151

And, to top that off, we've seen peaks of interest in port 5151 in the past:

February, April, and August 2004
April, July, and December 2005
February and September of 2006

To play, simply click here and tell us what you think.  Better still, set up a netcat listener and tell us what you find (or what finds you...)

Update: (by Kevin "Not Tom" Liston)

Daniel's Darknet (everyone should have one) spotted only backscatter from what appeared to be a denial of service (or possibly a brute-force attack) targeting a Chinese IP on ports 80, 110, and 389 (HTTP, POP3, and LDAP, respectively).  I checked my darknet and on 28-JUN-2007 I spotted similar activity targeting another Chinese IP.

Timothy and others have reported that netcat listeners have turned up no results.  This implies that the scans are simply that: scans only for port TCP/5151.

Darren provides a potential "why" to our "who/what/where/when/why/how" construct with his link to an exploit targeting ESRI's ArcSDE which involves a buffer overflow on a service listening on TCP/5151.  This happened to have been released 26-JUN-2007.  The timing of events seems compelling.  The published exploit doesn't check for headers; it simply opens the port and sprays.
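A passive listener of the kind suggested above, as an added example (not code from the diary or its contributors): it accepts connections on TCP/5151, never replies, and records whether each peer sent any bytes or only connected, which is the distinction the netcat reports turn on. The function names, record fields, timeout and byte limit are illustrative choices.

```python
import json
import socket
from datetime import datetime, timezone

def make_listener(host="0.0.0.0", port=5151):
    """Bind a TCP listener; 5151 is the port discussed in the diary."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(16)
    return srv

def capture(conn, peer, timeout=5.0, max_bytes=4096):
    """Passively read the peer's first bytes; never send anything back."""
    conn.settimeout(timeout)
    data = b""
    try:
        while len(data) < max_bytes:
            chunk = conn.recv(max_bytes - len(data))
            if not chunk:          # peer closed its side
                break
            data += chunk
    except OSError:                # timeout or reset: keep what arrived
        pass
    finally:
        conn.close()
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "src": peer[0],
        "sport": peer[1],
        # No bytes at all means the peer only checked that the port was open.
        "kind": "payload" if data else "connect-only",
        "bytes": len(data),
        "hex": data[:64].hex(),    # first 64 bytes, enough to compare captures
    }

def serve(srv, max_conns=None, timeout=5.0):
    """Accept connections one at a time; return one record per peer."""
    records = []
    while max_conns is None or len(records) < max_conns:
        conn, peer = srv.accept()
        rec = capture(conn, peer, timeout)
        records.append(rec)
        print(json.dumps(rec), flush=True)   # one JSON line per connection
    srv.close()
    return records

if __name__ == "__main__":
    serve(make_listener())
```

A log made up entirely of `connect-only` records matches what the netcat listeners reported; any `payload` record gives you bytes worth sending in.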

 
