
SANS ISC: InfoSec Handlers Diary Blog - Port 6502



Port 6502

Published: 2007-01-09
Last Updated: 2007-01-12 01:27:28 UTC
by Swa Frantzen (Version: 4)

Port 6502 is showing a significant increase in unwanted traffic:

[Graph: port 6502]

The increase is almost purely TCP.

It seems possible this is related to the activity reported earlier by US-CERT regarding the CA BrightStor ARCserve Backup Tape Engine. That activity exploits a vulnerability disclosed on November 24th, 2006, for which there doesn't seem to be a patch available.

To be sure what it is, we'd like some packets. Please note that SYN packets alone are useless for this. We need you to set up something that listens and actively tries to talk as a server on port 6502. "nc" with the right options comes to mind (the options are system dependent; check your man page).
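A listener of the kind requested above, as an added example (not code from the diary or its author): it completes the TCP handshake on port 6502, can optionally speak first, and records whatever the client sends as a hex dump. The function names, the idle timeout and the size cap are assumptions chosen for illustration.

```python
import socket
import time

def hexdump(data, width=16):
    """Render bytes as offset / hex / ASCII rows for a report."""
    rows = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hx = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        rows.append(f"{off:08x}  {hx:<{width * 3}} {asc}")
    return "\n".join(rows)

def record(conn, greeting=b"", idle=5.0, max_bytes=65536):
    """Read what a connected client sends until it closes, goes idle or hits the cap."""
    buf = bytearray()
    with conn:
        conn.settimeout(idle)
        try:
            if greeting:              # some clients wait for the server to speak first
                conn.sendall(greeting)
            while len(buf) < max_bytes:
                data = conn.recv(min(4096, max_bytes - len(buf)))
                if not data:          # client closed the connection
                    break
                buf += data
        except OSError:               # idle timeout or reset: keep what arrived
            pass
    return bytes(buf)

def serve(host="0.0.0.0", port=6502):
    """Accept connections one at a time and print each captured payload."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            payload = record(conn)
            stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
            print(f"{stamp} {peer[0]}:{peer[1]} {len(payload)} bytes")
            print(hexdump(payload))

if __name__ == "__main__":
    serve()
```

Running a packet capture on the same host alongside it preserves the full exchange, since the request is for packets rather than payload bytes alone.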

It's interesting to note the length of time that passed on this one if this is indeed still the same vulnerability they are attempting to exploit.

--
Swa Frantzen -- Section 66
