Port 41523; Linux Exploit; Phishing Name server; New Feature: tcp %; ssh attacks; MSRC blog

Port 41523/tcp

Port 41523/tcp is still the port to watch today.

The small number of sources indicates that this is likely not a worm, but
a reconnaissance/target-list acquisition operation. An exploit against ARCServe,
which commonly listens on this port, is easily available.

The Top 10 IPs scanning for this port right now:

| IP | AS Number |
| | 589 |
| | 16852 |
| | 11817 |
| | 6503 |
| | 13127 |
| | 2914 |
| | 3269 |
| | 3269 |
| | 812 |
| | 4589 |

A more comprehensive list may follow later.

Linux exploit

An exploit was released for the recently discovered local privilege escalation
vulnerabilities. The vulnerability information was released today as well.

Vulnerability details:

Phishing Name Server

The DNS server '' currently hosts the following domains,,,
which appear to be phishing related. The use of actual 'valid' domains
like this opens up the possibility that they are used with SSL certificates.
The whois info for these domains appears to be fake.

New Feature: tcp %

We do get requests to better differentiate between tcp and udp in our
port reports. One reason we don't do this much is that for most ports only
udp or tcp is actually used (e.g. port 80 is almost exclusively tcp).
However, for some ports this is not so clear. All 'port detail' pages now
include a new column (see the 'raw data' section below the graph) which
shows what % of the reports are TCP. As a sample see port 53:

Only about 2% of the traffic reported to DShield on this port is tcp. Of
course, in this case this may be the interesting traffic.

New RSS Feed Test

I am experimenting with a different RSS feed format. To see a preview,
check and let us know if it works
better/worse for you.

ssh attacks

Still the same thing: brute forcing tons of common usernames. This time,
Neil sent us a log showing about 300 usernames. The best way to report ssh scans
is via DShield. See for details.
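As an added example of how a defender can pick this pattern out of sshd logs (this is not code from the diary or from DShield), the script below groups failed logins by source address and flags sources that walked through many different account names. It assumes OpenSSH-style syslog lines; the sample lines are constructed for the example.

```python
import re
from collections import defaultdict

# Matches OpenSSH failed-login lines, with or without the "invalid user" prefix.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log lines, not the log Neil sent in.
SAMPLE_LOG = """\
Feb 15 03:12:01 host sshd[2101]: Failed password for invalid user test from 192.0.2.10 port 40211 ssh2
Feb 15 03:12:03 host sshd[2103]: Failed password for invalid user guest from 192.0.2.10 port 40213 ssh2
Feb 15 03:12:05 host sshd[2105]: Failed password for invalid user admin from 192.0.2.10 port 40215 ssh2
Feb 15 03:12:07 host sshd[2107]: Failed password for root from 192.0.2.10 port 40217 ssh2
Feb 15 03:12:09 host sshd[2109]: Failed password for invalid user oracle from 192.0.2.10 port 40219 ssh2
Feb 15 03:20:41 host sshd[2150]: Failed password for alice from 198.51.100.7 port 51002 ssh2
Feb 15 03:20:50 host sshd[2151]: Accepted password for alice from 198.51.100.7 port 51002 ssh2
"""

def usernames_by_source(log_text):
    """Map each source IP to the set of usernames it failed to log in with."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            seen[m.group("ip")].add(m.group("user"))
    return seen

def username_scanners(log_text, min_distinct_users=3):
    """Return {ip: sorted usernames} for sources that tried at least
    min_distinct_users different account names. A legitimate user mistyping
    a password hits one name; a scanner walks a list of common ones."""
    return {
        ip: sorted(users)
        for ip, users in usernames_by_source(log_text).items()
        if len(users) >= min_distinct_users
    }

if __name__ == "__main__":
    for ip, users in username_scanners(SAMPLE_LOG).items():
        print(f"{ip}: {len(users)} usernames tried: {', '.join(users)}")
```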

MSRC blog

Members of the Microsoft Security Response Center started posting
their own blog at which
includes some nice insights about issues with patches, security
response and neat tools.

Johannes Ullrich, jullrich\\;-)//

CTO SANS Internet Storm Center

Feb 15th 2005