Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: Port 41523; Linux Exploit; Phishing Name server; New Feature: tcp %; ssh attacks; MSRC blog

SANS Site Network

Current Site

SANS Internet Storm Center

Other SANS Sites Help

Graduate Degree Programs

Security Training

Security Certification

Security Awareness Training

Penetration Testing

Industrial Control Systems

Cyber Defense Foundations

DFIR

Software Security

Government OnSite Training

SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Log In or Sign Up for Free!

Port 41523; Linux Exploit; Phishing Name server; New Feature: tcp %; ssh attacks; MSRC blog
Port 41523/tcp Port 41523/tcp is still the port to watch today. http://isc.sans.org/port_details.php?port=41523 The small number of sources indicates that this is likely not a worm, but a recognizance/target list acquisition operation. An exploit against ARCServe, which is commonly listening on this port, is easily available. The Top 10 IPs scanning for this port right now: +-----------------+-----------+ \| IP \| AS Number \| +-----------------+-----------+ \| 129.120.055.067 \| 589 \| \| 066.243.030.084 \| 16852 \| \| 066.011.128.151 \| 11817 \| \| 148.245.198.131 \| 6503 \| \| 062.058.035.115 \| 13127 \| \| 062.073.174.092 \| 2914 \| \| 156.054.253.023 \| 3269 \| \| 217.059.017.034 \| 3269 \| \| 024.157.087.120 \| 812 \| \| 195.172.166.182 \| 4589 \| +-----------------+-----------+ a more comprehensive list may follow later. Linux exploit An exploit was released for the recently discovered local privilege escalation vulnerabilities. The vulnerability information was released today as well. Vulnerability details: http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html Phishing Name Server The DNS server 'NS1.SPX2K.com' currently hosts the following domains CITIFINANCUPDATE.com, SAFE-KEYNET.com, WAMU4U.com, WAMUCORP.com which appear to be phishing related. The use of actual 'valid' domains like this opens up the possibility that they are used with SSL certificates. The whois info for these domains appears to be fake. New Feature: tcp % We do get requests, to better differentiate between tcp and udp in our port reports. One reason we don't do this much is that for most ports, only udp or tcp is actually used (e.g port 80 is almost exclusively tcp, However, for some ports this is not so clear. All 'port detail' pages now include a new column (see the 'raw data' section below the graph) which shows what % of the reports are TCP. As a sample see port 53: http://isc.sans.org/port_details.php?port=53 Only about 2% of the traffic reported to DShield on this port is tcp. Of course, in this case this may be the interesting traffic. New RSS Feed Test I am experimenting with a different RSS feed format. To see a preview, check http://isc.sans.org/rssfeed_new.php and let us know if it works better/worse for you. ssh attacks still the same thing. Brute forcing tons of common usernames. This time, Neil sent us a log showing about 300 usernames. The best way to report ssh scans is via DShield. See http://www.dshield.org/howto.php for details. MSRC Blog Members of the Microsoft Security Response Center started posting their own blog at http://spaces.msn.com/members/msrc/ which includes some nice insights about issues with patches, security response and neat tools. ----------------- Johannes Ullrich, jullrich\\;-)//sans.org CTO SANS Internet Storm CenterI will be teaching next: Intrusion Detection In-Depth - SANS Las Vegas Spring 2020	Johannes 3835 Posts ISC Handler
Subscribe	Feb 15th 2005 1 decade ago

Sign Up for Free or Log In to start participating in the conversation!