Threat Level: green Handler on Duty: Jan Kopriva

SANS ISC: Port 41523; Linux Exploit; Phishing Name server; New Feature: tcp %; ssh attacks; MSRC blog SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms: https://isctv.sans.edu

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Port 41523; Linux Exploit; Phishing Name server; New Feature: tcp %; ssh attacks; MSRC blog

Port 41523/tcp



Port 41523/tcp is still the port to watch today.
http://isc.sans.org/port_details.php?port=41523

The small number of sources indicates that this is likely not a worm, but
a recognizance/target list acquisition operation. An exploit against ARCServe,
which is commonly listening on this port, is easily available.

The Top 10 IPs scanning for this port right now:


+-----------------+-----------+

| IP              | AS Number |

+-----------------+-----------+

| 129.120.055.067 |       589 |

| 066.243.030.084 |     16852 |

| 066.011.128.151 |     11817 |

| 148.245.198.131 |      6503 |

| 062.058.035.115 |     13127 |

| 062.073.174.092 |      2914 |

| 156.054.253.023 |      3269 |

| 217.059.017.034 |      3269 |

| 024.157.087.120 |       812 |

| 195.172.166.182 |      4589 |

+-----------------+-----------+


a more comprehensive list may follow later.

Linux exploit



An exploit was released for the recently discovered local privilege escalation
vulnerabilities. The vulnerability information was released today as well.

Vulnerability details:

http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html

Phishing Name Server



The DNS server 'NS1.SPX2K.com' currently hosts the following domains
CITIFINANCUPDATE.com, SAFE-KEYNET.com, WAMU4U.com, WAMUCORP.com
which appear to be phishing related. The use of actual 'valid' domains
like this opens up the possibility that they are used with SSL certificates.
The whois info for these domains appears to be fake.

New Feature: tcp %



We do get requests, to better differentiate between tcp and udp in our
port reports. One reason we don't do this much is that for most ports, only
udp or tcp is actually used (e.g port 80 is almost exclusively tcp,
However, for some ports this is not so clear. All 'port detail' pages now
include a new column (see the 'raw data' section below the graph) which
shows what % of the reports are TCP. As a sample see port 53:

http://isc.sans.org/port_details.php?port=53

Only about 2% of the traffic reported to DShield on this port is tcp. Of
course, in this case this may be the interesting traffic.

New RSS Feed Test



I am experimenting with a different RSS feed format. To see a preview,
check http://isc.sans.org/rssfeed_new.php and let us know if it works
better/worse for you.

ssh attacks



still the same thing. Brute forcing tons of common usernames. This time,
Neil sent us a log showing about 300 usernames. The best way to report ssh scans
is via DShield. See http://www.dshield.org/howto.php for details.

MSRC Blog



Members of the Microsoft Security Response Center started posting
their own blog at http://spaces.msn.com/members/msrc/ which
includes some nice insights about issues with patches, security
response and neat tools.

-----------------
Johannes Ullrich, jullrich\\;-)//sans.org

CTO SANS Internet Storm CenterI will be teaching next: Defending Web Applications Security Essentials - SANS San Francisco Spring 2020

 Johannes

3698 Posts
ISC Handler
Subscribe Feb 15th 2005
1 decade ago

Sign Up for Free or Log In to start participating in the conversation!