Port 41523/tcp

Port 41523/tcp is still the port to watch today. http://isc.sans.org/port_details.php?port=41523 The small number of sources indicates that this is likely not a worm, but a reconnaissance/target list acquisition operation. An exploit against ARCServe, which is commonly listening on this port, is easily available. The Top 10 IPs scanning for this port right now:
A more comprehensive list may follow later.

Linux exploit

An exploit was released for the recently discovered local privilege escalation vulnerabilities. The vulnerability information was released today as well. Vulnerability details: http://www.guninski.com/where_do_you_want_billg_to_go_today_3.html

Phishing Name Server

The DNS server 'NS1.SPX2K.com' currently hosts the following domains: CITIFINANCUPDATE.com, SAFE-KEYNET.com, WAMU4U.com, WAMUCORP.com, which appear to be phishing related. The use of actual 'valid' domains like this opens up the possibility that they are used with SSL certificates. The whois info for these domains appears to be fake.

New Feature: tcp %

We do get requests to better differentiate between tcp and udp in our port reports. One reason we don't do this much is that for most ports only udp or tcp is actually used (e.g. port 80 is almost exclusively tcp). However, for some ports this is not so clear. All 'port detail' pages now include a new column (see the 'raw data' section below the graph) which shows what % of the reports are TCP. As a sample see port 53: http://isc.sans.org/port_details.php?port=53 Only about 2% of the traffic reported to DShield on this port is tcp. Of course, in this case this may be the interesting traffic.

New RSS Feed Test

I am experimenting with a different RSS feed format. To see a preview, check http://isc.sans.org/rssfeed_new.php and let us know if it works better or worse for you.

ssh attacks

Still the same thing: brute forcing tons of common usernames. This time, Neil sent us a log showing about 300 usernames. The best way to report ssh scans is via DShield. See http://www.dshield.org/howto.php for details.

MSRC Blog

Members of the Microsoft Security Response Center started posting their own blog at http://spaces.msn.com/members/msrc/ which includes some nice insights about issues with patches, security response and neat tools.
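To illustrate the 'tcp %' column described under "New Feature: tcp %", here is an added example (not ISC or DShield code) that computes the TCP share of reports per destination port. The line layout is an assumption loosely modelled on a DShield-style submission (date, time, tz, submitter id, count, src ip, src port, dst ip, dst port, protocol, optional flags); the log lines are constructed so that port 53 comes out at about 2% tcp, matching the diary's sample.

```python
"""Per-destination-port TCP share over constructed firewall report lines.

Added example, not ISC/DShield code. The field order below is an assumption
modelled on a DShield-style line:
  date time tz submitter count src_ip src_port dst_ip dst_port proto [flags]
"""
from collections import defaultdict

# Constructed sample data: three submitters, mostly UDP on 53, only TCP on 41523.
SAMPLE_LOG = """\
2005-02-15 08:01:12 -05:00 10001 5 192.0.2.10 53 198.51.100.2 53 UDP
2005-02-15 08:01:13 -05:00 10001 1 192.0.2.11 1024 198.51.100.2 53 TCP S
2005-02-15 08:02:40 -05:00 10002 20 192.0.2.12 53 198.51.100.3 53 UDP
2005-02-15 08:03:05 -05:00 10003 24 192.0.2.13 53 198.51.100.4 53 UDP
2005-02-15 08:04:00 -05:00 10002 3 203.0.113.9 2232 198.51.100.3 41523 TCP S
2005-02-15 08:04:30 -05:00 10003 2 203.0.113.9 2233 198.51.100.4 41523 TCP S
"""


def parse_line(line):
    """Return the fields this example needs from one report line.

    Raises ValueError for lines that do not carry the assumed ten-plus fields,
    so a truncated or foreign line is rejected instead of silently miscounted.
    """
    fields = line.split()
    if len(fields) < 10:
        raise ValueError("unexpected report line: %r" % line)
    return {
        "count": int(fields[4]),       # submitter's aggregated hit count
        "dst_port": int(fields[8]),    # destination port being reported
        "proto": fields[9].upper(),    # TCP / UDP / ICMP ...
    }


def tcp_share(log_text):
    """Map dst_port -> (percent of reports that are TCP, total report count).

    Percentages are weighted by the per-line count field, the same way a
    submitter reporting 20 hits should count for more than one reporting 1.
    """
    totals = defaultdict(int)
    tcp = defaultdict(int)
    for raw in log_text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        rec = parse_line(raw)
        totals[rec["dst_port"]] += rec["count"]
        if rec["proto"] == "TCP":
            tcp[rec["dst_port"]] += rec["count"]
    return {
        port: (round(100.0 * tcp[port] / totals[port], 1), totals[port])
        for port in totals
    }


if __name__ == "__main__":
    for port, (pct, total) in sorted(tcp_share(SAMPLE_LOG).items()):
        print("port %5d: %5.1f%% tcp over %d reports" % (port, pct, total))
```

Run stand-alone, the script reports port 53 at 2.0% tcp and port 41523 at 100.0% tcp over the constructed input; with real submissions the interesting cases are exactly the ports where neither protocol dominates, or where, as the diary notes for 53, the minority protocol is the one worth looking at.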
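The "ssh attacks" item describes brute forcing across hundreds of usernames from a single source. The added example below (not ISC code, and not the log Neil submitted) shows the defender-side check: it parses constructed OpenSSH 'Failed password' lines in the usual auth.log format and flags sources that cycle through many distinct usernames, which is the signature of a username list rather than a single mistyped login. The threshold value is an assumption.

```python
"""Flag ssh sources that try many distinct usernames (constructed sample).

Added example, not ISC code. Lines follow the common OpenSSH syslog form:
  <ts> <host> sshd[<pid>]: Failed password for [invalid user ]<user> from <ip> port <n> ssh2
"""
import re
from collections import defaultdict

# Constructed sample: one source walks a username list, another fails once.
SAMPLE_AUTH_LOG = """\
Feb 15 10:00:01 gw sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 4321 ssh2
Feb 15 10:00:02 gw sshd[2203]: Failed password for invalid user test from 203.0.113.5 port 4322 ssh2
Feb 15 10:00:03 gw sshd[2205]: Failed password for root from 203.0.113.5 port 4323 ssh2
Feb 15 10:00:04 gw sshd[2207]: Failed password for invalid user guest from 203.0.113.5 port 4324 ssh2
Feb 15 10:00:05 gw sshd[2209]: Failed password for invalid user admin from 203.0.113.5 port 4325 ssh2
Feb 15 10:05:17 gw sshd[2240]: Failed password for alice from 198.51.100.7 port 51022 ssh2
Feb 15 10:05:20 gw sshd[2242]: Accepted password for alice from 198.51.100.7 port 51023 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def usernames_by_source(log_text):
    """Map source ip -> set of distinct usernames that failed from it."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:  # 'Accepted' and unrelated lines are skipped
            seen[m.group("ip")].add(m.group("user"))
    return seen


def flag_brute_force_sources(log_text, min_distinct_users=3):
    """Return sorted source ips that tried at least min_distinct_users names.

    Counting distinct usernames rather than raw failures separates a user
    fat-fingering one password from a scanner walking a wordlist; the
    threshold of 3 is an assumed default, tune it to the site.
    """
    seen = usernames_by_source(log_text)
    return sorted(ip for ip, users in seen.items() if len(users) >= min_distinct_users)


if __name__ == "__main__":
    for ip, users in usernames_by_source(SAMPLE_AUTH_LOG).items():
        print("%s tried %d distinct usernames: %s" % (ip, len(users), ", ".join(sorted(users))))
    print("flagged:", flag_brute_force_sources(SAMPLE_AUTH_LOG))
```

On the constructed input only 203.0.113.5 is flagged (four distinct names, one of them repeated); the single failure from 198.51.100.7 followed by a successful login is left alone. Sources flagged this way are the ones worth submitting to DShield per the howto linked above.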
-----------------
Johannes Ullrich, jullrich\\;-)//sans.org
CTO SANS Internet Storm Center
ISC Handler, Feb 15th 2005