Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Port 41523 (tcp/udp) Attack Activity

SANS Site Network

Current Site

SANS Internet Storm Center

Other SANS Sites Help

Graduate Degree Programs

Security Training

Security Certification

Security Awareness Training

Penetration Testing

Industrial Control Systems

Cyber Defense Foundations

DFIR

Software Security

Government OnSite Training

Port 41523 (tcp/udp) Attack Activity

Log In or Sign Up for Free!

Loading...

[get complete service list]

Port Information
Protocol	Service	Name

Top IPs Scanning
Today	Yesterday
92.63.197.9 (4)	193.163.125.133 (2)
193.163.125.31 (1)	193.163.125.107 (1)
92.63.197.7 (1)	193.163.125.27 (1)
193.163.125.109 (1)	193.163.125.114 (1)
185.156.73.31 (1)	193.163.125.172 (1)
193.163.125.82 (1)	193.163.125.57 (1)
51.171.132.123 (1)	193.163.125.97 (1)
193.163.125.33 (1)	193.163.125.8 (1)
79.124.62.110 (1)	193.163.125.143 (1)
193.163.125.167 (1)	193.163.125.75 (1)

Port diary mentions
URL
Happy Valentine's Day; ARCserve probes?; OWA issue; new Opera version
Port 41523; Linux Exploit; Phishing Name server; New Feature: tcp %; ssh attacks; MSRC blog
New mydoom variant; ARCserve exploitation has begun... got Port 41523 TCP packets?

User Comments
Submitted By	Date
Comment
Joy Whitney	2005-03-10 08:09:02
This is the Computer Associates Brightstor Arcserver discovery service port. All of the machines in one address range on our WAN was hit at about 8:20PST on 2/24/05. On most machines it just killed the process. On 5 machines it killed the process but also attempted to write a file named wumgrs32.exe. Also found a file named o (with the same time stamp)which was an ftp script to download the mentioned exe file.

CVE Links
CVE #	Description