Loading...
[get complete service list]
Top of page
Port Information
Protocol Service Name
tcp realsecure RealSecure sensor
tcp samba-swat Samba SWAT tool
tcp smpnameres SMPNAMERES
udp smpnameres SMPNAMERES
Top IPs Scanning
Today Yesterday
64.39.106.75 (8)64.39.106.74 (16)
103.56.61.130 (5)103.56.61.144 (13)
106.75.162.153 (3)38.110.46.254 (11)
118.123.105.85 (3)101.6.21.12 (10)
101.6.21.12 (3)106.75.162.153 (8)
103.56.61.144 (2)79.110.62.88 (6)
194.180.49.68 (2)204.10.53.162 (4)
47.252.54.218 (2)79.110.62.79 (3)
47.90.181.225 (2)118.123.105.93 (3)
193.163.125.213 (1)121.43.53.2 (2)
Port diary mentions
URL
port 901 surge
Tsunami.exe, Oracle critical patch update, got packets?
Top of page
User Comments
Submitted By Date
Comment
gizmo 2006-02-09 19:14:44
901 TCP along with 902 TCP is being used by VMWare management for communictions from a central management console to the console and vmotion interfaces of a vmware complex.
Bradley D. Moore 2004-01-30 19:54:29
Port 901 is also the Samba/SWAT port for (at least) RedHat linux boxes. This increase in scans could be related to attackers looking for open/mis-/poorly-configured SWAT implementations. The default for SWAT is localhost only, but anyone looking to manage off-site customer Samba via SWAT may have this port open - possibly without filters. Although I haven't caught wind of any SWAT vulnerabilities per se, but it's worth noting that the 901 scans may be looking for something *other* than RealSecure. An open SWAT connection with poor pasword protection could be a potential exploit/vulnerability. If you're running SWAT, I'd take this increas in 901 scans/attacks as a nudge to verify the security of your SWAT access ACL's at all levels (network and host configs). Just my $0.02. (B.)
Daniel Grim 2003-10-14 05:31:05
Most of the increase in traffic could be accounted for due to the fact that a new version of the Trojan/IRCbot W32.Spybot.Worm has been released which attempts to spread itself using the old trojan called Net Devil/Backdoor.Devil using TCP port 901. This Trojan/IRCbot also attempts to spread itself using TCP port 17300(Kuang2TheVirus) and TCP port 27374/1243(SubSeven Trojan).
JMcR 2003-06-04 00:10:03
We have seen a sudden increase in scanning activity looking for TCP/901 at our sites. Basic research of this port number points to one of RealSecure's management ports, SWAT, and an older Trojan called Net Devil/Backdoor.Devil.
Top of page
CVE Links
CVE # Description
Top of page