Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: Port 901 (tcp/udp) Attack Activity


Port Information
Protocol   Service       Name
tcp        realsecure    RealSecure sensor
tcp        samba-swat    Samba SWAT tool
tcp        smpnameres    SMPNAMERES
udp        smpnameres    SMPNAMERES
Top IPs Scanning
Port diary mentions
URL
port 901 surge
Tsunami.exe, Oracle critical patch update, got packets?
User Comments
Submitted By Date
Comment
gizmo 2006-02-09 19:14:44
901 TCP along with 902 TCP is being used by VMWare management for communications from a central management console to the console and vmotion interfaces of a vmware complex.
Bradley D. Moore 2004-01-30 19:54:29
Port 901 is also the Samba/SWAT port for (at least) RedHat linux boxes. This increase in scans could be related to attackers looking for open/mis-/poorly-configured SWAT implementations. The default for SWAT is localhost only, but anyone looking to manage off-site customer Samba via SWAT may have this port open - possibly without filters. Although I haven't caught wind of any SWAT vulnerabilities per se, it's worth noting that the 901 scans may be looking for something *other* than RealSecure. An open SWAT connection with poor password protection could be a potential exploit/vulnerability. If you're running SWAT, I'd take this increase in 901 scans/attacks as a nudge to verify the security of your SWAT access ACLs at all levels (network and host configs). Just my $0.02. (B.)
Daniel Grim 2003-10-14 05:31:05
Most of the increase in traffic could be accounted for due to the fact that a new version of the Trojan/IRCbot W32.Spybot.Worm has been released which attempts to spread itself using the old trojan called Net Devil/Backdoor.Devil using TCP port 901. This Trojan/IRCbot also attempts to spread itself using TCP port 17300 (Kuang2TheVirus) and TCP port 27374/1243 (SubSeven Trojan).
JMcR 2003-06-04 00:10:03
We have seen a sudden increase in scanning activity looking for TCP/901 at our sites. Basic research of this port number points to one of RealSecure's management ports, SWAT, and an older Trojan called Net Devil/Backdoor.Devil.