|901 TCP along with 902 TCP is being used by VMware management for communications from a central management console to the console and vmotion interfaces of a VMware complex.
|Bradley D. Moore
|Port 901 is also the Samba/SWAT port for (at least) RedHat Linux boxes. This increase in scans could be related to attackers looking for open/mis-/poorly-configured SWAT implementations.
The default for SWAT is localhost only, but anyone looking to manage off-site customer Samba via SWAT may have this port open - possibly without filters.
Although I haven't caught wind of any SWAT vulnerabilities per se, it's worth noting that the 901 scans may be looking for something *other* than RealSecure. An open SWAT connection with poor password protection could be a potential exploit/vulnerability.
If you're running SWAT, I'd take this increase in 901 scans/attacks as a nudge to verify the security of your SWAT access ACLs at all levels (network and host configs).
Just my $0.02.
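An added example, not part of the comment above: one way to do the host-level half of that ACL check, assuming SWAT is launched from xinetd (commonly a file such as /etc/xinetd.d/swat). The sample config and the function names `parse_xinetd_service` and `audit_swat` are constructed for illustration.

```python
import ipaddress

# Constructed sample of an xinetd service file for SWAT (not from the page).
SAMPLE_SWAT_CONF = """\
service swat
{
    port        = 901
    socket_type = stream
    wait        = no
    only_from   = 127.0.0.1 192.0.2.0/24
    user        = root
    server      = /usr/sbin/swat
    disable     = no
}
"""

def parse_xinetd_service(text):
    """Return {attribute: [values]} for the first service block in text."""
    attrs, inside = {}, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if line == "{":
            inside = True
        elif line == "}":
            break
        elif inside and "=" in line:
            # Only plain "=" assignments are handled ("+=" / "-=" are not).
            key, _, value = line.partition("=")
            attrs.setdefault(key.strip(), []).extend(value.split())
    return attrs

def audit_swat(text):
    """List the only_from entries that let non-loopback hosts reach SWAT."""
    attrs = parse_xinetd_service(text)
    if attrs.get("disable", ["no"])[0].lower() == "yes":
        return []          # xinetd is not starting SWAT at all
    sources = attrs.get("only_from", [])
    findings = [] if sources else ["no only_from in this file"]
    for src in sources:
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            findings.append(f"{src}: hostname or pattern, review by hand")
            continue
        if not net.is_loopback:
            findings.append(f"{src}: non-loopback source allowed")
    return findings
```

A clean result here covers only the xinetd file; xinetd.conf defaults and network filtering in front of TCP 901 still need their own review.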
|Most of the increase in traffic could be accounted for due to the fact that a new version of the Trojan/IRCbot W32.Spybot.Worm has been released which attempts to spread itself using the old trojan called Net Devil/Backdoor.Devil using TCP port 901. This Trojan/IRCbot also attempts to spread itself using TCP port 17300 (Kuang2TheVirus) and TCP port 27374/1243 (SubSeven Trojan).
|We have seen a sudden increase in scanning activity looking for TCP/901 at our sites.
Basic research of this port number points to one of RealSecure's management ports, SWAT, and an older Trojan called Net Devil/Backdoor.Devil.