SANS ISC: TCP/UDP Port 901 Activity - SANS Internet Storm Center

Port Information
Protocol Service Name
tcp realsecure RealSecure sensor
tcp samba-swat Samba SWAT tool
tcp smpnameres SMPNAMERES
udp smpnameres SMPNAMERES
User Comments
Submitted By Date
gizmo 2006-02-09 19:14:44
901 TCP along with 902 TCP is being used by VMWare management for communications from a central management console to the console and vmotion interfaces of a vmware complex.
Bradley D. Moore 2004-01-30 19:54:29
Port 901 is also the Samba/SWAT port for (at least) RedHat linux boxes. This increase in scans could be related to attackers looking for open/mis-/poorly-configured SWAT implementations. The default for SWAT is localhost only, but anyone looking to manage off-site customer Samba via SWAT may have this port open - possibly without filters. Although I haven't caught wind of any SWAT vulnerabilities per se, it's worth noting that the 901 scans may be looking for something *other* than RealSecure. An open SWAT connection with poor password protection could be a potential exploit/vulnerability. If you're running SWAT, I'd take this increase in 901 scans/attacks as a nudge to verify the security of your SWAT access ACLs at all levels (network and host configs). Just my $0.02. (B.)
Daniel Grim 2003-10-14 05:31:05
Most of the increase in traffic could be accounted for due to the fact that a new version of the Trojan/IRCbot W32.Spybot.Worm has been released which attempts to spread itself using the old trojan called Net Devil/Backdoor.Devil using TCP port 901. This Trojan/IRCbot also attempts to spread itself using TCP port 17300 (Kuang2TheVirus) and TCP port 27374/1243 (SubSeven Trojan).
JMcR 2003-06-04 00:10:03
We have seen a sudden increase in scanning activity looking for TCP/901 at our sites. Basic research of this port number points to one of RealSecure's management ports, SWAT, and an older Trojan called Net Devil/Backdoor.Devil.
CVE Links
CVE # Description