|
Security Incidents
mailing list archives
Re: increase of scans against port 1524
From: Lance Spitzner <lance () honeynet org>
Date: Wed, 5 Jun 2002 13:10:35 -0500 (CDT)
On Wed, 5 Jun 2002, High Speed wrote:
last 2 days I noticed an increased scan against port 1524
ingreslock 1524/tcp ingres
ingreslock 1524/udp ingres
For some reason, the script kiddie community has standardized on
this port as a backdoor for most automated attacks. What you
have now is attackers looking for systems that have already
been hacked into with a backdoor installed. Very similar to
the concept of the Leaves/W32 worm looking for systems
compromised with Sub7.
For over three years now the Honeynet Project has witnessed
numerous different exploits and attacks against various
Unix systems. Though the vulnerabilities and tools are
constantly changing, we have repeatedly seen the use of
1524 as the backdoor. Even with the dtspcd exploit back
in January, it used 1524 as the backdoor.
While crude, scanning for port 1524 is an effective method
to finding (and taking over) compromised systems.
lance
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
 By Date 
By Thread
Current thread:
- Re: increase of scans against port 1524, (continued)
|
Intro
