[Dshield] Port 10616 -> Updates to the DShield site?

Daniel G. Kluge dkluge at acm.org
Sun Aug 6 15:01:54 GMT 2006


Hello group,
it was a slow day, so I was going through all the ports I didn't know  
offhand that were probed, and one which struck me as an interesting  
example is port 10616 (TCP).

This port is used by the eiQnetworks Enterprise Security Analyzer  
(ESA) for licensing communication apparently, and guess what it has a  
vulnerability (updates are available). For a background see
http://www.zerodayinitiative.com/advisories/ZDI-06-024.html

Now if you do a port on DShield using
http://www.dshield.org/port_report.php?port=10616 you will see all the hallmarks of a fresh
exploit. Since shell-code was available at the time of public  
disclosure of the bug, some people started scanning right away I'd  
guess.

One thing that I find annoying is that the port report only lists  
approved CVEs, and not the candidates. I guess the threat will be all  
but over by the time the CVE is approved by the CVE editorial board,  
BTW it's CVE-2006-3838 and has references to no end.

So question: Couldn't we/shouldn't we include CVE candidates too in  
the port reports?

And another thing that I saw during fight-back (was mentioned before)  
is the "[/etc/jwhois.conf: Unable to open]" issue appearing from time  
to time.

Cheers,
-daniel

