[unisog] Scans on tcp/41523

Doug Pearson dodpears at indiana.edu
Mon Feb 14 18:18:15 GMT 2005


REN-ISAC is seeing the TCP/41523 activity in Abilene netflow (see attached graph) and in our darknet. 

Abilene netflow for the period 2005-02-14 0000-1200 EST shows 301 source /21 netblocks; the top ten sources are responsible for 93 percent of the traffic. Breakdown of the top ten is:

        Rank    Share of traffic
        1       23%
        2       18%
        3       11%
        4       9%
        5       8%
        6       5%
        7       5%
        8       5%
        9       5%
        10      4%

In the darknet, with many thousands of hits, we saw one source, corresponding to the #1 source seen in Netflow.

We've reported the incident to the #1 source site and are investigating the others to confirm malicious-looking behavior.

As reported in Unisog, this appears to be related to the recently announced ArcServe vulnerabilities and exploits. Information provided by the IT-ISAC regarding ArcServe:

o BrightStor Discovery service buffer overflow
http://xforce.iss.net/xforce/xfdb/19251

o 02/12/2005 - Metasploit Framework - New exploit module added: cabrightstor_disco_servicepc
http://www.metasploit.net/projects/Framework/exploits.html#cabrightstor_disco_servicepc

o CA BrightStor ARCserve Backup Remote Buffer Overflow Exploit
http://www.kotik.com/exploits/20050211.brightstor.c.php

o CA BrightStor ARCserve Discovery SERVICEPC Overflow Exploit #2
http://www.kotik.com/exploits/20050213.cabrightstor_disco_servicepc.pm.php

o CA BrightStor ARCserve Backup Discovery Service Overflow Exploit
http://www.kotik.com/exploits/20050213.cabrightstor_disco_servicepc.pm.php

BrightStor ARCserve Backup r11.1 could allow a remote attacker to execute arbitrary commands, caused by a vulnerability with hard coded credentials being left in the UniversalAgent for Unix. A remote attacker could exploit this vulnerability by using credentials to gain unauthorized access to the system and execute arbitrary commands on the system with root privileges.
http://xforce.iss.net/xforce/xfdb/19293



Doug Pearson
Research and Education Networking ISAC
24x7 Watch Desk: +1(317)278-6630, ren-isac at iu.edu
http://www.ren-isac.net




At 09:39 AM 2/14/2005 -0600, Keith Schoenefeld wrote:
>I'm not sure what's going on yet, but I've started picking up a
>reasonably large number of scans on port tcp/41523 from off campus.  The
>Internet Storm Center at SANS (isc.sans.org) has a cool tool where you
>can look up a port and see if other people are picking up scans on
>specific ports.  On Feb. 12th, there were 144 total scans reported to
>isc on port 41523.  For today, a total of 46,000 scans had been
>reported (a 31,844% increase if my math is correct).  Something is up.
>Anyone know of any new worm that creates a backdoor on tcp/41523?
>
>-- KS
>
>-- 
>Keith Schoenefeld
>Manager of College Computer Services
>College of Engineering and Natural Sciences
>The University of Tulsa
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20050214_tcp_dst_41523_flows.png
Type: image/png
Size: 74740 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/unisog/attachments/20050214/fc65d297/20050214_tcp_dst_41523_flows-0002.png
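The netflow analysis described in the post (TCP flows to port 41523 grouped by source /21 netblock, share of traffic from the top sources, and a darknet source checked against the #1 netflow block) as an added Python example; this is not code from REN-ISAC or the list, and the flow records below are constructed, not real Abilene data.

```python
import ipaddress
from collections import Counter

# Constructed sample flow records (NOT real Abilene netflow):
# src_ip dst_ip proto dst_port flow_count
SAMPLE_FLOWS = """\
192.0.2.17 203.0.113.5 tcp 41523 130
192.0.2.200 203.0.113.9 tcp 41523 80
198.51.100.3 203.0.113.5 tcp 41523 60
198.51.100.77 203.0.113.22 tcp 41523 40
203.0.113.100 192.0.2.5 tcp 41523 20
192.0.2.17 203.0.113.5 tcp 80 500
198.51.100.3 203.0.113.5 udp 41523 30
this line is malformed and is skipped
"""

def netblock(ip, prefix=21):
    """Collapse a source address to its /prefix netblock (default /21, as in the post)."""
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False))

def aggregate(text, port=41523, prefix=21):
    """Sum flow counts per source netblock for TCP flows whose destination port is `port`."""
    counts = Counter()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip records that do not match the expected layout
        src, _dst, proto, dport, flows = fields
        if proto == "tcp" and dport == str(port):
            counts[netblock(src, prefix)] += int(flows)
    return counts

def top_share(counts, n=10):
    """Return (distinct netblocks, top-n [(block, pct)], pct of all traffic from the top n)."""
    total = sum(counts.values())
    ranked = counts.most_common(n)
    top = [(block, round(100 * c / total)) for block, c in ranked]
    covered = round(100 * sum(c for _, c in ranked) / total)
    return len(counts), top, covered

def darknet_top_match(darknet_src, counts, prefix=21):
    """True when the single darknet source falls in the #1 netblock seen in netflow."""
    return netblock(darknet_src, prefix) == counts.most_common(1)[0][0]

if __name__ == "__main__":
    c = aggregate(SAMPLE_FLOWS)
    print(top_share(c, n=2), darknet_top_match("192.0.2.17", c))
```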

