[unisog] Scans on tcp/41523

Doug Pearson dodpears at indiana.edu
Mon Feb 14 18:18:15 GMT 2005

REN-ISAC is seeing the TCP/41523 activity in Abilene netflow (see attached graph) and in our darknet. 

Abilene netflow for the period 2005-02-14 0000-1200 EST shows 301 source /21 netblocks; the top ten sources are responsible for 93 percent of the traffic. Breakdown of the top ten is:

        Rank    Share of tcp/41523 flows
        1       23%
        2       18%
        3       11%
        4       9%
        5       8%
        6       5%
        7       5%
        8       5%
        9       5%
        10      4%

In the darknet, with many thousands of hits, we saw one source, corresponding to the #1 source seen in Netflow.

We've reported the incident to the #1 source site and are investigating the others to confirm malicious-looking behavior.

As reported in Unisog, this appears to be related to the recently announced ArcServe vulnerabilities and exploits. Information provided by the IT-ISAC regarding ArcServe:

BrightStor Discovery service buffer overflow

o 02/12/2005 - Metasploit Framework - New exploit module added: cabrightstor_disco_servicepc

o CA BrightStor ARCserve Backup Remote Buffer Overflow Exploit http://www.kotik.com/exploits/20050211.brightstor.c.php

o CA BrightStor ARCserve Discovery SERVICEPC Overflow Exploit #2 http://www.kotik.com/exploits/20050213.cabrightstor_disco_servicepc.pm.php

o CA BrightStor ARCserve Backup Discovery Service Overflow Exploit http://www.kotik.com/exploits/20050213.cabrightstor_disco_servicepc.pm.php

BrightStor ARCserve Backup r11.1 could allow a remote attacker to execute arbitrary commands, caused by a vulnerability with hard-coded credentials being left in the UniversalAgent for Unix. A remote attacker could exploit this vulnerability by using credentials to gain unauthorized access to the system and execute arbitrary commands on the system with root privileges.

Doug Pearson
Research and Education Networking ISAC
24x7 Watch Desk: +1(317)278-6630, ren-isac at iu.edu
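The per-source breakdown above (flows to one destination port, grouped by source /21 netblock, with a darknet cross-check on the top source) is the kind of aggregation a NOC or ISAC watch desk runs over flow exports. The script below is an added example showing that analysis end to end; it is not REN-ISAC's tooling, and the flow record format, the IP addresses (documentation/test ranges) and the flow and darknet hit counts are all constructed.

```python
"""Aggregate flow records by source /21 netblock for one destination port,
report the top-N share of traffic, and cross-check the top sources against
darknet sensor hits. Added example; record format and data are constructed."""
from collections import Counter
from ipaddress import ip_network

# Constructed flow records: (src_ip, dst_ip, dst_port, flow_count).
# Sources are documentation/test ranges, not real scan sources.
SAMPLE_FLOWS = [
    ("192.0.2.17",  "198.51.100.5",  41523, 230),
    ("192.0.2.200", "198.51.100.9",  41523, 120),  # same /21 as 192.0.2.17
    ("203.0.113.8", "198.51.100.12", 41523, 180),
    ("203.0.113.9", "198.51.100.13", 41523, 110),  # same /21 as 203.0.113.8
    ("198.18.0.1",  "198.51.100.14", 41523, 60),
    ("198.18.8.1",  "198.51.100.15", 41523, 30),   # different /21 (198.18.8.0/21)
    ("192.0.2.17",  "198.51.100.6",  80,    9999), # other port: ignored
]

# Constructed darknet sensor hits (source ip -> hits). Darknet space has no
# legitimate services, so any source here is probing rather than answering.
DARKNET_HITS = {"192.0.2.17": 4100}


def netblock(ip: str, prefix: int = 21) -> str:
    """Map a host address to its enclosing /prefix network, e.g. 192.0.0.0/21."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def flows_by_netblock(flows, dst_port: int, prefix: int = 21) -> Counter:
    """Sum flow counts to dst_port per source netblock; other ports are skipped."""
    counts = Counter()
    for src, _dst, dport, n in flows:
        if dport == dst_port:
            counts[netblock(src, prefix)] += n
    return counts


def top_n_share(counts: Counter, n: int = 10):
    """Return ((rank, netblock, flows, pct) rows, total flows, top-N share pct)."""
    total = sum(counts.values())
    top = counts.most_common(n)
    rows = [
        (rank, block, flows, round(100 * flows / total))
        for rank, (block, flows) in enumerate(top, 1)
    ]
    top_share = round(100 * sum(f for _, f in top) / total)
    return rows, total, top_share


def darknet_corroborated(rows, darknet_hits, prefix: int = 21):
    """Top-N netblocks that also show up as darknet sources, in rank order.
    A netblock seen both as a heavy flow source and hitting unused address
    space is scanning, not serving a flash crowd."""
    blocks = {netblock(ip, prefix) for ip in darknet_hits}
    return [block for _rank, block, _n, _pct in rows if block in blocks]


if __name__ == "__main__":
    counts = flows_by_netblock(SAMPLE_FLOWS, 41523)
    rows, total, share = top_n_share(counts, n=10)
    print(f"{len(counts)} source /21 netblocks, top {len(rows)} = {share}% of {total} flows")
    for rank, block, flows, pct in rows:
        print(f"{rank:>4}  {block:<18} {flows:>6}  {pct:>3}%")
    print("corroborated by darknet:", darknet_corroborated(rows, DARKNET_HITS))
```

Grouping by /21 rather than by host address is what makes a source that rotates through a few addresses in one allocation show up as a single contributor; the darknet check then separates sources that only ever talk to unused space (scanners) from ones that might be legitimate heavy talkers to the same port.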

At 09:39 AM 2/14/2005 -0600, Keith Schoenefeld wrote:
>I'm not sure what's going on yet, but I've started picking up a
>reasonably large number of scans on port tcp/41523 from off campus.  The
>Internet Storm Center at SANS (isc.sans.org) has a cool tool where you
>can look up a port and see if other people are picking up scans on
>specific ports.  On Feb. 12th, there were 144 total scans reported to
>isc on port 41523.  For today, a total of 46,000 scans had been
>reported (a 31,844% increase if my math is correct).  Something is up.
>Anyone know of any new worm that creates a backdoor on tcp/41523?
>-- KS
>Keith Schoenefeld
>Manager of College Computer Services
>College of Engineering and Natural Sciences
>The University of Tulsa
>unisog mailing list
>unisog at lists.sans.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 20050214_tcp_dst_41523_flows.png
Type: image/png
Size: 74740 bytes
Desc: not available
Url : http://www.dshield.org/pipermail/unisog/attachments/20050214/fc65d297/20050214_tcp_dst_41523_flows-0002.png