[unisog] Tcp/6101 spike

Jason Richardson A00JER2 at wpo.cso.niu.edu
Wed Jan 12 14:51:17 GMT 2005


We've been seeing it here also.  As soon as it was discussed on this
list last week, I started watching the port and we began to see probes
on port 6101 directed at several servers on our network (none belonging
to central IT).  I made contact with the sys admins and got them to
patch the boxes but, considering the post that I just saw over on
Educause about the Win2003 machine running Veritas 9.1 that was
exploited, I'm wondering if our patching was too little too late.  We'll
be watching the boxes and the traffic closely (we're still seeing port
6101 traffic directed at the same IPs so I assume that they are on a
zero-day list somewhere).

Thanks,

---
Jason Richardson
Manager, IT Security and Client Development
Enterprise Systems Support
Northern Illinois University
Voice: 815-753-1678
Fax: 815-753-2555
jasrich at niu.edu

>>> C.J.Leune at uvt.nl 1/11/2005 4:07:50 AM >>>
Hi,

On Sat, Jan 08, 2005 at 12:32:39PM +0100, Kees Leune wrote:
> Hi,
> 
> I've been seeing spikes on tcp/6101 probes since yesterday or so. Haven't been
> able to capture packets yet. Any ideas what is causing this? The sans port
> graph at http://isc.sans.org/port_details.php?port=6101 seems to confirm my
> observation.

The internet storm center also reports something about this port on today's
diary.

"The 6101/TCP is theorized to be scanning for the Veritas BackupExec Agent
vulnerability discussed earlier (http://isc.sans.org/diary.php?date=2004-12-16)
in December."

More info at http://isc.sans.org/diary.php?date=2005-01-10 

-kees

-- 
Drs. Kees Leune                                 Tilburg University
Researcher                                     Infolab, Room B 738
+31 13 466 2688                                    The Netherlands