Joakim,
I think that these are just script kiddie scans looking for poorly
configured and/or vulnerable boxen. Hack together a few lines of Perl,
and make it listen on 2036. Then see what the attackers send after the
port is open.
As to port 80, there are a bunch of reasons why this could be
occuring. Keeping in line with the script kiddie idea, it could be
somebody looking for IIS vulns or the like.
GL with your research.
peace,
--Justin
On 10/27/05, mis@seiden.com <mis@seiden.com> wrote:
might be someone looking for a no password remote login vulnerability
in novell bordermanager, as described at:
http://craigjconsulting.com/bmgrptch.html
"Jan 11, 2003 - I added a note for some bugs below this section. I
also wanted to finally tell people what the NW6RCONJ2A.EXE patch was
all about. I had avoided telling about the bug until now to give
people enough time to go about patching their servers before making it
obvious what the bug was about. However, I keep getting new clients
who have read my patch list here and just skipped that patch because
they didn't think it was applicable to them. They are quite surprised
when I connect to their BorderManager server over the Internet using
RCONAG6 without a password! The version of RCONAG6 shipped with
NW6SP2.EXE included a flawed version of RCONAG6. The bad version does
not look at the password entry for the 'secure' (encrypted) port (2036
by default). Consequently, you can connect to a server without a
password if that version of RCONAG6 is loaded, and the usual Novell
default filter exceptions are in place. The NW6RCONJ2A patch fixes
this problem."
On Thu, Oct 27, 2005 at 08:10:19PM +0200, Joakim Berge wrote:
On 10/26/05, Tillmann Werner <tillmann.werner@gmx.de> wrote:
Joakim,
The scan seems to be from a large botnet, across the world.
What makes you believe the attack's origin is a botnet?
I belive it is a botnet becouse the source addresses are couple of
hundred different ones (i think....havent counted). I dont see any
pattern, and they are spread across the planet.
They have only targeted one ip, and it doesn't respond to those ports.
Your samples only showed port 2036/tcp on a very low frequency. Is this
representative for a longer period? What is the percentage of port 80/tcp
packets?
This has been going on for a month, and the frequency is about 200 per
day for 2036 and 50 per day for 80. NFR also reports combined scan for
"2036 80".
Is it the tryout of a new worm?
Unlikely, if it only targets a single ip address which does not respond.
Http
might be used as destination port for such packets are likely to go
through
firewalls.
If you are interested in furhter investigation, you could run netcat on
the
attacked host to see if connection establishment goes on and if there
arrives
any data.
Tillmann
--
Joakim Berge
Tlf. +47 93489696
MSN. joakim.berge@gmail.com
