On Wed, 11 Jun 2003 13:41:52 -0400, Michael H. Warfield wrote
> On Mon, Jun 09, 2003 at 12:56:35PM -0600, Mike Vanecek wrote:
>
> > I have been gone for a month and notice that I am now getting packets for port
> > 901 (Samba Swat) from all over the world (see sample of packets below). I run
> > Samba and Samba Swat, but it is only enabled for the internal addresses.
> > Hence, all of the below packets end up being rejected and show up in my
> > rejected logs.
>
> Port 901 is used for more than just SWAT. It's also used for
> ISS RealSecure and it's a known backdoor port for the Net-Devil
> backdoor. The actual IANA definition for port 901 is smpnameres, but
> I have NO idea who uses that. Since I'm both on the Samba Team AND
> employed at ISS, I guess that means the port 901 activity has my attention.
> Unfortunately, it comes and goes very sporadically (so I don't
> think it's a worm).
>
> Current, odds-on, bets are favoring that it's probably
> shady characters scanning for Windows boxes infected with Net-Devil
> backdoors. While I've got captures of the scanning, I don't have
> any captures of any actual traffic if they find something on 901.

I currently have 54 port 901 scans in my log, the last of which was on Jan 11th. I can send you a copy of them if it would be of any use.

> At the moment, I've got SWAT honeypots set up and I'm monitoring
> for traffic, but haven't seen anything more since Friday. I'm also
> looking to set up a pot with Net-Devil on it but I haven't managed
> to score a copy of it yet.

Interesting, the games we have to play ...

Regards,
Mike