[nsp-sec] Rise in TCP 1100/1106 scanning - HP StorageWorks

jose nazario jose at arbor.net
Thu Jun 5 12:59:43 EDT 2008


Folks 

We're seeing a small but real rise in HP StorageWorks scanning on TCP ports
1100 and 1106:


TCP port 1100 in the past week:


ASN                            Bytes per subnet    Percentage
AS16276 (OVH)                  54.24 B             61.2%
AS9848 (GNGAS)                 20.82 B             23.5%
AS34762 (COMBELL-AS)           13.10 B             14.8%
AS20648 (RAN-NETWORKS)         0.21 B              0.2%
AS5432 (BELGACOM-SKYNET-AS)    0.13 B              0.1%
AS4134 (CHINANET-BACKBONE)     0.12 B              0.1%
AS3741 (IS)                    0.02 B              0.0%
AS4808 (CHINA169-BJ)           0.02 B              0.0%
Other                          0 B                 0.0%


And TCP port 1106:



ASN                                Bytes per subnet    Percentage
AS34762 (COMBELL-AS)               13.09 B             81.5%
AS3491 (BTN-ASN)                   2.80 B              17.4%
AS4134 (CHINANET-BACKBONE)         0.12 B              0.8%
AS22047 (VTR)                      0.03 B              0.2%
AS17633 (CHINATELECOM-SD-AS-AP)    0.02 B              0.1%
Other                              0 B                 0.0%


References:
Double-Take
http://www.doubletake.com/products/double-take/default.aspx
2008-0-25

Zero Day Initiative (ZDI)
HP StorageWorks Storage Mirroring Authentication Processing Stack Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-034
2008-06-04

Luigi Auriemma 
Double-Take
http://aluigi.altervista.org/adv/doubletakedown-adv.txt
2008-02-22

The Metasploit Framework
DoubleTake exploit
http://packetstormsecurity.org/0806-exploits/hpstorage-meta.txt
2008-06-04

Vulnerability IDs
CVE     CVE-2008-1661

Just a heads up.


-------------------------------------------------------------
jose nazario, ph.d.  <jose at arbor.net>
security researcher, office of the CTO
Arbor Networks
v: (734) 821 1427
PGP: 0x40A7BF94
www.arbornetworks.com
-------------------------------------------------------------
