[nsp-sec] Rise in TCP 1100/1106 scanning - HP StorageWorks

Smith, Donald Donald.Smith at CenturyLink.com
Wed May 1 16:25:19 EDT 2013


Jose, those are marked 2008 and Jun 1. Are you sure those graphs are right?



I checked isc.sans.edu and didn't see any real rise in those ports.





(coffee != sleep) & (!coffee == sleep)
Donald.Smith at centurylink.com
________________________________
From: nsp-security [nsp-security-bounces at puck.nether.net] on behalf of jose nazario [jose at arbor.net]
Sent: Thursday, June 05, 2008 1:46 PM
To: nsp-security NSP
Subject: [nsp-sec] Rise in TCP 1100/1106 scanning - HP StorageWorks

Folks

We're seeing a small but real rise in HP StorageWorks scanning on TCP ports 1100 and 1106:


TCP port 1100 in the past week:

ASN                             Bytes per subnet    Percentage
AS16276 (OVH)                   54.24 B             61.2%
AS9848 (GNGAS)                  20.82 B             23.5%
AS34762 (COMBELL-AS)            13.10 B             14.8%
AS20648 (RAN-NETWORKS)          0.21 B              0.2%
AS5432 (BELGACOM-SKYNET-AS)     0.13 B              0.1%
AS4134 (CHINANET-BACKBONE)      0.12 B              0.1%
AS3741 (IS)                     0.02 B              0.0%
AS4808 (CHINA169-BJ)            0.02 B              0.0%
Other                           0 B                 0.0%


And TCP port 1106:


ASN                             Bytes per subnet    Percentage
AS34762 (COMBELL-AS)            13.09 B             81.5%
AS3491 (BTN-ASN)                2.80 B              17.4%
AS4134 (CHINANET-BACKBONE)      0.12 B              0.8%
AS22047 (VTR)                   0.03 B              0.2%
AS17633 (CHINATELECOM-SD-AS-AP) 0.02 B              0.1%
Other                           0 B                 0.0%


References:
Double-Take
http://www.doubletake.com/products/double-take/default.aspx
2008-0-25

Zero Day Initiative (ZDI)
HP StorageWorks Storage Mirroring Authentication Processing Stack Overflow Vulnerability
http://www.zerodayinitiative.com/advisories/ZDI-08-034
2008-06-04

Luigi Auriemma
Double-Take
http://aluigi.altervista.org/adv/doubletakedown-adv.txt
2008-02-22

The Metasploit Framework
DoubleTake exploit
http://packetstormsecurity.org/0806-exploits/hpstorage-meta.txt
2008-06-04

Vulnerability IDs
CVE     CVE-2008-1661

Just a heads up.


-------------------------------------------------------------
jose nazario, ph.d.  <jose at arbor.net>
security researcher, office of the CTO
Arbor Networks
v: (734) 821 1427
PGP: 0x40A7BF94
www.arbornetworks.com
-------------------------------------------------------------