Recent Attacks & Attackers data shows that attackers are scanning for port 2100/tcp -- a service which was not blocked at the campus boundary. We assume the scans are malicious and our best guess is the attackers are trying to find the sometimes vulnerable Oracle XDB FTP service. See SANS ISC Diary of 22-Jul-2005.
We are aware of very few Oracle servers on campus (most are for enterprise systems managed by IST) and are not aware of any requirements for the XDB FTP service. Within IST our practice has been to disable that service and to limit off-campus access to systems offering Oracle services. Nevertheless, we have detected systems configured in error where the XDB FTP service was not disabled and the service was exposed to the world. We are very concerned that Oracle servers may not be at current patch level and may well be vulnerable.
We are not aware of any compromises involving this service. However, given that there is no requirement to expose the service to the world and the attackers are showing a keen interest in finding these servers, we've implemented an alarm to notify attackers (so the attacker's ISP can invoke their acceptable use agreement), and we've initiated discussions to block this port at the campus boundary.
Consensus has been reached that we ought to implement a strong firewall that blocks all services, with exceptions only for those services that are required (see the work of the Firewall Working Group). Work is underway to find the appropriate technologies.
Ports 2100/tcp (Oracle FTP), 6101/tcp (Veritas Backup) and 31337/tcp (a worm/virus backdoor) were blocked at the campus boundary with no exceptions requested on August 10, 2005.
Automated alarms notifying abuse@attacker-site were disabled on August 24, 2005.