COT Security Alert - November 28, 2006

From: Hanna, Kathy (COT)
Sent: Tuesday, November 28, 2006 4:56 PM
To: COT Constitutional CIO Security Contacts; COT Cabinet CIO Security Contacts; CTC Members

Cc: COT Exchange Administrators; COT Security Alert Contacts; COT Security Contact COT-Support; COT Security Contact Pass; COT Security Contact Self-Support; COT Technical Contacts; SecurityContacts Group

Subject: COT Security Alert - Malicious Scanning of TCP Port 20000

COT Security Alert


COT has received a Situational Awareness Report (SAR) from US-CERT regarding the malicious scanning of TCP Port 20000. Eleven outside organizations have reported the scanning of TCP Port 20000. Six of the reports came from electric power entities, three from state government agencies, and two came from federal government agencies. In addition, an allied government forwarded reports of scanning against an electric power sector entity, four federal department entities, and four provincial government entities.

All entities report scanning of TCP Port 20000 beginning as early as October 3, 2006 and continuing as recently as November 21, 2006.

TCP Port 20000 is the registered port for Distributed Network Protocol (DNP3) communications, a SCADA protocol widely used by electric and water utilities, as well as in the transportation, oil, and gas industries.

Some of the scanning IPs were also observed scanning TCP port 10000, which is associated with both Webmin and the Network Data Management Protocol (NDMP). Webmin is a web-based system administration interface for Unix. NDMP is an open, vendor-independent protocol used for data backup. A single outside source probing both ports is therefore a useful indicator when reviewing logs.

If DNP3 is used for any reason in the organization, the recommendation is to review firewall, IDS, and network flow logs for connection attempts to TCP port 20000 (and TCP port 10000) from outside sources to determine whether similar malicious activity has occurred. Please report any suspicious activity to COT Security Services ISS, COTSecurityServicesISS@ky.gov. COT will continue to monitor this situation and provide additional information as it becomes available.
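To act on the recommendation above, the following is an added example (not COT's or US-CERT's code) that reads netfilter-style firewall log lines and reports outside sources that swept TCP port 20000 across several internal hosts, or that probed both 20000 and 10000 from the same address, which is the pairing the alert describes. The log format, the RFC 1918 internal ranges in INTERNAL_NETS, and the sample addresses (drawn from the RFC 5737 documentation ranges) are assumptions; the sample log is constructed for the example and should be replaced with your firewall's output.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the alert: TCP/20000 (DNP3) and TCP/10000 (Webmin / NDMP).
WATCH_PORTS = {20000: "DNP3", 10000: "Webmin/NDMP"}

# Assumption: internal address space is RFC 1918. Replace with your own ranges.
# Sources inside it are skipped, since the alert concerns outside scanners.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# netfilter-style syslog fields; SRC/DST/PROTO/DPT order is fixed by the kernel.
LINE_RE = re.compile(
    r"SRC=(?P<src>[\d.]+)\s+DST=(?P<dst>[\d.]+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dpt>\d+)"
)

# Constructed sample log (hypothetical addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = """\
Nov 21 02:10:11 fw1 kernel: BLOCK IN=eth0 OUT= SRC=198.51.100.7 DST=10.20.0.11 PROTO=TCP SPT=41002 DPT=20000 SYN
Nov 21 02:10:11 fw1 kernel: BLOCK IN=eth0 OUT= SRC=198.51.100.7 DST=10.20.0.12 PROTO=TCP SPT=41003 DPT=20000 SYN
Nov 21 02:10:12 fw1 kernel: BLOCK IN=eth0 OUT= SRC=198.51.100.7 DST=10.20.0.13 PROTO=TCP SPT=41004 DPT=20000 SYN
Nov 21 02:10:40 fw1 kernel: BLOCK IN=eth0 OUT= SRC=198.51.100.7 DST=10.20.0.11 PROTO=TCP SPT=41101 DPT=10000 SYN
Nov 21 02:15:03 fw1 kernel: BLOCK IN=eth0 OUT= SRC=203.0.113.9 DST=10.20.0.11 PROTO=TCP SPT=55000 DPT=20000 SYN
Nov 21 02:20:07 fw1 kernel: ACCEPT IN=eth1 OUT=eth0 SRC=10.20.0.5 DST=10.20.0.11 PROTO=TCP SPT=50311 DPT=20000 SYN
Nov 21 02:21:00 fw1 kernel: BLOCK IN=eth0 OUT= SRC=192.0.2.44 DST=10.20.0.50 PROTO=UDP SPT=9999 DPT=20000
Nov 21 02:22:00 fw1 kernel: BLOCK IN=eth0 OUT= SRC=192.0.2.44 DST=10.20.0.51 PROTO=TCP SPT=9999 DPT=22 SYN
"""


def parse_line(line):
    """Return {src, dst, proto, dpt} for a firewall log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {"src": m["src"], "dst": m["dst"],
            "proto": m["proto"].upper(), "dpt": int(m["dpt"])}


def is_internal(addr):
    """True if addr falls inside one of the assumed internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def probes_by_source(log_text):
    """Map external source -> watched port -> set of distinct internal hosts probed.

    Only TCP to a watched port is counted; UDP and other ports are ignored."""
    hits = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] not in WATCH_PORTS:
            continue
        if is_internal(rec["src"]):
            continue
        hits[rec["src"]][rec["dpt"]].add(rec["dst"])
    return hits


def find_scanners(log_text, min_targets=2):
    """Flag sources that swept >= min_targets hosts on TCP/20000, or that touched both
    20000 and 10000. Returns a sorted list of (src, ports_hit, dnp3_targets)."""
    flagged = []
    for src, ports in probes_by_source(log_text).items():
        dnp3_targets = len(ports.get(20000, ()))
        paired = 20000 in ports and 10000 in ports
        if dnp3_targets >= min_targets or paired:
            flagged.append((src, sorted(ports), dnp3_targets))
    return sorted(flagged)


if __name__ == "__main__":
    for src, ports, n in find_scanners(SAMPLE_LOG):
        names = ", ".join(f"{p} ({WATCH_PORTS[p]})" for p in ports)
        print(f"{src}: probed {n} host(s) on TCP/20000; ports touched: {names}")
```

With the default threshold the single probe from 203.0.113.9 is not reported; on a network that actually runs DNP3, one connection attempt to port 20000 from the Internet is still worth investigating, so run with min_targets=1 there. The internal ACCEPT from 10.20.0.5 and the UDP line are deliberately ignored, as the alert concerns outside TCP scanning only.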

NOTICE: COT is providing this information so that you are aware of the latest security threats, vulnerabilities, software patches, etc. You should consult with your network administrator or other technical resources to ensure that the appropriate actions for these alerts are followed. If you are a network administrator and need additional information, please call the Help Desk at 502.564.7576.

Confidentiality Statement - This communication contains information which is confidential. It is for the exclusive use of the intended recipient(s). If you are not the intended recipient(s), please note that any form of distribution, copying, forwarding or use of this communication or the information therein is strictly prohibited and may be unlawful. If you have received this communication in error, please return it to the sender and send a copy or notify: securitynotice@ky.gov and then delete the communication and destroy any copies.

Security Administration Branch
Division of Technical Services
Commonwealth Office of Technology
1266 Louisville Rd.,
Perimeter Park
Frankfort,
KY 40601
Phone: 502.564.5274
COTSecurityServicesISS@ky.gov
http://ky.gov/got/security/