Security Incidents mailing list archives
Re: FW: Sub-7
From: o'neil.brooke () LMCO COM (Brooke, O'Neil)
Date: Fri, 9 Jun 2000 14:58:22 -0400
When BO came out I noticed similar traffic. In the BO traffic it became evident that individuals (or groups) were building up personal networks of infected hosts. This situation is quite serious. Take a look at the time index of this log file, see the number of infected hosts advertising in such a short period? With this kind of traffic an individual could build a network of several hundred nodes within a week or two.

When I first saw this kind of activity back in 98, I tried to tell people about it so some action could be taken to correct the situation. Those words fell on deaf ears. Perhaps times have changed. Does anyone have any ideas on how to stop this kind of activity, or the people that are involved?

Abel Wisman wrote on 8/6/00 4:06 pm:

this is output in a channel on irc:

17:10] *** Joins: cwc
[17:10] <cwc> Sub7Server v.2.1 installed on port: 27374, ip: 195.252.137.208 - victim: pechfregel - password: rasta
[17:10] *** Quits: dt018 (Leaving)
[17:10] *** Joins: kwxqry
[17:10] <kwxqry> Sub7Server v.2.1 installed on port: 27374, ip: 213.6.181.193 - victim: pechfregel - password: rasta
[17:10] <moxbj> Sub7Server v.2.1 installed on port: 27374, ip: 62.157.13.4 - victim: pechfregel - password: rasta
[17:10] <pjv> Sub7Server v.2.1 installed on port: 27374, ip: 192.168.10.52 - victim: pechfregel - password: rasta
[17:10] *** Joins: xakjbl
[17:10] <xakjbl> Sub7Server v.2.1 installed on port: 27374, ip: 62.224.173.111 - victim: pechfregel - password: rasta
[17:10] <paxlp> Sub7Server v.2.1 installed on port: 27374, ip: 195.71.25.254 - victim: pechfregel - password: rasta
[17:10] <sjil> Sub7Server v.2.1 installed on port: 27374, ip: 195.131.87.73 - victim: pechfregel - password: rasta
[17:11] <fwwm> Sub7Server v.2.1 installed on port: 27374, ip: 62.224.200.40 - victim: pechfregel - password: rasta
[17:11] *** Joins: yagc
[17:11] <yagc> Sub7Server v.2.1 installed on port: 27374, ip: 213.6.119.91 - victim: pechfregel - password: rasta
[17:12] <bstdm> Sub7Server v.2.1 installed on port: 27374, ip: 193.159.1.191 - victim: pechfregel - password: rasta
[17:12] <uen> Sub7Server v.2.1 installed on port: 27374, ip: -193.0.81.2-192.168.171.26-193.159.10.204- - victim: pechfregel - password: rasta

(attached log)

abel wisman

ABLE-TOWERS is a division of UROwear Llc which in turn is a division of ABLE Consultancy Holding BV
we recommend you visit these pages:
www.able-towers.com (hosting)
www.ul.org (domainregistration)
www.nut-shell.com (webdesign)
www.webdesignsdirect.com (webdesign)

-----Original Message-----
From: Incidents Mailing List [mailto:INCIDENTS () SECURITYFOCUS COM]On Behalf Of Khan, Mansoor
Sent: Monday 5 June 2000 19:49
To: INCIDENTS () SECURITYFOCUS COM
Subject: Sub-7

I was wondering if anyone has any experience with this Trojan (Sub-7). I am interested in finding out if it sends info through a general broadcast to chat rooms. Additionally, what specific info does it send (from a w-95 machine) e.g. registry settings, user ids and passwords etc.

Thanks,
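
The notification lines quoted in this thread follow one fixed format, so a responder holding such a channel log can measure the announcement rate the reply points to and list the affected addresses for abuse-contact reporting. The following is an added example, not part of the original messages; the sample lines are constructed (documentation-range addresses, placeholder victim and password values), and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the format of the channel output quoted above
# (documentation-range addresses, placeholder victim/password values).
SAMPLE_LOG = """\
[17:10] *** Joins: aaa
[17:10] <aaa> Sub7Server v.2.1 installed on port: 27374, ip: 192.0.2.10 - victim: example - password: placeholder
[17:10] *** Quits: bbb (Leaving)
[17:10] <ccc> Sub7Server v.2.1 installed on port: 27374, ip: 192.168.10.52 - victim: example - password: placeholder
[17:11] <ddd> Sub7Server v.2.1 installed on port: 27374, ip: 198.51.100.7 - victim: example - password: placeholder
[17:12] <eee> Sub7Server v.2.1 installed on port: 27374, ip: -203.0.113.5-192.168.171.26-198.51.100.99- - victim: example - password: placeholder
"""

NOTIFY = re.compile(r"^\[(?P<time>\d{2}:\d{2})\] <(?P<nick>[^>]+)> Sub7Server v\.\S+ "
                    r"installed on port: (?P<port>\d+), ip: (?P<ips>\S+) - victim: ")
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_notifications(log):
    """Return one record per notification line; join/quit lines are skipped."""
    records = []
    for line in log.splitlines():
        m = NOTIFY.match(line)
        if not m:
            continue
        public, internal = [], []
        # A multi-homed host reports several addresses as "-a-b-c-".
        for text in IPV4.findall(m["ips"]):
            try:
                addr = ipaddress.ip_address(text)
            except ValueError:
                continue  # not a valid dotted quad
            (internal if any(addr in n for n in RFC1918) else public).append(text)
        records.append({"time": m["time"], "nick": m["nick"], "port": int(m["port"]),
                        "public": public, "internal": internal})
    return records

def summarize(records):
    """Announcements per minute, public addresses to report, and NAT-only reporters."""
    return {"per_minute": dict(Counter(r["time"] for r in records)),
            "public": sorted({ip for r in records for ip in r["public"]}),
            "internal_only": sorted(r["nick"] for r in records if not r["public"])}

if __name__ == "__main__":
    print(summarize(parse_notifications(SAMPLE_LOG)))
```

Hosts that announce only an RFC 1918 address sit behind NAT, so they have to be traced through the IRC server's connection records rather than the announced address.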