Security Incidents mailing list archives
RE: Increase in Sub7 scans
From: bparis () sorrentolactalis com
Date: Tue, 12 Jun 2001 13:06:27 -0400
On June 4th around 8:30EDT, the popular online game server, Battle.Net (http://www.battle.net) began restricting bots from logging onto their servers. Many players had used these bots to control their private "clan channels". Since they were no longer able use their old bots (i.e.: http://www.ultimatebot.com), they turned to using "binary" bots that are able to fool the BattleNet servers into thinking that they are a player logging onto the server instead of a bot. The vast majority of these bots being passed around are "trojaned" with various backdoors that load Sub7 onto the victims box, or DL Sub7 onto the victims box. One popular binary bot making the rounds is Damnbot (http://damnbot.cjb.net). Although the webpage claims to say the version available for download is virus-free, it indeed contains a backdoor which was caught by McAfee using their latest defs. Others floating around are ScBot and D2SkyBot (particularly nasty). I have samples of the D2 and SC bots available for inspection... William S. Paris Telecommunication/Network Analyst Sorrento Lactalis Inc. bparis () sorrentolactalis com -----Original Message----- From: Obert, Jack E. [mailto:JObert () sprg smhs com] Sent: Tuesday, June 12, 2001 9:43 AM To: 'incidents () securityfocus com' Subject: Increase in Sub7 scans Since February, I've been receiving tcp port scans for the default sub7 port (27374) at a rate of approximately 3-4 per day. Starting on June 8th to present, I've been receiving them at 9 times that rate. 6/5/01 - 3 Scans 6/6/01 - 4 Scans 6/7/01 - 3 Scans 6/8/01 - 8 Scans 6/9/01 - 14 Scans 6/10/01 - 38 Scans 6/11/01 - 22 Scans Any ideas on what could have sparked this increased scanning? A new utility? A new vulnerability related to sub7? New media publicity? Thanks Jack E. Obert, GSEC Technical Information Security Officer St. John's Health System
Current thread:
- Increase in Sub7 scans Obert, Jack E. (Jun 12)
- Re: Increase in Sub7 scans Eric S. Johnson (Jun 12)
- Re: Increase in Sub7 scans Adam Stanley (Jun 12)
- Re: Increase in Sub7 scans Daniel Martin (Jun 12)
- <Possible follow-ups>
- RE: Increase in Sub7 scans gene . g . beaird (Jun 12)
- Re: Increase in Sub7 scans sarnold (Jun 12)
- RE: Increase in Sub7 scans David Endler (Jun 12)
- Re: Increase in Sub7 scans Phil (Jun 12)
- Re: Increase in Sub7 scans Alan Hannan (Jun 13)
- RE: Increase in Sub7 scans bparis (Jun 12)
- Re: Increase in Sub7 scans Justin Shore (Jun 12)