Security Incidents mailing list archives
RE: SUB7 (update) Now Netbus too!
From: "Davis, Scott" <Scott_Davis () troweprice com>
Date: Wed, 14 Nov 2001 12:27:02 -0500
Sub-7 (TCP 27374)
130.243.95.28 172.147.200.38 209.82.52.205 211.193.102.156 212.198.221.4 24.188.134.202 63.217.170.150 64.240.35.162 65.100.96.170

TCP 12345
130.243.95.28 194.122.194.228 205.214.204.206 63.217.170.150 63.217.170.150 63.28.218.84 65.100.96.170

-----Original Message-----
From: gattaca [mailto:gattaca () liquidmatrix org]
Sent: Wednesday, November 14, 2001 12:13 PM
To: Davis, Scott; 'Brice Carlson'; incidents () securityfocus com
Subject: Re: SUB7 (update) Now Netbus too!

Gents,

Where are these scans originating? I've been seeing some of these on the rise from one particular host as well, but nothing beyond the ordinary. Mostly an annoyance.

There are other proggies that operate on these ports beyond the aforementioned. Some of which can be found on
http://www.liquidmatrix.org/trojan.htm

some other resources:
http://www.sans.org/y2k/031901.htm
http://www.sans.org/y2k/112200.htm

cheers,
gattaca
----------------
liquidmatrix.Org
----------------

----- Original Message -----
From: "Davis, Scott" <Scott_Davis () troweprice com>
To: "'Brice Carlson'" <tuck167 () hotmail com>; <incidents () securityfocus com>
Sent: Wednesday, November 14, 2001 11:36 AM
Subject: RE: SUB7 (update) Now Netbus too!

Brian,

I have seen an increase of hits on our firewall and border routers for both TCP 27374 (sub-7) and also TCP port 12345. I know UDP port 12345 was used for netbus, but I am seeing TCP 12345. The scans have been from the same host, usually TCP 27374, followed by TCP 12345. I am still seeing more hits on TCP 27374 than TCP 12345, about 88 to 6 for the last 4 days.

-----Original Message-----
From: Brice Carlson [mailto:tuck167 () hotmail com]
Sent: Tuesday, November 13, 2001 11:23 PM
To: incidents () securityfocus com
Subject: SUB7 (update) Now Netbus too!

I sent off the file to all those who requested and there have been a few updates since... one, the original IRC I stated was WRONG.

irc.ozmatrix.com
chat.ozmatrix.com

They also have a web site.
http://www.geocities.com/ircx_chat/

um, now it's scanning for port 12345 along with scanning for sub7. Anyone pick up an increase in scans in port 12345 let me know...

Thanks
Brice Carlson
_____
If I was supposed to have emailed you the program and you didn't receive it please email me again. Put sub7 in the subject and make it caps. Tis I only got 400 emails a day. Thanks...

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
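
Added example, not part of the original thread: one way to check firewall deny logs for the pattern reported above (the same source probing TCP 27374 and then TCP 12345) and to get the per-port hit totals. The log line format, the function names and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

SUB7_PORT, NETBUS_PORT = 27374, 12345

# Constructed sample deny log (the line format is an assumption). Addresses are
# RFC 5737 documentation ranges, not hosts named in the thread.
SAMPLE_LOG = """\
2001-11-14T10:00:01 DENY TCP 192.0.2.10:3321 -> 203.0.113.5:27374
2001-11-14T10:00:02 DENY TCP 192.0.2.10:3322 -> 203.0.113.5:12345
2001-11-14T10:00:09 DENY TCP 192.0.2.10:3323 -> 203.0.113.6:27374
2001-11-14T10:01:30 DENY TCP 198.51.100.7:1045 -> 203.0.113.5:27374
2001-11-14T10:02:11 DENY UDP 198.51.100.9:1200 -> 203.0.113.5:12345
2001-11-14T10:03:00 DENY TCP 198.51.100.20:4000 -> 203.0.113.5:12345
2001-11-14T10:03:05 DENY TCP 198.51.100.20:4001 -> 203.0.113.5:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DENY (?P<proto>TCP|UDP) (?P<src>[\d.]+):\d+"
    r" -> [\d.]+:(?P<dport>\d+)$")

def parse(log):
    """Yield (timestamp, protocol, source IP, destination port) per matching line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["ts"], m["proto"], m["src"], int(m["dport"])

def summarize(log):
    """Return (per-source counts, sources hitting 27374 then 12345, per-port totals)."""
    counts = defaultdict(lambda: {SUB7_PORT: 0, NETBUS_PORT: 0})
    first_seen = defaultdict(dict)
    for ts, proto, src, dport in sorted(parse(log)):  # ISO timestamps sort in time order
        if proto != "TCP" or dport not in (SUB7_PORT, NETBUS_PORT):
            continue  # the thread distinguishes TCP 12345 from UDP 12345
        counts[src][dport] += 1
        first_seen[src].setdefault(dport, ts)
    # Sources whose first 27374 probe is not later than their first 12345 probe.
    paired = sorted(
        src for src, seen in first_seen.items()
        if SUB7_PORT in seen and NETBUS_PORT in seen
        and seen[SUB7_PORT] <= seen[NETBUS_PORT])
    totals = {p: sum(c[p] for c in counts.values()) for p in (SUB7_PORT, NETBUS_PORT)}
    return dict(counts), paired, totals
```
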
Current thread:
- SUB7 (update) Now Netbus too! Brice Carlson (Nov 14)
- RE: SUB7 (update) Now Netbus too! Fernando Cardoso (Nov 14)
- <Possible follow-ups>
- RE: SUB7 (update) Now Netbus too! Davis, Scott (Nov 14)
- Re: SUB7 (update) Now Netbus too! gattaca (Nov 14)
- RE: SUB7 (update) Now Netbus too! Davis, Scott (Nov 14)