Security Incidents mailing list archives
RE: Subseven Scans
From: Rob Keown <Keown () MACDIRECT COM>
Date: Mon, 12 Aug 2002 15:24:54 -0400
They were caught by an IDS product outside of the firewall. And they were just port probes. There are about 7 different signatures for SubSeven on the IDS (mostly to spot victims inside the perimeter). So I can only say they were probes to that port. I am looking for 12345 as well since some here report seeing these at the same time. I have not looked at any evidence logs to see if there is anything else I can spot.

Rob

-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Monday, August 12, 2002 2:11 PM
To: Rob Keown; incidents () securityfocus com
Subject: Re: Subseven Scans

Rob,

Can you be more specific? When you say "subseven scans" are you referring to the default port? If so, how do you know they were intended for subseven, and not the Linux worm (Lion or Ramen, I can't remember which) that utilized the same port?

Just curious as to what other info you can provide...assuming, of course, that you're not simply talking about SYN packets that got dropped at the firewall...

Thanks

--- Rob Keown <Keown () MACDIRECT COM> wrote:
Anyone else seeing a huge increase in subseven scans...6708 since about 0300Z - across all of my class C's and from quite a few sources (running the query now to see how many). Rob
----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com