Security Incidents mailing list archives
Re: Subseven Scans
From: H C <keydet89 () yahoo com>
Date: Mon, 12 Aug 2002 13:39:11 -0700 (PDT)
Preston,
> I've seen quite a bit of traffic on ports tcp/12345 and tcp/27374. According to what I've seen, 27374 is a port used by quite a few versions of SubSeven,

A couple of things...first, port 27374 is the default port for both SubSeven, as well as the Ramen worm (Linux). Therefore, a SYN packet destined for that port is, in and of itself, inconclusive. Second, I'm sure you're aware that default ports are just that, and in many cases, configurable.

> as for 12345, it's not mentioned that subseven runs on that port (that I've seen)

It's NetBus's default port (1.7x and previous versions).

> but I am seeing attempted connections to these ports at the same time (maybe some other vuln attempt I'm not aware of? anyone?). Hope that helps.
Given that these SYN packets are dropped by the f/w (in most cases), they simply seem to be scans at this point. As far as vulnerabilities are concerned, they may or may not be...but if there's a trojan installed on a system, the admin has more to worry about than vulnerabilities.
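An added example, not part of the original post: one way to triage the dropped SYNs discussed above is to group them by source and check whether tcp/27374 and tcp/12345 are probed together, while keeping every tool that shares a default port as a candidate. The log format, addresses and the 60-second window are constructed assumptions, not taken from the thread.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Default-port associations named in the message; a port alone never identifies the tool.
CANDIDATES = {27374: ["SubSeven", "Ramen worm"], 12345: ["NetBus"]}

# Constructed sample of firewall drops in a simplified, made-up format (not a real product's log).
SAMPLE_LOG = """\
2002-08-12T13:01:02 DROP TCP SYN src=192.0.2.10 dst=198.51.100.5 dport=27374
2002-08-12T13:01:03 DROP TCP SYN src=192.0.2.10 dst=198.51.100.5 dport=12345
2002-08-12T13:01:04 DROP TCP SYN src=192.0.2.10 dst=198.51.100.6 dport=27374
2002-08-12T13:05:00 DROP TCP SYN src=203.0.113.7 dst=198.51.100.5 dport=27374
2002-08-12T15:30:00 DROP TCP SYN src=203.0.113.9 dst=198.51.100.5 dport=12345
2002-08-12T13:06:00 DROP TCP SYN src=203.0.113.9 dst=198.51.100.5 dport=80
"""

LINE = re.compile(r"^(\S+) DROP TCP SYN src=(\S+) dst=(\S+) dport=(\d+)$")

def parse(log):
    """Yield (timestamp, src, dst, dport) for each well-formed drop line."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, src, dst, dport = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(dport)

def summarize(log, window=timedelta(seconds=60)):
    """Group dropped SYNs to the watched ports by source and label the pattern."""
    hits = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        if dport in CANDIDATES:
            hits[src].append((ts, dst, dport))
    report = {}
    for src, events in hits.items():
        events.sort()
        ports = {p for _, _, p in events}
        # Both watched ports from one source inside the window: a sweep of default ports.
        paired = any(a[2] != b[2] and b[0] - a[0] <= window
                     for i, a in enumerate(events) for b in events[i + 1:])
        report[src] = {
            "ports": sorted(ports),
            "targets": len({d for _, d, _ in events}),
            "candidates": sorted({n for p in ports for n in CANDIDATES[p]}),
            "pattern": "multi-port sweep" if paired else "single-port probe",
        }
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

The report only describes scan behaviour seen at the firewall; because default ports are configurable, it says nothing about whether a trojan is installed on any host.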