Security Incidents mailing list archives
RE: Increase in Sub7 scans
From: <h8macs () yahoo com>
Date: 30 Jul 2001 17:55:44 -0000
Yes a bulk of the scans seem to be coming from the @home network. I am resolving IP's from home.com and home.net. Specifically:

24.11.134.131 - optical.mi.home.com
24.94.204.6 - wks-94-204-6.kscable.com
24.16.208.135 - C1553725-a.vncvr1.wa.home.com

Jack,

Port 27374 is also used by other trojans such as Ramen, TTFloader, Seeker, Bad Blood, etc. It could be simply some script kiddies scanning for open subseven/backdoor zombies, etc. using any number of free tools. Is there any pattern to the source of the scans (from China, .edu's, etc.)?

-dave

David Endler, CISSP
Practice Manager, iDEFENSE Risk Management Services
3975 Fair Ridge Drive
Suite 400
Fairfax, VA 22033-2924
voice: 703.219.2408
fax: 703.359.5323
dendler () idefense com
www.idefense.com

-----Original Message-----
From: Obert, Jack E. [mailto:JObert () sprg smhs com]
Sent: Tuesday, June 12, 2001 9:43 AM
To: 'incidents () securityfocus com'
Subject: Increase in Sub7 scans

Since February, I've been receiving tcp port scans for the default sub7 port (27374) at a rate of approximately 3-4 per day. Starting on June 8th to present, I've been receiving them at 9 times that rate.

6/5/01 - 3 Scans
6/6/01 - 4 Scans
6/7/01 - 3 Scans
6/8/01 - 8 Scans
6/9/01 - 14 Scans
6/10/01 - 38 Scans
6/11/01 - 22 Scans

Any ideas on what could have sparked this increased scanning? A new utility? A new vulnerability related to sub7? New media publicity?

Thanks

Jack E. Obert, GSEC
Technical Information Security Officer
St. John's Health System