RE: Increase in Sub7 scans

[<h8macs () yahoo com>]

Yes a bulk of the scans seem to be coming from the 
@home network. I am resolving IP's from home.com 
and home.net.

Specifically:

24.11.134.131 - optical.mi.home.com
24.94.204.6 - wks-94-204-6.kscable.com
24.16.208.135 - C1553725-a.vncvr1.wa.home.com


> Jack,
>
> Port 27374 is also used by other trojans such as 
Ramen, TTFloader, Seeker, Bad Blood, etc.  
> It could be simply some script kiddies scanning for 
open subseven/backdoor zombies, 
> etc using any number of free tools.  
>
> Is there any pattern to the source of the scans 
(from china, .edu's, etc.) ?
> -dave
>
> David Endler, CISSP
> Practice Manager, iDEFENSE Risk Management 
Services
> 3975 Fair Ridge Drive Suite 400
> Fairfax, VA 22033-2924
> voice: 703.219.2408
> fax: 703.359.5323
>
> dendler () idefense com
> www.idefense.com
>
> -----Original Message-----
> From: Obert, Jack E. 
[mailto:JObert () sprg smhs com]
> Sent: Tuesday, June 12, 2001 9:43 AM
> To: 'incidents () securityfocus com'
> Subject: Increase in Sub7 scans
>
>
> Since February, I've been receiving tcp port scans 
for the default sub7 port
> (27374) at a rate of approximately 3-4 per day.  
Starting on June 8th to
> present, I've been receiving them at 9 times that 
rate.  
> 6/5/01 - 3 Scans
> 6/6/01 - 4 Scans
> 6/7/01 - 3 Scans
> 6/8/01 - 8 Scans
> 6/9/01 - 14 Scans
> 6/10/01 - 38 Scans
> 6/11/01 - 22 Scans
>
> Any ideas on what could have sparked this 
increased scanning?  A new
> utility?  A new vulnerability related to sub7?  New 
media publicity?
> Thanks
>
> Jack E. Obert, GSEC 
> Technical Information Security Officer 
> St. John's Health System 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com