Security Incidents mailing list archives

RE: Increase in Sub7 scans


From: David Endler <dendler () idefense com>
Date: Tue, 12 Jun 2001 11:34:5 -0500

Jack,

Port 27374 is also used by other trojans such as Ramen, TTFloader, Seeker, Bad Blood, etc.
It could be simply some script kiddies scanning for open subseven/backdoor zombies,
etc., using any number of free tools.

Is there any pattern to the source of the scans (from China, .edu's, etc.)?

-dave

David Endler, CISSP
Practice Manager, iDEFENSE Risk Management Services
3975 Fair Ridge Drive Suite 400
Fairfax, VA 22033-2924
voice: 703.219.2408
fax: 703.359.5323

dendler () idefense com
www.idefense.com

-----Original Message-----
From: Obert, Jack E. [mailto:JObert () sprg smhs com]
Sent: Tuesday, June 12, 2001 9:43 AM
To: 'incidents () securityfocus com'
Subject: Increase in Sub7 scans


Since February, I've been receiving tcp port scans for the default sub7 port
(27374) at a rate of approximately 3-4 per day.  Starting on June 8th to
present, I've been receiving them at 9 times that rate.  

6/5/01 - 3 Scans
6/6/01 - 4 Scans
6/7/01 - 3 Scans
6/8/01 - 8 Scans
6/9/01 - 14 Scans
6/10/01 - 38 Scans
6/11/01 - 22 Scans

Any ideas on what could have sparked this increased scanning?  A new
utility?  A new vulnerability related to sub7?  New media publicity?

Thanks

Jack E. Obert, GSEC 
Technical Information Security Officer 
St. John's Health System 


