Security Incidents mailing list archives

Re: Is this distributed SubSeven?


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Wed, 7 Mar 2001 12:59:00 +1300

On Tue, 6 Mar 2001 15:34:20 -0600 Glenn Forbes Fleming Larratt
<glratt () IO COM> wrote:

A summary of our border, in the format below - is this what distributed
SubSeven looks like?


Hmmm... are you in 24.0.0.0/8?  If so I would guess that what you are
seeing are trojans that are scanning (at random within their /8) for
subseven.  I have a program that detects low level scans and we see low
level probing for udp 137 (100's mostly in 130/8) tcp 524, 515, and
various other trojan ports like subseven.  I have always assumed that
these were independently infected machines that scan randomly so their
probes do not have too big a footprint on any network.  Typical rates
we see are 10 packets per day over our /16 address space.

Russell Fulton, Computer and Network Security Officer
The University of Auckland,  New Zealand
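
The low-level scan detection discussed in the message above, as an added example that is not part of the original post and is not the author's program: it groups border-log lines by destination port and separates many sources that each send a packet or two from one noisy scanner, and reports how many probes come from the destination's own /8. The log format, thresholds and addresses are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed border log, "day src dst proto dport" (not real traffic).
SAMPLE_LOG = """\
2001-03-06 10.14.2.9 10.20.1.20 udp 137
2001-03-06 10.88.40.3 10.20.7.115 udp 137
2001-03-06 10.5.77.1 10.20.90.4 udp 137
2001-03-06 10.201.6.6 10.20.33.8 udp 137
2001-03-06 203.0.113.50 10.20.0.1 tcp 515
2001-03-06 203.0.113.50 10.20.0.2 tcp 515
2001-03-06 203.0.113.50 10.20.0.3 tcp 515
2001-03-06 203.0.113.50 10.20.0.4 tcp 515
2001-03-06 203.0.113.50 10.20.0.5 tcp 515
2001-03-06 203.0.113.50 10.20.0.6 tcp 515
2001-03-06 198.51.100.7 10.20.4.4 tcp 524
"""

def classify(log_text, min_sources=3, max_pkts_per_source=2):
    """Group probes by (proto, dport) and label each group's scan pattern."""
    per_port = defaultdict(lambda: defaultdict(int))  # port -> source -> packets
    same8 = defaultdict(int)  # port -> probes whose source shares the target's /8
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not fields[4].isdigit():
            continue  # skip malformed lines
        _day, src, dst, proto, dport = fields
        key = (proto, int(dport))
        per_port[key][src] += 1
        if ip_address(src).packed[0] == ip_address(dst).packed[0]:
            same8[key] += 1
    report = {}
    for key, sources in per_port.items():
        total, busiest = sum(sources.values()), max(sources.values())
        if busiest > max_pkts_per_source:
            label = "single-source-scan"      # one host sweeping the range
        elif len(sources) >= min_sources:
            label = "distributed-low-rate"    # many hosts, a packet or two each
        else:
            label = "background"
        report[key] = {"label": label, "sources": len(sources),
                       "packets": total, "same_slash8": same8[key] / total}
    return report

if __name__ == "__main__":
    for port, info in sorted(classify(SAMPLE_LOG).items()):
        print(port, info)
```
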

