Security Incidents mailing list archives
Re: Is this distributed SubSeven?
From: Glenn Forbes Fleming Larratt <glratt () IO COM>
Date: Tue, 6 Mar 2001 19:02:26 -0600
On Wed, 7 Mar 2001, Russell Fulton wrote:
Hmmm... are you in 24.0.0.0/8? If so I would guess that what you are
No. We, like you, are a /16 in Class B address space.
seeing are trojans that are scanning (at random within their /8) for subseven. I have a program that detect low level scans and we see low level probing for upd 137 (100's mostly in 130/8) tcp 524, 515, and various other trojan ports like subseven. I have alway assumed that these were independently infected machines that scan randomly so their probes do not have to bigger footprint on any network. Typical rates we see are 10 packets per day over our /16 address space. Russell Fulton, Computer and Network Security Officer The University of Auckland, New Zealand
-- Glenn Forbes Fleming Larratt The Lab Ratt (not briggs :-) glratt () io com http://www.io.com/~glratt There are imaginary bugs to chase in heaven.
Current thread:
- Is this distributed SubSeven? Glenn Forbes Fleming Larratt (Mar 06)
- Re: Is this distributed SubSeven? Russell Fulton (Mar 06)
- Re: Is this distributed SubSeven? Glenn Forbes Fleming Larratt (Mar 07)
- Re: Is this distributed SubSeven? Russell Fulton (Mar 07)
- Re: Is this distributed SubSeven? Glenn Forbes Fleming Larratt (Mar 07)
- Re: Is this distributed SubSeven? Russell Fulton (Mar 06)