Re: Is this distributed SubSeven?

[Glenn Forbes Fleming Larratt <glratt () IO COM>]

On Wed, 7 Mar 2001, Russell Fulton wrote:

> Hmmm... are you in 24.0.0.0/8?  If so I would guess that what you are

        No. We, like you,  are a /16 in Class B address space.

> seeing are trojans that are scanning (at random within their /8) for
> subseven.  I have a program that detect low level scans and we see low
> level probing for upd 137 (100's mostly in 130/8) tcp 524, 515, and
> various other trojan ports like subseven.  I have alway assumed that
> these were independently infected machines that scan randomly so their
> probes do not have to bigger footprint on any network.  Typical rates
> we see are 10 packets per day over our /16 address space.
>
> Russell Fulton, Computer and Network Security Officer
> The University of Auckland,  New Zealand

--
Glenn Forbes Fleming Larratt         The Lab Ratt (not briggs :-)
glratt () io com                        http://www.io.com/~glratt
There are imaginary bugs to chase in heaven.