Security Incidents mailing list archives

RE: SUB7 (update) Now Netbus too!


From: "Davis, Scott" <Scott_Davis () troweprice com>
Date: Wed, 14 Nov 2001 12:27:02 -0500

Sub-7 (TCP 27374)

TCP 12345


-----Original Message-----
From: gattaca [mailto:gattaca () liquidmatrix org]
Sent: Wednesday, November 14, 2001 12:13 PM
To: Davis, Scott; 'Brice Carlson'; incidents () securityfocus com
Subject: Re: SUB7 (update) Now Netbus too!


Gents,

Where are these scans originating? I've been seeing some of these on the
rise from one particular host as well, but nothing beyond the ordinary.
Mostly an annoyance. There are other proggies that operate on these ports
beyond the aforementioned. Some of which can be found on
http://www.liquidmatrix.org/trojan.htm

some other resources:
http://www.sans.org/y2k/031901.htm
http://www.sans.org/y2k/112200.htm

cheers,
gattaca
----------------
liquidmatrix.Org
----------------

----- Original Message -----
From: "Davis, Scott" <Scott_Davis () troweprice com>
To: "'Brice Carlson'" <tuck167 () hotmail com>; <incidents () securityfocus com>
Sent: Wednesday, November 14, 2001 11:36 AM
Subject: RE: SUB7 (update) Now Netbus too!


Brian,

I have seen an increase of hits on our firewall and border routers for both
TCP 27374 (sub-7) and also TCP port 12345.  I know UDP port 12345 was used
for netbus, but I am seeing TCP 12345.  The scans have been from the same
host, usually TCP 27374, followed by TCP 12345. I am still seeing more hits
on TCP 27374 than TCP 12345, about 88 to 6 for the last 4 days.

-----Original Message-----
From: Brice Carlson [mailto:tuck167 () hotmail com]
Sent: Tuesday, November 13, 2001 11:23 PM
To: incidents () securityfocus com
Subject: SUB7 (update) Now Netbus too!


I sent off the file to all those who requested it, and there have been a few
updates since...

One, the original IRC I stated was WRONG.

irc.ozmatrix.com
chat.ozmatrix.com

They also have a web site.

http://www.geocities.com/ircx_chat/

Um, now it's scanning for port 12345 along with scanning for sub7.

If anyone picks up an increase in scans on port 12345, let me know...

Thanks
Brice Carlson

_____

If I was supposed to have emailed you the program and you didn't receive it,
please email me again. Put sub7 in the subject and make it caps. Tis I only
got 400 emails a day. Thanks...



----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
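
The pattern reported in this thread (one source probing TCP 27374 and then TCP 12345) can be pulled out of firewall logs with a short script. The following is an added example, not part of any message in the thread; the log format, the 10-minute window and the sample addresses (documentation ranges) are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SUB7_PORT = 27374      # TCP port the thread associates with Sub-7
NETBUS_PORT = 12345    # TCP port the thread reports being probed afterwards

# Constructed sample log (hypothetical format: ISO time, source IP, proto, dest port).
# Addresses come from documentation ranges, not from the thread.
SAMPLE_LOG = """\
2001-11-14T11:02:10 192.0.2.10 tcp 27374
2001-11-14T11:02:12 192.0.2.10 tcp 12345
2001-11-14T11:05:40 198.51.100.7 tcp 27374
2001-11-14T11:09:01 203.0.113.5 tcp 12345
2001-11-14T11:30:00 198.51.100.7 udp 12345
2001-11-14T12:45:00 203.0.113.5 tcp 27374
malformed line
"""

def parse(lines):
    """Yield (time, src, port) for well-formed TCP entries; skip everything else."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2].lower() != "tcp":
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], int(parts[3])
        except ValueError:
            continue

def paired_scanners(log_text, window=timedelta(minutes=10)):
    """Return (hits per port, sources that probed 27374 and then 12345 within window)."""
    counts = defaultdict(int)
    last_sub7 = {}   # source IP -> time of its most recent 27374 probe
    paired = set()
    for ts, src, port in sorted(parse(log_text.splitlines())):
        counts[port] += 1
        if port == SUB7_PORT:
            last_sub7[src] = ts
        elif port == NETBUS_PORT and src in last_sub7:
            if ts - last_sub7[src] <= window:
                paired.add(src)
    return dict(counts), sorted(paired)

if __name__ == "__main__":
    print(paired_scanners(SAMPLE_LOG))
```

The per-port counts give the kind of ratio quoted in the thread, and the paired list separates hosts running the combined scan from hosts that only touch one of the two ports.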

