Security Incidents mailing list archives

Re: Port 17300 probes?

From: Joe Stewart <jstewart () lurhq com>
Date: Tue, 15 Apr 2003 17:18:38 -0400

We've found the source of the recent port 17300 probes, and have done
a quick analysis. Basically there is a trojan being propagated to hosts that
are already infected with SubSeven or Kuang2_the_Virus, and they have
the capability to scan and auto-infect new hosts on command.

Analysis is here:
http://www.lurhq.com/sig-milkit.html

-- 
Joe Stewart, GCIH 
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/


----------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the 
world's premier event for IT and network security experts.  The two-day 
Training features 6 hand-on courses on May 12-13 taught by professionals.  
The two-day Briefings on May 14-15 features 24 top speakers with no vendor 
sales pitches.  Deadline for the best rates is April 25.  Register today to 
ensure your place. http://www.securityfocus.com/BlackHat-incidents 
----------------------------------------------------------------------------

Current thread:

Port 17300 probes? incidents (Apr 14)
- Re: Port 17300 probes? Gerd Feiner (Apr 15)
- <Possible follow-ups>
- Re: Port 17300 probes? Kevin Patz (Apr 15)
  - Re: Port 17300 probes? Joe Stewart (Apr 17)
- Re: Port 17300 probes? MARLON BORBA (Apr 15)
- Re: Port 17300 probes? Joris De Donder (Apr 17)