Jack,

Port 27374 is also used by other trojans such as Ramen, TTFloader, Seeker, Bad Blood, etc. It could be simply some script kiddies scanning for open subseven/backdoor zombies, etc. using any number of free tools. Is there any pattern to the source of the scans (from China, .edu's, etc.)?

-dave

David Endler, CISSP
Practice Manager, iDEFENSE Risk Management Services
3975 Fair Ridge Drive
Suite 400
Fairfax, VA 22033-2924
voice: 703.219.2408
fax: 703.359.5323
dendlerat_private
www.idefense.com

-----Original Message-----
From: Obert, Jack E. [mailto:JObertat_private]
Sent: Tuesday, June 12, 2001 9:43 AM
To: 'incidentsat_private'
Subject: Increase in Sub7 scans

Since February, I've been receiving tcp port scans for the default sub7 port (27374) at a rate of approximately 3-4 per day. Starting on June 8th to present, I've been receiving them at 9 times that rate.

6/5/01 - 3 Scans
6/6/01 - 4 Scans
6/7/01 - 3 Scans
6/8/01 - 8 Scans
6/9/01 - 14 Scans
6/10/01 - 38 Scans
6/11/01 - 22 Scans

Any ideas on what could have sparked this increased scanning? A new utility? A new vulnerability related to sub7? New media publicity?

Thanks

Jack E. Obert, GSEC
Technical Information Security Officer
St. John's Health System
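
An added example, not part of either message: it tests the daily counts quoted above against the quiet days as a Poisson baseline, and groups probes by source network to look for the kind of source pattern asked about in the reply. The function names, the choice of baseline days, the log format and the addresses (documentation ranges) are assumptions made for the example.

```python
import ipaddress, math, re
from collections import Counter

# Daily probe counts for TCP 27374, copied from the message above.
DAILY_SCANS = {"6/5/01": 3, "6/6/01": 4, "6/7/01": 3, "6/8/01": 8,
               "6/9/01": 14, "6/10/01": 38, "6/11/01": 22}
BASELINE_DAYS = ("6/5/01", "6/6/01", "6/7/01")  # assumption: these days are "normal"

def poisson_tail(k, lam):
    """P(X >= k) for X ~ Poisson(lam): chance of k or more scans on a normal day."""
    cdf = sum(math.exp(-lam) * lam**i / math.factorial(i) for i in range(k))
    return max(0.0, 1.0 - cdf)

def flag_spikes(daily, baseline_days, alpha=0.01):
    """Return the days whose count is too high to be baseline noise at level alpha."""
    lam = sum(daily[d] for d in baseline_days) / len(baseline_days)
    return [d for d, n in daily.items()
            if d not in baseline_days and poisson_tail(n, lam) < alpha]

# Constructed firewall log lines; the format and addresses are made up for the example.
SAMPLE_LOG = [
    "2001-06-10 03:12:44 DROP TCP 198.51.100.17 -> 192.0.2.10:27374",
    "2001-06-10 03:12:51 DROP TCP 198.51.100.93 -> 192.0.2.10:27374",
    "2001-06-10 04:40:02 DROP TCP 203.0.113.5 -> 192.0.2.10:27374",
    "2001-06-10 04:41:10 DROP TCP 203.0.113.5 -> 192.0.2.10:80",
    "2001-06-10 05:02:37 DROP TCP 198.51.100.200 -> 192.0.2.10:27374",
]
LOG_RE = re.compile(r"TCP (?P<src>\d+\.\d+\.\d+\.\d+) -> \S+:(?P<dport>\d+)")

def source_networks(log_lines, port=27374, prefix=24):
    """Count probes to `port` per source network, most active network first."""
    nets = Counter()
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and int(m.group("dport")) == port:
            net = ipaddress.ip_network(f"{m.group('src')}/{prefix}", strict=False)
            nets[str(net)] += 1
    return nets.most_common()

if __name__ == "__main__":
    print("spike days:", flag_spikes(DAILY_SCANS, BASELINE_DAYS))
    print("by source /24:", source_networks(SAMPLE_LOG))
```

At the 1% level the 8-scan day is not flagged, since a count that high still turns up on roughly 2% of baseline days; it is flagged at 5%.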
This archive was generated by hypermail 2b30 : Tue Jun 12 2001 - 09:17:10 PDT