"Obert, Jack E." <JObertat_private> writes: > Since February, I've been receiving tcp port scans for the default sub7 port > (27374) at a rate of approximately 3-4 per day. Starting on June 8th to > present, I've been receiving them at 9 times that rate. Can you check the time of day for those scans? I'd hazard a guess that what you'll see is not a general increase in sub7 scans but rather the three-four spaced out scans together with bursts of up to 20 scans occurring in a 1-2 minute time frame. I observe this pattern whenever I get scanned by someone's IRC botnet - basically, the way some of these botnets work is that first all the bots join some irc channel. Then, a special bot starts spitting out IP addresses and each of the other bots will then go scan that address. Sometimes the process spitting out IP addresses will first probe the target IP before telling all the bots to go run their exploits against it, sometimes not. For what it's worth, my subseven honeypot has not recorded any significant increase in scanning activity recently (in fact, I got no scans on Saturday).
This archive was generated by hypermail 2b30 : Tue Jun 12 2001 - 09:53:07 PDT