RE: Increase in Sub7 scans

From: h8macsat_private
Date: Mon Jul 30 2001 - 10:55:44 PDT

Yes, a bulk of the scans seem to be coming from the @home network. I am resolving IPs from home.com and home.net.

Specifically:

24.11.134.131 - optical.mi.home.com
24.94.204.6 - wks-94-204-6.kscable.com
24.16.208.135 - C1553725-a.vncvr1.wa.home.com


> Jack,
> 
> Port 27374 is also used by other trojans such as Ramen, TTFloader, Seeker, Bad Blood, etc.
> It could be simply some script kiddies scanning for open subseven/backdoor zombies, etc. using any number of free tools.
> 
> Is there any pattern to the source of the scans (from china, .edu's, etc.)?
> 
> -dave
> 
> David Endler, CISSP
> Practice Manager, iDEFENSE Risk Management Services
> 3975 Fair Ridge Drive Suite 400
> Fairfax, VA 22033-2924
> voice: 703.219.2408
> fax: 703.359.5323
> 
> dendlerat_private
> www.idefense.com
> 
> -----Original Message-----
> From: Obert, Jack E. [mailto:JObertat_private]
> Sent: Tuesday, June 12, 2001 9:43 AM
> To: 'incidentsat_private'
> Subject: Increase in Sub7 scans
> 
> 
> Since February, I've been receiving tcp port scans for the default sub7 port
> (27374) at a rate of approximately 3-4 per day. Starting on June 8th to
> present, I've been receiving them at 9 times that rate.
> 
> 6/5/01 - 3 Scans
> 6/6/01 - 4 Scans
> 6/7/01 - 3 Scans
> 6/8/01 - 8 Scans
> 6/9/01 - 14 Scans
> 6/10/01 - 38 Scans
> 6/11/01 - 22 Scans
> 
> Any ideas on what could have sparked this increased scanning? A new
> utility? A new vulnerability related to sub7? New media publicity?
> 
> Thanks
> 
> Jack E. Obert, GSEC
> Technical Information Security Officer
> St. John's Health System
> 

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
    



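The two measurements the thread relies on, Jack's per-day count of connection attempts to port 27374 and the reply's grouping of sources by their reverse-DNS network, as an added detection example that is not part of this thread or of anyone's posted code: a Python script that parses constructed firewall log lines, counts TCP attempts to the default Sub7 port per day, flags days whose count exceeds a multiple of the preceding baseline, and tallies sources by the registered domain of their reverse-DNS name. The log line format, the sample lines, the reverse-DNS table (standing in for socket.gethostbyaddr so the script runs offline), the baseline window, the multiplier and the function names are all assumptions; only the port and the three hostname pairs come from the thread.

```python
import re
from collections import Counter

# Constructed sample firewall log (not from the thread). Assumed format:
# "YYYY-MM-DD HH:MM:SS src_ip:src_port -> dst_ip:dst_port proto"
SAMPLE_LOG = """\
2001-06-05 01:12:03 24.11.134.131:4123 -> 10.0.0.5:27374 tcp
2001-06-05 13:40:51 24.94.204.6:2211 -> 10.0.0.5:27374 tcp
2001-06-05 14:02:10 24.94.204.6:2212 -> 10.0.0.5:80 tcp
2001-06-06 03:17:22 24.16.208.135:3301 -> 10.0.0.5:27374 tcp
2001-06-06 22:45:09 24.11.134.131:4130 -> 10.0.0.5:27374 tcp
2001-06-07 09:01:44 24.94.204.6:2250 -> 10.0.0.5:27374 tcp
2001-06-07 19:33:12 24.16.208.135:3310 -> 10.0.0.5:27374 tcp
2001-06-08 00:05:01 24.11.134.131:4140 -> 10.0.0.5:27374 tcp
2001-06-08 02:15:33 24.16.208.135:3320 -> 10.0.0.5:27374 tcp
2001-06-08 04:25:45 24.11.134.131:4141 -> 10.0.0.5:27374 tcp
2001-06-08 06:35:57 24.16.208.135:3321 -> 10.0.0.5:27374 tcp
2001-06-08 08:46:09 24.11.134.131:4142 -> 10.0.0.5:27374 tcp
2001-06-08 10:56:21 24.16.208.135:3322 -> 10.0.0.5:27374 tcp
2001-06-08 12:06:33 24.94.204.6:2260 -> 10.0.0.5:27374 tcp
2001-06-08 12:07:00 24.94.204.6:2261 -> 10.0.0.5:443 tcp
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2} "
    r"(\d{1,3}(?:\.\d{1,3}){3}):\d+ -> \S+:(\d+) (\w+)$"
)

SUB7_DEFAULT_PORT = 27374  # the port the thread is about


def parse_log(text):
    """Return (day, src_ip, dst_port, proto) tuples. Lines that do not match
    the assumed format are skipped instead of aborting the whole run."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            day, src, dport, proto = m.groups()
            records.append((day, src, int(dport), proto.lower()))
    return records


def scans_per_day(records, port=SUB7_DEFAULT_PORT):
    """Count TCP connection attempts to `port` per day.
    ISO dates sort lexically, so plain string keys keep the days in order."""
    counts = Counter(day for day, _src, dport, proto in records
                     if dport == port and proto == "tcp")
    return dict(sorted(counts.items()))


def flag_spikes(per_day, baseline_days=3, multiplier=3.0):
    """Treat the first `baseline_days` observed days as the baseline and
    return every later day whose count exceeds `multiplier` times its mean.
    Too few days for a baseline means nothing can be flagged yet."""
    days = sorted(per_day)
    if len(days) <= baseline_days:
        return []
    baseline = sum(per_day[d] for d in days[:baseline_days]) / baseline_days
    return [d for d in days[baseline_days:] if per_day[d] > multiplier * baseline]


# Constructed reverse-DNS table built from the hostnames quoted in the thread.
# In a live run socket.gethostbyaddr(ip)[0] would supply these (assumption).
RDNS = {
    "24.11.134.131": "optical.mi.home.com",
    "24.94.204.6": "wks-94-204-6.kscable.com",
    "24.16.208.135": "C1553725-a.vncvr1.wa.home.com",
}


def sources_by_domain(records, port=SUB7_DEFAULT_PORT, resolver=RDNS.get):
    """Tally scan attempts by the last two labels of the source's reverse-DNS
    name (e.g. home.com); sources with no PTR record land in 'unresolved'."""
    counts = Counter()
    for _day, src, dport, _proto in records:
        if dport != port:
            continue
        host = resolver(src)
        label = ".".join(host.lower().split(".")[-2:]) if host else "unresolved"
        counts[label] += 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    per_day = scans_per_day(recs)
    for day, n in per_day.items():
        print(f"{day} - {n} scans")
    print("spike days:", flag_spikes(per_day))
    print("by source domain:", dict(sources_by_domain(recs)))
```

The baseline window and multiplier are deliberately parameters: a three-day window with a 3x threshold catches the jump in the constructed data, but against the counts Jack posted you would want the February-to-early-June rate as the baseline, and the `unresolved` bucket matters because sources without a PTR record otherwise vanish from the network-level picture.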
This archive was generated by hypermail 2b30 : Mon Jul 30 2001 - 11:12:21 PDT