Yes a bulk of the scans seem to be coming from the @home network. I am resolving IP's from home.com and home.net. Specifically:

24.11.134.131 - optical.mi.home.com
24.94.204.6 - wks-94-204-6.kscable.com
24.16.208.135 - C1553725-a.vncvr1.wa.home.com

> Jack,
>
> Port 27374 is also used by other trojans such as Ramen, TTFloader, Seeker, Bad Blood, etc.
> It could be simply some script kiddies scanning for open subseven/backdoor zombies,
> etc using any number of free tools.
>
> Is there any pattern to the source of the scans (from china, .edu's, etc.) ?
>
> -dave
>
> David Endler, CISSP
> Practice Manager, iDEFENSE Risk Management Services
> 3975 Fair Ridge Drive Suite 400
> Fairfax, VA 22033-2924
> voice: 703.219.2408
> fax: 703.359.5323
>
> dendlerat_private
> www.idefense.com
>
> -----Original Message-----
> From: Obert, Jack E. [mailto:JObertat_private]
> Sent: Tuesday, June 12, 2001 9:43 AM
> To: 'incidentsat_private'
> Subject: Increase in Sub7 scans
>
>
> Since February, I've been receiving tcp port scans for the default sub7 port
> (27374) at a rate of approximately 3-4 per day. Starting on June 8th to
> present, I've been receiving them at 9 times that rate.
>
> 6/5/01 - 3 Scans
> 6/6/01 - 4 Scans
> 6/7/01 - 3 Scans
> 6/8/01 - 8 Scans
> 6/9/01 - 14 Scans
> 6/10/01 - 38 Scans
> 6/11/01 - 22 Scans
>
> Any ideas on what could have sparked this increased scanning? A new
> utility? A new vulnerability related to sub7? New media publicity?
>
> Thanks
>
> Jack E. Obert, GSEC
> Technical Information Security Officer
> St. John's Health System

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com