Re: SUB7 (update) Now Netbus too!

From: gattaca (gattacaat_private)
Date: Wed Nov 14 2001 - 09:12:44 PST

  • Next message: Davis, Scott: "RE: SUB7 (update) Now Netbus too!"

    Gents,
    
    Where are these scans originating? I've been seeing some of these on the
    rise from one particular host as well but, nothing beyond the ordinary.
    Mostly an annoyance. There are other proggies that operate on these ports
    beyond the aforementioned. Some of which can be found on
    http://www.liquidmatrix.org/trojan.htm
    
    some other resources:
    http://www.sans.org/y2k/031901.htm
    http://www.sans.org/y2k/112200.htm
    
    cheers,
    gattaca
    ----------------
    liquidmatrix.Org
    ----------------
    
    ----- Original Message -----
    From: "Davis, Scott" <Scott_Davisat_private>
    To: "'Brice Carlson'" <tuck167at_private>; <incidentsat_private>
    Sent: Wednesday, November 14, 2001 11:36 AM
    Subject: RE: SUB7 (update) Now Netbus too!
    
    
    > Brian,
    >
    > I have seen an increase of hits on our firewall and border routers for
    both
    > TCP 27374 (sub-7) and also TCP port 12345.  I know UDP port 12345 was used
    > for netbus, but I am seeing TCP 12345.  The scans have been from the same
    > host, usually TCP 27374, followed by TCP 12345. I am still seeing more
    hits
    > on TCP 27374 then TCP 12345, about 88 to 6 for the last 4 days.
    >
    > -----Original Message-----
    > From: Brice Carlson [mailto:tuck167at_private]
    > Sent: Tuesday, November 13, 2001 11:23 PM
    > To: incidentsat_private
    > Subject: SUB7 (update) Now Netbus too!
    >
    >
    > I send off the file to all those who requested and there has been a few
    > updates since...
    >
    > one, i orginal IRC stated was WRONG.
    >
    > irc.ozmatrix.com
    > chat.ozmatrix.com
    >
    > They also have a web site.
    >
    > http://www.geocities.com/ircx_chat/
    >
    > um, now its scanning for port 12345 along with scanning for sub7.
    >
    > Anyone pick up an increase in scans in port 12345 let me know...
    >
    > Thanks
    > Brice Carlson
    >
    > _____
    >
    > If i was supposed to of emailed you the program and you didn't recieve it
    > please email me again. put sub7 in the subject and make it caps. Tis i
    only
    > got 400 emails a day. Thanks...
    >
    > _________________________________________________________________
    > Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp
    >
    >
    > --------------------------------------------------------------------------
    --
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    > --------------------------------------------------------------------------
    --
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Nov 14 2001 - 09:18:45 PST