RE: SUB7 (update) Now Netbus too!

From: Davis, Scott (Scott_Davisat_private)
Date: Wed Nov 14 2001 - 09:27:02 PST


    Sub-7 (TCP 27374)
    
    TCP 12345
    
    
    -----Original Message-----
    From: gattaca [mailto:gattacaat_private]
    Sent: Wednesday, November 14, 2001 12:13 PM
    To: Davis, Scott; 'Brice Carlson'; incidentsat_private
    Subject: Re: SUB7 (update) Now Netbus too!
    
    
    Gents,
    
    Where are these scans originating? I've been seeing some of these on the
    rise from one particular host as well, but nothing beyond the ordinary.
    Mostly an annoyance. There are other proggies that operate on these ports
    beyond the aforementioned, some of which can be found at
    http://www.liquidmatrix.org/trojan.htm

    Some other resources:
    http://www.sans.org/y2k/031901.htm
    http://www.sans.org/y2k/112200.htm
    
    cheers,
    gattaca
    ----------------
    liquidmatrix.Org
    ----------------
    
    ----- Original Message -----
    From: "Davis, Scott" <Scott_Davisat_private>
    To: "'Brice Carlson'" <tuck167at_private>; <incidentsat_private>
    Sent: Wednesday, November 14, 2001 11:36 AM
    Subject: RE: SUB7 (update) Now Netbus too!
    
    
    > Brian,
    >
    > I have seen an increase of hits on our firewall and border routers for both
    > TCP 27374 (sub-7) and also TCP port 12345.  I know UDP port 12345 was used
    > for netbus, but I am seeing TCP 12345.  The scans have been from the same
    > host, usually TCP 27374, followed by TCP 12345. I am still seeing more hits
    > on TCP 27374 than TCP 12345, about 88 to 6 for the last 4 days.
    >
    > -----Original Message-----
    > From: Brice Carlson [mailto:tuck167at_private]
    > Sent: Tuesday, November 13, 2001 11:23 PM
    > To: incidentsat_private
    > Subject: SUB7 (update) Now Netbus too!
    >
    >
    > I sent off the file to all those who requested and there have been a few
    > updates since...
    >
    > One, the original IRC I stated was WRONG.
    >
    > irc.ozmatrix.com
    > chat.ozmatrix.com
    >
    > They also have a web site.
    >
    > http://www.geocities.com/ircx_chat/
    >
    > Um, now it's scanning for port 12345 along with scanning for sub7.
    >
    > If anyone picks up an increase in scans on port 12345, let me know...
    >
    > Thanks
    > Brice Carlson
    >
    > _____
    >
    > If I was supposed to have emailed you the program and you didn't receive it,
    > please email me again. Put sub7 in the subject and make it caps. Tis I only
    > got 400 emails a day. Thanks...
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    



    This archive was generated by hypermail 2b30 : Wed Nov 14 2001 - 09:39:39 PST
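
The pattern reported in the thread above (one source probing TCP 27374 and then TCP 12345), checked over firewall deny logs. This is an added example, not part of the original messages; the log format, the addresses and the function names are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Ports named in the thread: Sub-7 (TCP 27374) and TCP 12345.
WATCHED = {27374, 12345}

# Assumed log format (constructed): timestamp DENY TCP src:sport -> dst:dport
LINE_RE = re.compile(
    r"^(\S+) DENY TCP (\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)

# Constructed sample data using documentation address ranges.
SAMPLE_LOG = """\
2001-11-14T09:00:01 DENY TCP 192.0.2.10:1045 -> 198.51.100.5:27374
2001-11-14T09:00:03 DENY TCP 192.0.2.10:1046 -> 198.51.100.5:12345
2001-11-14T09:02:10 DENY TCP 192.0.2.77:2301 -> 198.51.100.5:27374
2001-11-14T09:05:00 DENY TCP 203.0.113.9:4000 -> 198.51.100.5:12345
2001-11-14T09:06:00 DENY TCP 203.0.113.9:4001 -> 198.51.100.5:80
2001-11-14T11:30:00 DENY TCP 192.0.2.77:2399 -> 198.51.100.6:12345
malformed line that the parser must skip
"""

def parse(lines):
    """Yield (time, src, dport) for denied TCP hits on the watched ports."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m and int(m.group(4)) in WATCHED:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(4))

def summarize(lines, window=timedelta(minutes=5)):
    """Return (hits per port, sources probing 27374 then 12345 within window)."""
    per_port = Counter()
    last_sub7 = {}   # src -> time of its most recent 27374 probe
    paired = set()
    for ts, src, dport in sorted(parse(lines)):
        per_port[dport] += 1
        if dport == 27374:
            last_sub7[src] = ts
        elif src in last_sub7 and ts - last_sub7[src] <= window:
            paired.add(src)
    return dict(per_port), sorted(paired)

if __name__ == "__main__":
    counts, both = summarize(SAMPLE_LOG.splitlines())
    print("hits per port:", counts)
    print("27374 then 12345 from same source:", both)
```

The per-port counts give the kind of ratio quoted in the thread, and the `window` argument controls how soon after a 27374 probe a 12345 probe must follow for the two to be treated as one sweep.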