Re: Subseven Scans

From: H C (keydet89at_private)
Date: Mon Aug 12 2002 - 13:39:11 PDT

    Preston,
    
    > I've seen quite a bit of traffic on ports tcp/12345
    > and tcp/27374.
    > According to what I've seen, 27374 is a port used by
    > quite a few versions of SubSeven, 
    
    A couple of things...first, port 27374 is the default
    port for both SubSeven and the Ramen worm
    (Linux).  Therefore, a SYN packet destined for that
    port is, in and of itself, inconclusive.
    
    Second, I'm sure you're aware that default ports are
    just that, and in many cases, configurable.
    
    > as for 12345, it's not mentioned that subseven
    > runs on that port (that I've seen)
    
    It's NetBus's default port (1.7x and previous
    versions).
    
    > but I am seeing attempted
    > connections to these ports at the same time (maybe
    > some other vuln
    > attempt I'm not aware of?  anyone?).  Hope that
    > helps.
    
    Given that these SYN packets are dropped by the f/w
    (in most cases), they simply seem to be scans at this
    point.   As far as vulnerabilities are concerned, they
    may or may not be...but if there's a trojan installed
    on a system, the admin has more to worry about than
    vulnerabilities.
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
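
Added example, not part of the original message: a small triage pass over firewall logs that separates dropped SYNs to the two default ports discussed above (scan activity) from SYNs that were let through (a host to examine). The log format, addresses and the `triage` function are constructed for illustration.

```python
from collections import defaultdict

# Default ports named in the message above. Defaults are configurable,
# so a hit here is a lead to follow up, not an identification.
DEFAULT_PORTS = {
    27374: "SubSeven / Ramen worm",
    12345: "NetBus (1.7x and earlier)",
}

# Constructed sample log (hypothetical format): time action src dst dport flags
SAMPLE_LOG = """\
2002-08-12T13:01:07 DROP 203.0.113.9 192.0.2.10 27374 SYN
2002-08-12T13:01:07 DROP 203.0.113.9 192.0.2.10 12345 SYN
2002-08-12T13:01:08 DROP 203.0.113.9 192.0.2.11 27374 SYN
2002-08-12T13:01:08 DROP 203.0.113.9 192.0.2.11 12345 SYN
2002-08-12T13:05:40 DROP 198.51.100.4 192.0.2.10 27374 SYN
2002-08-12T13:09:12 ACCEPT 198.51.100.77 192.0.2.25 27374 SYN
2002-08-12T13:10:00 DROP 198.51.100.4 192.0.2.10 80 SYN
"""

def triage(log_text):
    """Return (scanners, hosts_to_check) from the constructed log format."""
    dropped = defaultdict(lambda: defaultdict(set))  # src -> port -> {dst}
    hosts_to_check = defaultdict(set)                # dst -> {port}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 6 or not fields[4].isdigit():
            continue  # skip malformed lines
        _, action, src, dst, dport, flags = fields
        port = int(dport)
        if port not in DEFAULT_PORTS or flags != "SYN":
            continue
        if action == "DROP":
            dropped[src][port].add(dst)
        elif action == "ACCEPT":
            # The SYN got through: the destination host is what needs
            # examining, since the port alone cannot say what is listening.
            hosts_to_check[dst].add(port)
    scanners = {}
    for src, by_port in dropped.items():
        targets = set().union(*by_port.values())
        scanners[src] = {"ports": sorted(by_port), "targets": len(targets),
                         "multi_port": len(by_port) > 1}
    return scanners, {h: sorted(p) for h, p in hosts_to_check.items()}

if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(item)
```
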
    


