RE: Any tcp/608 activity?

From: Garramone, Michael (CCI-Las Vegas) (Michael.Garramoneat_private)
Date: Wed Sep 04 2002 - 16:51:14 PDT


    Sorry for the missing details.  They were all found by the online scanner at http://housecall.antivirus.com.  They included a variant of subseven, latinus, sua.a, and sua.b.  McAfee and Norton did not find them, but the customers may not have had the latest virus definition updates.
    
    -----Original Message-----
    From: Garramone, Michael (CCI-Las Vegas) 
    Sent: Wednesday, September 04, 2002 8:31 AM
    To: Andrey G. Sergeev (AKA Andris); Incidents List
    Subject: RE: Any tcp/608 activity?
    
    
    Last week I received spam complaints against 4 different customers, all the same message and all with no knowledge of the incident.  The only similarity I could find was port 608 open on each user's machine.  Telnet to this port returned a number sequence, and successive telnets increased the number returned.  Each customer found a trojan/backdoor installed, but not all the same one.
    
    -----Original Message-----
    From: Andrey G. Sergeev (AKA Andris) [mailto:andrisat_private]
    Sent: Saturday, August 31, 2002 10:06 AM
    To: Incidents List
    Subject: Any tcp/608 activity?
    
    
    Hello!
    
    
    Has anyone here seen *any* activity, either legal or suspicious, on
    TCP port 608 for, say, the past 3 months? My question _isn't related_ to
    the Sender-Initiated/Unsolicited File Transfer protocol (RFC 1440), although
    I'm still interested in your comments if you're using this service and
    have some records in the SIFT-UFT daemon logs saying something like
    "Unrecognized command", "Invalid data", "Bad request" and so on.
    
    Thanks.
    
    
    -- 
    
    Yours sincerely,
    
    Andrey G. Sergeev (AKA Andris)
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
    



    This archive was generated by hypermail 2b30 : Thu Sep 05 2002 - 09:22:49 PDT