We've found the source of the recent port 17300 probes, and have done a quick analysis. Basically there is a trojan being propagated to hosts that are already infected with SubSeven or Kuang2_the_Virus, and they have the capability to scan and auto-infect new hosts on command.

Analysis is here:

http://www.lurhq.com/sig-milkit.html

--
Joe Stewart, GCIH
Senior Intrusion Analyst
LURHQ Corporation
http://www.lurhq.com/
This archive was generated by hypermail 2b30 : Thu Apr 17 2003 - 14:17:06 PDT