New SubSeven outbreak?

Jeff Workman jworkman at pimpworks.org
Sun May 12 15:40:49 UTC 2002




Stoned koala bears drooled eucalyptus spit in awe as Johannes B. Ullrich 
exclaimed:

>> I have seen 6 portscans looking for SubSeven on a /24 in the past 24
>> hours.  It'd been a while since I had seen *any*, now I'm seeing all
>> these.  Is this a new outbreak/vulnerability, or have I just been
>> lucky?  Has anybody else seen an increase in scans on tcp port 27374?
>
> There are a number of IRC controlled bots that will allow
> scanning of subnets for Sub7. So you will see occasional
> flameups of Sub7 scans as they happen to focus on your
> network. Try to connect to some of the cable modems in 24/8
> and you will see more of that.
>
> I should still have a little Perl honeypot around that you can use
> to find out what they try to install on sub7 infected machines.

Thanks for the pointer.  I looked on www.sans.org for it, but couldn't find 
it, but I found one on another site called "leaves" that seems to do what I 
need.  It's going to be amusing to see IRC bots try to upload Windows EXE
files to a NetBSD machine and try to run them.

-J

--
Jeff Workman | jworkman at pimpworks.org | http://www.pimpworks.org



More information about the NANOG mailing list