New SubSeven outbreak?
Jeff Workman
jworkman at pimpworks.org
Sun May 12 15:40:49 UTC 2002
Stoned koala bears drooled eucalyptus spit in awe as Johannes B. Ullrich
exclaimed:
>
>
>> I have seen 6 portscans looking for SubSeven on a /24 in the past 24
>> hours. It'd been a while since I had seen *any*, now I'm seeing all
>> these. Is this a new outbreak/vulnerability, or have I just been
>> lucky? Has anybody else seen an increase in scans on tcp port 27374?
>
> There are a number of IRC controlled bots that will allow
> scanning of subnets for Sub7. So you will see occasional
> flameups of Sub7 scans as they happen to focus on your
> network. Try to connect to some of the cable modems in 24/8
> and you will see more of that.
>
> I should still have a little Perl honeypot around that you can use
> to find out what they try to install on sub7 infected machines.
Thanks for the pointer. I looked on www.sans.org for it, but couldn't find
it, but I found one on another site called "leaves" that seems to do what I
need. It's going to be amusing to see IRC bots try to upload Windows EXE
files to a NetBSD machine and try to run them.
-J
--
Jeff Workman | jworkman at pimpworks.org | http://www.pimpworks.org
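
Added example, not part of the original post or of any tool mentioned in it: one way to check whether tcp/27374 probes against a /24 are subnet sweeps, by counting the distinct targets each source hits inside a 24-hour window. The log format, the 192.0.2.0/24 stand-in network, the sample lines and the three-host threshold are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

SUB7_PORT = 27374                        # tcp port named in the thread
MONITORED = ip_network("192.0.2.0/24")   # documentation range standing in for the /24
WINDOW = timedelta(hours=24)
MIN_HOSTS = 3                            # assumed: distinct targets that make a sweep

# Constructed sample log, "timestamp src dst dport" (not a real firewall format).
SAMPLE_LOG = """\
2002-05-12T01:00:01 198.51.100.7 192.0.2.1 27374
2002-05-12T01:00:01 198.51.100.7 192.0.2.2 27374
2002-05-12T01:00:02 198.51.100.7 192.0.2.3 27374
2002-05-12T03:10:00 203.0.113.9 192.0.2.10 27374
2002-05-12T03:10:00 203.0.113.9 192.0.2.10 80
2002-05-12T09:30:00 203.0.113.50 192.0.2.20 27374
2002-05-12T09:30:01 203.0.113.50 192.0.2.21 27374
2002-05-12T09:30:02 203.0.113.50 192.0.2.22 27374
2002-05-12T09:30:03 203.0.113.50 192.0.2.23 27374
2002-05-10T09:30:03 198.51.100.99 192.0.2.5 27374
2002-05-11T12:00:00 198.51.100.99 192.0.2.6 27374
2002-05-12T14:00:00 198.51.100.99 192.0.2.7 27374
"""

def parse(log):
    """Yield (timestamp, source, destination address, destination port)."""
    for line in log.splitlines():
        ts, src, dst, dport = line.split()
        yield datetime.fromisoformat(ts), src, ip_address(dst), int(dport)

def find_sweeps(log, port=SUB7_PORT, net=MONITORED, window=WINDOW, min_hosts=MIN_HOSTS):
    """Return {src: most distinct targets probed on `port` within one window}."""
    hits = defaultdict(list)
    for ts, src, dst, dport in parse(log):
        if dport == port and dst in net:
            hits[src].append((ts, dst))
    sweeps = {}
    for src, events in hits.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            # Distinct hosts probed in the window that opens at this event.
            targets = {d for t, d in events[i:] if t - start <= window}
            best = max(best, len(targets))
        if best >= min_hosts:
            sweeps[src] = best
    return sweeps
```

On the constructed log, the source that probes three hosts spread over more than two days stays under the threshold, so a low-and-slow scanner needs a wider window to show up.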