New SubSeven outbreak?

Johannes B. Ullrich jullrich at sans.org
Sun May 12 14:42:00 UTC 2002



> I have seen 6 portscans looking for SubSeven on a /24 in the past 24 hours. 
> It'd been a while since I had seen *any*, now I'm seeing all these.  Is 
> this a new outbreak/vulnerability, or have I just been lucky?  Has anybody 
> else seen an increase in scans on tcp port 27374?

There are a number of IRC-controlled bots that will allow 
scanning of subnets for Sub7. So you will see occasional
flameups of Sub7 scans as they happen to focus on your
network. Try to connect to some of the cable modems in 24/8
and you will see more of that.

I should still have a little Perl honeypot around that you can use
to find out what they try to install on Sub7-infected machines.

-- 
-------
jullrich at sans.org                    Join http://www.DShield.org
                          Distributed Intrusion Detection System
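
Added example, not part of the original post: one way to check firewall logs for the kind of tcp/27374 sweeps discussed in this thread, grouping probes by source so that a single bot walking the subnet shows up as one scan. The log line format, the monitored 192.0.2.0/24 network, the three-host threshold and every address in the sample are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

SUB7_PORT = 27374            # tcp port named in the thread
MIN_HOSTS = 3                # assumed threshold: distinct targets that count as a sweep
WINDOW = timedelta(hours=24)

# Constructed sample lines in an assumed "time src -> dst:port proto" format.
SAMPLE_LOG = """\
2002-05-12T01:10:02 198.51.100.7 -> 192.0.2.10:27374 tcp
2002-05-12T01:10:02 198.51.100.7 -> 192.0.2.11:27374 tcp
2002-05-12T01:10:03 198.51.100.7 -> 192.0.2.12:27374 tcp
2002-05-12T03:44:10 203.0.113.9 -> 192.0.2.10:80 tcp
2002-05-12T09:20:41 203.0.113.50 -> 192.0.2.200:27374 tcp
2002-05-12T11:05:00 198.51.100.99 -> 192.0.2.1:27374 tcp
2002-05-12T11:05:01 198.51.100.99 -> 192.0.2.2:27374 tcp
2002-05-12T11:05:01 198.51.100.99 -> 192.0.2.3:27374 tcp
2002-05-12T11:05:02 198.51.100.99 -> 10.1.1.3:27374 tcp
"""

LINE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")

def find_scanners(log_text, monitored="192.0.2.0/24", now=None):
    """Map each source to the monitored hosts it probed on tcp/27374,
    keeping only sources that hit >= MIN_HOSTS distinct hosts within WINDOW."""
    net = ipaddress.ip_network(monitored)
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                      # skip lines that do not parse
        ts, src, dst, port, proto = m.groups()
        if proto != "tcp" or int(port) != SUB7_PORT:
            continue                      # unrelated traffic
        if ipaddress.ip_address(dst) not in net:
            continue                      # target outside the monitored block
        events.append((datetime.fromisoformat(ts), src, dst))
    if not events:
        return {}
    end = now or max(e[0] for e in events)  # window ends at the newest event
    targets = defaultdict(set)
    for ts, src, dst in events:
        if end - WINDOW <= ts <= end:
            targets[src].add(dst)
    return {s: sorted(d) for s, d in targets.items() if len(d) >= MIN_HOSTS}

if __name__ == "__main__":
    for source, hosts in find_scanners(SAMPLE_LOG).items():
        print(f"{source} swept {len(hosts)} hosts on tcp/{SUB7_PORT}: {hosts}")
```

A lone probe such as the one from 203.0.113.50 stays below the threshold and is not reported as a scan.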





More information about the NANOG mailing list