[47748] in North American Network Operators' Group


Re: New SubSeven outbreak?

daemon@ATHENA.MIT.EDU (Jeff Workman)
Sun May 12 11:43:31 2002

Date: Sun, 12 May 2002 11:40:49 -0400
From: Jeff Workman <jworkman@pimpworks.org>
To: "Johannes B. Ullrich" <jullrich@sans.org>
Cc: nanog@merit.edu
Message-ID: <92600000.1021218049@kyle>
In-Reply-To: <Pine.LNX.4.44.0205121038030.30000-100000@johannes.euclidian.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
Errors-To: owner-nanog-outgoing@merit.edu

Stoned koala bears drooled eucalyptus spit in awe as Johannes B. Ullrich 
exclaimed:

>
>> I have seen 6 portscans looking for SubSeven on a /24 in the past 24
>> hours.  It'd been a while since I had seen *any*, now I'm seeing all
>> these.  Is  this a new outbreak/vulnerability, or have I just been
>> lucky?  Has anybody  else seen an increase in scans on tcp port 27374?
>
> There are a number of IRC controlled bots that will allow
> scanning of subnets for Sub7. So you will see occasional
> flameups of Sub7 scans as they happen to focus on your
> network. Try to connect to some of the cable modems in 24/8
> and you will see more of that.
>
> I should still have a little perl honeypot around that you can use
> to find out what they try to install on sub7 infected machines.

Thanks for the pointer.  I looked on www.sans.org for it but couldn't find 
it; I did find one on another site called "leaves" that seems to do what I 
need.  It's going to be amusing to see IRC bots try to upload Windows EXE 
files to a NetBSD machine and try to run them.

-J

--
Jeff Workman | jworkman@pimpworks.org | http://www.pimpworks.org
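The thread above is about noticing a burst of probes for SubSeven's default port (tcp/27374) across a /24. As an added example, not code from the list or from either poster, here is a small detector that reads packet-filter reject lines and reports any source that swept many distinct hosts on that port. The log format is a constructed, simplified one (hypothetical `fw: deny` lines, not any real device's syntax), the sample lines are constructed, and the five-host threshold is an assumption; both would be adapted to a real firewall's log format and local traffic levels.

```python
"""Flag SubSeven-style port sweeps (tcp/27374) in firewall reject lines.

Added example. The line format below is a constructed, simplified syslog
style ("fw: deny SRC:SPORT -> DST:DPORT PROTO"), not any real device's format.
"""
import re
from collections import defaultdict

# Constructed sample: one source sweeping a /24 on tcp/27374, one lone probe,
# and unrelated traffic to port 80 that must be ignored.
SAMPLE_LOG = """\
May 12 10:01:02 gw fw: deny 203.0.113.7:4123 -> 198.51.100.10:27374 tcp
May 12 10:01:02 gw fw: deny 203.0.113.7:4124 -> 198.51.100.11:27374 tcp
May 12 10:01:03 gw fw: deny 203.0.113.7:4125 -> 198.51.100.12:27374 tcp
May 12 10:01:03 gw fw: deny 203.0.113.7:4126 -> 198.51.100.13:27374 tcp
May 12 10:01:04 gw fw: deny 203.0.113.7:4127 -> 198.51.100.14:27374 tcp
May 12 10:01:09 gw fw: deny 192.0.2.44:53122 -> 198.51.100.20:27374 tcp
May 12 10:01:10 gw fw: deny 192.0.2.99:1040 -> 198.51.100.25:80 tcp
May 12 10:01:11 gw fw: deny 203.0.113.7:4128 -> 198.51.100.15:27374 tcp
"""

SUB7_PORT = 27374  # SubSeven's default listener port, as discussed in the thread

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) \S+ fw: deny "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$"
)


def parse_line(line):
    """Return the fields of one reject line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "proto": m["proto"],
    }


def sub7_probes(log_text):
    """Map each source address to the set of distinct hosts it probed on tcp/27374."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "tcp" and rec["dport"] == SUB7_PORT:
            targets[rec["src"]].add(rec["dst"])
    return targets


def find_sweeps(log_text, min_hosts=5):
    """Sources that touched at least min_hosts distinct targets, highest count first.

    Counting distinct destinations (not packets) separates a subnet sweep from
    a single host retrying one connection; min_hosts is an assumed threshold.
    """
    probes = sub7_probes(log_text)
    sweeps = {src: len(hosts) for src, hosts in probes.items() if len(hosts) >= min_hosts}
    return sorted(sweeps.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for src, count in find_sweeps(SAMPLE_LOG):
        print(f"{src} probed {count} hosts on tcp/{SUB7_PORT}")
```

Run against the constructed sample it reports only 203.0.113.7 (six distinct hosts); the single probe from 192.0.2.44 stays below the threshold, which is the distinction between a bot sweeping the subnet and background noise.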
