North American Network Operators Group


Re: New SubSeven outbreak?

  • From: Jeff Workman
  • Date: Sun May 12 11:45:27 2002




Stoned koala bears drooled eucalyptus spit in awe as Johannes B. Ullrich exclaimed:


>> I have seen 6 portscans looking for SubSeven on a /24 in the past 24
>> hours.  It'd been a while since I had seen *any*, now I'm seeing all
>> these.  Is this a new outbreak/vulnerability, or have I just been
>> lucky?  Has anybody else seen an increase in scans on tcp port 27374?
>
> There are a number of IRC controlled bots that will allow
> scanning of subnets for Sub7. So you will see occasional
> flameups of Sub7 scans as they happen to focus on your
> network. Try to connect to some of the cable modems in 24/8
> and you will see more of that.
>
> I should still have a little perl honeypot around that you can use
> to find out what they try to install on sub7 infected machines.

Thanks for the pointer. I looked on www.sans.org for it, but couldn't
find it, but I found one on another site called "leaves" that seems to
do what I need. It's going to be amusing to see IRC bots try to upload
Windows EXE files to a NetBSD machine and try to run them.

-J

--
Jeff Workman | [email protected] | http://www.pimpworks.org
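
Added example, not part of the original thread: one way to tell a subnet sweep for tcp port 27374 from isolated probes is to count, per source, how many distinct hosts in the /24 were probed within a short window. The log format, the sample lines, the thresholds and the name find_sweeps are assumptions made for this illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

SUB7_PORT = 27374  # tcp port named in the thread
# Constructed log format and sample data (assumptions, documentation IP ranges):
#   <ISO time> DROP TCP <src>:<sport> -> <dst>:<dport>
LINE_RE = re.compile(r"^(\S+) DROP TCP ([\d.]+):\d+ -> ([\d.]+):(\d+)$")
SAMPLE_LOG = """\
2002-05-11T12:00:01 DROP TCP 203.0.113.5:4021 -> 192.0.2.10:27374
2002-05-11T12:00:02 DROP TCP 203.0.113.5:4022 -> 192.0.2.11:27374
2002-05-11T12:00:03 DROP TCP 203.0.113.5:4023 -> 192.0.2.12:27374
2002-05-11T13:00:00 DROP TCP 198.51.100.44:3100 -> 192.0.2.30:27374
2002-05-11T13:00:01 DROP TCP 198.51.100.44:3101 -> 192.0.2.31:27374
2002-05-11T15:00:00 DROP TCP 198.51.100.44:3102 -> 192.0.2.32:27374
2002-05-11T16:00:00 DROP TCP 203.0.113.9:5000 -> 192.0.2.20:80
this line is malformed and is skipped
"""

def find_sweeps(log_text, network, min_hosts=3, window=timedelta(minutes=5)):
    """Return {src: hosts} for sources probing >= min_hosts hosts in one window."""
    net = ipaddress.ip_network(network)
    probes = defaultdict(list)  # src -> [(time, dst)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, dport = m.groups()
        try:
            when, dst_ip = datetime.fromisoformat(ts), ipaddress.ip_address(dst)
        except ValueError:
            continue  # unparsable timestamp or address
        if int(dport) == SUB7_PORT and dst_ip in net:
            probes[src].append((when, dst))
    sweeps = {}
    for src, hits in probes.items():
        hits.sort()
        best = start = 0
        for end in range(len(hits)):  # sliding window over time-ordered probes
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in hits[start:end + 1]}))
        if best >= min_hosts:
            sweeps[src] = best
    return sweeps

if __name__ == "__main__":
    print(find_sweeps(SAMPLE_LOG, "192.0.2.0/24"))
```

Widening the window or lowering min_hosts also catches slow scans, at the cost of flagging sources that only touched a couple of hosts.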