[Full-Disclosure] Port 27347 concerns

From: Joshua Levitsky (jlevitsk_at_joshie.com)
Date: 11/02/03

To: <nanog@merit.edu>
Date: Sat, 1 Nov 2003 22:56:57 -0500

Has anyone here captured any of this traffic? It came up last week, but I didn't see anyone actually say they had a sample of the traffic or a honeypot they let get infected. Someone has to have a sample or a log they can share that has more detail than just blocking the attacker.

http://isc.incidents.org/port_details.html?port=27347

If you look at the table below you will see this is something building that will explode soon. 11/01 (Saturday) is low because it is a weekend and fewer machines are on. The 11/02 (Sunday) stats will be low as well, I believe. On 10/25 and 10/26 you can see the same weekend dip.

If on 10/24 we have 389 sources, and on 10/31 there are 709 sources, then we should be well over 1000 sources by next Friday. This trend is concerning me because it could become very bad rapidly. I just don't want us all to be caught off guard by whatever this is. Some people seem to think it's a SubSeven trojan that has the port number flipped from 27374 to 27347, but if it is, then someone has a delivery mechanism that is working very well if you look at the table below, which goes from 7 hosts to 709 hosts on Friday.

Date        Sources  Targets   Records
2003-11-02       33    33399     33518
2003-11-01      456    68165    320465
2003-10-31      709    68764    323829
2003-10-30      699    68522    658366
2003-10-29      580    67878    802494
2003-10-28      356    67157   1362930
2003-10-27      204    67643    781985
2003-10-26      135      733      7830
2003-10-25      216      736     11622
2003-10-24      389     1068     13989
2003-10-23      244      328      2539
2003-10-22        7        4        78

--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
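As an added example (not part of the original post or of the ISC page), here is a short Python script that parses the port-summary table quoted above, compares each day with the same weekday one week earlier so that the weekend dip the poster mentions does not mask the trend, and extrapolates next Friday's source count from that ratio. The growth threshold, the minimum-source floor and the straight-line projection are assumptions chosen for illustration, not anything the post or ISC specifies.

```python
"""Weekday-aware trend check over an ISC-style "Date Sources Targets Records" table.

Added example, not from the original post. The embedded table is the one quoted
in the post for port 27347; thresholds and the projection method are assumptions.
"""
from datetime import date, timedelta

# Constructed input: the table as quoted in the post, one row per day.
ISC_TABLE = """\
Date Sources Targets Records
2003-11-02 33 33399 33518
2003-11-01 456 68165 320465
2003-10-31 709 68764 323829
2003-10-30 699 68522 658366
2003-10-29 580 67878 802494
2003-10-28 356 67157 1362930
2003-10-27 204 67643 781985
2003-10-26 135 733 7830
2003-10-25 216 736 11622
2003-10-24 389 1068 13989
2003-10-23 244 328 2539
2003-10-22 7 4 78
"""


def parse_table(text):
    """Return {iso_date: {"sources": int, "targets": int, "records": int}}."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split()
    if header != ["Date", "Sources", "Targets", "Records"]:
        raise ValueError("unexpected header: %r" % header)
    rows = {}
    for line in lines[1:]:
        day, sources, targets, records = line.split()
        date.fromisoformat(day)  # validate the date format; raises on garbage
        rows[day] = {"sources": int(sources), "targets": int(targets),
                     "records": int(records)}
    return rows


def week_over_week(rows, day, field="sources"):
    """Ratio of `day` to the same weekday one week earlier (None if no data).

    Comparing Saturday with Saturday (not with Friday) keeps the weekend dip
    from looking like a drop in attacker activity.
    """
    prev = (date.fromisoformat(day) - timedelta(days=7)).isoformat()
    if prev not in rows or rows[prev][field] == 0:
        return None
    return rows[day][field] / rows[prev][field]


def flag_growth(rows, field="sources", ratio=1.5, min_value=100):
    """Days whose week-over-week ratio meets `ratio` and whose count is at least
    `min_value` (the floor keeps tiny early counts from triggering alerts).
    Both thresholds are assumed values for this example."""
    flagged = []
    for day in sorted(rows):
        r = week_over_week(rows, day, field)
        if r is not None and r >= ratio and rows[day][field] >= min_value:
            flagged.append((day, round(r, 2)))
    return flagged


def naive_projection(rows, day, field="sources"):
    """Extrapolate one week ahead by reapplying the latest week-over-week ratio.
    A straight-line guess (assumption), good enough to sanity-check the post's
    "well over 1000 by next Friday" estimate."""
    r = week_over_week(rows, day, field)
    if r is None:
        return None
    return round(rows[day][field] * r)


if __name__ == "__main__":
    table = parse_table(ISC_TABLE)
    for day, r in flag_growth(table):
        print("%s sources up %.2fx over the same weekday last week" % (day, r))
    print("projected sources for 2003-11-07: %d" % naive_projection(table, "2003-10-31"))
```

Run against the quoted table, the check flags 10/29 through 11/01 as growing week over week, leaves 11/02 alone (a partial day, and well below the floor), and the Friday-to-Friday ratio of 709/389 projects roughly 1290 sources for the following Friday, in line with the poster's estimate.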
