RE: Subseven Scans

From: Rob Keown (Keown@MACDIRECT.COM)
Date: 08/12/02


From: Rob Keown <Keown@MACDIRECT.COM>
To: 'H C' <keydet89@yahoo.com>, Rob Keown <Keown@MACDIRECT.COM>, incidents@securityfocus.com
Date: Mon, 12 Aug 2002 15:24:54 -0400

They were caught by an IDS product outside of the firewall. And they were
just port probes. There are about 7 different signatures for SubSeven on the
IDS (mostly to spot victims inside the perimeter). So I can only say they
were probes to that port. I am looking for 12345 as well since some here
report seeing these at the same time.

I have not looked at any evidence logs to see if there is anything else I
can spot.

Rob

-----Original Message-----
From: H C [mailto:keydet89@yahoo.com]
Sent: Monday, August 12, 2002 2:11 PM
To: Rob Keown; incidents@securityfocus.com
Subject: Re: Subseven Scans

Rob,

Can you be more specific? When you say "subseven
scans" are you referring to the default port? If so,
how do you know they were intended for subseven, and
not the Linux worm (Lion or Ramen, I can't remember
which) that utilized the same port?

Just curious as to what other info you can
provide...assuming, of course, that you're not simply
talking about SYN packets that got dropped at the
firewall...

Thanks

--- Rob Keown <Keown@MACDIRECT.COM> wrote:
> Anyone else seeing a huge increase in subseven
> scans...6708 since about
> 0300Z - across all of my class C's and from quite a
> few sources (running the
> query now to see how many).
>
> Rob
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS
> analyzer service.
> For more information on this free incident handling,
> management
> and tracking system please see:
> http://aris.securityfocus.com
>
