Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Security Incidents: RE: Subseven Scans

RE: Subseven Scans

From: H C <keydet89_at_yahoo.com>
Date: Mon, 12 Aug 2002 12:42:00 -0700 (PDT)

Rob,

So I guess from what you're saying is that these were
just the initial SYN packets, coming from remote
source IPs...right? None of these were signatures
going from inside your organization, headed
out...right?

Also, the IDS product picked these up based on the
port assignment, right? If that's the case, while it
*could be* SubSeven, it could also be that Linux worm
(Ramen) that I mentioned...it uses the same port...

Just as a side thought...did you happen to nmap scan
any of the source IPs? Your first post said that each
scan consisted of three packets...based on the timing
between them, that could be a Windows box.

--- Rob Keown <Keown_at_MACDIRECT.COM> wrote:
> They were caught by a IDS product outside of the
> firewall. And they where
> just port probes. There are about 7 different
> signatures for SubSeven on the
> IDS (mostly to spot victims inside the perimeter).
> So I can only say they
> were probes to that port. I am looking for 12345 as
> well since some here
> report seeing these at the same time.
>
> I have not looked at any evidence logs to see if
> there is anything else I
> can spot.
>
> Rob
>
>
> -----Original Message-----
> From: H C [mailto:keydet89_at_yahoo.com]
> Sent: Monday, August 12, 2002 2:11 PM
> To: Rob Keown; incidents_at_securityfocus.com
> Subject: Re: Subseven Scans
>
>
> Rob,
>
> Can you be more specific? When you say "subseven
> scans" are you referring to the default port? If
> so,
> how do you know they were intended for subseven, and
> not the Linux worm (Lion or Ramen, I can't remember
> which) that utilized the same port?
>
> Just curious as to what other info you can
> provide...assuming, of course, that you're not
> simply
> talking about SYN packets that got dropped at the
> firewall...
>
> Thanks
>
> --- Rob Keown <Keown_at_MACDIRECT.COM> wrote:
> > Anyone else seeing a huge increase in subseven
> > scans...6708 since about
> > 0300Z - across all of my class C's and from quite
> a
> > few sources (running the
> > query now to see how many).
> >
> > Rob
> >
> >
> >
>
----------------------------------------------------------------------------
> > This list is provided by the SecurityFocus ARIS
> > analyzer service.
> > For more information on this free incident
> handling,
> > management
> > and tracking system please see:
> > http://aris.securityfocus.com
> >
>
>
> __________________________________________________
> Do You Yahoo!?
> HotJobs - Search Thousands of New Jobs
> http://www.hotjobs.com

__________________________________________________
Do You Yahoo!?
HotJobs - Search Thousands of New Jobs
http://www.hotjobs.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
Received on Aug 12 2002

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos