Security Incidents mailing list archives

RE: Subseven Scans
From: H C <keydet89 () yahoo com>
Date: Mon, 12 Aug 2002 12:42:00 -0700 (PDT)

Rob,

So I guess from what you're saying is that these were
just the initial SYN packets, coming from remote
source IPs...right?  None of these were signatures
going from inside your organization, headed
out...right?

Also, the IDS product picked these up based on the
port assignment, right?  If that's the case, while it
*could be* SubSeven, it could also be that Linux worm
(Ramen) that I mentioned...it uses the same port...

Just as a side thought...did you happen to nmap scan
any of the source IPs?  Your first post said that each
scan consisted of three packets...based on the timing
between them, that could be a Windows box.

--- Rob Keown <Keown () MACDIRECT COM> wrote:
They were caught by an IDS product outside of the firewall. And they were just port probes. There are about 7 different signatures for SubSeven on the IDS (mostly to spot victims inside the perimeter). So I can only say they were probes to that port. I am looking for 12345 as well since some here report seeing these at the same time.

I have not looked at any evidence logs to see if there is anything else I can spot.

Rob


-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Monday, August 12, 2002 2:11 PM
To: Rob Keown; incidents () securityfocus com
Subject: Re: Subseven Scans


Rob,

Can you be more specific?  When you say "subseven scans" are you referring to the default port?  If so, how do you know they were intended for subseven, and not the Linux worm (Lion or Ramen, I can't remember which) that utilized the same port?

Just curious as to what other info you can provide...assuming, of course, that you're not simply talking about SYN packets that got dropped at the firewall...

Thanks

--- Rob Keown <Keown () MACDIRECT COM> wrote:
Anyone else seeing a huge increase in subseven scans...6708 since about 0300Z - across all of my class C's and from quite a few sources (running the query now to see how many).

Rob




----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com



__________________________________________________
Do You Yahoo!?
HotJobs - Search Thousands of New Jobs
http://www.hotjobs.com



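The thread's two triage questions (are these alerts just port-based hits, and does a three-packet scan with Windows-like retransmit timing really represent one failed connection attempt rather than three probes) can be answered from the alert log itself. The following is an added example, not code from the thread or from SecurityFocus; it assumes a simple constructed alert format, 27374 as the default SubSeven port (the thread never names it), and the classic 3 s / 6 s SYN retransmit gaps of Windows stacks of that era.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample alerts in a simple "timestamp src dst:port" format.
# 27374 is assumed here as the default SubSeven port (not stated in the thread).
SAMPLE_ALERTS = """\
2002-08-12T03:00:00 10.0.0.5 192.0.2.10:27374
2002-08-12T03:00:03 10.0.0.5 192.0.2.10:27374
2002-08-12T03:00:09 10.0.0.5 192.0.2.10:27374
2002-08-12T03:01:00 10.0.0.7 192.0.2.11:27374
2002-08-12T03:01:01 10.0.0.7 192.0.2.11:12345
2002-08-12T03:01:02 10.0.0.7 192.0.2.11:27374
2002-08-12T03:02:00 10.0.0.9 192.0.2.12:27374
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+):(\d+)$")

def parse_alerts(text):
    """Return (timestamp, src, dst, port) tuples; malformed lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group(1))
            out.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return out

def classify_sources(alerts, port=27374):
    """Group hits on one port by (src, dst) and label the packet-timing pattern.

    Assumption: an unanswered connect() from a classic Windows stack sends the
    SYN plus two retransmits roughly 3 s and 6 s apart, so three packets with
    those gaps look like one failed connection attempt, not three scans.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, p in alerts:
        if p == port:
            by_pair[(src, dst)].append(ts)
    labels = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) == 3 and abs(gaps[0] - 3) <= 1 and abs(gaps[1] - 6) <= 1:
            labels[pair] = "syn-retransmit-windows-like"
        elif len(times) == 1:
            labels[pair] = "single-packet"
        else:
            labels[pair] = "other"
    return labels
```

A port-only signature cannot distinguish SubSeven from a worm probing the same port, so the label only says what the timing is consistent with; the port itself is still the only thing the alert proves.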

