Security Incidents: Re: Subseven Scans

[H C <keydet89 () yahoo com>]

Preston,

> I've seen quite a bit of traffic on ports tcp/12345
> and tcp/27374.
> According to what I've seen, 27374 is a port used by
> quite a few versions of SubSeven, 
A couple of things...first, port 27374 is the default
port for both SubSeven, as well as the Ramen worm
(Linux).  Therefore, a SYN packet destined for that
port is, in and of itself, inconclusive.

Second, I'm sure you're aware that default ports are
just that, and in many cases, configurable.

> as for 12345, it's not mentioned that subseven
> runs on that port (that I've seen)
It's NetBus's default port (1.7x and previous
versions).

> but I am seeing attempted
> connections to these ports at the same time (maybe
> some other vuln
> attempt I'm not aware of?  anyone?).  Hope that
> helps.
Given that these SYN packets are dropped by the f/w
(in most cases), they simply seem to be scans at this
point.   As far as vulnerabilities are concerned, they
may or may not be...but if there's a trojan installed
on a system, the admin has more to worry about than
vulnerabilities.



__________________________________________________
Do You Yahoo!?
HotJobs - Search Thousands of New Jobs
http://www.hotjobs.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com