Security Incidents mailing list archives

Re: Increase in Sub7 scans


From: Daniel Martin <dtmartin24 () home com>
Date: 12 Jun 2001 12:02:39 -0400

"Obert, Jack E." <JObert () sprg smhs com> writes:

> Since February, I've been receiving tcp port scans for the default sub7 port
> (27374) at a rate of approximately 3-4 per day.  Starting on June 8th to
> present, I've been receiving them at 9 times that rate.

Can you check the time of day for those scans?  I'd hazard a guess that
what you'll see is not a general increase in sub7 scans but rather the
three-four spaced out scans together with bursts of up to 20 scans
occurring in a 1-2 minute time frame.

I observe this pattern whenever I get scanned by someone's IRC botnet
- basically, the way some of these botnets work is that first all the
bots join some IRC channel.  Then, a special bot starts spitting out
IP addresses and each of the other bots will then go scan that
address.  Sometimes the process spitting out IP addresses will first
probe the target IP before telling all the bots to go run their
exploits against it, sometimes not.

For what it's worth, my subseven honeypot has not recorded any
significant increase in scanning activity recently (in fact, I got no
scans on Saturday).
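
[Added example, not part of the original message.] One way to run the time-of-day check suggested above is to cluster port 27374 hits by spacing and separate lone background scans from multi-source bursts. The log format, the sample lines, the 2-minute gap and the 3-source threshold are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

# Constructed sample firewall log (assumed format: date time src_ip dst_port).
SAMPLE_LOG = """\
2001-06-08 03:14:07 192.0.2.10 27374
2001-06-08 09:02:51 192.0.2.44 27374
2001-06-08 11:40:02 198.51.100.7 27374
2001-06-08 11:40:09 198.51.100.23 27374
2001-06-08 11:40:15 203.0.113.5 27374
2001-06-08 11:40:31 203.0.113.77 27374
2001-06-08 11:41:12 198.51.100.90 27374
2001-06-08 11:41:20 203.0.113.140 27374
2001-06-08 15:30:00 192.0.2.10 80
2001-06-08 20:55:40 192.0.2.201 27374
"""

def parse(log, port=27374):
    """Return time-sorted (timestamp, source) pairs for hits on `port`."""
    hits = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3] != str(port):
            continue  # skip malformed lines and other ports
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        hits.append((ts, parts[2]))
    return sorted(hits)

def cluster(hits, gap=timedelta(minutes=2)):
    """Group hits that follow the previous hit within `gap` (assumed value)."""
    groups = []
    for ts, src in hits:
        if groups and ts - groups[-1][-1][0] <= gap:
            groups[-1].append((ts, src))
        else:
            groups.append([(ts, src)])
    return groups

def summarize(groups, min_sources=3):
    """Label a group 'burst' when it has at least `min_sources` distinct sources."""
    out = []
    for g in groups:
        sources = {src for _, src in g}
        kind = "burst" if len(sources) >= min_sources else "background"
        out.append((g[0][0], len(g), len(sources), kind))
    return out

if __name__ == "__main__":
    for start, hits, nsrc, kind in summarize(cluster(parse(SAMPLE_LOG))):
        print(start, f"hits={hits}", f"sources={nsrc}", kind)
```

A daily total hides this shape: the constructed day above has nine scans, but six of them arrive from six sources inside 80 seconds, and only three are background.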

