-----BEGIN PGP SIGNED MESSAGE-----
At 09:27 AM 1/18/01 +1100, Dave Horsfall wrote:
>Apart from the usual SunRPC, FTP, etc portscans (don't these kiddies
>have anything better to do?), I've started seeing probes like this:
>
>[207.172.150.150] resolves to
>"207-172-150-150.s23.as10.anp.md.dialup.rcn.com"
>
>Jan 17 17:12:30 denied tcp 207.172.150.150(1741) -> 192.84.230.1(27374), 1 packet
>Jan 17 17:12:30 denied tcp 207.172.150.150(1742) -> 192.84.230.1(12345), 1 packet
>Jan 17 17:12:30 denied tcp 207.172.150.150(1745) -> 192.84.230.2(27374), 1 packet
>Jan 17 17:12:30 denied tcp 207.172.150.150(1746) -> 192.84.230.2(12345), 1 packet
>
>Etc.
>
>12345 is "Netbus, Pie-Bill-Gates" etc, but what's 27374? Some new
>trojan?
>
>And more to the point, why is this lamer using TCP, when most
>trojans are UDP? Or did I answer my own question?
27374 is sometimes Sub Seven but your post is more indicative of the
Ramen worm. There's a reasonably good discussion of it running on
Securityfocus' Incidents list:
http://www.securityfocus.com/archive/75/156356 (one of many posts on
the subject).
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.8
Comment: How long has it been since you backed up your hard drive?
iQCVAwUBOmYobfGfiIQsciJtAQHvZQQAtZYvrQNjiZrA1mVwKfJ1wc+kFHNRjICo
FLh0qu7ZEhjKiTLicEvJGZt+HRmfJPCMfGZnUf7YwwtPS/Kj3p1gseuhEgfvRH9f
BcDvmShZt/WcH3l9Krb9kbp74XU6pvxqyVc62b3PJ+vkuVfjLa49uKlHQ6SnxNXk
BC71UB5aUcQ=
=te/8
-----END PGP SIGNATURE-----
--
Regards,
David Kennedy CISSP
Director of Research Services, TruSecure Corp. http://www.trusecure.com
Protect what you connect.
Look both ways before crossing the Net.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
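An added triage example, not part of the thread or of either poster's work: it parses denied-connection lines in the format quoted above, groups them by source address, tags destination ports that belong to the two remote-access trojans named in the thread, and flags a source that hits more than one host as a sweep. The four sample lines are taken from the post; the regex, the function names and the port-to-name table are assumptions for this example. Both NetBus (12345) and SubSeven (27374) are TCP listeners, which is why probes for them show up as TCP SYNs in a firewall log.

```python
import re
from collections import defaultdict

# Constructed sample: the four denied-connection lines from the post, one per line.
SAMPLE_LOG = """\
Jan 17 17:12:30 denied tcp 207.172.150.150(1741) -> 192.84.230.1(27374), 1 packet
Jan 17 17:12:30 denied tcp 207.172.150.150(1742) -> 192.84.230.1(12345), 1 packet
Jan 17 17:12:30 denied tcp 207.172.150.150(1745) -> 192.84.230.2(27374), 1 packet
Jan 17 17:12:30 denied tcp 207.172.150.150(1746) -> 192.84.230.2(12345), 1 packet
"""

# Well-known trojan listener ports mentioned in the thread (assumed table for this example).
# Both are TCP services, so probes for them arrive as TCP, not UDP.
TROJAN_PORTS = {
    12345: "NetBus",
    27374: "SubSeven",
}

# Matches the log layout quoted in the post: "<Mon DD HH:MM:SS> denied <proto>
# <src>(<sport>) -> <dst>(<dport>), <n> packet(s)". Assumed to be stable.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\((?P<sport>\d+)\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\), "
    r"(?P<count>\d+) packets?$"
)


def parse_line(line):
    """Parse one 'denied' line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("sport", "dport", "count"):
        rec[key] = int(rec[key])
    return rec


def summarize(text):
    """Group denied connections by source address: hosts touched, ports tried, protocols, packets."""
    per_src = defaultdict(
        lambda: {"dst_hosts": set(), "dports": set(), "protos": set(), "events": 0}
    )
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unrelated or malformed lines rather than aborting
        s = per_src[rec["src"]]
        s["dst_hosts"].add(rec["dst"])
        s["dports"].add(rec["dport"])
        s["protos"].add(rec["proto"])
        s["events"] += rec["count"]
    return dict(per_src)


def classify(per_src, min_hosts=2):
    """For each source, name any trojan ports it probed and flag multi-host sweeps."""
    findings = []
    for src, s in sorted(per_src.items()):
        hits = {p: TROJAN_PORTS[p] for p in s["dports"] if p in TROJAN_PORTS}
        findings.append({
            "src": src,
            "trojan_ports": hits,
            "hosts_probed": len(s["dst_hosts"]),
            "sweep": len(s["dst_hosts"]) >= min_hosts,
            "protocols": sorted(s["protos"]),
        })
    return findings


if __name__ == "__main__":
    for f in classify(summarize(SAMPLE_LOG)):
        names = ", ".join(f"{p}/{n}" for p, n in sorted(f["trojan_ports"].items()))
        print(
            f"{f['src']}: probed {f['hosts_probed']} host(s) for [{names}] "
            f"over {'/'.join(f['protocols'])}{' (sweep)' if f['sweep'] else ''}"
        )
```

Feeding the sample lines through `classify(summarize(...))` yields one finding: the dial-up source hit two hosts on both 12345 and 27374 over TCP, i.e. a sweep for known trojan listeners. Extending `TROJAN_PORTS` with other ports of interest is the only change needed to reuse the script on a larger log.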