[Dshield] Re.: More stuff from Korea

Johannes B. Ullrich 7ellerton at mediaone.net
Mon May 14 22:46:58 GMT 2001


*** PGP Signature Status: good
*** Signer: Johannes B. Ullrich <jullrich at euclidian.com> 
*** Signed: 5/14/2001 6:33:03 PM
*** Verified: 5/14/2001 6:45:41 PM
*** BEGIN PGP VERIFIED MESSAGE ***

Yes. I am seeing these scans quite a bit in DShield's database.
Actually, hosts that scan 10008 usually scan a number of other
ports as well (1008, 2400), but lately I see a lot of scans just
for 10008. Most of these ports are used by Trojans
to install back doors. So the current theory is that these scans
look for machines made vulnerable by the earlier wave of worms
(kind of a parasitic scan). The change from 'scan 20 ports' to
just 'scan 10008' may be an evolving tool?

http://www1.dshield.org/port_report.php?port=10008
(see the peak of 500+ scans just today so far)

Also see the handler diary for 5/10/2001
http://www.incidents.org/react/diary.php 


---
Johannes Ullrich            Join http://www.dshield.org
jullrich at euclidian.com
GPG Key ID: AE692033  Key: http://johannes.homepc.org/pgp.htm
---


-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
Behalf Of Tench, Michael
Sent: Monday, May 14, 2001 10:58 AM
To: 'dshield at dshield.org'
Subject: [Dshield] More stuff from Korea


As you know, last week a great deal of scans to 111 and 80 were
originating from Asia. As it moved to other networks, it was evident
that a worm was on the loose.

I have noticed scans from many of these Asian networks looking for
port 10008. Is there a connection?


*** END PGP VERIFIED MESSAGE ***
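
The shift described in the reply above, from sources that probe 10008 together with other ports to sources that probe only 10008, can be checked in one's own firewall logs by grouping probes per source. This is an added example, not part of the original thread or of DShield's code; the three-field log format, the function names and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample records: "timestamp source_ip dest_port".
# Addresses come from the RFC 5737 documentation ranges, not real scanners.
SAMPLE_LOG = """\
2001-05-14T10:01:02 192.0.2.10 10008
2001-05-14T10:01:03 192.0.2.10 1008
2001-05-14T10:01:04 192.0.2.10 2400
2001-05-14T10:02:11 198.51.100.7 10008
2001-05-14T10:02:15 198.51.100.7 10008
2001-05-14T10:03:40 203.0.113.5 111
2001-05-14T10:03:41 203.0.113.5 80
2001-05-14T10:04:00 198.51.100.99 10008
malformed line without a port
"""

TARGET_PORT = 10008  # the port discussed in the thread


def ports_by_source(log_text):
    """Map each source IP to the set of destination ports it probed."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[2].isdigit():
            continue  # skip lines that do not match the assumed format
        port = int(fields[2])
        if 0 < port <= 65535:
            seen[fields[1]].add(port)
    return dict(seen)


def classify(log_text):
    """For sources that probed TARGET_PORT, return (pattern, other ports)."""
    result = {}
    for src, ports in ports_by_source(log_text).items():
        if TARGET_PORT not in ports:
            continue  # source never touched the port of interest
        others = sorted(ports - {TARGET_PORT})
        pattern = "multi-port" if others else "single-port"
        result[src] = (pattern, others)
    return result


if __name__ == "__main__":
    for src, (pattern, others) in sorted(classify(SAMPLE_LOG).items()):
        print(src, pattern, others)
```

Tracking the ratio of single-port to multi-port sources per day shows whether the scanning behaviour is changing over time.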
