[Dshield] Re.: More stuff from Korea
Johannes B. Ullrich
7ellerton at mediaone.net
Mon May 14 22:46:58 GMT 2001
*** PGP Signature Status: good
*** Signer: Johannes B. Ullrich <jullrich at euclidian.com>
*** Signed: 5/14/2001 6:33:03 PM
*** Verified: 5/14/2001 6:45:41 PM
*** BEGIN PGP VERIFIED MESSAGE ***
Yes. I am seeing these scans quite a bit in DShield's database.
Actually, hosts that scan 10008 usually scan a number of other
ports as well (1008, 2400) but lately, I see a lot of scans just
for 10008. Most of these ports are used by Trojans
to install back doors. So the current theory is that these scans
look for machines made vulnerable by the earlier wave of worms
(kind of a parasitic scan). The change from 'scan 20 ports' to
just 'scan 10008' may be an evolving tool?
(See the peak of 500+ scans just today so far.)
Also see the handler diary for 5/10/2001.
Johannes Ullrich Join http://www.dshield.org
jullrich at euclidian.com
GPG Key ID: AE692033 Key: http://johannes.homepc.org/pgp.htm
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On
Behalf Of Tench, Michael
Sent: Monday, May 14, 2001 10:58 AM
To: 'dshield at dshield.org'
Subject: [Dshield] More stuff from Korea
As you know, last week a great deal of scans to 111 and 80 were
from Asia. As it moved to other networks, it was evident that a worm
I have noticed scans from many of these Asian networks looking for
10008. Is there a connection?
*** END PGP VERIFIED MESSAGE ***