[Dshield] RE: [LOGS] tcp:27374 upsurge? - ACID Incident Report

James C. Slora, Jr. Jim.Slora at phra.com
Fri Jul 5 15:16:05 GMT 2002


John Sage wrote Tuesday, July 02, 2002 8:59 AM:

>When looking back over the last week's records, nothing for tcp:27374
>until yesterday, and then quite a few...

I've had a little uptick in 27374 probes in the past few days, plus probes
for other backdoors that have had no activity for quite a while.

17300 (Kuang2 and derivatives) - one spray and pray probe.

1524 (Trinoo) - several targeted attempts on a single host. A couple of them
are from an International Volleyball Federation web server that appears to
have been converted to a DDOS zombie controller, based on the odd http
content it serves up. It appears to probe for trinoo clients when a user
visits another related site. One other server probed us for Trinoo - also
targeted against one host, no relationship found to user activity.

Maybe these are related to the DDOS tool payloads installed by the Scalper
worm and other tools that might be installed on chunk-vulnerable web
servers.
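The distinction Jim draws above, between a "spray and pray" sweep across many hosts and repeated targeted attempts against one host, can be pulled out of firewall deny logs mechanically. The following is an added example, not code from the original post or from the DShield project; it assumes a simple constructed log line format (`DATE TIME DENY TCP SRC:PORT -> DST:PORT`) and groups probes to the three backdoor ports mentioned in the thread by source address and destination port.

```python
import re
from collections import defaultdict

# Constructed sample of firewall deny lines (not taken from the original post).
SAMPLE_LOG = """\
2002-07-02 08:10:01 DENY TCP 192.0.2.10:4321 -> 198.51.100.5:27374
2002-07-02 08:10:02 DENY TCP 192.0.2.10:4322 -> 198.51.100.6:27374
2002-07-02 08:10:02 DENY TCP 192.0.2.10:4323 -> 198.51.100.7:27374
2002-07-02 08:10:03 DENY TCP 192.0.2.10:4324 -> 198.51.100.8:17300
2002-07-02 09:00:11 DENY TCP 203.0.113.44:1234 -> 198.51.100.20:1524
2002-07-02 09:00:15 DENY TCP 203.0.113.44:1235 -> 198.51.100.20:1524
2002-07-02 09:00:19 DENY TCP 203.0.113.44:1236 -> 198.51.100.20:1524
2002-07-02 09:30:00 DENY TCP 203.0.113.9:5555 -> 198.51.100.20:80
"""

# Backdoor listener ports named in the thread; 27374 is the well-known SubSeven default.
BACKDOOR_PORTS = {27374: "SubSeven", 17300: "Kuang2", 1524: "Trinoo"}

# Assumed log layout: "DATE TIME DENY TCP SRC:SPORT -> DST:DPORT".
LINE_RE = re.compile(r"^\S+ \S+ DENY TCP (\S+):\d+ -> (\S+):(\d+)$")

def parse_log(text):
    """Yield (src_ip, dst_ip, dst_port) for each deny line that hits a backdoor port."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        src, dst, port = m.group(1), m.group(2), int(m.group(3))
        if port in BACKDOOR_PORTS:
            yield src, dst, port

def classify_probes(text, spray_min_hosts=3):
    """Group probes by (source, port) and label the pattern:
    'spray'    - one source touching >= spray_min_hosts distinct hosts on the port
    'targeted' - repeated attempts from one source against a single host
    'single'   - one attempt against one host (too little data to judge)"""
    attempts, targets = defaultdict(int), defaultdict(set)
    for src, dst, port in parse_log(text):
        attempts[(src, port)] += 1
        targets[(src, port)].add(dst)
    result = {}
    for key, n in attempts.items():
        hosts = len(targets[key])
        pattern = ("spray" if hosts >= spray_min_hosts
                   else "targeted" if n >= 2 and hosts == 1 else "single")
        result[key] = {"tool": BACKDOOR_PORTS[key[1]], "attempts": n,
                       "hosts": hosts, "pattern": pattern}
    return result

if __name__ == "__main__":
    for (src, port), info in sorted(classify_probes(SAMPLE_LOG).items()):
        print(f"{src:>15} -> tcp/{port:<5} {info['tool']:<8} "
              f"{info['attempts']} attempts, {info['hosts']} hosts: {info['pattern']}")
```

Sources labelled "targeted" are the ones worth correlating with user activity, as Jim did with the web server that probed for Trinoo clients after a site visit.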
