[Dshield] RE: [LOGS] tcp:27374 upsurge? - ACID Incident Report

Smith, Donald Donald.Smith at qwest.com
Fri Jul 5 15:27:40 GMT 2002


Do you have any packet details on the 1524 packets?

> -----Original Message-----
> From: James C. Slora, Jr. [mailto:Jim.Slora at phra.com]
> Sent: Friday, July 05, 2002 9:16 AM
> To: John Sage; list at dshield.org; intrusions at incidents.org
> Subject: RE: [LOGS] tcp:27374 upsurge? - ACID Incident Report
> 
> 
> John Sage wrote Tuesday, July 02, 2002 8:59 AM:
> 
> >When looking back over the last week's records, nothing for tcp:27374
> >until yesterday, and then quite a few...
> 
> I've had a little uptick in 27374 probes in the past few days, plus probes
> for other backdoors that have had no activity for quite a while.
> 
> 17300 (Kuang2 and derivatives) - one spray and pray probe.
> 
> 1524 (Trinoo) - several targeted attempts on a single host. A couple of them
> are from an International Volleyball Federation web server that appears to
> have been converted to a DDOS zombie controller, based on the odd http
> content it serves up. It appears to probe for trinoo clients when a user
> visits another related site. One other server probed us for
Interesting, so visit this site to be probed for trinoo?
Got a link?
> Trinoo - also targeted against one host, no relationship found to user activity.
> 
> Maybe these are related to the DDOS tool payloads installed by the Scalper
> worm and other tools that might be installed on chunk-vulnerable web
> servers.
> 
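The thread distinguishes two probe patterns against backdoor ports: a single "spray and pray" sweep across many hosts (the 17300/Kuang2 case) and repeated attempts against one host (the 1524/Trinoo case). The script below is an added example written for this archive page, not code posted by anyone in the thread: it parses a handful of constructed firewall log lines in a hypothetical `date time proto src:sport -> dst:dport` format, keeps only connections to the ports named in the thread (the 27374/SubSeven association is a well-known one the thread itself does not spell out), and labels each source/port pair as targeted, spray, or single so the "several attempts on a single host" observation can be made from logs rather than by eye. The thresholds are assumptions, not values from the thread.

```python
"""Classify backdoor-port probes in firewall logs as spray-and-pray vs targeted."""
from collections import defaultdict
import re

# Ports discussed in the thread and the tools they are associated with.
# 27374/tcp -> SubSeven is a well-known association the thread does not name.
BACKDOOR_PORTS = {27374: "SubSeven", 17300: "Kuang2", 1524: "Trinoo"}

# Constructed sample log lines (hypothetical format, documentation IP ranges).
SAMPLE_LOG = """\
2002-07-04 10:01:12 TCP 192.0.2.10:3122 -> 198.51.100.5:1524
2002-07-04 10:01:15 TCP 192.0.2.10:3123 -> 198.51.100.5:1524
2002-07-04 10:02:40 TCP 192.0.2.10:3140 -> 198.51.100.5:1524
2002-07-04 11:15:03 TCP 192.0.2.77:4011 -> 198.51.100.5:17300
2002-07-04 11:15:03 TCP 192.0.2.77:4012 -> 198.51.100.6:17300
2002-07-04 11:15:04 TCP 192.0.2.77:4013 -> 198.51.100.7:17300
2002-07-04 11:15:04 TCP 192.0.2.77:4014 -> 198.51.100.8:17300
2002-07-04 12:30:00 TCP 192.0.2.200:1040 -> 198.51.100.9:80
2002-07-05 08:00:01 TCP 192.0.2.33:2001 -> 198.51.100.5:27374
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Return one dict per parseable line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records


def backdoor_probes(records):
    """Keep only connections aimed at a known backdoor port."""
    return [r for r in records if r["dport"] in BACKDOOR_PORTS]


def classify_sources(records, targeted_min=2, spray_min=3):
    """Group probes by (source, port) and label the observed pattern.

    'targeted': repeated attempts against a single destination host
    'spray'   : one attempt each against several different hosts
    'single'  : too little activity to fit either pattern yet
    Thresholds are assumed defaults, not values from the thread.
    """
    hits = defaultdict(list)
    for r in backdoor_probes(records):
        hits[(r["src"], r["dport"])].append(r["dst"])
    result = {}
    for (src, port), dsts in hits.items():
        distinct = set(dsts)
        if len(distinct) == 1 and len(dsts) >= targeted_min:
            pattern = "targeted"
        elif len(distinct) >= spray_min and len(dsts) == len(distinct):
            pattern = "spray"
        else:
            pattern = "single"
        result[(src, port)] = {
            "tool": BACKDOOR_PORTS[port],
            "attempts": len(dsts),
            "hosts": len(distinct),
            "pattern": pattern,
        }
    return result


if __name__ == "__main__":
    for (src, port), info in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src:>14} -> {port:5d} ({info['tool']:8}) "
              f"{info['attempts']} attempts, {info['hosts']} host(s): {info['pattern']}")
```

Running it on the sample prints 192.0.2.10 as a targeted Trinoo source (three attempts on one host), 192.0.2.77 as a Kuang2 spray across four hosts, and 192.0.2.33 as a single SubSeven probe; the port-80 line is dropped because it is not a backdoor port. Real firewall or DShield exports will need their own `LINE_RE`.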