[Dshield] Increase in Sub Seven's

Paul Marsh pmarsh at nmefdn.org
Tue Jun 18 17:57:56 GMT 2002

Speaking of honeypots, I want to create one.  Are there any sites out there
that talk about configuring one and what tools I should use to capture any
and all data.

Thanx, Paul
-----Original Message-----
From: Johannes Ullrich [mailto:jullrich at sans.org]
Sent: Tuesday, June 18, 2002 10:12 AM
To: list at dshield.org
Cc: Mdlijster at prioritytelecom.com
Subject: Re: [Dshield] Increase in Sub Seven's

> Yes, I get them too, but since may and from all over the globe.
> But it seems they come in "batches". Some day's I see five to ten of them,
some days none.
> In May I even had Sub Seven's arriving, directly followed by Netbus's from
the same addresses.

Does anybody have honeypot captures of this activity? If you
need my good old perl honeypot, let me know. Subseven probes
usually come from IRC bots and try to get SubSeven to download
some other piece of malware.

jullrich at sans.org             Collaborative Intrusion Detection
                                    join http://www.dshield.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.dshield.org/pipermail/list/attachments/20020618/139bf4bb/attachment.htm

More information about the list mailing list