[Dshield] weird: tcp 901

Joe Stewart jstewart at lurhq.com
Tue Sep 9 01:49:52 GMT 2003

On Mon Sep 8 19:05:20 EDT 2003, *Hobbit* wrote:
> Why would so many different sources be interested in TCP 901?
> Nothing of note to see in the dshield ports-report rundown, although
> its supposed mapping to "realsecure sensor" and "samba-swat" is vaguely
> interesting.  Haven't had time/motivation to trap it yet, figured
> I'd ask first...

It's a mIRC-based bot that spreads by scanning for and utilizing previous
Net-devil installations on port 901 along with Subseven and Kuang2. Since
Subseven and Kuang2 have been scanned to death, Net-devil is a more
attractive target for the kiddies now.

See http://www.dshield.org/pipermail/list/2003-June/008480.php


Joe Stewart, GCIH 
Senior Security Researcher
LURHQ Corporation

More information about the list mailing list