[Dshield] weird: tcp 901
jstewart at lurhq.com
Tue Sep 9 01:49:52 GMT 2003
On Mon Sep 8 19:05:20 EDT 2003, *Hobbit* wrote:
> Why would so many different sources be interested in TCP 901?
> Nothing of note to see in the dshield ports-report rundown, although
> its supposed mapping to "realsecure sensor" and "samba-swat" is vaguely
> interesting. Haven't had time/motivation to trap it yet, figured
> I'd ask first...
It's a mIRC-based bot that spreads by scanning for and utilizing previous
Net-devil installations on port 901 along with Subseven and Kuang2. Since
Subseven and Kuang2 have been scanned to death, Net-devil is a more
attractive target for the kiddies now.
Joe Stewart, GCIH
Senior Security Researcher
More information about the list