lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
From: jlevitsk at joshie.com (Joshua Levitsky)
Subject: Port 27347 concerns

Has anyone here captured any of this traffic? It's come up last week, but I didn't see anyone actually say they had a sample of the traffic or a honeypot they let get infected. Someone has to have a sample or a log they can share that has more detail than just blocking the attacker. 

http://isc.incidents.org/port_details.html?port=27347

If you look at the table below you will see this is something building that will explode soon. 11/01 - Saturday is low because it is a weekend and less machines are on. The 11/02 - Sunday stats will be low as well I believe. 10/25 and 10/26 you can see the same weekend dip. 

If on 10/24 we have 389 sources, and on 10/31 there are 709 sources then we should be well over 1000 sources by next Friday. This trend is concerning me because it could become very bad rapidly. Just don't want us all to be caught off guard by whatever this is. Some people seem to think it's a SubSeven trojan that has the port number flipped from 27374 to 27347, but if it is then someone has a delivery mechanism that is working very well if you look at the table below which goes from 7 hosts to 709 hosts on Friday.


      Date Sources Targets Records 
      2003-11-02 33  33399 33518 
      2003-11-01 456  68165 320465 
      2003-10-31 709  68764 323829 
      2003-10-30 699  68522 658366 
      2003-10-29 580  67878 802494 
      2003-10-28 356  67157 1362930 
      2003-10-27 204  67643 781985 
      2003-10-26 135  733 7830 
      2003-10-25 216  736 11622 
      2003-10-24 389  1068 13989 
      2003-10-23 244  328 2539 
      2003-10-22 7  4 78 


--
Joshua Levitsky, MCSE, CISSP
System Engineer
Time Inc. Information Technology
[5957 F27C 9C71 E9A7 274A 0447 C9B9 75A4 9B41 D4D1]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031101/3924bb0f/attachment.html

Powered by blists - more mailing lists