Incident 02-18-02 22:17pm

A probe for boxes compromised by the SubSeven trojan, by an AOL'er.


Unusual System Events
=-=-=-=-=-=-=-=-=-=-=
Feb 18 22:17:10 greatwall snort: [1:0:0] TCP to 27374 SubSeven {TCP}
 172.141.44.226:2242 -> 12.82.135.84:27374

Feb 18 22:17:20 greatwall last message repeated 2 times


Feb 18 22:17:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 172.141.44.226:2242 12.82.135.84:27374
 L=48 S=0x00 I=55211 F=0x4000 T=112 SYN (#64)
Feb 18 22:17:14 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 172.141.44.226:2242 12.82.135.84:27374
 L=48 S=0x00 I=55536 F=0x4000 T=112 SYN (#64)
Feb 18 22:17:20 greatwall kernel: Packet log: input DENY ppp0 PROTO=6
 172.141.44.226:2242 12.82.135.84:27374
 L=48 S=0x00 I=56150 F=0x4000 T=112 SYN (#64)


Mon Feb 18 22:17:10 2002 172.141.44.226: UNKNOWN [8760:112:1432:1:-1:1:1:48].
 172.141.44.226:2242 -> 12.82.135.84:27374
Mon Feb 18 22:17:14 2002 172.141.44.226: UNKNOWN [8760:112:1432:1:-1:1:1:48].
 172.141.44.226:2242 -> 12.82.135.84:27374
Mon Feb 18 22:17:20 2002 172.141.44.226: UNKNOWN [8760:112:1432:1:-1:1:1:48].
 172.141.44.226:2242 -> 12.82.135.84:27374
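As an added example (not part of the original incident record), here is a small Python parser for the ipchains "Packet log" lines above, each reassembled onto one line as the kernel actually writes it. It groups denied inbound SYNs by source, destination and destination port, flags the SubSeven listener port, reports the spacing between the repeated SYNs, and estimates the sender's distance from the TTL. The names WATCHED_PORTS, parse_ipchains, find_probes and estimate_hops are chosen here; the year 2002 is taken from the p0f timestamps since syslog lines carry none.

```python
import re
from datetime import datetime

# Constructed sample: the three "input DENY" records from this incident, one per line.
KERNEL_LOG = """\
Feb 18 22:17:10 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 172.141.44.226:2242 12.82.135.84:27374 L=48 S=0x00 I=55211 F=0x4000 T=112 SYN (#64)
Feb 18 22:17:14 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 172.141.44.226:2242 12.82.135.84:27374 L=48 S=0x00 I=55536 F=0x4000 T=112 SYN (#64)
Feb 18 22:17:20 greatwall kernel: Packet log: input DENY ppp0 PROTO=6 172.141.44.226:2242 12.82.135.84:27374 L=48 S=0x00 I=56150 F=0x4000 T=112 SYN (#64)
"""

# Backdoor listener ports worth flagging on an inbound SYN; 27374 is the SubSeven port on this page.
WATCHED_PORTS = {27374: "SubSeven"}

# ipchains log fields: L=total length, S=TOS, I=IP ID, F=fragment field (0x4000 = DF),
# T=TTL, then any TCP flags, then the matching rule number in parentheses.
IPCHAINS_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: Packet log: "
    r"(?P<chain>\w+) (?P<verdict>\w+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"L=(?P<len>\d+) S=0x(?P<tos>[0-9a-fA-F]+) I=(?P<ipid>\d+) F=0x(?P<frag>[0-9a-fA-F]+) "
    r"T=(?P<ttl>\d+)(?P<flags>(?: [A-Z]+)*) \(#(?P<rule>\d+)\)$"
)


def parse_ipchains(line, year=2002):
    """Return a dict for one ipchains log line, or None if the line is not one."""
    m = IPCHAINS_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    # syslog timestamps have no year; the caller supplies it (2002 here, from the incident date).
    ts = datetime.strptime(f"{year} {d['ts']}", "%Y %b %d %H:%M:%S")
    return {
        "time": ts, "host": d["host"], "chain": d["chain"], "verdict": d["verdict"],
        "iface": d["iface"], "proto": int(d["proto"]),
        "src": d["src"], "sport": int(d["sport"]), "dst": d["dst"], "dport": int(d["dport"]),
        "len": int(d["len"]), "ipid": int(d["ipid"]),
        "df": bool(int(d["frag"], 16) & 0x4000), "ttl": int(d["ttl"]),
        "flags": d["flags"].split(), "rule": int(d["rule"]),
    }


def estimate_hops(ttl):
    """Guess the sender's initial TTL (64, 128 and 255 are the common defaults) and the
    hop count to us; the 112 on this page fits an initial 128, i.e. about 16 hops away."""
    for initial in (64, 128, 255):
        if ttl <= initial:
            return initial, initial - ttl
    return None, None


def find_probes(log_text):
    """Group denied inbound SYNs by (src, dst, dport) and report hits on watched ports,
    with the gaps between attempts and whether the source port stayed constant
    (constant port and rising IP ID means one connection attempt being retransmitted)."""
    flows = {}
    for line in log_text.splitlines():
        rec = parse_ipchains(line)
        if rec is None or rec["verdict"] != "DENY" or "SYN" not in rec["flags"]:
            continue
        flows.setdefault((rec["src"], rec["dst"], rec["dport"]), []).append(rec)
    report = []
    for (src, dst, dport), recs in flows.items():
        if dport not in WATCHED_PORTS:
            continue
        recs.sort(key=lambda r: r["time"])
        gaps = [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(recs, recs[1:])]
        initial_ttl, hops = estimate_hops(recs[0]["ttl"])
        report.append({
            "src": src, "dst": dst, "dport": dport, "label": WATCHED_PORTS[dport],
            "attempts": len(recs), "gaps_s": gaps,
            "same_source_port": len({r["sport"] for r in recs}) == 1,
            "ttl": recs[0]["ttl"], "initial_ttl": initial_ttl, "hops": hops,
        })
    return report


if __name__ == "__main__":
    for hit in find_probes(KERNEL_LOG):
        print(hit)
```

Run against the three lines above it yields one flow: three SYNs from 172.141.44.226 to port 27374, 4 and 6 seconds apart, all from source port 2242 with a climbing IP ID, which is what a single blocked connect being retransmitted looks like rather than a repeated scan.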


BW whois 2.9 by Bill Weinman (http://whois.bw.org/)
 (c) 1999-2001 William E. Weinman

America Online, Inc. (NETBLK-AOL-172BLK)
   12100 Sunrise Valley Drive
   Reston, VA 20191
   US    

Netname: AOL-172BLK
   Netblock: 172.128.0.0 - 172.191.255.255
   Maintainer: AOL    

Coordinator:
      America Online, Inc.  (AOL-NOC-ARIN)  domains@AOL.NET
      703-265-4670    

Domain System inverse mapping provided by: 
   DAHA-01.NS.AOL.COM   152.163.159.233
   DAHA-02.NS.AOL.COM   205.188.157.233

jsage@finchhaven.com
Last modified: Fri Feb 22 14:54:23 2002