<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<META content="MSHTML 6.00.2800.1264" name=GENERATOR>
<STYLE></STYLE>
</HEAD>
<BODY bgColor=#ffffff>
<DIV><FONT face=Arial size=2>Has anyone here captured any of this traffic? It
came up last week, but I didn't see anyone actually say they had a sample of the
traffic or a honeypot they let get infected. Someone has to have a sample or a
log they can share that has more detail than just blocking the attacker.
</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2><A
href="http://isc.incidents.org/port_details.html?port=27347">http://isc.incidents.org/port_details.html?port=27347</A></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>If you look at the table below you will see this is
something building that will explode soon. 11/01 - Saturday is low because it is
a weekend and fewer machines are on. The 11/02 - Sunday stats will be low as well,
I believe. On 10/25 and 10/26 you can see the same weekend dip. </FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2>If on 10/24 we have 389 sources, and on 10/31 there
are 709 sources, then we should be well over 1000 sources by next Friday. This
trend is concerning me because it could become very bad rapidly. I just don't want
us all to be caught off guard by whatever this is. Some people seem to think
it's a SubSeven trojan that has the port number flipped from 27374 to 27347, but
if it is, then someone has a delivery mechanism that is working very well if you
look at the table below, which goes from 7 hosts to 709 hosts on
Friday.</FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV>
<TABLE bgColor=#eeeeff border=1>
<TBODY>
<TR>
<TH>Date</TH>
<TH>Sources</TH>
<TH>Targets</TH>
<TH>Records</TH></TR>
<TR>
<TD><A
href="http://isc.incidents.org/port_report.html?date=2003-11-02">2003-11-02</A></TD>
<TD>33 </TD>
<TD>33399</TD>
<TD>33518</TD></TR>
<TR>
<TD><A
href="http://isc.incidents.org/port_report.html?date=2003-11-01">2003-11-01</A></TD>
<TD>456 </TD>
<TD>68165</TD>
<TD>320465</TD></TR>
<TR>
<TD><A
href="http://isc.incidents.org/port_report.html?date=2003-10-31">2003-10-31</A></TD>
<TD>709 </TD>
<TD>68764</TD>
<TD>323829</TD></TR>
<TR>
<TD><A
href="http://isc.incidents.org/port_report.html?date=2003-10-30">2003-10-30</A></TD>
<TD>699 </TD>
<TD>68522</TD>
<TD>658366</TD></TR>
<TR>
<TD><A
href="http://isc.incidents.org/port_report.html?date=2003-10-29">2003-10-29</A></TD>
<TD>580 </TD>
<TD>67878</TD>
<TD>802494</TD></TR>
<TR>
<TD><A
href="http://isc.incidents.org/port_report.html?date=2003-10-28">2003-10-28</A></TD>
<TD>356 </TD>
<TD>67157</TD>
<TD>1362930</TD></TR>
<TR>
<TD><A
href="http://isc.incidents.org/port_report.html?date=2003-10-27">2003-10-27</A></TD>
<TD>204 </TD>
<TD>67643</TD>
<TD>781985</TD></TR>
<TR>
<TD><A
href="http://isc.incidents.org/port_report.html?date=2003-10-26">2003-10-26</A></TD>
<TD>135 </TD>
<TD>733</TD>
<TD>7830</TD></TR>
<TR>
<TD><A
href="http://isc.incidents.org/port_report.html?date=2003-10-25">2003-10-25</A></TD>
<TD>216 </TD>
<TD>736</TD>
<TD>11622</TD></TR>
<TR>
<TD><A
href="http://isc.incidents.org/port_report.html?date=2003-10-24">2003-10-24</A></TD>
<TD>389 </TD>
<TD>1068</TD>
<TD>13989</TD></TR>
<TR>
<TD><A
href="http://isc.incidents.org/port_report.html?date=2003-10-23">2003-10-23</A></TD>
<TD>244 </TD>
<TD>328</TD>
<TD>2539</TD></TR>
<TR>
<TD><A
href="http://isc.incidents.org/port_report.html?date=2003-10-22">2003-10-22</A></TD>
<TD>7 </TD>
<TD>4</TD>
<TD>78</TD></TR></TBODY></TABLE></DIV>
<DIV><FONT face=Arial size=2><BR>--<BR>Joshua Levitsky, MCSE, CISSP<BR>System
Engineer<BR>Time Inc. Information Technology<BR>[5957 F27C 9C71 E9A7 274A 0447
C9B9 75A4 9B41 D4D1]<BR></FONT></DIV></BODY></HTML>