One possibility I have recently read refers to port 12345 also being used by TrendMicro's OfficeScan using 12345 (NetBus's port) to listen for updates. This product apparently has some major vuln. (check Bugtraq), so maybe these guys are scanning for Trend customers? What do the rest of you think?

Blevins

-----Original Message-----
From: Kev [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 22, 2002 12:17 PM
To: [EMAIL PROTECTED]
Subject: Netbus Trojan Scans seen in Dec/Jan

Hi there,

I am interested to know why we see so many incidents of the Netbus Trojan scans on the network around this time of year. We saw exactly the same on the network last year. Why this particular Trojan scan and not some other like Sub7 or BackOrifice? Is it just that Netbus is more popular with the script kiddies?

Also, approximately 80% of the source IPs trace back to ISPs in Korea. The ISP "Thrunet" tops the list. Again, we saw the same last year. Any particular reason why the majority come from Korea?

Emails re incidents to ISPs in Korea (and also China) very rarely receive a response in my experience, although I guess this may be attributed to the language factor.

Thanks in advance

Kev