Solve the puzzle....

  1. #1
    Junior Member
    Join Date
    Apr 2002
    Posts
    10

    Solve the puzzle....

    I thought the following example might be a great learning example for newbies...

    So I'm hanging down at my buddy's house, and he's on his computer and an alert goes off on his Norton Anti Virus/Firewall - whatever. If I remember, the note in the Norton log was something to the effect of 'blocked trojan Sub7' and there were addresses it was coming from.

    I looked over the Norton log and it appears he's been 'attacked' over a period of weeks by the same Subnet trojan coming from or through 3 different IP addresses. All were blocked.

    I plugged the three addresses into the 'R Whois' field over at SamSpade.com and I got a ton of info, most of which I don't understand. But it appears, as far as I can read, that one of the IPs is a service provider in Kentucky and the other is Bredband.com (broadband communication company in Sweden). I'm interested in computer security and for me, this is a great 'whodunnit' mystery as well as a great learning tool. I've got some clues here, but what do I do now?

    Should he contact the sysadmin at the addresses I've been able to track and tell them someone's using them to send Sub7s?
    How can the addresses be plugged into SamSpade to learn more?
    What else should I look for when an attack comes in to his computer?
    Is there a way a trap can be laid so that when the Sub7 attack comes in, more information can be found?

    I may not have enough info here, if not, just ask and I'll get whatever you need from his Norton logs.

  2. #2
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    u could put up a sub7 honey pot, try a search on google.com
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharaohs have the slaves demanding work
    http://muaythaiscotland.com/

  3. #3
    Junior Member
    Join Date
    Apr 2002
    Posts
    10
    Prodikal,

    Thank you for taking the time to answer my post. I went over to Google and found this...

    http://www.groovyweb.uklinux.net/ind...ur%20enemy%203

    Which is a great resource for honeypots in general, and takes you to a million other honeypot related resources.

    Now, I have an awful lot of reading to do over the next few days for this topic, which I WILL do, but in the meantime, let me try to narrow this down a bit. Are there any programs out there primarily created to detect but mostly TRACK Sub7 attacks from their origin?

    Again, thanks for your help!

  4. #4
    AntiOnline Newbie
    Join Date
    Aug 2001
    Posts
    28
    http://packetstorm.decepticons.org/t.../00Sub7_20.zip

    00[Sub]7 - The Ultimate SubSeven Logging Tool. Sets up a fake sub7 server on the default port which can send all sorts of false information to the client. Homepage: http://www.rendo.dekooi.nl/~jeff/00Sub7.htm.

    i don't know if it will be any help, just another thing to look at.

  5. #5
    Senior Member
    Join Date
    Dec 2001
    Posts
    151
    or i guess you could just remove the server and get on with life...
    -[h3llbringer] is back, again.
    -MSN CLoNE.

  6. #6
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    well ur firewall logs the attack and u can use The Cleaner which is available at http://www.moosoft.com or Lock Down Millennium Pro (can't remember the url), just try google again. that detects over 200 trojans but u need 2 buy the programme for it 2 remove them, hope this is some help 2 u

  7. #7
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    i meant 2000 trojans

  8. #8
    Senior Member
    Join Date
    Aug 2001
    Posts
    485
    If you are sure that you have the correct IP address for where the attack is originating from, then emailing the sysadmin is a good idea. Setting up a honeypot may help you further here, as when you detect an attack, you can trace it back.
    In the past I have recorded attacks originating from large companies, which I am fairly sure in some cases was due to their server having been compromised. Sometimes you receive a vague response stating something along the lines of "we had a minor technical problem, which has now been corrected" ....... Hmmm.
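An added example, not from the thread: a small Python triage script in the spirit of posts #1 and #8 that groups blocked inbound attempts by source IP, so you can see which sources recur (and over what span) before emailing a sysadmin. The log line format and the sample lines are constructed for this example; Norton's real log layout is not reproduced on the page.

```python
import re
from datetime import datetime

SUB7_DEFAULT_PORT = 27374  # Sub7's well-known default server port (real value, not from the thread)

# Constructed log format (an assumption, not Norton's real format):
#   "<date> <time> <action> <proto> <src_ip>:<src_port> -> <dst_port> <label>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dport>\d+) (?P<label>\S+)$"
)

# Constructed sample lines using RFC 5737 documentation addresses, not the poster's real log.
SAMPLE_LOG = """\
2002-04-01 21:14:03 BLOCKED TCP 192.0.2.10:3117 -> 27374 Trojan:Sub7
2002-04-03 19:02:51 BLOCKED TCP 192.0.2.10:4020 -> 27374 Trojan:Sub7
2002-04-05 22:40:12 BLOCKED TCP 198.51.100.7:1080 -> 27374 Trojan:Sub7
2002-04-09 20:11:45 BLOCKED TCP 203.0.113.44:2222 -> 27374 Trojan:Sub7
2002-04-12 23:55:08 BLOCKED TCP 192.0.2.10:1337 -> 27374 Trojan:Sub7
2002-04-12 23:58:30 BLOCKED TCP 203.0.113.44:2223 -> 1433 Probe:MSSQL
"""

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["dport"] = int(rec["dport"])
    return rec

def summarize(log_text):
    """Group BLOCKED attempts by source IP: hit count, first/last seen, ports targeted."""
    by_src = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "BLOCKED":
            continue  # unparseable or non-blocked lines are skipped, not fatal
        s = by_src.setdefault(rec["src"], {"hits": 0, "first": rec["ts"], "last": rec["ts"], "ports": set()})
        s["hits"] += 1
        s["first"], s["last"] = min(s["first"], rec["ts"]), max(s["last"], rec["ts"])
        s["ports"].add(rec["dport"])
    return by_src

def report_candidates(by_src, min_hits=2):
    """Sources seen min_hits or more times are worth an abuse report; one-off probes are usually noise."""
    return sorted(ip for ip, s in by_src.items() if s["hits"] >= min_hits)
```

The source that keeps coming back over eleven days is the one to raise with its provider's abuse contact, together with the timestamps (and your time zone) so they can match it against their own records.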
