Norton Firewall Help

Thread: Norton Firewall Help

  1. #1
    Banned
    Join Date
    Oct 2002
    Posts
    121

    Norton Firewall Help

    Just wanted to know if I have a trojan horse on my computer and how do I get rid of it. Ever since I installed Norton Firewall, I get an intrusion attempt at least 5 times per day, from a range of IP addresses (here are a few examples):


    Date: 11/03/2003 Time: 14:39:38
    Intrusion attempt detected from address 213.54.73.26 by rule "Default Block Backdoor/SubSeven Trojan horse".
    Blocked further access for 30 minutes.


    Date: 11/03/2003 Time: 14:02:28
    Intrusion attempt detected from address 213.54.73.26 by rule "Default Block Backdoor/SubSeven Trojan horse".
    Blocked further access for 30 minutes.

    Date: 11/03/2003 Time: 12:52:25
    Intrusion attempt detected from address 213.54.73.26 by rule "Default Block Backdoor/SubSeven Trojan horse".
    Blocked further access for 30 minutes.

    Date: 10/03/2003 Time: 14:25:20
    Intrusion attempt detected from address 217.120.249.181 by rule "Default Block Backdoor/SubSeven Trojan horse".
    Blocked further access for 30 minutes.


    Date: 05/03/2003 Time: 22:09:59
    Intrusion attempt detected from address 213.54.89.2 by rule "Default Block Backdoor/SubSeven Trojan horse".
    Blocked further access for 30 minutes.

    Date: 05/03/2003 Time: 16:21:09
    Intrusion attempt detected from address 213.54.88.169 by rule "Default Block Backdoor/SubSeven Trojan horse".
    Blocked further access for 30 minutes.


    I have run Trojan Remover, but that has said my system is fine - can anyone help me out?
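Added example (not part of the original post): a short Python script that parses alert entries in the format quoted above and summarises them per source address, per /16 network, and by the shortest gap between repeat alerts from one address. The sample entries are the ones from the post with the "Blocked further access" line left out; the function names and the day-first date reading are assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_network

RULE = '"Default Block Backdoor/SubSeven Trojan horse"'
# Entries from the post above; the "Blocked further access" line is omitted.
SAMPLE_LOG = f"""\
Date: 11/03/2003 Time: 14:39:38
Intrusion attempt detected from address 213.54.73.26 by rule {RULE}.
Date: 11/03/2003 Time: 14:02:28
Intrusion attempt detected from address 213.54.73.26 by rule {RULE}.
Date: 11/03/2003 Time: 12:52:25
Intrusion attempt detected from address 213.54.73.26 by rule {RULE}.
Date: 10/03/2003 Time: 14:25:20
Intrusion attempt detected from address 217.120.249.181 by rule {RULE}.
Date: 05/03/2003 Time: 22:09:59
Intrusion attempt detected from address 213.54.89.2 by rule {RULE}.
Date: 05/03/2003 Time: 16:21:09
Intrusion attempt detected from address 213.54.88.169 by rule {RULE}.
"""

# Assumption: dates are day-first (dd/mm/yyyy).
ENTRY_RE = re.compile(
    r'Date:\s*(\d{2}/\d{2}/\d{4})\s+Time:\s*(\d{2}:\d{2}:\d{2})\s+'
    r'Intrusion attempt detected from address\s+(\d{1,3}(?:\.\d{1,3}){3})'
    r'\s+by rule\s+"([^"]+)"')

def parse_alerts(text):
    """Return (timestamp, source_ip, rule) tuples, oldest first."""
    alerts = []
    for date, time, ip, rule in ENTRY_RE.findall(text):
        when = datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M:%S")
        alerts.append((when, ip, rule))
    return sorted(alerts)

def summarise(alerts):
    """Count alerts per source and per /16; find the shortest repeat gap (minutes)."""
    per_source = Counter(ip for _, ip, _ in alerts)
    per_net16 = Counter(str(ip_network(f"{ip}/16", strict=False)) for _, ip, _ in alerts)
    min_gap, last_seen = {}, {}
    for when, ip, _ in alerts:
        if ip in last_seen:
            gap = (when - last_seen[ip]).total_seconds() / 60
            min_gap[ip] = min(gap, min_gap.get(ip, gap))
        last_seen[ip] = when
    return per_source, per_net16, min_gap

if __name__ == "__main__":
    for part in summarise(parse_alerts(SAMPLE_LOG)):
        print(dict(part))
```

Every entry is an inbound connection that the firewall blocked, and the repeat alerts from 213.54.73.26 are more than 30 minutes apart, which is consistent with the same host probing again after each 30-minute block ran out.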

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    I don't think you are infected but rather that someone is attempting to connect to your machine via ports identified as SubSeven ports. You can try another one known as The Cleaner as a double-check.

    If I were in your position, I'd find out who owns the IPs by visiting Sam Spade and finding out who their ISP is. Then send the ISP a complaint.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    hmm, maybe it's just someone scanning for subseven hosts?
    there are quite a few scripts for kids that scan for these trojan kits...
    in fact you can find a pretty decent list of the trojans (and their default ports) >>
    http://www.simovits.com/sve/nyhetsar...heter9902.html
    http://www.google.com/search?q=Troja...utf-8&oe=utf-8

    /edit
    p213.54.88.169.tisdip.tiscali.de (213.54.88.169) is located in Amsterdam, Netherlands.
    yeah, I'm gonna need that by friday...

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    looks like the IPs you've given are @home cable accounts. so it probably is some kiddies looking for installed sub7 servers to log onto. this is usually done by scanning an entire ip range for something listening on that port, so if you're in the range that's being scanned you're going to record an intrusion attempt whether you have the sub7 server on your system or not. if you have good updated virus protection it's nothing to worry about. every AV is set to detect that toy. you could of course report them to their ISP: abuse@home.nl

    If you would rather not turn them in you can have some fun with them instead and possibly put an early end to their life of crime. write a batch file named netbus.bat:

    call netstat -n >>letter.txt
    @echo Ha ha I got you!
    @echo mail sent agent741@fbi.gov (or whatever law enforcement group handles things like this for you)

    now get a copy of netcat and start it listening on port 12345 (or whatever port is being reported) and set it to run netcat.bat on connect like this:

    nc -L -p12345 -enetbus.bat

    this will record their ip address in letter.txt and print to their screen:
    "Ha ha I got you"
    mail sent agent741@fbi.gov

    or if you'd rather see what it is they're doing set netcat to record the commands they send like this:

    nc -L -p12345 >>netbus.txt

    every command passed will be recorded in netbus.txt
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    Banned
    Join Date
    Oct 2002
    Posts
    121
    Thanks for the advice - I downloaded "The Cleaner" and ran that, but it came out clean again. I run Norton Antivirus 2002 & Norton Firewall continuously, and Trojan Remover say once a week, and I will set The Cleaner's tools to run every time I start the computer, think that will be OK????

    It's just annoying more than anything, can anyone explain what this sub seven trojan is and what these "kiddies" can do if they find a computer with one on?

    Thanks


    Hey Ted, I would like to end their little "game" and totally mess them up, any chance of explaining what you mean step by step - cheers m8

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Tedob1:

    That is just plain mean... I love it!

    Now do you have to start NC at every boot? Or, can you just place it in a batch file and have that startup too? I've read your NC tutorials, but haven't found time to play around with it yet.

    /action bumps netcat to top of todo/tolearn list

    ChrisWuk: Check out the tutorial forum for Tedob1's tutorials on netcat. I think there are two parts to it... but don't quote me on that.

  7. #7
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    SubSeven is a remote control application. It allows for complete control over a machine as well as potentially garnering personal information.

  8. #8
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    1st, for any of these trojans to work- your network has to be compromised... (this can also be done physically/in person) - the kid will infect your system/PC with the servers (sub7, bo2k, etc...) then the trojan will run (just like a telnet server) waiting for the kid to call back... when he/she does log into the sub7 servers, they will have all the rights/abilities that the infected user/pc has... if you'd like to know a lil more about this, i'm sure you could find something on Google.com

  9. #9
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Don't worry about it too much, this is quite frequent stuff. Even more so if you're on broadband...
    Since this morning at 8:00, I have 19 such "scans" logged... This goes on all the time...

    I do agree that setting up netcat to log or report them is kinda cool.
    It's sort of the poor man's honeypot.

    Ammo
    Credit travels up, blame travels down -- The Boss

  10. #10
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    yeah phish it could even be placed in autoexec.bat and run every time you boot up...if you so desired.

    ok m8 the first "intrusion attempt" will just be a scan recording any listening servers it finds. after a while they'll come back to investigate.

    an NT bin of NetCat can be downloaded here: http://www.atstake.com/research/tool...ork_utilities/

    put it in the path like in system32

    netcat can be set to run a file every time it is connected to. a batch file is an executable, so open Notepad and paste in:

    call netstat -n >>letter.txt
    @echo Ha ha I got you!
    @echo mail sent agent741@fbi.gov

    save the file as netbus.bat in c:\

    open a command prompt in c:\ and type in:

    nc -L -p12345 -enetbus.bat

    nc calls NetCat

    -L = listen and keep on listening otherwise it would close after the first connection (-l)

    -p = port number to listen on; notice there is no space between the option and the argument

    -e = execute a file when connected to

    now i don't really know why this happens but it does, the output of the file you run gets sent to the client. you could of course have nc run any file so it could use a dos emailer if you included that in the bat file, but we're just recording their connection doing a netstat with the output redirected to a text file. you could really do anything you wanted to them but i wouldn't recommend doing anything malicious as you'd be breaking more laws than they were.

    (whatever you do don't make the file you run cmd.exe or everyone that connects will get a command prompt on your box....not good)

    either report them, have fun with them or ignore them but don't break any laws or you'll go to jail quicker than they will. every judge can understand kids up to mischief but every one of those judges frowns on vigilantism for some reason.
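Added example (not code from any poster in this thread): the "poor man's honeypot" discussed above as a Python listener that only records who connected and the first bytes they sent. It never runs a program on connect, so the cmd.exe risk noted in the last post does not arise; the function names and the `probes.log` file name are assumptions, and port 12345 is the one used in the thread.

```python
import socket
from datetime import datetime, timezone

def open_listener(host, port):
    """Bind and listen on host:port (port 0 lets the OS pick a free port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(5)
    return sock

def serve(sock, on_record, max_conns=None, max_bytes=256, timeout=5.0):
    """Record each connection's source and first bytes; send nothing, run nothing."""
    handled = 0
    while max_conns is None or handled < max_conns:
        conn, (src_ip, src_port) = sock.accept()
        with conn:
            conn.settimeout(timeout)      # do not let a silent client hold the loop
            try:
                data = conn.recv(max_bytes)   # bounded read of what the client sent
            except OSError:               # timeout or reset: still log the connect
                data = b""
        on_record({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "src": src_ip,
            "sport": src_port,
            "data": data,
        })
        handled += 1

def format_record(rec):
    """One log line per probe; repr() keeps control bytes from corrupting the log."""
    return f'{rec["time"]} {rec["src"]}:{rec["sport"]} {rec["data"]!r}'

def append_to_file(path):
    """Return a callback that appends formatted records to path."""
    def write(rec):
        with open(path, "a", encoding="utf-8") as fh:
            fh.write(format_record(rec) + "\n")
    return write

if __name__ == "__main__":
    # 12345 is the port from the thread; probes.log is a hypothetical file name.
    serve(open_listener("0.0.0.0", 12345), append_to_file("probes.log"))
```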
