July 12th, 2003, 09:21 PM
I have Norton 2003 firewall/virus scan (always updated), a Linksys router, and The Cleaner, all of which seem to be configured correctly.
Norton alerted me that there was an intrusion attempt made to port 3000-something (I forget),
and that it had blocked it. The culprit was the SubSeven trojan horse.
I then checked my registry to see if entries were made (run services).
I checked netstat... nothing... and did a virus scan.
I didn't think that I had opened any mail with the trojan in it (SubSeven).
Anyway, I guess my question is: what happened here? Was this an attempt to deploy the SubSeven server on my machine by someone? And if that's the case, it would seem this person knows what they are doing? How did they get by my router? Any help would be great...
Thanks in advance.
July 12th, 2003, 09:40 PM
This probably means someone tried to connect to your system with a SubSeven client. If your system isn't running a SubSeven server then this was moot on the part of the attacker, as there is nothing to connect to.
Another thing that annoys me about application-level filtering firewalls (ZA, Norton, Sygate, etc.) is that, as far as firewalls go, they are the worst of the worst. Why is this? Because all the effort on the part of their developers seems to have been focused on letting the user know what they were "protected" from and not on actually protecting the system. (All spin, no real value.)
As for your router, I am not familiar with that particular router, but unless it has filtering ACLs and you configured them, it will simply do its primary job of routing, aka not "protecting" you. The Linksys routers, I suspect, ship in the most functional, that is, least restricted, configuration.
Use netstat and your component manager to see what services you are running; now disable or filter those and don't worry about the zillions of "attacks" told to you by Norton.
July 12th, 2003, 11:18 PM
Scanners attempt to make a connection on a given port to see if a service is running. These scans will show up as an intrusion attempt whether you have that service running or not, simply because an attempt to connect is made. This does not imply that there is a service sitting on that port waiting for a connection.
It's very common for SKs to scan a group of IP addresses to see if they can find a box that is infected. As I said above, the scanner attempts to make a connection to see if the trojan they are looking for is there. If no connection is made, the scanner moves on to the next IP address.
I guess what I'm trying to say is it's nothing to worry about.
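As an added example (not posted by anyone in this thread): the check the replies above describe, comparing the port named in a firewall alert with what netstat reports as listening. It assumes Windows `netstat -an` output; the sample output, addresses and alert ports are constructed.

```python
# Added example: compare firewall-alert ports against `netstat -an` output.
# All sample data below is constructed, not taken from the thread.

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.100:139      0.0.0.0:0              LISTENING
  TCP    192.168.1.100:1045     203.0.113.10:80        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
  UDP    0.0.0.0:1900           *:*
"""

def listening_ports(netstat_text):
    """Return {(proto, port)} for sockets that accept inbound traffic."""
    open_ports = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].upper() not in ("TCP", "UDP"):
            continue  # banner, column header and blank lines
        proto = fields[0].upper()
        # rsplit keeps IPv6 literals such as [::]:445 intact
        port_text = fields[1].rsplit(":", 1)[-1]
        if not port_text.isdigit():
            continue
        # TCP must be LISTENING; a bound UDP socket has no state column
        if proto == "UDP" or fields[-1].upper() == "LISTENING":
            open_ports.add((proto, int(port_text)))
    return open_ports

def triage(alerts, netstat_text):
    """Classify each (proto, port) alert as a closed-port probe or not."""
    open_ports = listening_ports(netstat_text)
    result = {}
    for proto, port in alerts:
        if (proto.upper(), port) in open_ports:
            result[(proto, port)] = "listening: identify the owning process"
        else:
            result[(proto, port)] = "closed: probe had nothing to connect to"
    return result

if __name__ == "__main__":
    alerts = [("TCP", 31000), ("TCP", 139)]  # constructed alert ports
    for alert, verdict in triage(alerts, SAMPLE_NETSTAT).items():
        print(alert, "->", verdict)
```

An alert that lands in the "closed" bucket is the scan noise described above; one in the "listening" bucket is the case worth disabling or filtering.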
July 13th, 2003, 01:12 AM
Thanks a lot for answering my questions...