Sub Seven Attack

  1. #1

    Question Sub Seven Attack

    Ok folks, I need some education on this one.

    My SonicWALL log shows that a sub seven trojan attack was dropped. Can't say I've run into a sub seven attack before, but at least it didn't succeed. What do I need to know about this? Does this mean someone has targeted us, or rather is it the result of typical random scanning? Should I do anything other than just note its occurrence?

  2. #2
    Typical random scanning. Someone is looking for an infected computer with subseven.

    As long as you don't have sub7, and the firewall blocks it, no big deal.
    btw, it's a trojan, not an exploit.

  3. #3
    I said trojan, not exploit.

    Thanks for the answer, just wanted to check since that was new on me.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Was it an actual attack or was it a scan..... I have $5 says it was a scan for it. The problem with all these systems is that they "sensationalize" the issue. For example some guy scans your subnet for subseven on whatever the default port for that is..... All he's doing is sending a SYN to see if he gets a SYN/ACK back.... No SYN/ACK he moves on..... Now... Note.... It's a scan for a response on port x.... that's all. But your sonicwall has taken a scan, and because it is on a specific port, (SubSeven's default), it categorizes it as an attack.... Frankly that's BS.... It would be a tad more useful if it reacted when it saw the final ACK, then you could say an attack is taking place..... but then again, if that happened Sonicwall would sorta be telling you it sucked......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    But your sonicwall has taken a scan, and because it is on a specific port, (SubSeven's default), it categorizes it as an attack
    Exactly the issue, and that's indeed all it's telling me, so it's anybody's guess. My hunch, however, since it was dropped, is that surely it was a SYN and not a SYN/ACK. In any case, just wanted to be on the safe side.

    So, new terminology time, what exactly do "SYN" and "ACK" stand for anyway?

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    SYN: Synchronize
    SYN/ACK: Synchronize Acknowledged
    ACK: Acknowledged, (let's talk)

    It's kinda like military radio procedure..... Except different....

  7. #7
    Sorry bud, I didn't mean it as a correction. I was just making sure you knew what sub7 was. It would have to be on your system for the scan to be worth anything, but you already knew that. A remote exploit wouldn't need any type of server, in that case you would sorta have something to worry about.

  8. #8
    Member
    Join Date
    Mar 2003
    Posts
    90
    The SYN, ACK and SYN/ACK form the three-way handshake that computers use to identify and connect to each other. It is used in SYNflooding (or is it DOSing) by sending a high number of SYN requests to the target computer, which answers back with the SYN/ACK and waits some time for the SYN/ACK that's never coming. Due to the high numbers of requests the queue gets longer and eventually takes up the whole bandwidth.
    Anybody correct me if I'm wrong.
    "Great spirits always encounter strong opposition from mediocre minds."
    Albert Einstein
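
The distinction drawn in posts #4 and #8 (a lone SYN is a probe, a completed SYN, SYN/ACK, ACK exchange is a connection) can be checked against captured traffic. The following is an added example, not part of the thread and not SonicWALL's logic; the packet tuples are constructed sample data, the function names are hypothetical, and port 27374 is assumed as SubSeven's widely documented default since the thread does not state it.

```python
# Flags are simplified to "SYN", "SYN/ACK", "ACK"; real captures need a pcap parser.
SUBSEVEN_PORT = 27374  # assumption: widely documented default, not given in the thread

# Constructed sample traffic: (src_ip, src_port, dst_ip, dst_port, flags)
PACKETS = [
    # 1) SYN dropped at the firewall: nothing comes back
    ("203.0.113.9", 40001, "192.0.2.10", 27374, "SYN"),
    # 2) SYN answered by a listener, but the sender never completes the handshake
    ("203.0.113.9", 40002, "192.0.2.11", 27374, "SYN"),
    ("192.0.2.11", 27374, "203.0.113.9", 40002, "SYN/ACK"),
    # 3) Full three-way handshake: a connection to the port really exists
    ("203.0.113.9", 40003, "192.0.2.12", 27374, "SYN"),
    ("192.0.2.12", 27374, "203.0.113.9", 40003, "SYN/ACK"),
    ("203.0.113.9", 40003, "192.0.2.12", 27374, "ACK"),
]

VERDICT = {"SYN": "probe", "SYN/ACK": "answered", "ACK": "established"}


def classify_flows(packets, port):
    """Map (client_ip, client_port, server_ip) to how far the handshake got."""
    state = {}
    for src, sport, dst, dport, flags in packets:
        if dport == port and flags == "SYN":
            # First step; a retransmitted SYN must not reset a later state.
            state.setdefault((src, sport, dst), "SYN")
        elif sport == port and flags == "SYN/ACK":
            key = (dst, dport, src)  # reply travels server -> client
            if state.get(key) == "SYN":
                state[key] = "SYN/ACK"
        elif dport == port and flags == "ACK":
            key = (src, sport, dst)
            if state.get(key) == "SYN/ACK":  # only counts after a SYN/ACK
                state[key] = "ACK"
    return {flow: VERDICT[step] for flow, step in state.items()}


def hosts_with_listener(packets, port):
    """Internal hosts that answered on the port: the ones worth inspecting."""
    flows = classify_flows(packets, port)
    return sorted({dst for (_, _, dst), v in flows.items() if v != "probe"})


if __name__ == "__main__":
    for flow, verdict in classify_flows(PACKETS, SUBSEVEN_PORT).items():
        print(flow, verdict)
    print("inspect:", hosts_with_listener(PACKETS, SUBSEVEN_PORT))
```

A log entry like the one in post #1 corresponds to case 1; any host returned by `hosts_with_listener` answered on the port and is the case that deserves a closer look.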

  9. #9
    @ΜĮЙǐЅŦГǻţΩЯ D0pp139an93r's Avatar
    Join Date
    May 2003
    Location
    St. Petersburg, FL
    Posts
    1,696
    A SYN flood is a type of DOS attack.


    DoS is just any attack that denies use of a service or machine. My GF used a hammer to DoS my network after she discovered many gigs of pr0n.
    Real security doesn't come with an installer.

  10. #10
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    GF used a hammer to DoS my network after she discovered many gigs of pr0n.
    Now I'll challenge any firewall to defend against that.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
