Kerio/scotty/wp/ms/subseven???

  1. #1
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424

    Kerio/scotty/wp/ms/subseven???

    I'm putting this in the Newbie section because I am

    I just reinstalled Windows (XP Pro)... did all the service packs/updates before connecting to the Internet... Scotty installed, MS anti-spyware, Kerio PF, Tauscan, S&D.... disabled Netbios... all that stuff.

    And this may be a retarded question, but why do I have this in my logs? Can't copy&paste from Kerio, but I have everything from BackdoorSubSeven DefCon 8.21 to Phasezero... every backdoor that's ever been invented, it's in those logs. POR QUE? Why? Waarom? Warum? Pourquoi? Trojan-this, trojan-that... all of them... class:succesul-user... QUE?

  2. #2
    Senior Member
    Join Date
    Dec 2004
    Posts
    320
    Using Kerio? Sounds like a bug. Is your Kerio up-to-date? Type (in a DOS shell) 'netstat -a' and see if any unusual ports are up/listening/established. If nothing but the usual is up (i.e., the loopbacks and www connections) then it is definitely a bug. If you see something like port 27374 (default Sub7 port) or 31337 (default Back Orifice port) open, then it is time to get worried. For now, I'd just recommend updating Kerio, or getting another firewall.
    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare
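
The check described in the post above, as an added example that is not part of the thread: it parses `netstat -an` output and reports only sockets that are actually listening on the two ports the post names, so an outbound connection that merely uses one of those numbers as its local port is not flagged. The sample output and the function name are constructed for illustration.

```python
import re

# Ports named in the post above as the Sub7 and Back Orifice defaults.
WATCH_PORTS = {27374: "Sub7 default", 31337: "Back Orifice default"}

# Constructed sample of Windows `netstat -an` output (not from the thread).
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:31337     203.0.113.5:80         ESTABLISHED
  TCP    192.168.1.10:1045      198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:31337          *:*
"""

# proto, local address, local port, foreign address, optional state
ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")

def suspicious_listeners(netstat_text):
    """Return (proto, local_addr, port, label) for listeners on watched ports."""
    findings = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, header or blank line
        proto, addr, port, _foreign, state = m.groups()
        port = int(port)
        # UDP rows carry no state column; a bound UDP socket is a listener.
        listening = state == "LISTENING" or (proto == "UDP" and state == "")
        if listening and port in WATCH_PORTS:
            findings.append((proto, addr, port, WATCH_PORTS[port]))
    return findings

if __name__ == "__main__":
    for proto, addr, port, label in suspicious_listeners(SAMPLE):
        print(f"{proto} listener on {addr}:{port} ({label})")
```

On a live machine the same function can be fed the text captured from `netstat -an` instead of the constructed sample.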

  3. #3
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,743
    Inbound traffic? Are you on a fixed IP (or at least a semi-fixed one)?
    I am assuming that Kerio blocked the traffic.
    How persistent are the incidents? Are these hammering at the door, or just passing bell ringers? What I am asking is: is there a pattern, i.e. port 1234, 129, 11234, 14789, 33000 etc., and repeating from the one IP.. someone hammering at the door.. the one to look into..
    or a scan from one IP, then another IP from random domains, but similar ports.. the passing doorbell ringer, worm activity.. some worms do scan various ports and a few firewalls will report them as the various trojans..

    Neg, is it possible to export the log to a txt file, or just browse to the Prog file dir and open in notebook..

    **** where have I got a machine with Kerio on it...

    Cheers
    "Consumer technology now exceeds the average persons ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr
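
The triage question asked in the post above, as an added example that is not part of the thread: given blocked inbound records, it separates a single source that keeps coming back across several ports ("hammering at the door") from a port probed once each by several unrelated sources (the "passing doorbell ringer"). The record layout, thresholds and addresses are constructed assumptions; this is not Kerio's real log format.

```python
from collections import defaultdict

# Constructed blocked-inbound records: (source IP, destination port).
# Ports for the first source are the ones used as an illustration in the post.
SAMPLE = [
    ("203.0.113.9", 1234), ("203.0.113.9", 129), ("203.0.113.9", 11234),
    ("203.0.113.9", 14789), ("203.0.113.9", 1234), ("203.0.113.9", 129),
    ("198.51.100.4", 27374), ("192.0.2.77", 27374), ("198.51.100.31", 27374),
    ("192.0.2.15", 31337),
]

def triage(records, port_threshold=3, source_threshold=3):
    """Group blocked connections into the two patterns the post describes."""
    ports_by_src = defaultdict(set)
    hits_by_src = defaultdict(int)
    srcs_by_port = defaultdict(set)
    for src, port in records:
        ports_by_src[src].add(port)
        hits_by_src[src] += 1
        srcs_by_port[port].add(src)

    # Hammering: one IP, several distinct ports, and it repeats itself.
    hammering = {}
    for src, ports in ports_by_src.items():
        repeated = hits_by_src[src] > len(ports)
        if len(ports) >= port_threshold and repeated:
            hammering[src] = sorted(ports)

    # Doorbell ringers: the same port probed by several different sources,
    # not counting sources already classed as hammering.
    doorbell = {}
    for port, srcs in srcs_by_port.items():
        others = srcs - set(hammering)
        if len(others) >= source_threshold:
            doorbell[port] = sorted(others)

    return {"hammering": hammering, "doorbell": doorbell}

if __name__ == "__main__":
    result = triage(SAMPLE)
    for src, ports in result["hammering"].items():
        print(f"look into {src}: repeated attempts on ports {ports}")
    for port, srcs in result["doorbell"].items():
        print(f"background scan on port {port} from {len(srcs)} sources")
```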

  4. #4
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    Don't know how to export the logs, but here's a screen shot...

  5. #5
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    Neg: I'm getting the exact same thing. At least it's dropping the traffic. Even stranger, I'm behind a hardware firewall/router.
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharoes have the slaves demanding work
    http://muaythaiscotland.com/

  6. #6
    Banned
    Join Date
    Aug 2001
    Location
    Yes
    Posts
    4,424
    I'm behind what you could call a firewall, too, I guess (Linksys wireless)

    What really bothers me is that this box is fresh... installed XP Pro on it, installed all service packs from CD, Kerio, WinPatrol, MS Anti-spyware, Spybot's Tea-timer - all from CD. I connect to the Internet and this stuff starts happening. It looks like it's isolated though (only happened once last night)...

  7. #7
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    Sounds like one of 2 things were happening, either there were a lot of scans going on last night that make sense since both of you were seeing issues.

    I would really hate to think that a firewall/IDS like Kerio would come up with false positives but it's a possibility.
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click here

  8. #8
    It looks like the "Script Kiddies" were out in full force last night as my logs also had a number of these type scans. Sounds like a kid found a prog and was hitting on different ip ranges.

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Neg:

    ROFLMAO.......www.whitehats.com.....

    Your box is just fine..... Something, possibly Kerio, is downloading the defs and info for all the different signatures up there on whitehats......

    Go kiss Mel for me and quit worrying.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  10. #10
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Internal loop backs???
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
