Sub Seven Attack

***AngelicKnight*** · May 25th, 2004, 10:06 PM

Ok folks, I need some education on this one.

My SonicWALL log shows that a sub seven trojan attack was dropped. Can't say I've run into a sub seven attack before, but at least it didn't succeed. What do I need to know about this? Does this mean someone has targeted us, or rather is it the result of typical random scanning? Should I do anything other than just note its occurance?

***Soda_Popinsky*** · May 25th, 2004, 10:15 PM

Typical random scanning. Someone is looking for a infected computer with subseven.

As long as you don't have sub7, and the firewall blocks it, no big deal.

btw, it's a trojan, not a exploit.

***AngelicKnight*** · May 25th, 2004, 10:17 PM

I said trojan, not exploit.

Thanks for the answer, just wanted to check since that was new on me.

***Tiger Shark*** · May 25th, 2004, 10:19 PM

Was it an actual attack or was it a scan..... I have $5 says it was a scan for it. The problem with all these systems is that thet "sensationalize" the issue. For example some guys scans your subnet for subseven on whatever the default port for that is..... All he's doing is sending a SYN to see if he gets a SYN/ACK back.... No SYN/ACK he moves on..... Now... Note.... It's a scan for a response on port x.... that's all. But your sonicwall has taken a scan, and because it is on a specific port, (SubSeven's default), it categorizes it as an attack.... Frankly that's BS.... It would be a tad more useful if it reacted when it saw the final ACK, then you could say an attack is taking place..... but then again, if that happened Sonicwall would sorta be telling you it sucked......

***AngelicKnight*** · May 25th, 2004, 10:25 PM

But your sonicwall has taken a scan, and because it is on a specific port, (SubSeven's default), it categorizes it as an attack

Exactly the issue, and that's indeed all it's telling me, so it's anybody's guess. My hunch, however, since it was dropped, is that surely is was a SYN and not a SYN/ACK. In any case, just wanted to be on the safe side.

So, new terminology time, what exactly does "SYN" and "ACK" stand for anyway?

***Tiger Shark*** · May 25th, 2004, 10:42 PM

SYN: Synchronize
SYN/ACK: Synchronize Acknowledged
ACK: Acknowledged, (let's talk)

It's kinda like military radio procedure..... Except different....

***Soda_Popinsky*** · May 25th, 2004, 11:25 PM

Sorry bud, I didn't mean it as a correction. I was just making sure you knew what sub7 was. It would have to be on your system for the scan to be worth anything, but you already knew that. An remote exploit wouldn't need any type of server, in that case you would sorta have something to worry about.

**vercetti** · May 25th, 2004, 11:41 PM

The SYN, ACK and SYN/ACK form the three-way habdshake that computers use to identify and connect to each other. It is used in SYNflooding (or is it DOSing) by sending high number of SYN requests to the target computer, which answers back with the SYN/ACK and waits some time for the SYN/ACK that's never coming. Due to the high numbers of requests the queue gets longer and eventually takes up the whole bandwidth.
Anybody correct me if I'm wrong.

***D0pp139an93r*** · May 26th, 2004, 12:00 AM

A SYN flood is a type of DOS attack.

DoS is just any attack that deny's use of a service or machine. My GF used a hammer to DoS my network after she discovered many gigs of pr0n.

***jinxy*** · May 26th, 2004, 12:22 AM

GF used a hammer to DoS my network after she discovered many gigs of pr0n.

Now i'll challenge any firewall to defende against that.

Thread: Sub Seven Attack

Thread Tools

Display

Sub Seven Attack

Posting Permissions