June 3rd, 2002, 03:23 PM
#1
Junior Member
Solve the puzzle....
I thought the following example might be a great learning example for
newbies...
So I'm hanging down at my buddy's house, and he's on his computer and
an alert goes off on his Norton Anti Virus/Firewall - whatever. If I
remember, the note in the Norton log was something to the effect of
'blocked trojan Sub7' and there were addresses from
where it was coming from.
I looked over the Norton log and it appears he's been 'attacked' over a period
of weeks by the same Subnet trojan coming from or through 3 different IP
addresses. All were blocked.
I plugged the three addresses into the 'R Whois' field over at
SamSpade.com and I got a ton of info, most of which I don't understand.
But it appears as far as I can read, that one of the IPs is a service
provider in Kentucky and the other is Bredband.com (Broadband
communication company in Sweden). I'm interested in computer security
and for me, this is a great 'whodunnit' mystery as well as a great learning
tool. I've got some clues here, but what do I do now?
Should he contact the Sysadmin at the addresses I've been able to
track and tell them someone's using them to send Sub7's?
How can the addresses be plugged into SamSpade to learn more?
What else should I look for when an attack comes in to his computer?
Is there a way a trap can be laid so that when the Sub7 attack comes
in, more information can be found?
I may not have enough info here, if not, just ask and I'll get whatever
you need from his Norton logs.