-
June 3rd, 2002, 03:23 PM
#1
Junior Member
Solve the puzzle....
I thought the following example might be a great learning example for
newbies...
So I'm hanging down at my buddy's house, and he's on his computer and
an alert goes off on his Norton Anti Virus/Firewall - whatever. If I
remember, the note in the Norton log was something to the effect of
'blocked trojan Sub7' and there were addresses showing
where it was coming from.
I looked over the Norton log and it appears he's been 'attacked' over a period
of weeks by the same Subnet trojan coming from or through 3 different IP
addresses. All were blocked.
I plugged the three addresses into the 'R Whois' field over at
SamSpade.com and I got a ton of info, most of which I don't understand.
But it appears, as far as I can read, that one of the IPs is a service
provider in Kentucky and the other is Bredband.com (a broadband
communication company in Sweden). I'm interested in computer security
and for me, this is a great 'whodunnit' mystery as well as a great learning
tool. I've got some clues here, but what do I do now?
Should he contact the Sysadmin at the addresses I've been able to
track and tell them someone's using them to send Sub7's?
How can the addresses be plugged into SamSpade to learn more?
What else should I look for when an attack comes in to his computer?
Is there a way a trap can be laid so that when the Sub7 attack comes
in, more information can be found?
I may not have enough info here, if not, just ask and I'll get whatever
you need from his Norton logs.
-
June 3rd, 2002, 03:26 PM
#2
You could put up a Sub7 honeypot; try a search on google.com.
By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
The 20th century pharaohs have the slaves demanding work
http://muaythaiscotland.com/
-
June 3rd, 2002, 10:07 PM
#3
Junior Member
Prodikal,
Thank you for taking the time to answer my post. I went over to Google and found this...
http://www.groovyweb.uklinux.net/ind...ur%20enemy%203
Which is a great resource for honeypots in general, and takes you to a million other honeypot related resources.
Now, I have an awful lot of reading to do over the next few days for this topic, which I WILL do, but in the meantime, let me try to narrow this down a bit. Are there any programs out there primarily created to detect but mostly TRACK Sub7 attacks from their origin?
Again, thanks for your help!
-
June 3rd, 2002, 11:00 PM
#4
http://packetstorm.decepticons.org/t.../00Sub7_20.zip
00[Sub]7 - The Ultimate SubSeven Logging Tool. Sets up a fake sub7 server on the default port which can send all sorts of false information to the client. Homepage: http://www.rendo.dekooi.nl/~jeff/00Sub7.htm.
I don't know if it will be any help, just another thing to look at.
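The tool described in the post above works by listening on the port a Sub7 client expects and recording whoever connects. A defender's version of the same idea is a listener that accepts the connection, logs the source address, time and the first bytes sent, and then hangs up without ever replying, so it yields evidence for an abuse report while behaving nothing like the real trojan. The code below is an added example, not the 00[Sub]7 tool or any code from the thread; the default port 27374 is the widely documented SubSeven 2.x default, and the record layout, the `probe` helper and the class names are this example's own assumptions.

```python
import socket
import socketserver
import threading
import time
from datetime import datetime, timezone

# SubSeven 2.x's well-known default listening port, the one a scanner looking for an
# installed Sub7 server would probe; treated as an assumption for this example.
SUB7_DEFAULT_PORT = 27374


class ConnectionLog:
    """Thread-safe list of connection records collected by the listener."""

    def __init__(self):
        self._lock = threading.Lock()
        self.records = []

    def add(self, record):
        with self._lock:
            self.records.append(record)

    def by_source(self):
        """Count probes per source IP, the view you would hand to an abuse contact."""
        counts = {}
        with self._lock:
            for r in self.records:
                counts[r["src_ip"]] = counts.get(r["src_ip"], 0) + 1
        return counts


class ProbeLogger(socketserver.BaseRequestHandler):
    """Accept, record who connected and what they sent first, then close.
    Nothing is ever sent back, so the listener cannot be mistaken for a real server."""

    def handle(self):
        self.request.settimeout(2.0)
        try:
            data = self.request.recv(256)
        except (socket.timeout, ConnectionError):
            data = b""
        src_ip, src_port = self.client_address[:2]
        self.server.log.add({
            "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "src_ip": src_ip,
            "src_port": src_port,
            "dst_port": self.server.server_address[1],
            "first_bytes": data[:64].hex(),  # hex so binary probes are safe to print
        })


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, address, log):
        super().__init__(address, ProbeLogger)
        self.log = log


def start_honeypot(host="127.0.0.1", port=SUB7_DEFAULT_PORT):
    """Start the listener in a background thread and return (server, log)."""
    log = ConnectionLog()
    server = Honeypot((host, port), log)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, log


def probe(server, payload=b"", wait=3.0):
    """Connect to our own listener the way a client would, send payload, and wait
    for the record to appear. Exists only for the stand-alone demo and self-check."""
    before = len(server.log.records)
    with socket.create_connection(server.server_address, timeout=2.0) as s:
        if payload:
            s.sendall(payload)
    deadline = time.monotonic() + wait
    while time.monotonic() < deadline:
        if len(server.log.records) > before:
            return server.log.records[-1]
        time.sleep(0.05)
    return None


if __name__ == "__main__":
    # Port 0 lets the OS pick a free port for the demo; use SUB7_DEFAULT_PORT to watch for real probes.
    server, log = start_honeypot(port=0)
    print("listening on", server.server_address)
    print(probe(server, b"constructed probe"))
    print(log.by_source())
    server.shutdown()
    server.server_close()
```

Run on the default port, the log fills with exactly the source addresses and timestamps the firewall alert omitted, and `by_source()` gives the per-address count that distinguishes a one-off scan from the repeat visitor in the original post.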
-
June 3rd, 2002, 11:39 PM
#5
Senior Member
or i guess you could just remove the server and get on with life...
-
June 3rd, 2002, 11:56 PM
#6
Well, your firewall logs the attack, and you can use The Cleaner, which is available at http://www.moosoft.com, or Lockdown Millennium Pro (can't remember the URL); just try Google again. That detects over 200 trojans, but you need to buy the program for it to remove them. Hope this is some help to you.
-
June 3rd, 2002, 11:58 PM
#7
-
June 4th, 2002, 05:08 AM
#8
If you are sure that you have the correct IP address for where the attack is originating from, then emailing the sysadmin is a good idea. Setting up a honeypot may help you further here, as when you detect an attack, you can trace it back.
In the past I have recorded attacks originating from large companies, which I am fairly sure in some cases was due to their server having been compromised. Sometimes you receive a vague response stating something along the lines of "we had a minor technical problem, which has now been corrected" ....... Hmmm.