-
March 11th, 2003, 05:27 PM
#1
Norton Firewall Help
Just wanted to know if I have a trojan horse on my computer and how do I get rid of it. Ever since I installed Norton Firewall, I get an intrusion attempt at least 5 times per day, from a range of IP addresses (here are a few examples):
Date: 11/03/2003 Time: 14:39:38
Intrusion attempt detected from address 213.54.73.26 by rule "Default Block Backdoor/SubSeven Trojan horse".
Blocked further access for 30 minutes.
Date: 11/03/2003 Time: 14:02:28
Intrusion attempt detected from address 213.54.73.26 by rule "Default Block Backdoor/SubSeven Trojan horse".
Blocked further access for 30 minutes.
Date: 11/03/2003 Time: 12:52:25
Intrusion attempt detected from address 213.54.73.26 by rule "Default Block Backdoor/SubSeven Trojan horse".
Blocked further access for 30 minutes.
Date: 10/03/2003 Time: 14:25:20
Intrusion attempt detected from address 217.120.249.181 by rule "Default Block Backdoor/SubSeven Trojan horse".
Blocked further access for 30 minutes.
Date: 05/03/2003 Time: 22:09:59
Intrusion attempt detected from address 213.54.89.2 by rule "Default Block Backdoor/SubSeven Trojan horse".
Blocked further access for 30 minutes.
Date: 05/03/2003 Time: 16:21:09
Intrusion attempt detected from address 213.54.88.169 by rule "Default Block Backdoor/SubSeven Trojan horse".
Blocked further access for 30 minutes.
I have run Trojan Remover, but that has said my system is fine - can anyone help me out?
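One way to read a log like the one in this post, as an added example that is not part of the original thread: group the alerts by source network and rule to see whether they come from one host or from many addresses in the same provider block. The entries are abridged from the excerpt above (the "Blocked further access" lines are omitted), and grouping on a /16 prefix is an assumption made for illustration, not the provider's real allocation.

```python
import re
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Entries abridged from the log excerpt in the post (dates are DD/MM/YYYY).
SAMPLE_LOG = '''\
Date: 11/03/2003 Time: 14:39:38
Intrusion attempt detected from address 213.54.73.26 by rule "Default Block Backdoor/SubSeven Trojan horse".
Date: 11/03/2003 Time: 14:02:28
Intrusion attempt detected from address 213.54.73.26 by rule "Default Block Backdoor/SubSeven Trojan horse".
Date: 10/03/2003 Time: 14:25:20
Intrusion attempt detected from address 217.120.249.181 by rule "Default Block Backdoor/SubSeven Trojan horse".
Date: 05/03/2003 Time: 22:09:59
Intrusion attempt detected from address 213.54.89.2 by rule "Default Block Backdoor/SubSeven Trojan horse".
Date: 05/03/2003 Time: 16:21:09
Intrusion attempt detected from address 213.54.88.169 by rule "Default Block Backdoor/SubSeven Trojan horse".
'''

ENTRY = re.compile(
    r'Date:\s*(\d{2}/\d{2}/\d{4})\s+Time:\s*(\d{2}:\d{2}:\d{2})\s+'
    r'Intrusion attempt detected from address (\S+) by rule "([^"]+)"')


def parse(log):
    """Yield (timestamp, source address, rule name) for each alert."""
    for date, clock, addr, rule in ENTRY.findall(log):
        stamp = datetime.strptime(f"{date} {clock}", "%d/%m/%Y %H:%M:%S")
        yield stamp, ip_address(addr), rule


def summarize(log, prefix=16):
    """Group alerts by source network (assumed /16) and collect the details."""
    nets = defaultdict(lambda: {"alerts": 0, "sources": set(), "rules": set()})
    for _stamp, addr, rule in parse(log):
        net = str(ip_network(f"{addr}/{prefix}", strict=False))
        nets[net]["alerts"] += 1
        nets[net]["sources"].add(str(addr))
        nets[net]["rules"].add(rule)
    return dict(nets)


if __name__ == "__main__":
    for net, info in sorted(summarize(SAMPLE_LOG).items()):
        print(net, info["alerts"], sorted(info["sources"]), sorted(info["rules"]))
```

Several different source addresses inside one block, all tripping the same rule, is the pattern of a sweep across an address range rather than of traffic tied to one particular machine.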
-
March 11th, 2003, 05:31 PM
#2
I don't think you are infected but rather that someone is attempting to connect to your machine via ports identified as SubSeven ports. You can try another one known as The Cleaner as a double-check.
If I were in your position, I'd find out who owns the IPs by visiting Sam Spade and finding out who their ISP is. Then send the ISP a complaint.
-
March 11th, 2003, 05:48 PM
#3
hmm, maybe it's just someone scanning for subseven hosts?
there are quite a few scripts for kids that scan for these trojan kits...
in fact you can find a pretty decent list of the trojans (and their default ports) >>
http://www.simovits.com/sve/nyhetsar...heter9902.html
http://www.google.com/search?q=Troja...utf-8&oe=utf-8
/edit
p213.54.88.169.tisdip.tiscali.de (213.54.88.169) is located in Amsterdam, Netherlands.
yeah, I'm gonna need that by friday...

-
March 11th, 2003, 05:53 PM
#4
looks like the IPs you've given are @home cable accounts. so it probably is some kiddies looking for installed sub7 servers to log onto. this is usually done by scanning an entire ip range for something listening on that port so if you're in the range that's being scanned you're going to record an intrusion attempt whether you have the sub7 server on your system or not. if you have good updated virus protection it's nothing to worry about. every AV is set to detect that toy. you could of course report them to their ISP: [email protected]
If you would rather not turn them in you can have some fun with them instead and possibly put an early end to their life of crime. write a batch file named netbus.bat:
call netstat -n >>letter.txt
@echo Ha ha I got you!
@echo mail sent [email protected] (or whatever law enforcement group handles things like this for you)
now get a copy of netcat and start it listening on port 12345 (or whatever port is being reported) and set it to run netcat.bat on connect like this:
nc -L -p12345 -enetbus.bat
this will record their ip address in letter.txt and print to their screen:
"Ha ha I got you"
mail sent [email protected]
or if you'd rather see what it is they're doing set netcat to record the commands they send like this:
nc -L -p12345 >>netbus.txt
every command passed will be recorded in netbus.txt
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
March 11th, 2003, 06:47 PM
#5
Thanks for the advice - I downloaded "The Cleaner" and ran that, but it came out clean again. I run Norton Antivirus 2002 & Norton Firewall continuously, and Trojan Remover say once a week, and I will set The Cleaner's tools to run every time I start the computer, think that will be OK?
It's just annoying more than anything, can anyone explain what this sub seven trojan is and what these "kiddies" can do if they find a computer with one on?
Thanks
Hey Ted, I would like to end their little "game" and totally mess them up, any chance of explaining what you mean step by step - cheers mate
-
March 11th, 2003, 06:52 PM
#6
Tedob1:
That is just plain mean... I love it!
Now do you have to start NC at every boot? Or, can you just place it in a batch file and have that startup too? I've read your NC tutorials, but haven't found time to play around with it yet.
/action bumps netcat to top of todo/tolearn list
ChrisWuk: Check out the tutorial forum for Tedob1's tutorials on netcat. I think there are two parts to it... but don't quote me on that.
-
March 11th, 2003, 06:53 PM
#7
SubSeven is a remote control application. It allows for complete control over a machine as well as potentially garnering personal information.
-
March 11th, 2003, 06:54 PM
#8
1st, for any of these trojans to work- your network has to be compromised... (this can also be done physically/in person) - the kid will infect your system/PC with the servers (sub7, bo2k, etc...) then the trojan will run (just like a telnet server) waiting for the kid to call back... when he/she does log into the sub7 servers, they will have all the rights/abilities that the infected user/pc has... if you'd like to know a lil more about this, i'm sure you could find something on Google.com
-
March 11th, 2003, 09:45 PM
#9
Don't worry about it too much, this is quite frequent stuff. Even more so if you're on broadband...
Since this morning at 8:00, I have 19 such "scans" logged... This goes on all the time...
I do agree that setting up netcat to log or report them is kinda cool
It's sort of the poorman's honeypot 
Ammo
Credit travels up, blame travels down -- The Boss
-
March 11th, 2003, 10:23 PM
#10
yeah phish it could even be placed in autoexec.bat and run every time you boot up...if you so desired.
ok m8 the first "intrusion attempt" will just be a scan recording any listening servers it finds. after a while they'll come back to investigate.
an NT bin of NetCat can be downloaded here: http://www.atstake.com/research/tool...ork_utilities/
put it in the path like in system32
netcat can be set to run a file every time it is connected to. a batch file is an executable, so open notepad and paste in:
call netstat -n >>letter.txt
@echo Ha ha I got you!
@echo mail sent [email protected]
save the file as netbus.bat in c:\
open a command prompt in c:\ and type in:
nc -L -p12345 -enetbus.bat
nc calls NetCat
-L = listen and keep on listening otherwise it would close after the first connection (-l)
-p = port number to listen on notice there is no space between the option and the argument
-e = execute a file when connected to
now i don't really know why this happens but it does, the output of the file you run gets sent to the client. you could of course have nc run any file so it could use a dos emailer if you included that in the bat file but we're just recording their connection doing a netstat with the output redirected to a text file. you could really do anything you wanted to them but i wouldn't recommend doing anything malicious as you'd be breaking more laws than they were.
(whatever you do don't make the file you run cmd.exe or everyone that connects will get a command prompt on your box....not good)
either report them, have fun with them or ignore them but don't break any laws or you'll go to jail quicker than they will. every judge can understand kids up to mischief but every one of those judges frowns on vigilantism for some reason.
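A log-only counterpart to the `nc -L -p12345 >>netbus.txt` variant described in the post above, as an added example that is not code from this thread or from netcat: it records who connected and a bounded, escaped sample of what they sent, and never executes anything or writes back to the client. The port 12345 comes from the post; the file name `probes.log`, the byte cap and the timeout are assumptions.

```python
import socket
import time

MAX_BYTES = 256      # assumed cap on how much of each probe is kept
READ_TIMEOUT = 3.0   # assumed seconds to wait for the client to send data


def record_probe(conn, peer, max_bytes=MAX_BYTES, timeout=READ_TIMEOUT):
    """Read at most max_bytes from one connection and return a log record.

    The received bytes are only stored: nothing is executed or echoed back.
    """
    conn.settimeout(timeout)
    try:
        data = conn.recv(max_bytes)
    except OSError:          # covers timeouts and connection resets
        data = b""
    finally:
        conn.close()
    # Escape control and non-ASCII bytes so a probe cannot forge log lines.
    safe = data.decode("latin-1").encode("unicode_escape").decode("ascii")
    return {"time": time.strftime("%Y-%m-%d %H:%M:%S"),
            "peer": peer[0], "port": peer[1], "data": safe}


def serve(port=12345, logfile="probes.log", bind="0.0.0.0"):
    """Accept connections one at a time and append one line per probe."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.bind((bind, port))
        srv.listen(5)
        while True:
            conn, peer = srv.accept()
            rec = record_probe(conn, peer)
            with open(logfile, "a") as fh:
                fh.write("{time} {peer}:{port} {data}\n".format(**rec))


if __name__ == "__main__":
    serve()
```

Because the listener only reads and closes, it avoids the risk the post warns about with `-e`, where whatever program is attached to the port runs for every stranger who connects.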