Advertisement
If you have a new account but are having problems posting or verifying your account, please email us on hello@boards.ie for help. Thanks :)
Hello all! Please ensure that you are posting a new thread or question in the appropriate forum. The Feedback forum is overwhelmed with questions that are having to be moved elsewhere. If you need help to verify your account contact hello@boards.ie
Hi there,
There is an issue with role permissions that is being worked on at the moment.
If you are having trouble with access or permissions on regional forums please post here to get access: https://www.boards.ie/discussion/2058365403/you-do-not-have-permission-for-that#latest

I think my ISP tried to use a SubSeven Trojan on my system

  • 25-06-2001 12:36am
    #1
    Closed Accounts Posts: 1,322 ✭✭✭


    Guys,

    I am not too well up on the practices of hacking etc. But I do know the fundamentals of comp. networks and all that. Just a few mins ago my ISP (IOL) tried a SubSeven port probe on my system. Luckily for me I am running some security software that gave me all the details of the hack attempt (IP, DNS, Node, Group, and even MAC address) of the origin.

    When I asked my security software, what the **** happened.

    It said:
    Somebody has tried to access your machine with the "SubSeven Trojan Horse" and failed.

    Can anyone shed any light on the subject as to why my ISP would do such a thing. I know it was only a port probe, but why that port?, what interest would that have in SubSeven that is not illegal.

    Also over the past number of days I have recorded my ISP do a:
    TCP OS Fingerprint (To find out my OS!)
    Telnet port probe
    Net BIOS port probe (Is there any other reason apart from checking to see if I had file or print sharing enabled, that they would probe that port).

    I just find it all too suspicious, and will remain to monitor and log future activities.

    What do u think??

    ;-phobos-)


Comments

  • Closed Accounts Posts: 2,682 ✭✭✭chernobyl


    it was probably some script kiddy doing a scan and your ip was in the range specified.

    Britany Spears Looking incredible


  • Registered Users, Registered Users 2 Posts: 6,265 ✭✭✭MiCr0


    post up the actual details?


  • Closed Accounts Posts: 611 ✭✭✭Gladiator


    tehy areways do that, their just port scaning your system, i dont know why but they do


  • Closed Accounts Posts: 28 teac!


    <font face="Verdana, Arial" size="2">Originally posted by phobos:


    Somebody has tried to access your machine with the "SubSeven Trojan Horse" and failed.

    Can anyone shed any light on the subject as to why my ISP would do such a thing. I know it was only a port probe, but why that port?, what interest would that have in SubSeven that is not illegal.

    Also over the past number of days I have recorded my ISP do a:
    TCP OS Fingerprint (To find out my OS!)
    Telnet port probe
    Net BIOS port probe (Is there any other reason apart from checking to see if I had file or print sharing enabled, that they would probe that port).
    </font>

    NetBIOS probes on port 137 are harmless, and are probably the result of NetBIOS broadcasts. I'm not aware of this SubSeven package but needless to say, it's not comprehensive. It seems to take a maximist extreme, and insodoing, causes probes on ports you know very little information about to get you paranoid.

    A Telnet port probe? How do you know these are being directed from your ISP?
    Phil.


  • Closed Accounts Posts: 1,193 ✭✭✭Kix


    <font face="Verdana, Arial" size="2">Originally posted by phobos:
    my ISP (IOL) tried a SubSeven port probe on my system. </font>

    Hi phobos,

    Why do you think that it was IOL themselves rather than another IOL customer?

    K



  • Advertisement
  • Registered Users, Registered Users 2 Posts: 2,051 ✭✭✭mayhem#


    Of course it was not IOL doing this, it was just someone dailed into an IOL POP port scanning a range of IP addy's.
    NMothing to worry about...


  • Closed Accounts Posts: 1,322 ✭✭✭phobos


    K,

    Here is the logged details from the SubSeven port probe last night.

    IP: 194.165.169.121
    DNS: p-airlock121.esatclear.ie
    Node: PBN_COMPUTER
    Group: PBN_WORKGROUP
    MAC: 444553540000

    Also some of you wanted to know about SubSeven. SubSeven is a client/server software system that lets a client remotely hijack a host system. The client is able to do things like execute port scans from the host system, complete FTP (read/write from root), Hijack the mouse, Keystroke logger, to mention but a few. It is a crazy piece of software and is probably the most common backdoor server for a Win9x system. By default SubSevenServer listens on port 27374.

    I probed the attacking system myself just to see what it was. It is listening on port 139 (only). So it is probably a Win9x machine. But that workgroup stuff has me suspicious that is part of a larger network, that is not privately owned.

    I just want to know is there illegal activities going on here from IOL's behalf. Even though I was not one of the ppl who got kicked from No Limits, I know ppl who were and it totally sucks. So I don't want to see them getting away with anything else.

    :-phobos-)


  • Closed Accounts Posts: 65 ✭✭wintermute



    It is a dial-up customer using the Esatclear service who is doing the portscanning.

    This is what RIPE says about the range...

    inetnum: 194.165.160.0 - 194.165.175.255
    netname: ESATNET-ROUTE6
    descr: Esat Net Consumer Dialup Modem Bank
    country: IE
    admin-c: CA1690
    tech-c: CC1276-RIPE
    tech-c: GP1184-RIPE
    status: ASSIGNED PA
    remarks: For SPAM/UCE complaints, please email "abuse@esatclear.ie"
    notify: noc@esat.net
    mnt-by: RIPE-NCC-NONE-MNT
    changed: chris@esat.net 19991207
    changed: colma@esat.net 20010128
    source: RIPE

    Why not use the email address provided to complain?

    I seriously doubt that you are the victim of a conspiracy, just a social degenerate will too much time on their hands.



  • Closed Accounts Posts: 1,322 ✭✭✭phobos


    Nobody mentioned CONSPIRACY.

    Somebody with too much time on their hands: YES

    Cheers for the feedback lads.
    ;-phobos-)


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    What is the story with that MAC info that BlackIce reports? Assuming that is BlackIce of course, but it looks similar to a report I was presented with before.

    The owner of that particular machine immediately thought it was the remote ethernet MAC address of his attackers, which obviously makes no sense.


  • Advertisement
  • Closed Accounts Posts: 28 teac!


    <font face="Verdana, Arial" size="2">Originally posted by X_OR:
    What is the story with that MAC info that BlackIce reports? Assuming that is BlackIce of course, but it looks similar to a report I was presented with before.
    </font>

    It is meant to be the MAC address of the supposed attacker.

    Generally the MAC address is going to be the MAC address of the gateway, however MAC addresses can be gotten via NetBIOS.

    Phil.


  • Closed Accounts Posts: 1,322 ✭✭✭phobos


    OK, now I ****ed off!!

    That little **** has tried the same thing on me again. Sorry about before, I know it's not my ISP (rather one if it's other customers). But another SubSeven port probe

    IP: 194.165.162.7
    DNS: i-airlock007.esatclear.ie
    Node: PBN_COMPUTER
    Group: PBN_WORKGROUP
    MAC: 444553540000

    here is his new info. This time I think I will report him. Any ideas!!. I know that this attack is not targetted @ me (alone), because it is the only service this guy seems to be interested in. Bloody script kiddies get new toys and waste no time.

    But I think he is sweeping a range of IPs. to see if anyone is listening on that port. I would hate to think, what would go on if he was able to connect to someones system.

    >:-phobos-#


  • Closed Accounts Posts: 2,682 ✭✭✭chernobyl


    call esat now and report his ip now!!

    Britany Spears Looking incredible


  • Registered Users, Registered Users 2 Posts: 125 ✭✭tmcd


    I deal in In-memoriam cards if you catch him.


  • Registered Users, Registered Users 2 Posts: 2,051 ✭✭✭mayhem#


    Get proper anti-virus software and a good firewall and spend your time doing more pleasant things....


  • Registered Users, Registered Users 2 Posts: 326 ✭✭ConUladh


    I messed around with Sub7 a couple of years ago out of curiosity (I was getting port scans hitting my machine every few minutes some nights and wanted to see what the fuss was about), I was on SNL so I scanned the Esatclear range of addresses, there was a lot of infected machines (mainly password protected so that only the person who infected them could access), no matter when you scanned

    As long as you've decent AV and you're careful with e-mail attachments I wouldn't lose sleep over it, I'm amazed you're not getting hit by scans more often

    If it's a free ISP (IOL/Esatclear Free) how are you going to get them kicked?

    There's also the remote possibility (and I don't really buy this) that they're scanning for another service, it's being reported to you as Sub7 because of the port number, for example Sub7 can be changed to listen at a different port than it's default

    As a final note it is scarey the control this program gives over someone's machine (good as a personal remote control tool unless you're worried they can get past the pwd protection - and there was a workaround for older versions), be careful




  • Closed Accounts Posts: 1,322 ✭✭✭phobos


    K,

    I am not running Sub7 on my system, so there is no way that they could do anything more than a port scan. The main reason I am posting is because since I decided to setup a firewall, I have seen several suspicious activities, and just want to make it clear to other IOL customers that someone is scanning our machines. Like I know for a fact that this person probably knows my OS, from doing a footprint. I have taken all the standard precautions (I am not listening on any ports).

    Also I would assume that it is possible for any server software to be configured to listen on "another" port. But I would assume that firewall and intrusion detection software would have to be smarter than simply associating services with their default ports. I would say that they would read the header information on the incomming packets, and ID the required service then, rather than simply checking what port the client wants to connect to.

    Sorry chernobyl, I am only after coming back online now. He is probably gone. But I have some ideas on how I might get more info on this kid. He himself is only listening on 139, and nothing else. What if I was to write some socket tool to listen on the default Sub7 port, it's only purpose to accept a connection, get as much info about the client as I can, then kick them off.

    Anyway I suspect that he will be back again.

    ;-phobos-)


  • Closed Accounts Posts: 1,322 ✭✭✭phobos


    I think our little friend has an accomplice, or else this is another system on his home/office network.

    IP: 194.165.170.3
    Node: PIII700
    Group: WORKGROUP
    MAC: 444553540000
    DNS: q-airlock003.esatclear.ie

    He is still trying the Sub7 port. Determined little bugger isn't he.

    ;-phobos-)


  • Closed Accounts Posts: 1,193 ✭✭✭Kix


    Phobos,

    Don't waste any more time mate, email abuse@esatclear.ie asap with the details you have. If you're lucky it'll be a SNL customer (there are still a few of us left smile.gif) and they'll know his phone number.

    K


  • Registered Users, Registered Users 2 Posts: 326 ✭✭ConUladh


    As I said before this has been happening for a long time, the computer you've noted is prob a diff unrelated person (not necssarily but probably), lot of script kiddies out there and these tools are so user friendly that a new one's born every minute

    If you set up a dummy server surely all it's going to get is the standard Sub7 commands (and IP which you already have)

    The only way I can think of that you can track the guy down is if you connect to someone's who's been caught by him (if not pwd protected), connect using a Sub7 client and see if there's any notification details (Sub7 allows you to set up e-mail, ICQ and/or IRC notfication) or install it on your machine a nd let him set up the notification details

    It'd be a lot easier if you contacted IOL and got his phone number, that is if he has caller-id switched on and IOL give out the info which I suppose is very unlikely

    He's going to be using something like Superscan to scan a range of IP's, all that does is check if the port's open, it doesn't say it's looking for a Subseven Server at a particular port, so I would think that your firewall is in fact reacting to the port number, let me know if you find out I'm wrong

    Edited/Added bit: I'd agree with Kix, hopefully IOL will give a toss as well, you may find you start ignoring these after a while, you'll prob be getting them from someone on EircomNet next week


    [This message has been edited by ConUladh (edited 28-06-2001).]


  • Advertisement
  • Closed Accounts Posts: 517 ✭✭✭hacktavist


    he is scanning look he scans me nearly everyday look at this list
    Connection From 194.145.135.187. At 22:56:00, 28/05/01, Monday Sent Message:
    -
    Connection From 194.145.135.187. At 22:56:47, 28/05/01, Monday Sent Message:
    -
    Connection From 194.145.135.187. At 22:58:01, 28/05/01, Monday Sent Message:
    -
    Connection From 194.165.171.160. At 23:16:37, 30/05/01, Wednesday Sent Message:
    -
    Connection From 194.165.171.160. At 23:17:57, 30/05/01, Wednesday Sent Message:
    -
    Connection From 194.145.131.173. At 19:12:41, 13/06/01, Wednesday Sent Message:
    -
    Connection From 194.165.170.3. At 23:59:17, 27/06/01, Wednesday Sent Message:
    -
    Connection From 194.165.162.7.<--[ip of your guy] At 22:59:59, 28/06/01, Thursday Sent Message:
    -
    Connection From 194.165.172.165. At 19:34:47, 03/07/01, Tuesday Sent Message:
    -
    Connection From 194.165.172.165. At 19:35:14, 03/07/01, Tuesday Sent Message:
    -
    Connection From 194.165.172.165. At 19:36:01, 03/07/01, Tuesday Sent Message:
    -
    Connection From 194.165.172.165. At 19:36:45, 03/07/01, Tuesday Sent Message:
    -
    Connection From 194.165.172.165. At 19:46:05, 03/07/01, Tuesday Sent Message:
    -
    Connection From 194.165.172.165. At 19:47:43, 03/07/01, Tuesday Sent Message:
    -
    Connection From 194.165.172.165. At 19:49:42, 03/07/01, Tuesday Sent Message:
    -
    Connection From 194.165.173.139. At 20:34:58, 03/07/01, Tuesday Sent Message:
    -
    Connection From 194.165.173.139. At 20:36:50, 03/07/01, Tuesday Sent Message:


  • Closed Accounts Posts: 74 ✭✭root


    who cares about reporting him to esat.
    They dont give a ****.Install a firewall and forget about wasting esats time.


  • Closed Accounts Posts: 3,859 ✭✭✭logic1


    Exactly.. Esat don't care and as far as I'm aware port scanning pc's is not illegal. I can't believe so many of you are taking this so seriously. He hasn't done anything.. sure maybe if he found a pc with sub seven installed and non-p-protected he might but then again America might drop an atom bomb at any minute. Why not just sit back and relax... if your comfortable with your pcs security then this is no big deal.

    .logic.


  • Closed Accounts Posts: 95 ✭✭Jademan


    A good info site is grc.com for firewalls and general internet security.


  • Closed Accounts Posts: 1,322 ✭✭✭phobos


    K,

    I had decided to leave the topic alone, since my truma only involved port probes. But last night my firewall's bells and alarms triggered, because someone just penetrated it!. I got the person's IP/hostname and I'd swear it was that same guy from before. But this time he succeeded in doing more than a probe.

    Now I reported this activity to IOL before and they did nothing about it. So any ideas a to what I should do now. I doesn't feel right to just forget about it. I have to do something. Is there a phone number or something where I can actually corner a technician to look in to it?

    ;-phobos-)

    Finally @ my 100th Post, Happy PostDay to Me


  • Registered Users, Registered Users 2 Posts: 1,562 ✭✭✭Snaga


    If he did more than a probe, what was it?

    Theres very little that these guys can do to you if you arent infected with anything in the first place and your running good monitoring/blocking software.

    As for your system, are you on dialup yourself? If your ip address is changing all the time and your still getting hit a lot, either

    a) hes scanning a huge range of ip addies nightly, or
    b) you are already infected with something thats broadcasting your ip addy to him.

    Generally, as has been said before, it would be (a) cos the worlds full of hacker wannabes.


  • Closed Accounts Posts: 1,322 ✭✭✭phobos


    He did an ICMP Flood (trying to crash my machine), but I stopped him. I am logging all details. Will get in contact with IOL if problem gets any worse.

    ;-phobos-)


Advertisement