
I think my ISP tried to use a SubSeven Trojan on my system

  • 25-06-2001 1:36am
    #1
    Closed Accounts Posts: 1,322 ✭✭✭


    Guys,

    I am not too well up on the practices of hacking etc. But I do know the fundamentals of comp. networks and all that. Just a few mins ago my ISP (IOL) tried a SubSeven port probe on my system. Luckily for me I am running some security software that gave me all the details of the hack attempt (IP, DNS, Node, Group, and even MAC address) of the origin.

    When I asked my security software what the **** happened, it said:

    Somebody has tried to access your machine with the "SubSeven Trojan Horse" and failed.

    Can anyone shed any light on the subject as to why my ISP would do such a thing? I know it was only a port probe, but why that port? What interest would they have in SubSeven that is not illegal?

    Also over the past number of days I have recorded my ISP doing a:
    TCP OS Fingerprint (To find out my OS!)
    Telnet port probe
    NetBIOS port probe (Is there any other reason, apart from checking to see if I had file or print sharing enabled, that they would probe that port?)

    I just find it all too suspicious, and will continue to monitor and log future activities.

    What do you think??

    ;-phobos-)


Comments

  • Closed Accounts Posts: 2,682 ✭✭✭chernobyl


    it was probably some script kiddy doing a scan and your ip was in the range specified.

    Britany Spears Looking incredible


  • Moderators, Category Moderators, Technology & Internet Moderators Posts: 6,265 CMod ✭✭✭✭MiCr0


    post up the actual details?


  • Closed Accounts Posts: 611 ✭✭✭Gladiator


    They always do that, they're just port scanning your system. I don't know why, but they do.


  • Closed Accounts Posts: 28 teac!


    Originally posted by phobos:

    Somebody has tried to access your machine with the "SubSeven Trojan Horse" and failed.

    Can anyone shed any light on the subject as to why my ISP would do such a thing? I know it was only a port probe, but why that port? What interest would they have in SubSeven that is not illegal?

    Also over the past number of days I have recorded my ISP doing a:
    TCP OS Fingerprint (To find out my OS!)
    Telnet port probe
    NetBIOS port probe (Is there any other reason, apart from checking to see if I had file or print sharing enabled, that they would probe that port?)

    NetBIOS probes on port 137 are harmless, and are probably the result of NetBIOS broadcasts. I'm not aware of this SubSeven package but needless to say, it's not comprehensive. It seems to take a maximalist extreme, and in so doing, causes probes on ports you know very little information about to get you paranoid.

    A Telnet port probe? How do you know these are being directed from your ISP?
    Phil.


  • Closed Accounts Posts: 1,193 ✭✭✭Kix


    Originally posted by phobos:
    my ISP (IOL) tried a SubSeven port probe on my system.

    Hi phobos,

    Why do you think that it was IOL themselves rather than another IOL customer?

    K



  • Registered Users Posts: 2,051 ✭✭✭mayhem#


    Of course it was not IOL doing this, it was just someone dialled into an IOL POP port scanning a range of IP addys.
    Nothing to worry about...


  • Closed Accounts Posts: 1,322 ✭✭✭phobos


    K,

    Here are the logged details from the SubSeven port probe last night.

    IP: 194.165.169.121
    DNS: p-airlock121.esatclear.ie
    Node: PBN_COMPUTER
    Group: PBN_WORKGROUP
    MAC: 444553540000

    Also some of you wanted to know about SubSeven. SubSeven is a client/server software system that lets a client remotely hijack a host system. The client is able to do things like execute port scans from the host system, complete FTP (read/write from root), Hijack the mouse, Keystroke logger, to mention but a few. It is a crazy piece of software and is probably the most common backdoor server for a Win9x system. By default SubSevenServer listens on port 27374.

    I probed the attacking system myself just to see what it was. It is listening on port 139 (only). So it is probably a Win9x machine. But that workgroup stuff has me suspicious that it is part of a larger network, that is not privately owned.

    I just want to know if there are illegal activities going on here on IOL's behalf. Even though I was not one of the ppl who got kicked from No Limits, I know ppl who were and it totally sucks. So I don't want to see them getting away with anything else.

    :-phobos-)


  • Closed Accounts Posts: 65 ✭✭wintermute



    It is a dial-up customer using the Esatclear service who is doing the portscanning.

    This is what RIPE says about the range...

    inetnum: 194.165.160.0 - 194.165.175.255
    netname: ESATNET-ROUTE6
    descr: Esat Net Consumer Dialup Modem Bank
    country: IE
    admin-c: CA1690
    tech-c: CC1276-RIPE
    tech-c: GP1184-RIPE
    status: ASSIGNED PA
    remarks: For SPAM/UCE complaints, please email "abuse@esatclear.ie"
    notify: noc@esat.net
    mnt-by: RIPE-NCC-NONE-MNT
    changed: chris@esat.net 19991207
    changed: colma@esat.net 20010128
    source: RIPE

    Why not use the email address provided to complain?

    I seriously doubt that you are the victim of a conspiracy, just a social degenerate with too much time on their hands.



  • Closed Accounts Posts: 1,322 ✭✭✭phobos


    Nobody mentioned CONSPIRACY.

    Somebody with too much time on their hands: YES

    Cheers for the feedback lads.
    ;-phobos-)


  • Moderators, Social & Fun Moderators Posts: 10,501 Mod ✭✭✭✭ecksor


    What is the story with that MAC info that BlackIce reports? Assuming that is BlackIce of course, but it looks similar to a report I was presented with before.

    The owner of that particular machine immediately thought it was the remote ethernet MAC address of his attackers, which obviously makes no sense.


  • Closed Accounts Posts: 28 teac!


    Originally posted by X_OR:
    What is the story with that MAC info that BlackIce reports? Assuming that is BlackIce of course, but it looks similar to a report I was presented with before.

    It is meant to be the MAC address of the supposed attacker.

    Generally the MAC address is going to be the MAC address of the gateway, however MAC addresses can be gotten via NetBIOS.

    Phil.


  • Closed Accounts Posts: 1,322 ✭✭✭phobos


    OK, now I'm ****ed off!!

    That little **** has tried the same thing on me again. Sorry about before, I know it's not my ISP (rather one of its other customers). But another SubSeven port probe:

    IP: 194.165.162.7
    DNS: i-airlock007.esatclear.ie
    Node: PBN_COMPUTER
    Group: PBN_WORKGROUP
    MAC: 444553540000

    Here is his new info. This time I think I will report him. Any ideas!! I know that this attack is not targeted @ me (alone), because it is the only service this guy seems to be interested in. Bloody script kiddies get new toys and waste no time.

    But I think he is sweeping a range of IPs to see if anyone is listening on that port. I would hate to think what would go on if he was able to connect to someone's system.

    >:-phobos-#


  • Closed Accounts Posts: 2,682 ✭✭✭chernobyl


    call esat now and report his ip now!!

    Britany Spears Looking incredible


  • Registered Users Posts: 125 ✭✭tmcd


    I deal in In-memoriam cards if you catch him.


  • Registered Users Posts: 2,051 ✭✭✭mayhem#


    Get proper anti-virus software and a good firewall and spend your time doing more pleasant things....


  • Registered Users Posts: 326 ✭✭ConUladh


    I messed around with Sub7 a couple of years ago out of curiosity (I was getting port scans hitting my machine every few minutes some nights and wanted to see what the fuss was about). I was on SNL so I scanned the Esatclear range of addresses; there were a lot of infected machines (mainly password protected so that only the person who infected them could access), no matter when you scanned.

    As long as you've decent AV and you're careful with e-mail attachments I wouldn't lose sleep over it, I'm amazed you're not getting hit by scans more often

    If it's a free ISP (IOL/Esatclear Free) how are you going to get them kicked?

    There's also the remote possibility (and I don't really buy this) that they're scanning for another service, and it's being reported to you as Sub7 because of the port number; for example Sub7 can be changed to listen at a different port than its default.

    As a final note, it is scary the control this program gives over someone's machine (good as a personal remote control tool unless you're worried they can get past the pwd protection - and there was a workaround for older versions), be careful.




  • Closed Accounts Posts: 1,322 ✭✭✭phobos


    K,

    I am not running Sub7 on my system, so there is no way that they could do anything more than a port scan. The main reason I am posting is because since I decided to setup a firewall, I have seen several suspicious activities, and just want to make it clear to other IOL customers that someone is scanning our machines. Like I know for a fact that this person probably knows my OS, from doing a footprint. I have taken all the standard precautions (I am not listening on any ports).

    Also I would assume that it is possible for any server software to be configured to listen on "another" port. But I would assume that firewall and intrusion detection software would have to be smarter than simply associating services with their default ports. I would say that they would read the header information on the incoming packets, and ID the required service from that, rather than simply checking what port the client wants to connect to.

    Sorry chernobyl, I am only after coming back online now. He is probably gone. But I have some ideas on how I might get more info on this kid. He himself is only listening on 139, and nothing else. What if I was to write some socket tool to listen on the default Sub7 port, its only purpose to accept a connection, get as much info about the client as I can, then kick them off?

    Anyway I suspect that he will be back again.

    ;-phobos-)
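The listener phobos describes, written out as an added example that is not code from the thread: it binds a bare TCP socket on the SubSeven default port the thread names (27374), accepts one connection, records the peer address and whatever the client sends first, and closes without ever replying, so a connect-only sweep shows up as an empty first read while a client that actually speaks shows up with its opening bytes. `loopback_demo` is a self-test that runs the listener on 127.0.0.1 with an ephemeral port instead of 27374; all function names are this example's own.

```python
import socket
import threading
from datetime import datetime, timezone

SUB7_DEFAULT_PORT = 27374  # default SubSeven server port named in the thread

def make_listener(host="0.0.0.0", port=SUB7_DEFAULT_PORT):
    """Bare TCP listener: it never replies, it only exists to be connected to and logged."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv

def record_one_connection(srv, timeout=2.0, max_bytes=256):
    """Accept one connection, note the peer and whatever it sends first, then drop it.
    Returns None if nobody connected within the timeout."""
    srv.settimeout(timeout)
    try:
        conn, (peer_ip, peer_port) = srv.accept()
    except socket.timeout:
        return None
    with conn:
        conn.settimeout(timeout)
        try:
            first = conn.recv(max_bytes)   # b"" when the peer connects and hangs up at once
        except socket.timeout:
            first = b""                    # connected but stayed silent
    return {
        "time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "peer_ip": peer_ip,
        "peer_port": peer_port,
        "first_bytes": first,
        "kind": "sent data" if first else "connect-only probe",
    }

def loopback_demo(payload=b""):
    """Self-test on 127.0.0.1 and an ephemeral port: the listener runs in a thread,
    we play the connecting side, and the record it produced is returned."""
    srv = make_listener("127.0.0.1", 0)
    out = []
    t = threading.Thread(target=lambda: out.append(record_one_connection(srv, timeout=5)))
    t.start()
    with socket.create_connection(srv.getsockname()) as c:
        if payload:
            c.sendall(payload)
    t.join()
    srv.close()
    return out[0]
```

Run `loopback_demo()` for a connect-and-hang-up probe and `loopback_demo(b"hello")` for a client that talks; in real use, run `record_one_connection` in a loop and write each record to a file.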


  • Closed Accounts Posts: 1,322 ✭✭✭phobos


    I think our little friend has an accomplice, or else this is another system on his home/office network.

    IP: 194.165.170.3
    Node: PIII700
    Group: WORKGROUP
    MAC: 444553540000
    DNS: q-airlock003.esatclear.ie

    He is still trying the Sub7 port. Determined little bugger isn't he.

    ;-phobos-)


  • Closed Accounts Posts: 1,193 ✭✭✭Kix


    Phobos,

    Don't waste any more time mate, email abuse@esatclear.ie asap with the details you have. If you're lucky it'll be a SNL customer (there are still a few of us left) and they'll know his phone number.

    K


  • Registered Users Posts: 326 ✭✭ConUladh


    As I said before this has been happening for a long time, the computer you've noted is prob a diff unrelated person (not necessarily but probably), lots of script kiddies out there and these tools are so user friendly that a new one's born every minute.

    If you set up a dummy server surely all it's going to get is the standard Sub7 commands (and IP which you already have)

    The only way I can think of that you can track the guy down is if you connect to someone who's been caught by him (if not pwd protected), connect using a Sub7 client and see if there's any notification details (Sub7 allows you to set up e-mail, ICQ and/or IRC notification) or install it on your machine and let him set up the notification details.

    It'd be a lot easier if you contacted IOL and got his phone number, that is if he has caller-id switched on and IOL give out the info which I suppose is very unlikely

    He's going to be using something like Superscan to scan a range of IP's, all that does is check if the port's open, it doesn't say it's looking for a Subseven Server at a particular port, so I would think that your firewall is in fact reacting to the port number, let me know if you find out I'm wrong

    Edited/Added bit: I'd agree with Kix, hopefully IOL will give a toss as well, you may find you start ignoring these after a while, you'll prob be getting them from someone on EircomNet next week


    [This message has been edited by ConUladh (edited 28-06-2001).]


  • Closed Accounts Posts: 517 ✭✭✭hacktavist


    He is scanning, look, he scans me nearly every day. Look at this list:
    Connection From 194.145.135.187. At 22:56:00, 28/05/01, Monday Sent Message:
    -
    Connection From 194.145.135.187. At 22:56:47, 28/05/01, Monday Sent Message:
    -
    Connection From 194.145.135.187. At 22:58:01, 28/05/01, Monday Sent Message:
    -
    Connection From 194.165.171.160. At 23:16:37, 30/05/01, Wednesday Sent Message:
    -
    Connection From 194.165.171.160. At 23:17:57, 30/05/01, Wednesday Sent Message:
    -
    Connection From 194.145.131.173. At 19:12:41, 13/06/01, Wednesday Sent Message:
    -
    Connection From 194.165.170.3. At 23:59:17, 27/06/01, Wednesday Sent Message:
    -
    Connection From 194.165.162.7.<--[ip of your guy] At 22:59:59, 28/06/01, Thursday Sent Message:
    -
    Connection From 194.165.172.165. At 19:34:47, 03/07/01, Tuesday Sent Message:
    -
    Connection From 194.165.172.165. At 19:35:14, 03/07/01, Tuesday Sent Message:
    -
    Connection From 194.165.172.165. At 19:36:01, 03/07/01, Tuesday Sent Message:
    -
    Connection From 194.165.172.165. At 19:36:45, 03/07/01, Tuesday Sent Message:
    -
    Connection From 194.165.172.165. At 19:46:05, 03/07/01, Tuesday Sent Message:
    -
    Connection From 194.165.172.165. At 19:47:43, 03/07/01, Tuesday Sent Message:
    -
    Connection From 194.165.172.165. At 19:49:42, 03/07/01, Tuesday Sent Message:
    -
    Connection From 194.165.173.139. At 20:34:58, 03/07/01, Tuesday Sent Message:
    -
    Connection From 194.165.173.139. At 20:36:50, 03/07/01, Tuesday Sent Message:
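As an added example that is not part of the thread, a small parser for firewall log lines of the shape hacktavist posted: it counts connections per source, splits sources by whether they fall inside the Esat dial-up block wintermute quoted from RIPE (194.165.160.0 - 194.165.175.255, i.e. 194.165.160.0/20), and flags sources that reconnected within ten minutes, which is what a range sweep rather than a one-off looks like. The sample lines are an excerpt copied from the post above, including the hand-written "<--[ip of your guy]" tag, so the pattern has to tolerate text between the address and "At"; function names and the ten-minute window are this example's own choices.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Dial-up range wintermute quoted from RIPE: 194.165.160.0 - 194.165.175.255
ESATCLEAR_DIALUP = ip_network("194.165.160.0/20")

# Line shape from hacktavist's log; ".*?" absorbs the poster's "<--[...]" annotation
LINE_RE = re.compile(
    r"Connection From (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.?.*?"
    r"At (?P<time>\d\d:\d\d:\d\d), (?P<date>\d\d/\d\d/\d\d)"
)

# Excerpt of the lines posted in the thread, separator "-" lines included
SAMPLE_LOG = """\
Connection From 194.145.135.187. At 22:56:00, 28/05/01, Monday Sent Message:
-
Connection From 194.145.135.187. At 22:56:47, 28/05/01, Monday Sent Message:
-
Connection From 194.165.171.160. At 23:16:37, 30/05/01, Wednesday Sent Message:
-
Connection From 194.165.170.3. At 23:59:17, 27/06/01, Wednesday Sent Message:
-
Connection From 194.165.162.7.<--[ip of your guy] At 22:59:59, 28/06/01, Thursday Sent Message:
-
Connection From 194.165.172.165. At 19:34:47, 03/07/01, Tuesday Sent Message:
-
Connection From 194.165.172.165. At 19:35:14, 03/07/01, Tuesday Sent Message:
"""

def parse_log(text):
    """Yield (ip_address, datetime) for every line that matches; skip separators."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        when = datetime.strptime(m["date"] + " " + m["time"], "%d/%m/%y %H:%M:%S")
        yield ip_address(m["ip"]), when

def summarise(text, net=ESATCLEAR_DIALUP, window_s=600):
    """Hits per source split by the quoted range, plus sources that hit repeatedly
    within window_s seconds (repeat connects in one sitting look like a sweep)."""
    hits, times = Counter(), {}
    for ip, when in parse_log(text):
        hits[ip] += 1
        times.setdefault(ip, []).append(when)
    in_range = {str(ip): n for ip, n in hits.items() if ip in net}
    outside = {str(ip): n for ip, n in hits.items() if ip not in net}
    bursts = sorted(str(ip) for ip, ts in times.items()
                    if len(ts) > 1 and (max(ts) - min(ts)).total_seconds() <= window_s)
    return {"in_range": in_range, "outside": outside, "bursts": bursts}
```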


  • Closed Accounts Posts: 74 ✭✭root


    Who cares about reporting him to Esat.
    They don't give a ****. Install a firewall and forget about wasting Esat's time.


  • Closed Accounts Posts: 3,859 ✭✭✭logic1


    Exactly.. Esat don't care and as far as I'm aware port scanning PCs is not illegal. I can't believe so many of you are taking this so seriously. He hasn't done anything.. sure maybe if he found a PC with Sub Seven installed and non-p-protected he might, but then again America might drop an atom bomb at any minute. Why not just sit back and relax... if you're comfortable with your PC's security then this is no big deal.

    .logic.


  • Closed Accounts Posts: 95 ✭✭Jademan


    A good info site is grc.com for firewalls and general internet security.


  • Closed Accounts Posts: 1,322 ✭✭✭phobos


    K,

    I had decided to leave the topic alone, since my trauma only involved port probes. But last night my firewall's bells and alarms triggered, because someone just penetrated it! I got the person's IP/hostname and I'd swear it was that same guy from before. But this time he succeeded in doing more than a probe.

    Now I reported this activity to IOL before and they did nothing about it. So any ideas as to what I should do now? It doesn't feel right to just forget about it. I have to do something. Is there a phone number or something where I can actually corner a technician to look into it?

    ;-phobos-)

    Finally @ my 100th Post, Happy PostDay to Me


  • Registered Users Posts: 1,562 ✭✭✭Snaga


    If he did more than a probe, what was it?

    There's very little that these guys can do to you if you aren't infected with anything in the first place and you're running good monitoring/blocking software.

    As for your system, are you on dialup yourself? If your IP address is changing all the time and you're still getting hit a lot, either

    a) he's scanning a huge range of IP addies nightly, or
    b) you are already infected with something that's broadcasting your IP addy to him.

    Generally, as has been said before, it would be (a) cos the world's full of hacker wannabes.


  • Closed Accounts Posts: 1,322 ✭✭✭phobos


    He did an ICMP Flood (trying to crash my machine), but I stopped him. I am logging all details. Will get in contact with IOL if problem gets any worse.

    ;-phobos-)

