From
http://www.robertgraham.com/pubs/firewall-seen.html
Trojan Horse (TCP). This is a commonly seen scan looking for systems
compromised by this trojan. Sub-Seven scans are becoming very frequent,
primarily due to an easy-to-use scanner built-in to the client.
and from
http://www.infowar.com/iwftp/xforce/advise30.html
SubSeven:
There have been many versions of the SubSeven backdoor released, and most of
them were very buggy until version 1.7 came out. The latest version is 1.9.
This backdoor has been called 'BackDoor-G' by Network Associates, Inc., when
they discovered version 1.7. SubSeven allows remote attackers to obtain cached
passwords, play sounds, look at a webcam on your system, capture screenshots,
and notify you over IRC or ICQ when someone gets infected. SubSeven only
works on Windows 95 and 98.

SubSeven is highly configurable. You can set a password, change the filename
and registry key it uses, make it use Win.ini or System.ini, and have it
notify an ICQ number, e-mail address, or IRC channel when it is run. You can
also change the icon it uses, and change the port it listens on. The default
TCP port is 1243.

SubSeven has four options for starting the server -- in the Run or RunServices
registry keys in HKLM\Software\Microsoft\Windows\CurrentVersion, in the
Win.ini file, or by a 'less known method'. The 'less known method' uses the
System.ini file, and adds its executable name to the 'shell=' line in the
'[boot]' section of the file. By default, it will make that line
'shell=Explorer.exe mtmtask.dl', and copy mtmtask.dl to your Windows system
directory. If you look in System.ini and see anything other than
'Explorer.exe' in your 'shell=' line, immediately remove anything other than
'Explorer.exe' and delete the extra file from C:\Windows\System.

If you connect to SubSeven's port, you will see a banner similar to:

connected. time/date: 18:05.19 - June 30, 1999, Wednesday, version: 1.7

SubSeven also listens on port 6776 for the scanning function, and this port is
not configurable. SubSeven also keeps TCP port 6711. If you see that TCP ports
6711 and 6776 open when you do a 'netstat -a', then you probably have
SubSeven. Since it is so highly configurable and difficult to detect in the
registry, the easiest method to remove it is to use an up-to-date virus
scanner. Most newer virus scanners will detect and remove SubSeven.
--
all found by doing a search on
sub seven attack
then
subseven
http://www.google.com
Hope this helps you out!
d.
Administrator wrote:
>
> Hi to all,
>
> Though this may sound stupid, I need to know....therefore I ask:
>
> What is a Sub Seven Attack??? i.e.
>
> 02/05/2000 19:12:23.272 - Sub Seven Attack Dropped -
> Source:xxx.xxx.xxx.xxx, xxxx, WAN - Destination:xxx.xxx.xxx.xxx, xxxx, LAN
> - -
>
> Any info on this or a source of such info is appreciated.
>
> Thanks in advance,
>
> ----------------------------------------------------------------------------
>
> Brian K. Bunch
> Systems Administrator
> NetRamp.net
> 865-330-2520
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
--
Dorian Moore is property of Kleber Design Ltd. If found please contact Kleber
by phone on +44 207 581 1362 or visit http://www.kleber.net for further details.
You really shouldn't listen to anything he says... as it may just be an opinion
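As an added example (not part of the original post or of the quoted advisories), a small Python check that applies the two host-side indicators the X-Force advisory gives, the fixed ports 6711/6776 and the default 1243 showing as LISTENING in 'netstat -a' output, and extra tokens on the [boot] shell= line of System.ini, to constructed sample input. The hostname 'victim' and both sample texts are assumptions made up for the demonstration.

```python
import re

# Ports from the X-Force advisory quoted above: 1243 is the configurable
# default, 6711 and 6776 are fixed, so the pair together is the stronger signal.
SUBSEVEN_PORTS = {1243, 6711, 6776}

def listening_subseven_ports(netstat_output):
    """SubSeven-associated TCP ports in LISTENING state in 'netstat -a' text."""
    found = set()
    for line in netstat_output.splitlines():
        parts = line.split()
        # Expected columns: Proto  Local Address  Foreign Address  State
        if len(parts) < 4 or parts[0].upper() != "TCP":
            continue
        m = re.search(r":(\d+)$", parts[1])
        if m and parts[3].upper() == "LISTENING" and int(m.group(1)) in SUBSEVEN_PORTS:
            found.add(int(m.group(1)))
    return found

def suspicious_shell_entries(system_ini_text):
    """Tokens on the [boot] shell= line other than Explorer.exe (the advisory's
    'less known method' of persistence)."""
    section = None
    for raw in system_ini_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot" and line.lower().startswith("shell="):
            return [t for t in line[len("shell="):].split() if t.lower() != "explorer.exe"]
    return []

def assess(netstat_output, system_ini_text):
    """Combine both indicators the way the advisory describes them."""
    ports = listening_subseven_ports(netstat_output)
    extras = suspicious_shell_entries(system_ini_text)
    likely = ({6711, 6776} <= ports) or bool(extras)
    return {"ports": sorted(ports), "shell_extras": extras, "likely_subseven": likely}

# Constructed sample input (not real captures); hostname 'victim' is made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    victim:1243            0.0.0.0:0              LISTENING
  TCP    victim:6711            0.0.0.0:0              LISTENING
  TCP    victim:6776            0.0.0.0:0              LISTENING
  TCP    victim:139             0.0.0.0:0              LISTENING
"""
SAMPLE_SYSTEM_INI = "[boot]\nshell=Explorer.exe mtmtask.dl\ndrivers=mmsystem.dll\n"
print(assess(SAMPLE_NETSTAT, SAMPLE_SYSTEM_INI))
```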