back door/sub7 trojan horse


Dan Mitchell
09-18-2002, 02:23 PM
A while back I got cable internet, and set up Norton Internet Security as my firewall. I now often leave the PC connected for days, downloading music etc. Frequently, my firewall will inform me of an attempted attack using backdoor/sub7 Trojan horse, saying "a remote computer (in this case 211.226.90.131) attempted to connect to your computer on a port commonly used by a remote access Trojan horse". Often this occurs when I'm using WinMX, but it's hard to tell if this is the deciding factor since I use the program most of the time. Any discussion of the nature/motivation of these attacks and the real threat they pose is appreciated. I'm also wondering if maybe the firewall is misinterpreting some innocuous communication, perhaps associated with WinMX, as a Trojan attack.

TIA,

Dan

Budfred
09-18-2002, 03:54 PM
It may well be an innocuous event; firewalls are thankfully rather paranoid. On the other hand, it could also easily be a legitimate Trojan. Spyware, Trojans, virii, and worms tend to proliferate around places where people do a lot of downloading, and this is frequently the problem with music download sites. I'd suggest you keep your firewall updated, use a good antivirus program and run a spyware scanner often if you are going to download music regularly.

Budfred

Paul Komski
09-18-2002, 11:39 PM
You can go here (http://grc.com/default.htm) and use the ShieldsUp and LeakTest if you are worried about how well your firewall is functioning.

There's all sorts of traffic knocking on one's door - some have a good sniff - but most are not malicious. I used to chase all of them up (using ZA) but nowadays, as long as I'm firewalled satisfactorily, I don't bother - though I do go and check out the logs every now and again; and do regular scans for viruses, spyware and trojans of course.

Sylvander
09-27-2002, 02:44 PM
I use ZoneAlarm and have done tests using websites and it passed all tests.

Also the superb Telewest, Blueyonder free Technical Support tested my connection whilst I was on the phone. He asked me to shut down and re-start Zone Alarm and he said I was totally invisible when it was running.

So does someone know your address and are they trying it on spec even though they cannot see any sign of you online?

You're safe, why worry?

I presume you have Anti-Virus software and a system of file backup.
But have you made an Anti-Virus Rescue Disk and have you used it to back up your Partition Sector & Boot Sector?

mjc
09-27-2002, 05:28 PM
Ok, you have a firewall and it pops up an alert warning of a sub7 attempt...well, that is its job!

It happens more when using WinMX...yeah, the file sharing networks are rife with trojans...in fact some of the servers you are downloading from could very well be "own3d" machines, the server is running without the true owner's knowledge.

As long as it is an incoming attempt you are OK. That is not to say you don't have anything to worry about, but that you don't have sub7; somebody is looking to see if you do, and your firewall is blocking that traffic.

If it were an outbound attempt on a known sub7 port then you can start worrying. If that were the case then don't bother with any AV app already installed; do an online scan or grab a specific anti-trojan product (link in my sig...Trojan Hunter and TDS-3 both have 30-day trial periods...).

There is a certain amount of "background noise" involved also...things like servers that bungle the disconnect routine and ping you for the next 30 mins (common with ad servers....DoubleClick seems to be one of the most annoying for me....), "backwash" from a DDoS (distributed Denial of Service) attack, some kid who just downloaded a port scanner and is "playing", etc. Most of that has no recognisable pattern, nor are successive ports usually scanned (except in the case of the little sh## punk wannabe). Another very common source of alerts/hits is on the known file sharing app ports...like KaZaa; I get bunches of them on weekend nights, because either the person who had the IP before you picked it up was using that app (typical for dial up) or someone is scanning your IP range to find new servers to dl from.
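The inbound-versus-outbound rule above can be applied mechanically to a firewall log. The following Python is an added example, not code from the thread or from any firewall product: it parses a constructed log (the line format is invented here) and assumes the SubSeven default ports 1243 and 27374 from general knowledge, since the thread itself quotes no port number.

```python
import re
from collections import Counter

# Default ports commonly associated with SubSeven. Assumption from general
# knowledge: the thread names no port, so adjust this set to match your alerts.
RAT_PORTS = {1243, 27374}

# Constructed sample firewall log, loosely modelled on the alert quoted in the
# thread. The line format is invented for this example.
SAMPLE_LOG = """\
2002-09-18 14:20:01 inbound  211.226.90.131:4021 -> 192.168.1.2:27374 blocked
2002-09-18 14:22:17 inbound  211.226.90.131:4022 -> 192.168.1.2:27374 blocked
2002-09-18 14:22:40 inbound  211.226.90.131:4023 -> 192.168.1.2:27374 blocked
2002-09-18 14:25:44 inbound  203.0.113.9:6257    -> 192.168.1.2:6699  allowed
2002-09-18 14:30:09 outbound 192.168.1.2:1052    -> 198.51.100.23:27374 allowed
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<dir>inbound|outbound)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<action>\w+)$"
)

def parse(log):
    """Yield one event dict per parseable line; anything else is skipped."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
            yield ev

def triage(log, repeat_threshold=3):
    """A blocked inbound probe on a RAT port is noise worth logging; an outbound
    connection (or an allowed inbound one) on a RAT port means this host may be
    infected. Sources that probe repeatedly are returned as block candidates."""
    result = {"high": [], "low": [], "block_candidates": []}
    probes = Counter()
    for ev in parse(log):
        if ev["dport"] not in RAT_PORTS:
            continue  # file-sharing and other ordinary traffic is out of scope here
        if ev["dir"] == "outbound" or ev["action"] != "blocked":
            result["high"].append(f"{ev['ts']} {ev['dir']} {ev['src']} -> "
                                  f"{ev['dst']}:{ev['dport']} {ev['action']}")
        else:
            result["low"].append(f"{ev['ts']} probe from {ev['src']} on {ev['dport']} blocked")
            probes[ev["src"]] += 1
    result["block_candidates"] = [ip for ip, n in probes.items() if n >= repeat_threshold]
    return result

if __name__ == "__main__":
    for severity, items in triage(SAMPLE_LOG).items():
        print(severity, items)
```

The "high" bucket is the case mjc says to act on with a scan; the "block_candidates" list is the repeat offender Rick suggests blocking.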

Rick
09-27-2002, 07:20 PM
Another common source for the probe is your ISP.
It's common for some ISPs to scan their users once to look for the Trojans.

This helps them protect their own systems and prevent DDoS from bringing their services down.


If you get it on a regular basis then just block the offending IP.