Is it getting worse?
mps69_1999
05-25-2003, 11:20 AM
Hi
I've been using Norton Internet Security (and for me it is really good; as the ad says, it does exactly what it says on the tin) for about 6 months now, and just in that short space of time I've noticed the increase in the number of people trying to access my PC with Trojan stuff. Can anyone tell me if they have noticed an increase in these types of attacks?
Does their system tell them that there is a Trojan on my system, or do they just try and attack, or is it just a random thing?
I ask what is the world coming to?
Thanks
B
Budfred
05-25-2003, 11:27 AM
The general number of security threats is increasing, although I am not sure it has increased much in the last six months. A lot of the hits that it tells you about are probably harmless, but a few are probably hackers looking for vulnerable systems. The situation is bad and likely to get worse as more and more of the world goes online and the idiots who want to hurt others keep providing easy ways to construct and distribute destruction.
I am not sure what you are asking about the Trojan; could you ask again....
mps69_1999
05-25-2003, 11:47 AM
To be honest I wasn't really asking anything; I was just curious if anyone else had noticed these attacks happening and the increase in them.
The types which show up on the Norton system are called Sub Sevens and something called Net Trojan. If you could explain these it would be a bonus, and also what people hope to gain out of "hacking" into a home PC, which I would have thought never has anything of any real interest in it, apart from to the home user.
I get at least 2 to 3 a day; I'm just hoping nothing comes of them.
Budfred
05-25-2003, 12:28 PM
There are 2 main reasons that people hack into home PCs.
1. To use them to launch SPAM or other attacks from. This makes them anonymous and makes you look like the culprit to anyone who is able to trace it back.
2. To mine data, like your credit card numbers, bank account numbers and so on....
I don't have my firewall telling me what is trying to attack unless I look in the logs, so I am not sure what kind of attacks/probes I have had recently.
mps69_1999
05-25-2003, 12:33 PM
Thanks for taking the time to reply.
Maybe you should just take a little look at the attacks that are coming through these days. I bet you'd be amazed at the amount that happen, but I'm sure you don't need someone like me to tell you that ;)
Both those attacks you are seeing are most often from your own system.
Subseven
Backdoor.SubSeven is a Trojan horse, similar to NetBus or Back Orifice. It enables unauthorized people to access your computer over the Internet without your knowledge.
It may be time to take a close look at your process list to see what is running.
Mark Miller
05-25-2003, 01:52 PM
I see it all the time with people on my cable node. I have reported this to my isp but nothing seems to change. Thank Goodness for my firewall.
Mark
mps69_1999
05-25-2003, 01:56 PM
What type of things should I be looking for here? I've got quite a few things running in the process list. Maybe there is a site that tells me what is what; if you know of such a site, could you post up the link please.
I'd start by visiting Shields Up and see what is reported there.
Then grab SpyBot and HijackThis.
Shields Up link
https://grc.com/x/ne.dll?bh0bkyd2
HijackThis link
http://www.spywareinfo.com/~merijn/index.html
SpyBot link
http://security.kolla.de/
After you run HijackThis,
you can post the log file here on the board and someone will help you weed out the BS.
mps69_1999
05-25-2003, 02:47 PM
OMG, what a load of stuff here. This is what HijackThis came back with.
Anyone know what I need and what I don't need?
Logfile of HijackThis v1.94.0
Scan saved at 19:48:10, on 25/05/2003
Platform: Windows 2000 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.imdb.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride=127.0.0.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page=C:\WINDOWS\SYSTEM\blank.htm
O1 - Hosts: 216.40.230.4 desktop.kazaa.com
O1 - Hosts: 216.40.230.4 alpha.kazaa.com
O1 - Hosts: 216.40.230.4 shop.kazaa.com
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FFFFFEF0-5B30-21D4-945D-000000000000} - D:\PROGRA~1\STARDO~1\SDIEInt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [DUControl] C:\Program Files\DirectUpdate\DUControl.exe
O4 - HKCU\..\Run: [ServUTrayIcon] C:\PROGRA~1\Serv-U\SERVUT~1.EXE
O8 - Extra context menu item: Download with Star Downloader - D:\PROGRA~1\STARDO~1\sdie.htm
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://www.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://download.macromedia.com/pub/shockwave/cabs/director/swdir.cab
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v43/yacscom.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20021205/qtinstall.info.apple.com/borris/us/win/QuickTimeInstaller.exe
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - http://www.trinsic.org/download_serial.exe
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} (Update Class) - http://v4.windowsupdate.microsoft.com/CAB/x86/unicode/iuctl.CAB?37749.4390856481
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/SSC/SharedContent/common/bin/cabsa.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://help.blueyonder.co.uk/instantsupport/tool/files/MotivePreQual.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/public/chat/msnchat45.cab
First and foremost:
KAZAA
If you use it you will get lots of hits/pings.
People think you are a file sharing server.
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page=http://www.imdb.com/
is setting your start page to IMDB.com,
the Internet Movie Database.
Is that what you want?
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
is not required.
O4 - HKCU\..\Run: [ServUTrayIcon] C:\PROGRA~1\Serv-U\SERVUT~1.EXE
looks to be setting your system up as a server to someone.
BAD IDEA.
O8 - Extra context menu item: Download with Star Downloader - D:\PROGRA~1\STARDO~1\sdie.htm
looks to be an adult site downloader?
mps69_1999
05-25-2003, 03:39 PM
You're right, I've got Kazaa, but the Kazaa Lite version. I know most pings come from there.
I've got IMDB as my home page.
I've also got my PC set up as a server, so I can file swap between a few mates and myself.
Star Downloader is a downloader program which I installed the other day, one of those that helps with resuming and suchlike.
deddard
05-25-2003, 05:09 PM
If you detect an attempted attack, make a note of the IP address (Norton will give you this) and go to Symantec's website and trace the IP.
Symantec trace an attack (http://security.symantec.com/ssc/vr_main.asp?j=1&langid=ie&venid=sym&plfid=23&pkj=XHHQBRFNJSVSTIVVBEN)
Sometimes you won't get anywhere. This is because the attacker is behind a firewall, but you should always take note of the last address which is accessible. Whether this is a company or an ISP, email them, giving the time, date, attacking IP and your own IP (the one you show to the net, in other words the address that Norton firewall displays to the net) and tell them you are pissed off with it.
If they have a decent policy, they will jump on the offenders head.
mps69_1999
05-25-2003, 06:09 PM
Note For Rick
I've run a Trojan checker against my system and it came back with nothing. Thanks, crunchie.
Paul Komski
05-25-2003, 06:15 PM
I didn't spot the mention of any port numbers being especially involved in the "attacks". Kazaa commonly sends and receives via 1214 (though it is anticipated that this will be broadened to a number of common ports).
Such P2P "traffic" (rather than "attacks") can be the cause of exceptional consumption of bandwidth, apart from what it may carry with it.
Budfred
05-25-2003, 11:05 PM
Also, please keep in mind that Kazaa in any form opens the door for malware to get into your system. You may be able to prevent and/or deal with this by using good security practices in other ways, but it will account for a larger number of attacks on your system than others receive. When I do set my firewall to show me attacks, they tend to be infrequent, but I don't use a file sharing program....
O16 - DPF: {8522F9B3-38C5-4AA4-AE40-7401F1BBC851} - hxxp://www.trinsic.org/download_serial.exe This one is a bad guy....
mps69_1999
05-26-2003, 05:32 AM
Why is it so bad? And where is it most likely I've picked it up from?
I've taken it out in the meantime.
Because it is part of LOP....
http://www.doxdesk.com/parasite/lop.html
And trinsic.com are known distributors of spyware.
mps69_1999
05-26-2003, 03:32 PM
Once again thanks; everyone's help was invaluable.