Sub-Seven Trojan


BigBlue66
11-15-2001, 11:54 AM
Hey Gang,

I was having a lot of problems with ZA and AOHELL (Please refrain from laughing so hard that you get a belly ache) as of late, so decided to purchase Norton Personal Firewall 2002.

I've had it up and running for a week or so, and have noticed about a half dozen instances of an alert pop-up that reads something like: "Default Backdoor Blocked/Sub-Seven....". I realize this is probably not good, and am wondering if any of you are experiencing the same thing?

Gee, wonder how many times this happened before I got the firewall.

Thanks.

Big Blue 66


------------------
Life = Karma, or is it, Karma = Life?

Ghost_Hacker
11-15-2001, 02:24 PM
I don't get many scans for that trojan here at work. You might be getting them more than most because of the IP address you're using. If you're using a dial-up account, for instance, then the block of IP addresses used by your ISP is probably being scanned for that trojan.

By the way, the default ports used by Sub 7 are TCP ports 1243,6711,6776.


BigBlue66
11-15-2001, 03:06 PM
Thanks Ghost. I only use AOL dial-up at home. I'm not on the net enough for broadband to pay for itself. I have a T1 here at work, so I do most of my heavy-duty net work here.

So now what? Anything I can do besides making sure I have my firewall up and running?

Thanks.

BB 66


------------------
Life = Karma, or is it, Karma = Life?

Ghost_Hacker
11-15-2001, 05:19 PM
You could write to the "abuse" watchdog at the bad guy's ISP.

To do that you'll need the IP address of the guy (that should be in the ZA logs). Then go here http://network-tools.com/ , type the IP in and click the "express lookup" option. Once the trace is done, at the bottom of the trace page will be the network the IP address belongs to. It should be a web page link; click it and the contact information should come up. Look for an "abuse@" address, or if that isn't listed use the "admin@" email address, and email them with the firewall's log entries and the IP address of the bad guy. You should also include the date the scanning took place.

If you don't get that information from the trace you can go here http://visualroute.visualware.co.uk/ (make sure Java is enabled in your web browser), type the IP address in and hit your "enter" key. This should give you a good idea what ISP he's using. You can then just do a Google search for that ISP and get their contact info.

Most ISPs will email you back that they have taken some steps to correct the problem. (But a few ISPs may not write back at all.)

I have gotten pretty good results this way. The key is to give them as much information as possible about the hacking attempt.
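The two steps Ghost_Hacker describes above (spot the hits on the SubSeven default ports TCP 1243/6711/6776 in the firewall log, then send the abuse@ or admin@ contact the log entries, the source IP and the dates) can be scripted. The block below is an added example written for this page, not code from the thread or from any firewall vendor. The log line layout, the whois text and all IP addresses (RFC 5737 documentation ranges) are constructed for the example; real Norton Personal Firewall and ZoneAlarm logs use their own formats, so `LINE_RE` would have to be adjusted, and the whois lookup itself (network-tools.com in the post) is represented by a saved text snippet rather than a network query.

```python
"""Triage personal-firewall log lines for SubSeven probes and draft an abuse report.

Added example, not from the original thread. Assumes a constructed log format
(one blocked connection per line) and a saved whois text; adjust LINE_RE for
a real firewall's log layout.
"""
import re
from collections import defaultdict
from datetime import datetime

# Default SubSeven ports as given in the thread (TCP 1243, 6711, 6776).
SUBSEVEN_PORTS = {1243, 6711, 6776}

# Constructed sample log: timestamp, action, protocol, src ip:port -> dst ip:port.
SAMPLE_LOG = """\
2001-11-14 22:13:07 BLOCK TCP 203.0.113.45:2315 -> 192.0.2.10:1243
2001-11-14 22:13:09 BLOCK TCP 203.0.113.45:2316 -> 192.0.2.10:6711
2001-11-14 22:13:11 BLOCK TCP 203.0.113.45:2317 -> 192.0.2.10:6776
2001-11-14 22:41:55 BLOCK TCP 198.51.100.7:1040 -> 192.0.2.10:80
2001-11-15 01:02:33 BLOCK UDP 198.51.100.7:1041 -> 192.0.2.10:137
2001-11-15 03:17:20 BLOCK TCP 198.51.100.200:4490 -> 192.0.2.10:1243
"""

# Constructed whois output for the first source network (hypothetical ISP).
SAMPLE_WHOIS = """\
NetRange:       203.0.113.0 - 203.0.113.255
NetName:        EXAMPLE-DIALUP
OrgTechEmail:   admin@isp.example
OrgAbuseEmail:  abuse@isp.example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<action>\w+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed log line; lines that don't match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate noise or truncated lines
        rec = m.groupdict()
        rec["sport"] = int(rec["sport"])
        rec["dport"] = int(rec["dport"])
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
        yield rec


def subseven_probes(text):
    """Return {source_ip: [records]} for TCP connection attempts to SubSeven ports."""
    hits = defaultdict(list)
    for rec in parse_log(text):
        if rec["proto"] == "TCP" and rec["dport"] in SUBSEVEN_PORTS:
            hits[rec["src"]].append(rec)
    return dict(hits)


def pick_abuse_contact(whois_text):
    """Prefer an abuse@ mailbox, fall back to admin@, as the post advises; None if neither."""
    emails = re.findall(r"[\w.+-]+@[\w.-]+\.\w+", whois_text)
    for prefix in ("abuse@", "admin@"):
        for e in emails:
            if e.lower().startswith(prefix):
                return e
    return None


def _fmt(r):
    return (f"{r['ts']:%Y-%m-%d %H:%M:%S} {r['action']} {r['proto']} "
            f"{r['src']}:{r['sport']} -> {r['dst']}:{r['dport']}")


def abuse_report(source_ip, records, reporter="BigBlue66"):
    """Draft an abuse e-mail body: dates, a time-zone caveat, ports, and the raw log evidence."""
    records = sorted(records, key=lambda r: r["ts"])
    first, last = records[0]["ts"], records[-1]["ts"]
    ports = sorted({r["dport"] for r in records})
    lines = [
        f"Subject: Trojan port scanning from {source_ip}",
        "",
        f"Between {first:%Y-%m-%d %H:%M:%S} and {last:%Y-%m-%d %H:%M:%S} "
        "(local time of the reporting host; adjust for time zone), "
        f"the host {source_ip} on your network probed my machine on "
        f"TCP port(s) {', '.join(map(str, ports))}, the default SubSeven backdoor ports.",
        "",
        "Firewall log entries (one per blocked connection attempt):",
    ]
    lines += ["  " + _fmt(r) for r in records]
    lines += ["", "Regards,", reporter]
    return "\n".join(lines)


if __name__ == "__main__":
    print("Send to:", pick_abuse_contact(SAMPLE_WHOIS))
    for ip, recs in subseven_probes(SAMPLE_LOG).items():
        print(abuse_report(ip, recs))
        print("-" * 60)
```

The report keeps the raw log lines rather than a summary, since the ISP's abuse desk matches them against its own dial-up session records, and it states the time zone caveat explicitly: a dial-up IP is reassigned every session, so a timestamp that is off by a few hours points at the wrong customer.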

Jumby
11-15-2001, 06:44 PM
Hey BigBlue, I was having the same problem a while ago. I searched and searched and someone said that I HAD the trojan. I printed out everything that Norton had and did what they said...except I couldn't find the trojan. Here's what to do...open Norton Firewall, click Options, under the General tab click Advanced Options, click the Firewall tab, then click Add. Then follow the directions for the Rule. Good luck. It frustrated the hell out of me. But check this real good http://securityresponse.symantec.com/avcenter/venc/data/backdoor.subseven.html

rond36
11-16-2001, 12:55 AM
Jumby every time I click on your link it crashes Internet Explorer

------------------
Alright who messed it up this time!

Jumby
11-16-2001, 09:27 AM
Strange. It works for me. Maybe someone else can click it and see what happens for them. If not, just go to Symantec's web site and search for the Backdoor.SubSeven trojan. I'll try to e-mail it to you too.

Jumby
11-16-2001, 09:41 AM
Because I have a firewall, I can't send that page. (???) Sorry.

YODA74
11-16-2001, 09:53 AM
In the mail, round.
Sorry, it didn't work for me either.
I did it a different way; it should be with you soon. Good luck.

------------------
W/Me (memory eater)
Me Help (http://www.webtechgeek.com/center_Frame_win_me_tips.html)
BUDS TS. (http://www.geocities.com/~budallen/whatsnew.html)
answers (http://www.dewassoc.com/support/index.html)


ErnieK
11-16-2001, 05:15 PM
Jumby, I saved the web page to my desktop, zipped it up using WinZip and sent it to you. Hope you can open it; you should be able to when offline.

------------------
Ernie

Jumby
11-20-2001, 01:09 PM
Dumb me, I forgot to disable firewall and antivirus. Sorry. If you still need it let me know.