From owner-freebsd-security Fri Nov 2 4:36:31 2001
Date: Fri, 2 Nov 2001 13:36:12 +0100 (CET)
From: Krzysztof Zaraska
To: Ralph Huntington
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: SubSeven trojan horse
In-Reply-To: <20011102055342.C92627-100000@mohegan.mohawk.net>

On Fri, 2 Nov 2001, Ralph Huntington wrote:

> One of our FreeBSD 4.2-RELEASE machines is accused by mynetwatchman.com of
> launching a SubSeven trojan horse attack. However, I do not find anything
> odd about this machine.
>
> Is this even possible? I thought SubSeven was a Windows thing. Can it be
> launched from BSD? Thanks. - Ralph

It's unclear what they mean by launching an attack. I never researched this subject, but AFAIK Windoze trojans are client/server programs with the server running on the victim's machine. The client software is used by the attacker to control the victim's machine by sending requests to the server. So the existence of a SubSeven client for BSD cannot be ruled out (I guess such code is easily portable -- all you need are BSD sockets; for example, there's a BackOrifice client in /usr/ports and this is almost the same).
So someone could compromise your machine and run the SubSeven client from there, connecting to some Windoze box. Unfortunately, I guess, the client may even run without root privileges. As for a spoofed attack... IIRC, BackOrifice used UDP, and SubSeven may do so also, so sending spoofed requests should be possible.

Krzysztof