Date: Fri, 2 Nov 2001 14:13:03 +0100
From: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
To: freebsd-security@freebsd.org
Subject: Re: SubSeven trojan horse
Message-ID: <20011102141303.6b856e15.kzaraska@student.uci.agh.edu.pl>
On Fri, 2 Nov 2001 07:53:37 -0500 (EST) Ralph Huntington wrote:
> Interesting. One would be able to see the client running if that were the
> case, yes?

I think so. You should be able to see the client process on your machine, or, more interestingly, packets from your machine to SubSeven's port on the remote network. According to the list I have (I don't remember the source) it's 1243, 6711, 6776 TCP. You should do your own search on the topic (I don't know if the list I have is reliable). Anyhow, snort or tcpdump will help you here.

> > As of spoofed attack... IIRC, BackOrifice used UDP, SubSeven may do so
> > also, so sending spoofing requests should be possible.
>
> But a probe could be spoofed, could it not?

Since, as I've just learned, SubSeven (probably) uses TCP, spoofing is made more difficult, thus a spoofed portscan / probe is more probable than a spoofed TCP session... The problem is that they didn't tell you if they saw just a single SYN packet or a complete handshake and following session.

Krzysztof
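The distinction Krzysztof draws (a lone SYN can be spoofed, a completed three-way handshake to the trojan port cannot easily be) is what a tcpdump capture has to be checked for. The script below is an added example, not part of the thread: it walks constructed tcpdump-style lines, tracks flows to the ports listed in the mail (1243, 6711, 6776; the poster calls that list unverified), and labels each flow as syn-only, syn-ack, or a completed handshake. The line format and the sample addresses are assumptions for the example.

```python
import re

# Ports given in the mail for SubSeven (the poster notes the list is unverified).
SUBSEVEN_PORTS = {1243, 6711, 6776}

# Assumed tcpdump-style line shape: "<ts> IP a.b.c.d.port > e.f.g.h.port: Flags [..], ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def classify_flows(lines):
    """Map (client, server, dport) -> state for flows to SubSeven ports.

    'syn-only'  : only a SYN seen; this is what a spoofed probe looks like
    'syn-ack'   : server answered, client has not acknowledged yet
    'handshake' : client completed the 3-way handshake (a real session)
    """
    flows = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        sport, dport = int(m["sport"]), int(m["dport"])
        if dport in SUBSEVEN_PORTS and "S" in flags and "." not in flags:
            # Plain SYN from client towards the trojan port
            flows.setdefault((src, dst, dport), "syn-only")
        elif sport in SUBSEVEN_PORTS and "S" in flags and "." in flags:
            # SYN-ACK from the server side of that flow
            key = (dst, src, sport)
            if flows.get(key) == "syn-only":
                flows[key] = "syn-ack"
        elif dport in SUBSEVEN_PORTS and "S" not in flags and "." in flags:
            # ACK (possibly with data) from the client completes the handshake
            key = (src, dst, dport)
            if flows.get(key) == "syn-ack":
                flows[key] = "handshake"
    return flows

# Constructed sample capture: one full handshake to 1243, one lone SYN to 6776.
SAMPLE = """\
12:00:01.000 IP 10.0.0.5.40001 > 192.0.2.10.1243: Flags [S], seq 1, win 65535, length 0
12:00:01.010 IP 192.0.2.10.1243 > 10.0.0.5.40001: Flags [S.], seq 100, ack 2, win 65535, length 0
12:00:01.020 IP 10.0.0.5.40001 > 192.0.2.10.1243: Flags [.], ack 101, win 65535, length 0
12:00:05.000 IP 10.0.0.5.40002 > 198.51.100.7.6776: Flags [S], seq 1, win 65535, length 0
"""

if __name__ == "__main__":
    for key, state in classify_flows(SAMPLE.splitlines()).items():
        print(key, state)
```

A flow that never gets past syn-only is consistent with the spoofed probe Ralph asks about; a flow that reaches handshake is the case the thread treats as hard to spoof.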