Date: Fri, 2 Nov 2001 07:53:37 -0500 (EST)
From: Ralph Huntington <rjh@mohawk.net>
To: Krzysztof Zaraska <kzaraska@student.uci.agh.edu.pl>
Cc: <freebsd-security@FreeBSD.ORG>
Subject: Re: SubSeven trojan horse
Message-ID: <20011102075147.L92627-100000@mohegan.mohawk.net>
In-Reply-To: <Pine.BSF.4.21.0111021326050.8364-100000@lhotse.zaraska.dhs.org>
> > One of our FreeBSD 4.2-RELEASE machines is accused by mynetwatchman.com of
> > launching a SubSeven trojan horse attack. However, I do not find anything
> > odd about this machine.
> >
> > Is this even possible? I thought subseven was a Windows thing. Can it be
> > launched from bsd? Thanks. - Ralph
>
> It's unclear what they mean by launching an attack.

I think they meant a port probe.

> I never researched this subject, but AFAIK Windoze trojans are
> client/server programs with server running on victim's machine. Client
> software is used by attacker to control victim's machine by sending
> requests to server. So the existence of SubSeven client for BSD cannot
> be ruled out (I guess such code is easily portable -- all you need are
> BSD sockets; for example there's BackOrifice client in /usr/ports and
> this is almost the same). So someone could compromise your machine and
> run SubSeven client from there connecting to some windoze box.
> Unfortunately, I guess, the client may even run without root
> privileges.

Interesting. One would be able to see the client running if that were the case, yes?

> As for spoofed attack... IIRC, BackOrifice used UDP, SubSeven may do so
> also, so sending spoofed requests should be possible.

But a probe could be spoofed, could it not?