Thread: Trojan horse
View Single Post
  #6  
Old 28-07-2002, 14:22
RincewindTheWiz's Avatar
RincewindTheWiz RincewindTheWiz is offline
Die Hard Member
 
Join Date: Jul 2002
Location: Discworld
Posts: 2,503
Thanks: 0
Thanked 149 Times in 2 Posts
RincewindTheWiz is on a distinguished road
Maybe there was a time that a firewall alert was rare and exotic when you connected to the internet, but I wasn't around then Seriously, I've got a constant on ADSL broadband connection, and the alerts for portscanning keep on coming very day. I'm using ZoneAlarm and every portscan (what you're experiencing) used to bring up a popup with a warning, but I had to disable that since I was getting dozens of popups each day. Sometimes more than 100 in 24 hours. So don't get worried, if this is the first time it's happening, you've just been extremely lucky. Or maybe you haven't been online for long or your firewall hasn't been installed for long ?

Anyway, incoming portscans can do almost no harm. When they're scanning for a trojan, such as in your case, it just means someone is checking all ip adresses. They don't even know you're there, all they do is scan dozens of numbers and see if they're getting a reply from a trojan. Now, if you DID have a trojan, nothing would happen because the firewall intercepts the incoming messages for this trojan so it never becomes active. Even if you didn't have a firewall in place, nothing would happen if there wasn't a trojan present on your system to listen to these incoming messages.

Outgoing messages are different, and with me for example, I have to give permission in Zonealarm for each program that tries to send a message to the internet instead of just listening. If iI don't give permission, it is for the program in question as if I don't have a connection. When I start Half-Life for the first time, I would get a window asking if 'hl.exe' should be allowed to have server rights (listening) and to be able to send packets to the game servers. I know hl.exe is aok, so I allow it to send packets outside and the firewall will now automatically receive any packets destinated for hl.exe.

But if suddenly a "kerne1.exe" tries to connect outside, I ofcourse refuse this, since I don't know why it would try this. "kerne1.exe" is one of the filenames of one of the trojans, but I don't need to know that. The only thing I need to know is if it's something I want to allow to connect outside or something I don't know.

Only if the trojan program is present on your pc and you do let it connect outside, there can be a problem. And I think this (might) be the case with you. You're getting an awful lot of SubSeven messages, while normally you should be getting all kinds of things like port 80 scans (code red), other trojans etc...

In fact this can be no coincidence. My ZoneAlarm firewall blocks incoming traffic AND outgoing traffic. I know some vendors sell firewalls which do not block outgoing traffic. It's all guesswork on my side, so I could be wrong about this, but it seems the port sacnners are getting messages from your pc that the subseven trojan is there. Trojans often 'call home' to certain irc-servers to be checked by script kiddies later.

I don't think this is a coincidence, and I suspect you do have the subseven trojan. But don't worry, they can't control it, because your firewall is in the way of the incoming commands from the script kiddies. If you want to get rid of these attempts to contact the trojan, you obviously have to remove it. If you don't have an up to date virsusscanner I advise you to get one. Failing that, try one of the free subseven removal programs, like one from this page.

It could very well be that your pc is squeaky clean and the virsusscanners and removal tools find nothing. But it's better to be save than sorry... Once again, I'm only speculating here, but I think more is going on than just the random harmless portscanning everyone gets. As long as your firewall is working, you have nothing to fear, but DO try to find out if you do have the trojan ok ?