Netbus and Subseven Scans on my isp

  1. #1
    Registered User electroservice's Avatar
    Join Date
    Jun 2001
    Location
    Lexington, KY
    Posts
    10

    Netbus and Subseven Scans on my isp

    I recently installed a firewall and I am having great floods of scanners probing for Netbus and Subseven trojans. I have scanned my system with McAfee, Norton (enterprise), and Trend and show no trojans (or viruses) on my machine. However, I have caught Windows Explorer sending out on an undefined port. Does anyone know how to track this thing down? I have replaced the explorer.exe file but the scans still keep hitting me!

  2. #2
    Registered User
    Join Date
    Nov 2000
    Location
    Green Bay, WI USA
    Posts
    654

    Check out http://grc.com/dos/intro.htm, an in-depth look at bots/zombies and Subseven and the experience first hand of how to eliminate or at least curb the problem.
    Comedy is simply a funny way of being serious.
    Peter Ustinov

  3. #3
    Registered User
    Join Date
    Aug 2000
    Location
    Lake Orion, MI
    Posts
    241

    You probably don't have either one on your system. The probes are just script kiddies trying to find people that do.

    If you keep your virus defs up to date and firewall up to date you should be fine.
    -- I still do not understand the rampant growth of stupidity in this country.
    The TableTop BattleZone (http://www.tabletop-battlezone.com)

  4. #4
    Registered User
    Join Date
    Sep 2000
    Posts
    503

    Open a command prompt and type:
    netstat -a

    This will show you which ports have connections on them and which ports are listening for connections.

  5. #5
    Registered User Cygnus's Avatar
    Join Date
    May 2001
    Location
    Boca Raton, FL
    Posts
    491

    I have had the same problem on two of the networks we support and both times it turned out to be nothing more than probes that got caught by the system anyway. Unless I read your post wrong, I think you're ok.
    I don't feel tardy...

  6. #6
    Registered User kingtbone's Avatar
    Join Date
    May 2001
    Location
    Freddy Beach
    Posts
    794

    Originally posted by Silverman:
    check out http://grc.com/dos/intro.htm an indepth look at bots/zombies and subseven and the experience first hand of how to eliminate or at least curb the problem.

    I suggest that everyone read this. Aside from being very informative, it was actually quite interesting. He suggests that you run ZoneAlarm. This is what he suggests to do:

    All of the IRC Zombie/Bots open and maintain static connections to remote IRC chat servers whenever the host PC is connected to the Internet. Although it is possible for an IRC chat server to be configured to run on a port other than "6667", every instance I have seen has used the IRC default port of "6667".

    Consequently, an active connection to an IRC server can be detected with the following command:


    netstat -an | find ":6667"


    Open an MS-DOS Prompt window and type the command line above, then press the "Enter" key. If a line resembling the one shown below is NOT displayed, your computer does not have an open connection to an IRC server running on the standard IRC port. If, however, you see something like this:


    TCP 192.168.1.101:1026 70.13.215.89:6667 ESTABLISHED


    . . . then the only question remaining is how quickly you can disconnect your PC from the Internet!
    A second and equally useful test can also be performed. Since IRC servers generally require the presence of an "Ident" server on the client machine, IRC clients almost always include a local "Ident server" to keep the remote IRC server happy. Every one of the Zombie/Bots I have examined does this. Therefore, the detection of an Ident server running in your machine would be another good cause for alarm. To quickly check for an Ident server, type the following command at an MS-DOS Prompt:


    netstat -an | find ":113 "


    As before, a blank line indicates that there is no Ident server running on the default Ident port of "113". (Note the "space" after the 113 and before the closing double-quote.) If, however, you see something like this:


    TCP 0.0.0.0:113 0.0.0.0:0 LISTENING


    . . . then it's probably time to pull the plug on your cable-modem!
    Hard work often pays off in the long run, but Lazyness always pays off now.
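
The two netstat checks quoted in post #6, as an added example that is not part of the original thread or of the GRC article. It parses `netstat -an` output by column instead of by substring, so a local port that merely happens to be 6667, or a UDP line, does not raise a false alarm. The choice of Python, the function names and the sample output are assumptions made for illustration.

```python
IRC_PORT, IDENT_PORT = 6667, 113

# Constructed sample output; the first two TCP lines follow the shapes quoted in the post.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.101:1026     70.13.215.89:6667      ESTABLISHED
  TCP    0.0.0.0:113            0.0.0.0:0              LISTENING
  TCP    192.168.1.101:6667     10.0.0.5:80            TIME_WAIT
  TCP    192.168.1.101:1131     10.0.0.9:1130          ESTABLISHED
  TCP    [::]:113               [::]:0                 LISTENING
  UDP    0.0.0.0:113            *:*
"""

def split_endpoint(endpoint):
    """Return (host, port) from 'addr:port'; port is None for '*' or junk."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port) if port.isdigit() else None

def parse_netstat(text):
    """Yield (proto, local, local_port, remote, remote_port, state) per socket line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        _, lport = split_endpoint(fields[1])
        _, rport = split_endpoint(fields[2])
        state = fields[3] if len(fields) > 3 else ""  # UDP lines carry no state
        yield fields[0], fields[1], lport, fields[2], rport, state

def find_indicators(text):
    """Return findings for the two checks described in the post."""
    findings = []
    for proto, local, lport, remote, rport, state in parse_netstat(text):
        if proto != "TCP":
            continue
        # Check 1: an established outbound connection to the default IRC port.
        if rport == IRC_PORT and state == "ESTABLISHED":
            findings.append(("irc-connection", remote))
        # Check 2: a local Ident server listening on the default Ident port.
        elif lport == IDENT_PORT and state == "LISTENING":
            findings.append(("ident-listener", local))
    return findings

if __name__ == "__main__":
    for kind, endpoint in find_indicators(SAMPLE):
        print(kind, endpoint)
```

On a live machine, the same functions can be fed the captured text of `netstat -an` in place of `SAMPLE`.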

  7. #7
    Registered User
    Join Date
    Nov 2000
    Location
    Green Bay, WI USA
    Posts
    654

    ZoneAlarm is quite good at filtering out everything coming into your system or even trying to get out. GRC's probes cannot detect you are online. And his are super sleuths.
    Comedy is simply a funny way of being serious.
    Peter Ustinov
