Help trojan horses
I have over the last 2 hours had a barrage of trojan horse attacks, 26 up to press.
Looking at the firewall stats they all have different IP addresses. What can I do? It seems mighty strange to be getting so many. Can I report this somewhere? It's really naffing me off.
Can you give any more details? The "horse's" name and the software which is reporting the attacks.
I have PM'd you Geoff but in case anybody else can help it is backdoor/subseven and I'm using Norton Symantec.
They are coming every minute or so :help:
Pauls-Stuff 16-10-2003, 18:42 Wow, Sub7 .... retro! They were all the rage back in the day!
If I were you I'd hit him back ;)
-Paul-
Pauls if your post was a joke then it went right over my head.
Phanerothyme 17-10-2003, 15:34 Sub seven is an old school trojan based on IRC (internet relay chat). Basically it's an IRC agent that responds to commands given remotely by someone who has managed to 'plant' the sub7 trojan on your computer (as I understand it)
This means that the trojan is on your computer and trying to contact its 'daddy' somewhere on the net.
Find the program and remove it
Try Pest Patrol, works for me
I was hacked in to on Wednesday night
I was blaming the BNP
Was I wrong then?
My firewall disarmed itself and an alarm rang, but I didn't know what to do so I just logged it all off
I have Zone Alarm
I was online on this site when it happened
Please can someone help with thoughts?
x
Originally posted by Phanerothyme
Sub seven is an old school trojan based on IRC (internet relay chat). Basically it's an IRC agent that responds to commands given remotely by someone who has managed to 'plant' the sub7 trojan on your computer (as I understand it)
This means that the trojan is on your computer and trying to contact its 'daddy' somewhere on the net.
Find the program and remove it
Try Pest Patrol, works for me
Thanks for replying. I knew some clever person on here would be able to suggest something.
But Phan, why hasn't the virus scan I do every week picked this thing up?
Am logging out now but would
REALLY
appreciate someone telling me what to do
My Zone Alarm was shut down by the attack when it was disabled and the alarm started ringing loudly and it has lost its memory of who or what attacked me.
Can someone PM me with an email addy to get into this with, or an ICQ number or something?
I could probably get back online for a proper chat about it on Sunday evening
Thanks ever so much
Pauls-Stuff 17-10-2003, 16:38 Originally posted by Mo
... why hasn't the virus scan I do every week picked this thing up?
Because it isn't a virus basically. It is a piece of software which allows remote access to your comp from another. A virus on the other hand is an executable file which isn't controlled remotely, it is activated either on a timer or by certain actions on your behalf.
-Paul-
Originally posted by Pauls-Stuff
Because it isn't a virus basically. It is a piece of software which allows remote access to your comp from another. A virus on the other hand is an executable file which isn't controlled remotely, it is activated either on a timer or by certain actions on your behalf.
-Paul-
As you've gathered Pauls I'm still fairly new at this game. Do I have to buy something to remove it or is there stuff I can download for free?
alchresearch 17-10-2003, 17:28 There is a brand new set of trojans out, mainly affecting XP and Windows 2000 machines. A number of systems at our school have been affected.
SYMPTOMS:
Machine running slow(er than normal)
Small hourglass at side of mouse pointer that won't go away
CSRSS.EXE service using a great deal of CPU
Pauls-Stuff 17-10-2003, 21:59 Mo, you can just delete them. They are a pain, but as soon as you know where they are, you can get rid of them in a flash!
-Paul-
Thanks Paul for the advice but how do I find the little blighter in the first place?????:confused:
alchresearch 18-10-2003, 10:51 Try www.trojanscan.com to scan for Trojans on-line.
Or download AD-AWARE, another good free utility.
Originally posted by alchresearch
Try www.trojanscan.com to scan for Trojans on-line.
Or download AD-AWARE, another good free utility.
I used Trojanscan and guess what, no trojans found so I'm really stumped now.
:confused:
Pauls-Stuff 18-10-2003, 14:33 Well with them being exe files 9 times out of 10, if you press Ctrl + Alt + Delete you are given a list of all the programs that are running on your comp at that time, and the trojan should be one of them. So if there are any programs you don't recognise or haven't seen before, then take down their names and search for them: Start > Find > Files or Folders.. (That's how you search on Win98 as I'm not an XP man myself :rolleyes: ). Once you've found it, make it no more! :P
-Paul-
alchresearch 18-10-2003, 14:46 The only problem with that is that a number of trojans are 'hijacking' legitimate Windows files, making them difficult to spot - such as the case with one that overwrites csrss.exe
Edit - added following:
This is your best bet:
Start REGEDIT
Navigate to Hkey_local_machine/software/microsoft/windows/currentversion/run
Note down all files in that folder
Go to http://www.pacs-portal.co.uk/startup_pages/startup_full.htm and compare the programs you have with the ones in this list.
fnkysknky 18-10-2003, 14:54 Originally posted by alchresearch
The only problem with that is that a number of trojans are 'hijacking' legitimate Windows files, making them difficult to spot - such as the case with one that overwrites csrss.exe
It doesn't overwrite it otherwise Windows would go tits up - it puts itself in a different path.
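The two posts above combine into one check: list what the Run key starts, then flag any entry that borrows a system file name but lives outside System32. This is an added example, not part of the original thread; the sample entries, the `system_root` default and the names beyond csrss.exe are assumptions made for illustration.

```python
import ntpath

# Core Windows process names that a trojan may borrow; csrss.exe is the one
# named in the thread, the others are added here as further examples.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "services.exe", "winlogon.exe"}


def image_path(command):
    """Return the executable path from a Run value, without quotes or arguments."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    end = command.lower().find(".exe")
    return command[:end + 4] if end != -1 else command.split(" ", 1)[0]


def audit_run_entries(entries, system_root=r"C:\WINDOWS"):
    """Flag Run entries that use a system file name from outside System32."""
    # system_root is an assumption: adjust it if Windows lives elsewhere (e.g. C:\WINNT).
    root = system_root.lower()
    expected_dir = ntpath.join(root, "system32")
    findings = []
    for value_name, command in entries.items():
        path = image_path(command).lower().replace("%systemroot%", root)
        # normpath collapses "..", so a path that only passes through System32 is caught
        directory, filename = ntpath.split(ntpath.normpath(path))
        if filename in SYSTEM_NAMES and directory != expected_dir:
            findings.append((value_name, filename, directory))
    return findings


# Constructed sample of Run values (not taken from any real machine).
SAMPLE_RUN_VALUES = {
    "ExampleAV": r'"C:\Program Files\ExampleAV\avtray.exe" /min',
    "Loader": r"C:\WINDOWS\csrss.exe",
    "Helper": r"%SystemRoot%\system32\..\temp\lsass.exe -s",
    "InPlace": r"%SystemRoot%\system32\services.exe",
}

if __name__ == "__main__":
    for value_name, filename, directory in audit_run_entries(SAMPLE_RUN_VALUES):
        print(f"{value_name}: {filename} runs from {directory}, not System32")
```

On a Windows machine the same dictionary can be filled from the real key with the standard-library `winreg` module.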
purplepippa 19-10-2003, 01:35 Belle~
That is scary and I'd have suspected the same people.
I don't have any advice I'm afraid, just wanted to say this cos noone seems to have acknowledged your concerns and I wanted to say I hear you.
fnkysknky 19-10-2003, 10:56 chances are it was a 'random' attack - there's a million and one script kiddies around the world all trying the same thing :rolleyes:
alchresearch 19-10-2003, 10:59 Yeah, you don't want to start getting paranoid.
If you are concerned about your computer's security, head on over to www.grc.com (http://www.grc.com) and get a free systems check.
Classic Rock 20-10-2003, 09:20 Are hardware firewalls worth their weight in gold? I've heard they start at around £80 and keep problems away.
Originally posted by Classic Rock
Are hardware firewalls worth their weight in gold? I've heard they start at around £80 and keep problems away.
A hardware firewall won't necessarily be the end to your problems, after all a firewall can't stop you clicking on an exe in an email that, although it appears to be a harmless game, actually contains a trojan which is installed on your machine.
I have a hardware firewall at home though, and have never had a virus on my home network, never had a DoS attack and feel pretty secure as a result.
I think the best defence is knowledge though. I have just acquired a load of books on hacking, not so that I can break into the Pentagon, but so that I know the threat I am facing. And what a lot of people don't realise is that you don't have to have upset someone to be a target. There are plenty of easily obtainable programs that simply scan the internet for computers with vulnerabilities to exploit. A lot of people do this for "fun", some do it to try and obtain passwords and other personal info.
digiquill 02-11-2003, 15:56 I've been having the same trojan/sub seven attack problem, although I'm getting it from the same IP. I have a pretty good idea about who the guy is now. But all I know is his first name and the town he lives in. In any case, I scanned my computer for trojans with Ad-Aware and PestPatrol and both of them came up with a file called Alexa that's situated in the registry under Internet Explorer. I'm wondering if it's safe to remove this key and whether this might have anything to do with the trojan horse/sub seven. Pestpatrol calls it an "exploit."
Thanks in advance,
DQ
alchresearch 02-11-2003, 15:59 Knowing his name, town and IP address should be enough for you to take action.
digiquill 02-11-2003, 18:11 I've already contacted his ISP's abuse center. But he seems to be doing some attacks through AOL, so I suspect that he'll find another way to launch attacks even if his ISP boots him.
The other action I need to take is on my end. So I'm wondering if this Alexa reg. key is part of the problem and if removing it will change anything. He seems bent on using Trojan Horse/Sub Seven. So far it doesn't seem to be working for him.
DQ
tslogf74 03-11-2003, 16:04 I got a unusually high number of backdoor/sub7 security alerts over the weekend also. I didn't check where they were coming from.
I use norton firewall and deepsite analyser which allows symantec to gather information about security events from their user community.
http://analyzer.securityfocus.com/downloadnis.asp
:confused: I have 9 trojan horses quarantined on Norton, what would happen if I deleted them from the quarantine vault?
My latest two little visitors are Ripper Trojan and Netspy trojan. I'm getting quite a collection :(
Martin_s 01-12-2003, 20:01 Erm...
Can I just disagree with an earlier assumption that there was definitely a trojan on the system in the first place...
If the firewall is blocking INCOMING requests that relate to a trojan then it's likely that there are one or more script kiddies attempting to either:
a) scan for machines with a trojan installed
OR...
b) access an IP that may previously have been compromised when used by someone else.
It does not necessarily mean that a trojan actually exists on your machine...
BUT.. it never hurts to double check and there are various tools out there to help with it..
Rule of thumb is to make sure Windows update is run regularly for all critical updates. A good and regularly updated Anti Virus scanner is installed and some form of firewall..
Personally I use Smoothwall on an old P133 box to protect my entire network, Norton AV on all my machines and SpyBot to check for spyware... Works a treat :)
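Martin_s's distinction between blocked incoming requests and an actual infection can be read straight off a firewall log: inbound blocks from many addresses are scanning, while unexpected outbound connections started by your own machine are the thing to chase. This is an added example, not part of the original thread; the log format, addresses and the list of expected outbound ports are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed log format for this example; real firewalls each use their own.
LINE = re.compile(
    r"\S+ (?P<action>BLOCK|ALLOW) (?P<dir>IN|OUT) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def triage(lines):
    """Separate blocked inbound probes from connections this machine started."""
    probes = defaultdict(set)   # local port -> remote addresses that knocked on it
    outbound = []               # (remote address, remote port) we tried to reach
    for line in lines:
        m = LINE.match(line.strip())
        if m is None:
            continue            # not an event line in the assumed format
        if m["dir"] == "IN" and m["action"] == "BLOCK":
            probes[int(m["dport"])].add(m["src"])
        elif m["dir"] == "OUT":
            outbound.append((m["dst"], int(m["dport"])))
    return probes, outbound


def verdict(lines, expected_ports=frozenset({25, 53, 80, 110, 443})):
    """expected_ports is an assumption: mail, DNS and web for a home PC."""
    probes, outbound = triage(lines)
    unexpected = [conn for conn in outbound if conn[1] not in expected_ports]
    if unexpected:
        return "check this machine", unexpected
    if probes:
        return "inbound scanning only", sorted(probes)
    return "nothing logged", []


# Constructed events. 27374 is the port usually associated with SubSeven.
SCANNED = [
    "19:58:03 BLOCK IN 203.0.113.7:4312 -> 192.0.2.10:27374",
    "19:59:10 BLOCK IN 198.51.100.24:1187 -> 192.0.2.10:27374",
    "20:00:41 BLOCK IN 203.0.113.99:3020 -> 192.0.2.10:27374",
    "20:00:50 ALLOW OUT 192.0.2.10:1045 -> 198.51.100.80:80",
]
# Same log plus one outbound connection to the usual IRC port from this machine.
SUSPECT = SCANNED + ["20:01:02 BLOCK OUT 192.0.2.10:1046 -> 198.51.100.9:6667"]

if __name__ == "__main__":
    print(verdict(SCANNED))
    print(verdict(SUSPECT))
```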
It's about time that ISP's took this seriously and used scanning software on everything, giving the choice to download, quarantine or delete. I am on ISDN and we're connected nearly 10 hours a day and our combination of (paid for) ISP virus and spam protection from Force 9 and Norton / AVG works very well. Why do people still click on things that are obviously dodgy?
Martin_s 02-12-2003, 10:59 Originally posted by Tony
Why do people still click on things that are obviously dodgy?
If you could answer that one you'd be a millionaire in seconds!! :D
fnkysknky 02-12-2003, 12:00 Originally posted by Tony
It's about time that ISP's took this seriously and used scanning software on everything, giving the choice to download, quarantine or delete. I am on ISDN and we're connected nearly 10 hours a day and our combination of (paid for) ISP virus and spam protection from Force 9 and Norton / AVG works very well. Why do people still click on things that are obviously dodgy?
Because some people just use a pc to read email etc. and know nothing about virii and the like
I received a small exe file from someone and when I saved it to my C: drive and double clicked on the icon the exe file disappeared. After that the person who sent me the file could control or see anything I do on my computer. I was really scared because I had a lot of data I didn't want to lose.
I re-formatted my C: drive (the only one I have), installed Windows XP all over again and I hope the virus is gone.
Do you know anything about that virus? Do you think the person can still control my computer without me knowing?
After all I installed a firewall.
Thank you
How do you know that they could see anything on your computer?
I'm not aware of any trojans that could survive a reformat and re-install so I'd say you're ok, but I'm no expert.
I'm sure you realise it now, but I'd never ever open any executable kind of attachment unless I knew who it was from.
Thank you for replying.
Well you are asking me "How do you know that they could see anything on your computer?" :) Because I was chatting with my friend and the "hacker" was laughing and typing back our conversation (the conversation with my friend) and he also described some of my files that I had on my C: drive. It was scary.
Yes, it's true, I will never open an exe file or anything from a person I don't know ;)
Something similar happened to a friend of mine Dino. The hacker eventually managed to take over her keyboard whenever she logged on. She was forced to reformat and after that had no more problems. Creepy though - you have my sympathy for what it's worth. My friend doesn't scare easily but this really upset her.
I don't scare easily either, but from what I have just read.
I am bothered. By the way thank you to Mo especially for raising this point.
And special thanks to everyone else who have given me my days learning on `trojan horses`.
I got a pop up two days ago (now 19th Dec) saying that my computer was being remotely controlled.
I shut down immediately.
I do not fully understand implications of the presence of that type of alien programme or if I will be alerted if it happens again.
Can someone please PM me with more help?
venger
Martin_s 20-12-2003, 01:50 Well there's a bunch of things you can do but initially the course of action is preventative.
Ensure you have:
- good virus checker (kept up to date)
- all windows update (http://v4.windowsupdate.microsoft.com/en/default.asp) critical updates installed
- a firewall (eg: zonealarm) installed.
- keep regular backups of your important data.
In itself it pays to learn about how the different aspects above work so you don't get caught out as it's easy to think "I'm covered" and then negate the effect by doing something dumb.
In terms of reactive measures (ie: when a virus has gotten through or something triggers your alarm bells)...
- check whether your antivirus is still working
- look for any reports that match the problems/symptoms your system is experiencing
- try running AdAware, Spybot or some other spyware detector to see if anything has infected your system that isn't necessarily a virus.
but above all else, if you're really worried that something has gone completely ape then turn off the machine and disconnect it from the net before seeking professional help..
Hope that helps..
I've had 274 attempted attacks in the last hour. Sat looking at the stats log and it's just going up and up and up constantly. What is happening please HELP.
20 mins later and it's up to 600. Now I'm panicking
Martin_s 08-09-2004, 18:38 Originally posted by Mo
I've had 274 attempted attacks in the last hour. Sat looking at the stats log and it's just going up and up and up constantly. What is happening please HELP.
Ok... first thing to say is don't panic.
If you're seeing a load of warnings to say that people are attempting to access your machine then this is normal... especially if you're on broadband..
At a guess you've just installed a firewall and have the notices set to inform you whenever any nasties pop up their heads... Trust me when I say you don't need to know... It's if your machine suddenly starts acting weird, slowing right down, pumping out emails, etc.. then you want to worry...
So, just double check a few things like your windows updates are sorted, your AV is up to date and your firewall software is up and running too...
Beyond that, turn off the notifications in your firewall's configuration settings and just ignore those crack attempts..
Hope that helps..
:)
Martin
I'm going to pm you Martin.