GENsnoop Tux's lil' helper
Joined: 09 Mar 2004 Posts: 138
Posted: Mon Apr 04, 2005 11:01 pm Post subject: found something odd blocked by my firewall
I was looking through my log from my firewall, and I found something really strange blocked by my firewall:
time:Apr 4 06:14:54 in: out:eth0 port:1234 source:((MY IP)) dest:152.7.10.37 len:44 tos:0x00 protocol:tcp service:subseven
It says service subseven coming from my own box out to that IP: 152.7.10.37 ... is my box hacked? It was blocked by my firewall ... but what can I do to check out my box ... do I have a virus? I have updated my box not that long ago.
_________________
.:GENtoo Linux:.
toshiba pentiumIII 700mhz 128mb ram 10gig hd
micron PC AMD duron 750mhz 576mb ram 30gig hd
hydroxides n00b
Joined: 24 Jan 2004 Posts: 6 Location: UK
Posted: Mon Apr 04, 2005 11:35 pm
I didn't think there was a SubSeven trojan for Linux but apparently there is:-
http://vil.nai.com/vil/content/v_120180.htm
It's probably just a namesake rather than a direct variant. I don't think you should be worried though. The packet was outbound to port 1234 not inbound. That would mean you were connecting to an infected machine but I doubt it. I assume you were using some P2P application which the person in question has decided to run on that port number.
You need only worry when inbound packets are to port 1234 (assuming you haven't purposely set something to listen on that port). You can see which services are running using the netstat command.
For TCP services:- netstat -tlp
For UDP services:- netstat -ulp
That will display a list of sockets and the ports they are listening on, along with the associated service that owns it. You should find that there are no services listening on port 1234. If you find something you don't recognise or are still concerned, break out the AV. There's a selection in portage to choose from. ClamAV seems quite popular if you don't know which to choose, although I've personally never used any of them.
http://packagestest.gentoo.org/packages/?category=app-antivirus
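The reasoning in the reply above, as an added example that is not part of the original posts: read the direction and port from a firewall log line, then look for a local TCP listener on that port in `netstat` output. It assumes the `in:`/`out:` fields name the interface the packet arrived on or left by, and it adds `-n` to the `netstat -tlp` command so ports print as numbers; the function names, addresses and process names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All sample data below is constructed.

# Classify a firewall log line in the key:value layout quoted in the first post.
# Assumption: empty "in:" plus a set "out:" means the packet was leaving this
# host. Prints "<direction> <port>".
fw_direction() {
    printf '%s\n' "$1" | awk '{
        inif = ""; outif = ""; port = "?"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^in:/)   inif  = substr($i, 4)
            if ($i ~ /^out:/)  outif = substr($i, 5)
            if ($i ~ /^port:/) port  = substr($i, 6)
        }
        if (inif == "" && outif != "")      dir = "outbound"
        else if (inif != "" && outif == "") dir = "inbound"
        else if (inif != "" && outif != "") dir = "forwarded"
        else                                dir = "unknown"
        print dir, port
    }'
}

# Read `netstat -tlnp` output on stdin; print "<local address> <pid/program>"
# for each socket listening on port $1 (-n keeps port numbers numeric).
listeners_on_port() {
    awk -v p="$1" '$6 == "LISTEN" {
        n = split($4, a, ":")   # last piece is the port, IPv4 or IPv6
        if (a[n] == p) print $4, $7
    }'
}

# $1 = log line, stdin = netstat output: apply the reply's reasoning.
triage() {
    verdict=$(fw_direction "$1"); dir=${verdict% *}; port=${verdict#* }
    hits=$(listeners_on_port "$port")
    if [ -n "$hits" ]; then echo "listener on port $port: $hits"
    elif [ "$dir" = inbound ]; then echo "inbound to port $port, nothing listening"
    else echo "$dir to remote port $port, no local listener"
    fi
}

SAMPLE_LOG='time:Apr 4 06:14:54 in: out:eth0 port:1234 source:192.0.2.10 dest:198.51.100.7 len:44 tos:0x00 protocol:tcp service:subseven'
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 4012/sshd
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 3877/cupsd'

printf '%s\n' "$SAMPLE_NETSTAT" | triage "$SAMPLE_LOG"
```

On a live box, pipe the real command in instead of the sample: `netstat -tlnp | listeners_on_port 1234`. UDP sockets have no LISTEN state, so `netstat -ulnp` output needs to be read by eye.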
GENsnoop Tux's lil' helper
Joined: 09 Mar 2004 Posts: 138
Posted: Tue Apr 05, 2005 12:27 am
Thanks a lot, I got a little scared there when I saw "subseven"; I thought my box was infected. Thanks for clearing it up for me.
The New Guy Tux's lil' helper
Joined: 06 Feb 2005 Posts: 136 Location: Behind you...
Posted: Tue Apr 05, 2005 12:38 am
As far as I know, the only SubSeven for Linux is a SubSeven client. McAfee and Norton "let the virus install itself anyway" Antivirus just like to report the clients for some reason. Don't ask me how I know...
_________________
"I could tell that my parents hated me. My bath toys were a toaster and a radio."
--Rodney Dangerfield
_________________
Windows-free since Feb. 12, 2005
Registered Linux User #386012