Hey all - within the last few weeks, I began running an ADSL connection at home that I always leave on. I started out by running Norton SystemWorks Pro '03 (including Nortan AntiVirus) and ZoneAlarm Free Version. A few days ago I purchased Norton Internet Security 2003.

I came home from work yesterday and found that Norton stopped three seperate attempts from three seperate IP's in Poland. Norton's personal firewall said that these IP's were trying to load the "Subsystem 7" Trojan Horse / Backdoor into my computer and were considered High-Risk.

Now, I'm getting at least 5-6 of these attacks from the same IP's every day. Norton blocks them, but I can't seem to get it to just do it's job and not tell me about it. Is this something I should be very concerned about? What exactly is happening here?

Thanks all -

Mike

No need to be concerned unless you happen to have that trojan on your comp . You should run a complete antivirus check on your machine.

Do you mean that the firewall pops up a dialog telling you about the blocking? I'm sure there is a setting to disable this. Maybe a tick box in thet very same dialog?

If you have dynamic IP, try closing and reopening the DSL connection. Getting a new IP should fix the problem too.

Norton Security does that a lot. Just ignore it. It becomes more of an annoyance than anything.

The Sub7 has methods in wich the attacker can know the ip adress of a machine by sending it as mail, irc or icq message to the attacker if he/she setted the trojan to do it, so just turining the dsl off and on to see if you have a dynamic public ip address may not solve the problem if you are infected by that trojan.

You should run a antivirus scan to check out if you have that virus. You should have it installed because it's a good precaution. You may not think you need it untill it's too late..

I assure you it is not a personal attack.

It is an infected machine that is simply automatically trying to spread itself - It probably hits several hundred machines a day looking for an exploitable web server.

Thanks

Thanks for the info guys. Regarding the advice of resetting my dynamic IP: I have a static IP, so I can't reset it.

I'm looking around the Norton Internet Security options, and can't seem to find an option to disable notifications like this, but I'm sure it's there, I'll find it eventually.

I ran a full system scan last night, and it came ok totally clean, so I guess Norton is doing it's job.

Thanks to all who replied -

Mike

Man, this kind of thing is normal. As soon as you install ANY software that monitors things that people are trying to do to you over the net, you begin to see just how horrific that amount of hacking and cracking that's going on is.

My advice is to keep your machine well patched with security updates, keep some firewalling software installed, and keep that up to date as well. Backup your data, don't run any telnet or ftp or anything crappy like that, use secure shell instead ( www.ssh.com ) .

Wow, these hacking attempts or whatever they are actually are becoming an annoyance like you guys said they would. I ended up turning my notifications almost all the way down so I wouldn't have to see that blinking exclamation point every hour.

So, I settled with the full Norton suite until I find something better. It seems to "suite" me well. (hehehe). SystemWorks 2003 Pro, Antivirus 2003 Pro, Internet Security 2003 Pro. Norton's pop-up blocker works very well too, although it doesn't seem to stop banner ads from within Java applet windows.

avg

just change your anti virus to avg...................it's in the download section...........it's free with auto updates

grc.com

there is a website called gibson research or http://www.grc.com there a number of tests on this site that evaluate your vulnerabilties..................check out shields up...........numerous others

Thanks JSR -

I checked out the GRC site and downloaded a number of his free utilities. After the scan, it looks like all my ports are stealthed and the firewall doesn't leak at all.

Why would I change to the free AVG versus Norton?

IP Being Probed from Eastern Europe

I too experienced something similar. I am using NAV2002 updated with latest updates. Not sure why somebody suggested AVG... perhaps, because it is not as popular as Norton and thus not such a big target for hackers? Only speculating...

Back to your subject... When I noticed my computer was being targeted by IP's coming from Poland, I went to Arin (www.arin.net) and looked up the info on the IP address that was attacking me. Emailed the contact who was supposed to be overseeing the group of IP's that contained the offender's IP address.

Never heard back from the administrator contact; however, I did do some other things that helped my trail go cold... I had a dynamic IP so I let it expire and got another one. Changed computer name, workgroup, and password. I've not experienced attacks from Poland since, but I still get attacked every now and then... It's damn annoying, but if you are up 24/7, no matter how much you stealth, invariably someone will find you.

To offset the risk, I put my cablemodem on standby when I'm not actively surfing. If I was running an FTP server or Web server, that wouldn't cut it. It sucks that the actions of a few, make life so difficult for the rest of us who simply want to be left alone.

I don't know if this helps you other than to say, "Yeah, I hear you... same thing happened to me." So you're not imagining things. I'd report all incidents to abuse@<yourISP.com>.

--Swag

P.S. My latest intrustion attempt occurred this morning. It was a Bla Trojan attempt from none other than 65.54.240.61:7001. Go figure... MSFT?!! I sent an email to abuse@microsoft.com. Am waiting to hear back.

If we don't do anything to stem the attacks, we're just giving passive consent to everyone who wants to do this sort of thing and invade our privacy. It's wrong! So please do report these attacks... and maybe we will all get lucky and have one less "malicious" hacker to deal with.