
Possible attack


JerryM

Dec 30, 2001, 9:42:21 PM
I've recently installed Norton Internet Security and it's logging the
following events:
Intrusion attempt detected from address 62.30.235.94 by rule "Default
Block Backdoor/SubSeven Trojan horse".

Is this an actual attack?

ni...@nospam.demon.co.uk

Dec 30, 2001, 9:59:25 PM

Sort of, it's just someone seeing if the "SubSeven" trojan, rather than
trying to install it themselves.

Unfortunately this is so common it's really just background noise on the Net.

--
"Anyone with the naivety to run IIS is, IMHO, automatically suspect when it
comes to doing anything technical, such as setting a clock."

JerryM

Dec 30, 2001, 11:07:02 PM
In article <1009767565.18988....@news.demon.co.uk>,
ni...@nospam.demon.co.uk says...

> JerryM <nos...@aol.com> wrote:
> > I've recently installed Norton Internet Security and it's logging the
> > following events:
> > Intrusion attempt detected from address 62.30.235.94 by rule "Default
> > Block Backdoor/SubSeven Trojan horse".
> >
> > Is this an actual attack?
>
> Sort of, it's just someone seeing if the "SubSeven" trojan, rather than
> trying to install it themselves.
>
> Unfortunately this is so common it's really just background noise on the Net.
>
>
Thanks.
It's happened a couple of times today. The firewall seems to be stopping
it so I shouldn't be worried I guess.

siljaline

Dec 31, 2001, 2:00:54 AM

Ran a traceroute on the 62.30.235.94 IP, it resolved to the following:
-----------------------------------------------------------------------------------------------------------

inetnum: 62.30.224.0 - 62.30.238.255
netname: HSD-LINLIT
descr: Linlithgo HSD platform
country: GB
admin-c: MG645-RIPE
tech-c: SB264-RIPE
status: ASSIGNED PA
mnt-by: RIPE-NCC-NONE-MNT
changed: mi...@cableinet.net 20000328
source: RIPE

route: 62.30.0.0/15
descr: Cable Internet
descr: UK ISP
origin: AS5462
notify: net...@cableinet.net
mnt-by: AS5462-MNT
changed: mi...@cableinet.net 20001012
source: RIPE

person: Mike Garrett
address: Telewest Communications (Cable Internet)
address: Genesis Busines Park
address: Woking, Surrey
address: GU21 5RW
phone: +44 1483 776796
fax-no: +44 1483 251 810
e-mail: mi...@cableinet.net
nic-hdl: MG645-RIPE
changed: mi...@cableinet.net 20010426
source: RIPE

person: Simon Brilus
address: Level(3) Communications
address: 66, Prescot Street
address: London, UK
phone: +44 207 961 8862
fax-no: +44 207 864 4488
e-mail: sbr...@cableinet.net
nic-hdl: SB264-RIPE
changed: sbr...@cableinet.net 20010626

Domain Name: BLUEYONDER.CO.UK

Registered For: Telewest Communications PLC

Domain Registered By: TELEWEST

Registered on 19-Oct-1999.

Record last updated on 26-Jul-2001 by <hostm...@cableinet.net>.

Domain servers listed in order:

NS.BLUEYONDER.CO.UK 195.188.53.114
NS2.BLUEYONDER.CO.UK 195.188.53.113

WHOIS database last updated at 00:42:24 31-Dec-2001

<END>

Please be my guest and make of this what you will.

HTH
--
siljaline
GMT - 5:00

"Arguing with anonymous strangers on the Internet is a sucker's game
because they almost always turn out to be -- or to be indistinguishable from
-- self-righteous sixteen-year-olds possessing infinite amounts of free time."
- Neal Stephenson, _Cryptonomicon_

ni...@nospam.demon.co.uk

Dec 31, 2001, 6:26:43 AM
siljaline <siljaline...@spamhotmail.com> wrote:
> On Mon, 31 Dec 2001 02:42:21 GMT, JerryM <nos...@aol.com> wrote:
>
>>I've recently installed Norton Internet Security and it's logging the
>>following events:
>>Intrusion attempt detected from address 62.30.235.94 by rule "Default
>>Block Backdoor/SubSeven Trojan horse".
>>
>>Is this an actual attack?
>
> Ran a traceroute on the 62.30.235.94 IP, it resolved to the following:
> -----------------------------------------------------------------------------------------------------------
>
> inetnum: 62.30.224.0 - 62.30.238.255
> netname: HSD-LINLIT
> descr: Linlithgo HSD platform
> country: GB

Just FYI, that's "whois" not "traceroute".

Not being pedantic or anything ;)

ni...@nospam.demon.co.uk

Dec 31, 2001, 6:29:04 AM
JerryM <nos...@aol.com> wrote:
> In article <1009767565.18988....@news.demon.co.uk>,
> ni...@nospam.demon.co.uk says...
>> JerryM <nos...@aol.com> wrote:
>> > I've recently installed Norton Internet Security and it's logging the
>> > following events:
>> > Intrusion attempt detected from address 62.30.235.94 by rule "Default
>> > Block Backdoor/SubSeven Trojan horse".

<snip>

> It's happened a couple of times today. The firewall seems to be stopping
> it so I shouldn't be worried I guess.

Spot on. Also do bear in mind that the remote "attacker" is looking for an
existing program running on your machine, if you're not running that program
then you're not in any danger from this particular attempt anyway. Any
decent anti-virus software should be able to detect the program, which I
hope you're running :)
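
Added example, not part of the original posts: the reply above points out that the probe only matters if the backdoor is already running on the machine. This Python script tallies alerts in the log wording JerryM quoted, then checks the local host for a listener; the port numbers, the `BACKDOOR_PORTS` table, the sample log and all function names are assumptions, since the thread names no port.

```python
import re
import socket
from collections import Counter

# Alert wording as quoted in the thread; captures source address and rule.
ALERT_RE = re.compile(r'Intrusion attempt detected from address '
                      r'(\d{1,3}(?:\.\d{1,3}){3}) by rule "([^"]+)"')
# Assumption: commonly documented SubSeven TCP defaults; the thread names none.
BACKDOOR_PORTS = {"SubSeven": (27374, 1243)}
# Constructed sample, wrapped like the post. 62.30.235.94 is from the thread;
# 192.0.2.10 is a documentation-range placeholder.
SAMPLE_LOG = '''Intrusion attempt detected from address 62.30.235.94 by rule "Default
Block Backdoor/SubSeven Trojan horse".
Intrusion attempt detected from address 192.0.2.10 by rule "Default
Block Backdoor/SubSeven Trojan horse".
Intrusion attempt detected from address 62.30.235.94 by rule "Default
Block Backdoor/SubSeven Trojan horse".
'''

def summarize(log_text):
    """Count alerts per (rule, source address); wrapped lines are re-joined."""
    flat = " ".join(log_text.split())
    return Counter((rule, src) for src, rule in ALERT_RE.findall(flat))

def is_listening(port, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def triage(log_text, port_check=is_listening):
    """Per rule: hit count, source addresses, and local backdoor ports open."""
    report = {}
    for (rule, src), hits in summarize(log_text).items():
        entry = report.setdefault(rule, {"hits": 0, "sources": set()})
        entry["hits"] += hits
        entry["sources"].add(src)
    for rule, entry in report.items():
        ports = [p for n, ps in BACKDOOR_PORTS.items() if n in rule for p in ps]
        entry["open_ports"] = [p for p in ports if port_check(p)]
    return report

if __name__ == "__main__":
    for rule, e in triage(SAMPLE_LOG).items():
        state = "listener found, investigate" if e["open_ports"] else "no listener"
        print(f"{rule}: {e['hits']} hits from {sorted(e['sources'])}; {state}")
```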

siljaline

Dec 31, 2001, 12:19:12 PM

Thanks for the FYI mate, yes it was a "whois" - btw, your sig speaks
volumes re: IIS.

Happy New Year from Montreal, Canada!!!
