ive been hacked help!
john robbinson
01-03-2000, 03:42 PM
I was on 1-2-00 viewing a site and watching T.V. through my Aver TV card when the volume kept being tuned down and I kept turning it up and something kept turning it down. Then when I clicked on different links something kept clicking on everything else. Went to try and sign off realizing somebody else was controlling everything. It wouldn't let me sign off, it kept highlighting everything. What do I look for?
What does this mean? I have win98 with all the ms updates. Penicillin-6 and just installed bo detect (free trial) but system seems to check out ok for all viruses and even tried house calls. Help me!
cracker009
01-03-2000, 04:26 PM
Get McAfee or Norton. They're much better!
On the other hand, you might have caught a brand new virus so keep on updating the scanner.
Good luck!
scotter
01-03-2000, 04:35 PM
Go here and test your ports. Read everything on this site; it will tell you just about all you want or need to know about hackers and how they work and what to get :)
http://grc.com/x/ne.dll?bh0bkyd2
[This message has been edited by scotter (edited 01-03-2000).]
richamies
01-03-2000, 04:43 PM
Have a look in your windows directory for a file called MSREXE.EXE. If it's there give me a shout back. It is part of a trojan that allows other people access to your machine and it ain't picked up by Norton etc yet. The trojan is called SubSeven and it allows other people access to your machine....
Subseven is very nasty, and very hidden. A friend and I tested it on one another. In the bottom right hand corner of the desktop on the commanding computer they see a miniature version of your screen; from there, they can do anything they want. This program is dangerous, and I highly suggest you DO NOT download files you don't know about and don't download anything from people who you do not know personally.
If you have a cable modem, T1, or any other internet connection which is on all the time, disconnect it and then get rid of subseven.
richamies
01-03-2000, 05:54 PM
For anyone who actually finds the subseven trojan on their system, DELETE IT!! When you start Windows afterwards, you will get messages about being unable to find a program blah blah blah. It is started in a number of ways, in the win.ini, the system.ini and also in the registry. Please be careful and check out that you ain't infected. It really is a nasty piece of work, I had the fortune to have a copy passed over to me from a friend of mine, so I have both ends of the program here. They can do all sorts with it, steal your passwords, hack into your ICQ, yahoo messenger etc and watch all your messages, enable a keyboard logger, disable your keyboard, watch your screen, CONTROL your screen, edit/delete files from your machine, get any personal information you have entered (I'm not sure where they pull this from but trust me they do, but not on all machines). It is a REAL nasty piece of work. I have a copy of the Trojan and the controller here, as it has its uses if a friend cannot do something with their pc or if they are having problems, don't ask me for a copy unless you have a very genuine reason as I will not give it out, there are certain trustworthy people on here that I would give it to (they might know who they are) but please, no-one, if you do have the controller program don't pass it on, and please *ALL* of you check out your windows directory for MSREXE.EXE it really is a KILLER!
=============================================
*EDIT*
The following are taken off his website, I don't know how true they are but I'd say it sounds about right...
"The author of SubSeven backdoor calls himself Mobman. His backdoor can be considered to be the most advanced one at the moment."
-Alexey Podrezov, Data Fellows
SubSeven Risk Assessment: High
- Network Associates (McAfee)
"Someone standing over your shoulder, being able to see all of your personal information and perform malicious acts of vandalism on your computer or corporate network."
- Dyan Dyer (CEO), Command Software Systems
=============================================
*END OF EDIT*
[This message has been edited by richamies (edited 01-03-2000).]
richamies
01-03-2000, 06:15 PM
Here is a list of "features" in subseven. I copied the text over as I didn't want to link to his site. Hope I don't get roasted by Socalgal for this. I know it's a long one but it seems far better to do it this way than link to the site.
features added in 2.1
address book
WWP Pager Retriever
UIN2IP
remote IP scanner
host lookup
get Windows CD-KEY
update victim from URL
ICQ takeover
FTP root folder
retrieve dial-up passwords along with phone numbers and usernames
port redirect
IRC bot. for a list of commands, click here
File Manager bookmarks
make folder, delete folder [empty or full]
process manager
text 2 speech
clipboard manager
EDITSERVER CHANGES
EditServer for 2.1 changes
customizable colors
change server ICON
pick random port on server startup
irc bot configuration
features added in 2.0
Restart server
Aol Instant Messenger Spy
Yahoo Messenger Spy
Microsoft Messenger Spy
Retrieve list of ICQ uins and passwords
Retrieve list of AIM users and passwords
App Redirect
Edit file
Perform clicks on victim's desktop
Set/Change Screen Saver settings [Scrolling Marquee]
Restart Windows [see below]
Ping server
Compress/Decompress files before and after transfers
The Matrix
Ultra Fast IP scanner [thanks to Blade's TH]
IP Tool [Resolve Host names/Ping IP addresses]
Get victim's home info [not possible on all servers]:
- Address
- Business name
- City
- Company
- Country
- Customer type
- E-Mail
- Real name
- State
- City code
- Country code
- Local Phone
- Zip code
Configure Client colors
Configure menu options [add/delete pages, change names]
Automatically Display Image when downloaded [jpg,bmp]
Automatically edit files when downloaded [txt,bat]
Change port numbers for The Matrix, Keylogger and Spies
Retrieve "SubSeven message of the day"
EditServer for 2.0 new features:
Protect server's Port and Password once installed
Melt server when executed
Protect server settings with a password
1.9 or older features:
Open Web Browser to specified location.
Restart Windows [5 methods]:
- Normal shutdown
- Forced Windows shutdown
- Log off Windows user
- Shutdown Windows and turn off computer
- Reboot System
Reverse/restore Mouse buttons.
Hide/Show Mouse Pointer.
Control Mouse.
Mouse Trail Config.
Set Volume.
Record Sound file from remote mic.
Change Windows Colors / Restore.
Hang up Internet Connection.
Change Time.
Change Date.
Change Screen resolution.
Hide Desktop Icons / Show
Hide Start Button / Show
Hide taskbar / Show
Open CD-ROM Drive / Close
Beep computer Speaker / Stop
Turn Monitor Off / On
Disable CTRL+ALT+DEL / Enable
Turn on Scroll Lock / Off
Turn on Caps Lock / Off
Turn on Num Lock / Off
Connect / Disconnect
Fast IP Scanner
Get Computer Name
Get User Name
Get Windows and System Folder Names
Get Computer Company
Get Windows Version
Get Windows Platform
Get Current Resolution
Get DirectX Version
Get Current Bytes per Pixel settings
Get CPU Vendor
Get CPU Speed
Get Hard Drive Size
Get Hard Drive Free Space
Change Server Port
Set/Remove Server Password
Update Server
Close Server
Remove Server
ICQ Pager Connection Notify
IRC Connection Notify
E-Mail Connection Notify
Enable Key Logger / Disable
Clear the Key Logger Windows
Collect Keys pressed while Offline
Open Chat Victim + Controller
Open Chat among all connected Controllers
Windows Pop-up Message Manager
Disable Keyboard
Send Keys to a remote Window
ICQ Spy
Full Screen Capture
Continuous Thumbnail Capture
Flip Screen
Open FTP Server
Find Files
Capture from Computer Camera
List Recorded Passwords
List Cached Passwords
Clear Password List
Registry Editor
Send Text to Printer
Show files/folders and navigate
List Drives
Execute Application
Enter Manual Command
Type path Manually
Download files
Upload files
Get File Size
Delete File
Play *.WAV
Set Wallpaper
Print .TXT\.RTF file
Show Image
List visible windows
List All Active Applications
Focus on Window
Close Window
Disable X (close) button
Hide a Window from view.
Show a Hidden Window
Disable Window
Enable Disabled Window
Set Quality of Full Screen Capture
Set Quality of Thumbnail Capture
Set Chat font size and Colors
Set Client’s User Name
Set local ‘Download’ Directory
Set Quick Help [Hints]
EditServer for 1.9 or older features:
PreSet Target Port
PreSet server Password
Attach EXE File
PreSet filename after installation
PreSet Registry Key
PreSet Autostart Methods:
- Registry: Run
- Registry: RunServices
- Win.ini
- Less known method
- Not known method
PreSet Fake error message
PreSet Connection Notify Username
PreSet Connection Notify to ICQ#
PreSet Connection Notify to E-Mail
PreSet Connection Notify to IRC Channel or nickname
Please all of you take the time to check you ain't infected, this really is the worst I've seen for a long time.
[This message has been edited by richamies (edited 01-03-2000).]
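As an added example (not from any poster or from a vendor tool), the sketch below audits the autostart locations named in the two posts above (win.ini, system.ini, and the registry Run and RunServices keys) against a known-good baseline, because the server's file name can be preset to anything. The baseline set, the sample file contents and the name `example-renamed.exe` are constructed for illustration; `load=`, `run=` and `shell=` are the standard Windows 9x autostart entries in those two files.

```python
import re

# File names reported in this thread. The EditServer can preset any file
# name, so this set is only a hint; the baseline comparison does the real work.
NAMED_IN_THREAD = {"msrexe.exe", "server.com", "run.exe", "watching.dll"}

# Assumed known-good programs for this one machine (constructed for the example).
BASELINE = {"explorer.exe", "systray.exe", "scanregw.exe", "rundll32.exe"}

# Autostart values to read from the .ini files: (file, section, key).
INI_TARGETS = [("win.ini", "windows", "load"), ("win.ini", "windows", "run"),
               ("system.ini", "boot", "shell")]

RUN_KEY = re.compile(r"^\[HKEY_[A-Z_]+\\Software\\Microsoft\\Windows\\"
                     r"CurrentVersion\\(Run|RunServices)\]$", re.I)
REG_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
PROGRAM = re.compile(r'[^\\/\s",]+\.(?:exe|com|bat|dll|scr|pif)\b', re.I)


def parse_ini(text):
    """Return {section: [(key, value), ...]} with lower-cased section and key names."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def ini_entries(files):
    """files maps 'win.ini'/'system.ini' to their text; returns [(location, command)]."""
    entries = []
    for name, section, key in INI_TARGETS:
        for k, value in parse_ini(files.get(name, "")).get(section, []):
            if k == key and value:
                entries.append((f"{name} [{section}] {key}=", value))
    return entries


def reg_entries(reg_text):
    """Read Run/RunServices values from a REGEDIT4 export; returns [(location, command)]."""
    entries, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = RUN_KEY.match(line)
            key = m.group(1) if m else None
        elif key:
            m = REG_VALUE.match(line)
            if m:
                command = re.sub(r"\\(.)", r"\1", m.group(2))  # undo .reg escaping
                entries.append((f'Registry: {key} "{m.group(1)}"', command))
    return entries


def audit(entries, baseline=BASELINE):
    """Flag every program in an autostart command that is named in the thread or unknown."""
    findings = []
    for location, command in entries:
        for prog in PROGRAM.findall(command):
            prog = prog.lower()
            if prog in NAMED_IN_THREAD:
                findings.append((location, prog, "named in thread"))
            elif prog not in baseline:
                findings.append((location, prog, "not in baseline"))
    return findings


# Constructed sample inputs, not taken from a real machine.
SAMPLE_FILES = {
    "win.ini": r"""[windows]
load=
run=C:\WINDOWS\server.com
NullPort=None
""",
    "system.ini": r"""[boot]
shell=Explorer.exe msrexe.exe
system.drv=system.drv
""",
}
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"ScanRegistry"="C:\\WINDOWS\\scanregw.exe /autorun"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"Loader"="C:\\WINDOWS\\example-renamed.exe"
"""


def demo_findings():
    return audit(ini_entries(SAMPLE_FILES) + reg_entries(SAMPLE_REG))


if __name__ == "__main__":
    for location, prog, reason in demo_findings():
        print(f"{location:<40} {prog:<22} {reason}")
```

The two "less known" and "not known" autostart methods in the list are not identified on this page, so they are outside what this audit covers.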
socalgal
01-03-2000, 07:01 PM
Roast you for c&p'ing that info? Hardly! It's important to share this info to protect the unsuspecting and uninformed from the increasing onslaught of crackers and the programs they use. Our systems are more and more susceptible to attack and intrusion, as we have seen. As things get more sophisticated, having knowledge of what's really out there affords one the option to protect oneself.
All one really has to do is type a keyword into a search engine and then read up.
Some think I'm a "nut" for the things I do re security but I feel a heckuvalot more protected than if I wasn't. (Besides it's fun :) ). And, nothing is 100%, unfortunately. Build a better safe and a better safecracker always seems to come along.
There is always something new to learn! :)
BTW, you handled it well (without the actual link)
scotter
01-03-2000, 09:02 PM
For everyone: check out this site. It will scan all ports on your computer and tell you if you're open to being scanned. It will also tell you how to make your system more invisible to port scanners. There is a lot of gr8 info here :) hope it helps http://grc.com/x/ne.dll?bh0bkyd2
socalgal
01-03-2000, 09:12 PM
For more fun:
DSL/Cable modem users: www.secure-me.net (http://www.secure-me.net)
Any modem: http://privacy.net/analyze/ - Note: This one will automatically activate when you link to the site.
richamies
01-03-2000, 09:19 PM
It's scary just how much info can be passed along unknowingly isn't it.....
Very scary indeed! :( Thanks to all for the useful info.
smokin1
01-03-2000, 10:12 PM
Hey john robbinson..we haven't heard from you..is all well?...why not go HERE (http://www.moosoft.com) and use the Cleaner just to see if all the concerns are founded..let us know
:)
[This message has been edited by smokin1 (edited 01-08-2000).]
john robbinson
01-04-2000, 02:15 AM
Well it did scare the h%&(*! out of me but what I was wondering is how. I mean is it something loaded on my pc like a trojan or can they go into a port of mine? I went to an old site I saved from here about bo and followed its instr and didn't find anything. After your suggestions here I just went to Shields Up; it said port 139 was open. I followed his instr and closed it; on recheck it says it's closed. MY question is could they have come in thru that port and controlled my pc like that? I'm new to this.
Ok, that program must be installed locally, meaning that either you unknowingly installed it, or someone did it without your knowledge. After it is installed, they use one of your ports (usually 139, not always though) to gain access to the program, and run your computer.
I hope that makes sense. Oh yeah, did you find the .exe in your files?
brandon184
01-05-2000, 10:51 AM
I'm an AOP operator on a channel called #icq on Dalnet (in IRC).. A user named "HellFirez^" became an op in our channel. Over a period of 4 days, our channel was now known as the "SubSeven Hacker Channel" and this user is HEAVILY involved in it. Since then he was de-op'ed and banned from the channel.
He would talk in the channel about SubSeven often, but we weren't too sure what he was talking about up until last week.
A friend of mine who said he would contact this user's ISP was unsuccessful in the contact. It was like the ISP didn't even exist.
He would invite his "hacker" friends into the channel and actually discuss his hacking attempts/successes to other users. I guess he thought we would care...
UKLee
01-07-2000, 03:11 PM
What I really don't understand about "hackers" is why on earth they waste their time writing damaging programs and uploading them to the seediest corners of the Internet. It's clear that many viruses are so complicated and cleverly designed and obviously take no small amount of talent to write - and if you have that much talent then why waste it on such childish, trivial things... surely these guys can put their obvious talents to things that will benefit themselves and everyone else a lot more. If I was as capable as the guy that wrote "SubSeven" then I would want to be making a real living out of it!! :) Does anyone agree with me?
[This message has been edited by UKLee (edited 01-07-2000).]
there are very few real hackers out there. Most people who use subseven are doing it to cause havoc, stupidly. A real hacker has no use for subseven, they hack to openly show the weaknesses of "modern" security systems. If a lone person in Iowa can hack into the most sensitive files of the govt, who knows who else got that info.
please do not classify every teen with a little anger and a computer as a hacker. True hacking is an art, and a harmless one at that.
smokin1
01-07-2000, 08:03 PM
How true..there seems to be a lot of confusion out there between hacker and cracker..very few if any hackers cause problems..crackers on the other hand..well..you said it.
;)
richamies
01-07-2000, 08:11 PM
Most "Hackers" go undetected and are only doing it to prove to themselves that they can do it, not necessarily to do anything bad, just a personal challenge. Like climbing a mountain :).
The problem lies with little scumbagz getting hold of software like SubSeven and basically getting kicks out of causing problems for people. I'm not making any generalizations here regarding age or anything, but it does seem to be the younger ones who try programs like SubSeven. Genuine hackers will continue well up into their late 20's and probably beyond.
The guy who wrote SubSeven has talent - granted. He has managed to do the exact same thing as PCAnywhere but in a lot less space, with some extra "features" added too. I actually respect his programming skills for that. But making such a program available to the general public is completely immoral in my opinion. He has opened the door to any fool with half a brain to completely wipe someone's hard drive, and I really think that is bad.
If all the people using SubSeven had written it for themselves, then I doubt we would get any problems with these "pranksters".
Go on, shoot me down.......It's just the way I see things.
alondra
01-07-2000, 08:21 PM
I fear that the internet as we know it will be destroyed from within, due to hackers and virus makers. First to drop out will be people like us, who finally give up the constant fight against viruses, and hackers trying to disrupt our computers, then businesses will slowly follow suit. Even the government is at risk.
The only answer I see is international (much of this stuff originates outside the US) agreements on stiff punishment, and I mean jail time for persons responsible. This stuff is no longer a joke, and a slap on the wrist.
------------------
if you are in a hole stop digging
stiff punishments for being curious??!?! think about it, we would not be online if the human race wasn't curious! We progress due to curiosity.
Hacking does not ruin a government, nor a business. A hacker keeps the original .html file and renames it to a backup, and just changes index.html, or whatever the main file may be.
I could rant for hours on this topic, in fact, I have written and deleted 3 paragraphs so far, I cannot release all of my feelings with just simple text.
One simple phrase:
Free Kevin
smokin1
01-07-2000, 09:08 PM
I agree Wiz...I have deleted about 5 paragraphs so far...
one note..the internet was designed by hackers..set up by hackers..is run by them and will always be run by them...crackers are another story....
;)
sounds like someone destined to warm a jail cot.....
Sometimes it still is possible for stupid people in our society to take themselves out of the gene pool - sounds like a great future darwin-awards candidate......
[This message has been edited by Axel (edited 01-07-2000).]
john robbinson
01-08-2000, 12:33 AM
Hackers or crackers I don't care, it wasn't funny on this end. For the last couple of days I've been trying to get dialpad to work for me {with no luck}. Anyhow I was calling my second line and experimenting with my kids. Needless to say I've been getting calls that sound like they're calling from a pc, no answer but when I yell back my voice echoes, and wondering if they were watching me dial that # and called me using my own name and code since I was off line. Maybe some server glitch that dialed the # again later, much later. I don't know but it's got me nervous. I even went out and bought McAfee virus scan and so far it nor Pccillin-6 found anything. I also searched with tips and found nothing? QUESTION IS does there have to be something on my hd or could they just have connected on an open port, one shot deal. It's a stand-alone, no networking or nics, I use aol which is dynamic assigned, standard modem connection and my only one. I have nothing to hide or steal, it's just that I have it the way I want and like it and don't want to do it all over. You know, all those discs & floppies and searching for updates on the web at 50.000 beeps because someone erased some of my hd. Heck maybe it is a hacker, so far only thing I can find wrong is a corrupted Drawdll file.
smokin1
01-08-2000, 12:49 AM
Did you run the cleaner prog I suggested? The basics of a trojan are that there is a program on your computer and it is called a client..this makes your comp a node on the cracker's "network" and they can control it remotely....try it and let us know what you found
Dreamboat Annie
01-08-2000, 01:43 AM
John,
Symantec had this profile on Subseven. I hope it helps answer some of your questions:
http://www.symantec.com/avcenter/venc/data/sub.seven.20.html
Good Luck!
You must find the .exe on your computer, a recently downloaded file, most likely. The basics of subseven is that it opens port 1243 to connect to the one who commands it. I suggest getting BlackICE, it will find out what the other person's IP is, then you can find their ISP, and therefore, their location, and then you can send an email to their ISP explaining it all along with the proof, BlackICE saves all of this info. The guy will lose his account, and then you can find that .exe and clear it out.
MMMMMMM, while I was reading this discussion my computer froze and I had to reboot. I checked to see if I had any of the files mentioned and no I didn't.
Kinda ironic don't you think?
arn
alondra
01-08-2000, 01:58 PM
Wiz
You sound like a very knowledgeable programmer, one who is capable of combating any of the intrusions and damage to our computers that we less knowledgeable have to put up with, or have to spend money for programs to protect ourselves.
I read your posts as condoning and approving of such activities.
If these folks want to play these games, fine, let them form a group of players and leave us who do not wish to play alone. I see no justification for inserting viruses or control of "non-combatants" computers. To me this is the same as someone sneaking in to my house to do damage. I still maintain that these folks should be subject to penalties.
By the way if some "hacker" came in and just left a msg like "Hi just dropped by, regards and goodbye" and did nothing else, it would not really bother me. I have people come to my front door and do similar things. It is the viruses and damage that bothers me
[This message has been edited by alondra (edited 01-08-2000).]
richamies
01-08-2000, 02:04 PM
SubSeven can actually use any port right up to 27374. The default for the trojan and the server is 1243, however.
I don't approve of any hacker who does damage to a system. Like I said earlier, few, if any hackers do damage to systems. We all have to deal with malicious idiots with a little power and an attitude. I usually respond the easiest way, calling their ISP and having their account canceled. This does not stop them, but it makes them think. I think the easiest way to combat hackers is to use BlackICE. It logs all the info you need to get 'em.
No hard feelings towards anyone, I don't condone the action that has been used on John Robbinson. Just do not believe that the actions of one fool does not mean that every hacker is evil
john robbinson
01-08-2000, 07:05 PM
THANKS all of you but with all your tips I was still not able to find anything. Still wondering could they have connected to an open port and done this without a program on my hd. I looked in registry and wins directory according to Symantec and still not. P.S. SMOKIN1 I went to link and all it shows is a comparison chart, no other links off page. And it looks suspicious since my McAfee came with det for aol trojan right on the box. Anyhow day after I started using bo detect so far it keeps showing nothing, who knows, it was a freebie.
[This message has been edited by john robbinson (edited 01-08-2000).]
izzzy12k
01-08-2000, 07:36 PM
You may want to download wintop. It's a processor resource monitor. Create a keyed shortcut to it and if you experience weirdness quickly run it and see what file is being used to gain access to your PC.
-izzzy12k
smokin1
01-08-2000, 07:56 PM
Sorry John..I fixed the link for you..good luck
;)
alondra
01-08-2000, 08:00 PM
I wonder how many people are as confused by all this as I am.
1 what is wintop
2 what are all these "ports" and where are they.
3 can anyone get in when my comp is on but not on line,
4 just when are we at risk. on forums. like right now, Email, if we don't open any that are questionable. news groups. web pages like news and the like.
Maybe we could have a topic here where those who know this stuff could give us some training. :)
izzzy12k
01-08-2000, 08:26 PM
Wintop is a component of the Win95 Kernel toys. It is used to see all applications sending requests to the processor. Even those not seen by any other means. (CTL-ALT-DEL, or task manager)
You can only be hacked while online, or dialup in which caller ID would come in handy.
izzzy12k
Ports are "doors" to your computer, an open port means anyone has access to your computer. Most people have port 139 open, because it is the netbios port. These doors allow hackers to access your computer when you are connected to the internet. If you have a trojan horse virus, such as subseven or back orifice, it opens a port locally and contacts its host system.
anytime you are online you are at risk
the only people who can be hacked while not online are cable users.
hope this helps
RONALDvd#22
01-08-2000, 08:45 PM
Hack the person who hacked you!
What am I babbling?
Vincent22
01-08-2000, 08:50 PM
Greetings
Firewalls are about as useful as a vacuum cleaner that isn't used...doesn't mean your house is clean. They all have to be configured and can be very restrictive. There is a program out there called NETBUSTER that works to allow a hacker to think he is in your computer when he/or she is actually just running around inside of a "VIRTUAL" computer with drives, files, a fake name etc. You can log the activity and literally bust the induhvidual as well as send them any number of screen dumps or messages. Do a search and find the best source for the latest version. It will work against NETBUS the trojan of choice for most intrusive snoops.
Good luck
Sincerely
Vincent22
RONALDvd#22
01-08-2000, 08:52 PM
Wise talking!
I got a neat little exe file, anyone want it? Cmon, just let me send it to you and all you got to do is double click on it. All I ask in return is that you send me your IP. Cable modem and DSL users are encouraged to reply.
HAHa
Uhhhh, I'll give it a go!
The best attempt I've ever seen to spread a trojan was a random person on icq. A "girl" with the nick "boobies" asked me to receive an exe that supposedly would show me pictures of her. HA!!!!!!!!! :)
chipbgt
01-08-2000, 10:17 PM
Now ya got me all worried..........
Is blackICE shareware or where can I buy it?
thanks
Dave_H
01-08-2000, 10:39 PM
Black-Ice (http://www.networkice.com/)
It's $39.95 but I think it's worth every penny.
Dave
chipbgt
01-08-2000, 10:59 PM
Thanks Dave_H :)
It's worth more than that! It's simple, yet effective, lemme tell ya, it's pretty scary how often my IP gets scanned. Protect yourselves.
brandon184
01-09-2000, 05:18 PM
A fellow operator in a channel I was recently in wanted to convince me that he could hack into a server, and make it look like he was from Korea.. (which I advised him not to). He said he wouldn't, but of course, he did. I was amazed.. He was well aware that there was probably a 50/50 chance he was going to jail, because it was a possibility someone could tell he was using their box.
What kind of jail time would you even serve for **** like that?
If it is malicious, 4 or more years. If no damage is done, there is little or no penalty.
Heh, just now, someone from Ca on a cable modem attempted to hack into my system. No one is protected from what they do not know. Always keep your guard while online.
Just a follow up, i found who the hacker was who tried to get into my computer, his name is Ross Sarvian, he goes to calpoly. please watch for this name in scanners those of you who use BlackICE.
[This message has been edited by Wiz (edited 01-09-2000).]
bubblehd
01-10-2000, 09:58 AM
Anybody know FOR SURE if there is a penalty for port scanning? I was told by an internet security manager friend that scanning ports was not illegal, but unauthorized entry into one of the ports was illegal. I am going to school for network engineering, and was under the impression that scanning was illegal, but not really enforceable since no damage was done.
nope, scanning is completely legal. It has never been illegal to my knowledge.
Andy_L
01-11-2000, 12:15 AM
thanks Dave_H for the link
alondra
01-11-2000, 01:50 PM
Some kid in Russia stole a bunch of CC numbers then tried blackmail. and this is supposed to be a very secure site. at present there is little chance of him being caught or penalties if he is. Is this a look in to the future.???
alondra
01-11-2000, 02:45 PM
Just downloaded Black Ice
Its easy to be paranoid
when you cast two shadows. :)
izzzy12k
01-13-2000, 06:49 AM
Just wanted to see how things are going? Any more attacks?
izzzy12k
alondra
01-13-2000, 03:44 PM
Have had BID for three days now. The little icon started blinking, I clicked it and it told me some ICQ number had tried to get in, had a real high peak on the screen. Still have to learn how to use it. Downloaded an instruction manual but can't find it.
chipbgt
01-13-2000, 04:24 PM
Question,
If you're using BlackIce and you go to the above labeled port probing site, shouldn't it show up as an "attack?" And also, what level of security should I set it on, and will this affect my internet sharing connection at all? Thanks
chipbgt
01-14-2000, 01:38 PM
All of them showed up as stealth, except the HTTP port...is it important to close it, and how? Thanks!
it should, but usually they come up about 2 min after your test in one big pack. All your ports should come up stealth also.
Dachande
03-21-2000, 11:40 AM
The latest version of SubSeven has a few new options to play around with, i.e. different ways of infecting your computer. The main way for the whole thing is to put a file on your computer called server.com, although this can be anything different. My favourite way to do this is to infect the Windows folder with a file called Command.com, as this makes the unwitting user think it is a backup for their DOS prompt.
Anyway, this file can be attached to any other exe, com or bat file, and will infect your comp.
Now, the options you get for infecting the target range from easily detectable to unknown method. I know how to uninfect my comp from all ways except for the last. I know for a fact it isn't registry, as that's the next known method.
Anyway, any updated AV program will detect it.
A lot of hackers/crackers do not design their programs for specifically malicious use, they make them to cause a little phun. An option in SubSeven is to send messages and other things to the comp. Most of the options are there simply to annoy the target.
Gutter Ball
03-28-2000, 10:01 AM
"anything different. My favourite way to do this is to infect the Windows folder with a file called Command.com, as this makes the"
Whoa, YOUR favourite way? You're a distributor of the subseven? Man, those files and all instances of those files are so dang hard to remove. I thought I found them all...then poof, the run.exe and watching.dll show up in my registry too! ARGH!
Dachande, you REALLY shouldn't admit that here. There are quite a few people who know how to do more damage to a system without the need of 3rd party software...
midnight_dsob
03-28-2000, 05:54 PM
Not to sound cynical, since there is so much good discussion on this topic, but are we sure this isn’t just a temporary glitch? Has the problem happened since? I have a mouse that runs around the screen clicking and highlighting on stuff….but its because of a bad PS/2 controller :)
Midnight, Sub7 is real, and it gives every kid with the basic knowledge of turning on the computer the power to do some pretty crazy stuff.
Anything from making the infected PC an FTP server to making their screen do your bidding.
SysOpt.com