From: Krzysztof Zaraska (kzaraska student.uci.agh.edu.pl)
Date: Fri Nov 02 2001 - 07:13:03 CST
On Fri, 2 Nov 2001 07:53:37 -0500 (EST) Ralph Huntington wrote:
> Interesting. One would be able to see the client running if that were the
> case, yes?
I think so. You should be able to see the client process on your machine, or
more interestingly, packets from your machine to SubSeven's port on the remote
network. According to the list I have (don't remember the source) it's
1243, 6711, 6776 TCP. You should do your own search on the topic (I don't
know if the list I have is reliable). Anyhow, snort or tcpdump will help
you here.
> > As of spoofed attack... IIRC, BackOrifice used UDP, SubSeven may do so
> > also, so sending spoofing requests should be possible.
>
> But a probe could be spoofed, could it not?
Since, as I've just learned, SubSeven (probably) uses TCP, spoofing is made
more difficult, thus a spoofed portscan / probe is more probable than a
spoofed TCP session... The problem is that they didn't tell you if they
saw just a single SYN packet or a complete handshake and following session.
Krzysztof
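
An added example, not part of the original message: a small Python script that reads `tcpdump -n` text output and reports, for each connection attempt to the ports listed above, whether only a SYN was seen or the full three-way handshake completed. The line format, the stage names and the sample capture (documentation addresses) are assumptions made for this illustration.

```python
import re

# TCP ports quoted in the message above (its author calls the list unverified).
SUBSEVEN_PORTS = {1243, 6711, 6776}

# Assumed input: text lines in the format printed by a modern `tcpdump -n`.
LINE_RE = re.compile(
    r"IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def classify(lines, ports=SUBSEVEN_PORTS):
    """Map (client, cport, server, sport) -> furthest handshake stage seen."""
    state = {}
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, flags = m["src"], m["dst"], m["flags"]
        sport, dport = int(m["sport"]), int(m["dport"])
        if dport in ports:                      # client -> watched port
            key = (src, sport, dst, dport)
            if flags == "S":
                state.setdefault(key, "syn")    # bare SYN: probe or first step
            elif ("." in flags and "S" not in flags and "R" not in flags
                  and state.get(key) == "synack"):
                state[key] = "established"      # final ACK completes handshake
        elif sport in ports:                    # watched port -> client
            key = (dst, dport, src, sport)
            if state.get(key) != "syn":
                continue                        # ignore replies with no SYN seen
            if flags == "S.":
                state[key] = "synack"
            elif "R" in flags:
                state[key] = "refused"          # RST: connection refused
    return state

# Constructed sample capture (documentation addresses, not real traffic).
SAMPLE = """\
07:13:01.000100 IP 192.0.2.10.1034 > 198.51.100.7.1243: Flags [S], seq 100, win 8192, length 0
07:13:01.020100 IP 198.51.100.7.1243 > 192.0.2.10.1034: Flags [S.], seq 900, ack 101, win 8192, length 0
07:13:01.020300 IP 192.0.2.10.1034 > 198.51.100.7.1243: Flags [.], ack 901, win 8192, length 0
07:13:02.000100 IP 192.0.2.10.1035 > 198.51.100.8.6711: Flags [S], seq 200, win 8192, length 0
07:13:03.000100 IP 192.0.2.10.1036 > 198.51.100.9.6776: Flags [S], seq 300, win 8192, length 0
07:13:03.010100 IP 198.51.100.9.6776 > 192.0.2.10.1036: Flags [R.], seq 0, ack 301, win 0, length 0
07:13:04.000100 IP 192.0.2.10.1037 > 198.51.100.7.80: Flags [S], seq 400, win 8192, length 0
""".splitlines()

if __name__ == "__main__":
    for flow, stage in classify(SAMPLE).items():
        print(flow, stage)
```

A flow that stays at `syn` is consistent with a lone probe, while `established` means both sides exchanged packets, which is the distinction the message says the report left out.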