LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 11-03-2002, 10:18 AM   #1
radnix
Member
 
Registered: Aug 2002
Location: Huntsville AL
Distribution: redhat 7.3
Posts: 48

Rep: Reputation: 15
Linux SubSeven?


SubSeven is reported only to run on Windows machines, to my understanding.

Since my FireWall has reported an "outgoing" block on port 1234, I need to ask if anyone else has seen this OR if a Linux variant of SubSeven exists.

FireWall I'm using is FireStarter.

I have searched our forum but see no query for outgoing connection blocks for port 1234.

Thanks ahead!
 
Old 11-03-2002, 10:27 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,417

Rep: Reputation: 1985
I'm getting very concerned about you... you are continually asking about cracking techniques and various security measures... We will not tolerate ANY posts about programs such as this. I can politely ask you to never ask anything like this again, or I can set UnSpawn on you... sure there's a tiny tiny chance that you're trying to block this program... but that's not exactly likely now, is it?

Maybe you should look at this as a "cease and desist" post. Take my advice.
 
Old 11-03-2002, 10:32 AM   #3
NSKL
Senior Member
 
Registered: Jan 2002
Location: Rome, Italy ; Novi Sad, Srbija; Brisbane, Australia
Distribution: Ubuntu / ITOS2008
Posts: 1,207

Rep: Reputation: 47
The firewall you are using is either IPtables in 2.4 kernels or IPchains in 2.2 kernels; you are only using Firestarter as a GUI frontend to configure your firewall.
Ok, do you have any service/server running on that port?
Taking a quick look at http://www.iana.org/assignments/port-numbers
shows that port is:
search-agent 1234/tcp Infoseek Search Agent
search-agent 1234/udp Infoseek Search Agent
Do you have anything to do with infoseek? If not then you might have a problem. First thing try to block all outbound traffic from that port using IPtables, read a good tutorial, for example:
http://www.linuxsecurity.com/resourc...-tutorial.html
and also wait to see if anyone else on the board has any other suggestions.
Hope that helps
-NSKL

EDIT: Looks like Acid arrived while I was writing my reply... Well, I'll leave my reply just in case that little percentage of possibility that he is trying to block the port is true....

Last edited by NSKL; 11-03-2002 at 10:35 AM.
 
Old 11-03-2002, 11:13 AM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Good you searched the board before asking.
Next to Infoseek Search Agent, there's references to Hotline (Lin/Win/Mac P2P), Ultors (Trojan) and a SubSeven Java Client for port TCP/1234 so, server control is possible.

Do a "netstat -anp (-A inet)", verify the user running the app, verify the app running on that port. If it's not a legitimate app (by whose standards?) save the PID's /proc entries if necessary, list the IPs it's (been) connecting to and finally kill the PID. Close off the fw for outgoing trojan ports. If unsure about user/app, scan and verify integrity of whole system, block user shell access and block fw access to irc servers until "proven innocent".

Btw, did Snort pick up and dump a few packets as well? Would be good to look at and correlate with your fw logging to see if it actually had established connections.

//mod.note: If Acid reacts this way to you posting he must have seen something (maybe another forum) I missed: just to be clear, LQ AUP states "black hat" questions or replies (from anyone) on this board are not tolerated, regardless of one's personal opinion on the case.

Last edited by unSpawn; 11-03-2002 at 11:14 AM.
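The triage steps in the post above (find the socket, name its owner, record the remote IPs, close the firewall for outgoing trojan ports) can be scripted against a saved `netstat -anp` listing. The following is an added example and not code from the thread; the netstat listing it parses is constructed sample data with documentation addresses, and the port-to-label table and the iptables rule layout are the writer's assumptions. It also tells a remote port from a local ephemeral one, the coincidence raised later in the thread, so a "1234" match on the local side of an outbound browser connection is reported as such rather than as a trojan.

```python
"""Socket triage from a saved `netstat -anp` listing (inet section).

Added example for the triage steps above (not code from the thread):
find every socket touching a watched port, name the PID/program that owns
it, tell a local ephemeral port from a remote one, collect the remote IPs
for the incident notes, and emit the iptables rules that close outbound
traffic to those ports. The listing below is constructed sample data.
"""

# Ports named in this thread with the service label the firewall attached.
WATCHED = {1234: "subseven", 12345: "netbus"}

# Constructed `netstat -anp` output; documentation addresses (RFC 5737) only.
SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      1 192.0.2.10:35447        198.51.100.7:1234       SYN_SENT    2307/mldonkey
tcp        0      0 192.0.2.10:1234         203.0.113.5:80          ESTABLISHED 1990/mozilla-bin
tcp        0      0 0.0.0.0:12345           0.0.0.0:*               LISTEN      -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           700/dhclient
"""


def parse_netstat(text):
    """Turn the tcp/udp lines of `netstat -anp` into dicts; header lines are skipped."""
    sockets = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] not in ("tcp", "udp"):
            continue
        laddr, lport = fields[3].rsplit(":", 1)
        faddr, fport = fields[4].rsplit(":", 1)
        # TCP lines carry a State column; UDP lines do not, so the owner shifts left.
        if len(fields) >= 7:
            state, owner = fields[5], fields[6]
        else:
            state, owner = "", fields[5]
        pid, _, prog = owner.partition("/")
        sockets.append({
            "proto": fields[0], "laddr": laddr, "lport": lport,
            "faddr": faddr, "fport": fport, "state": state,
            # "-" means netstat could not see the owner (not root, or a kernel socket).
            "pid": pid if pid != "-" else None, "prog": prog or None,
        })
    return sockets


def triage(text, watched=WATCHED):
    """List sockets involving a watched port, with what the match actually means."""
    findings = []
    for s in parse_netstat(text):
        for port, label in watched.items():
            if s["fport"] == str(port):
                kind = "outbound"      # this host initiated a connection to a remote port
            elif s["lport"] == str(port) and s["state"] == "LISTEN":
                kind = "listener"      # something here accepts connections on the port
            elif s["lport"] == str(port):
                kind = "ephemeral"     # the local client side happened to pick the port
            else:
                continue
            findings.append({
                "port": port, "label": label, "kind": kind,
                "pid": s["pid"], "prog": s["prog"],
                "remote": None if s["faddr"] in ("0.0.0.0", "*") else s["faddr"],
            })
    return findings


def remote_ips(findings):
    """Distinct remote addresses seen, for the notes and for correlating with fw logs."""
    return sorted({f["remote"] for f in findings if f["remote"]})


def block_rules(watched=WATCHED):
    """iptables commands that log, then drop, outbound TCP traffic to each watched port."""
    rules = []
    for port, label in sorted(watched.items()):
        rules.append('iptables -A OUTPUT -p tcp --dport %d -j LOG --log-prefix "%s-out "' % (port, label))
        rules.append("iptables -A OUTPUT -p tcp --dport %d -j DROP" % port)
    return rules


if __name__ == "__main__":
    for f in triage(SAMPLE):
        who = "%s/%s" % (f["pid"], f["prog"]) if f["pid"] else "unknown owner (rerun as root)"
        print("%d (%s): %-9s %s remote=%s" % (f["port"], f["label"], f["kind"], who, f["remote"]))
    print("remote IPs:", ", ".join(remote_ips(triage(SAMPLE))))
    print("\n".join(block_rules()))
```

Run it as root with `netstat -anp -A inet > listing.txt` and feed that file to `triage()`; a listener whose owner shows as `-` is the case that needs a second look, since netstat only hides the owner when it lacks permission or the socket belongs to the kernel. The DROP rules are a stopgap for the ports in question, not a replacement for checking the program that opened the socket.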
 
Old 11-03-2002, 11:54 AM   #5
radnix
Member
 
Registered: Aug 2002
Location: Huntsville AL
Distribution: redhat 7.3
Posts: 48

Original Poster
Rep: Reputation: 15
Will follow your suggestions

No, Acid's stern reply is unfounded and totally out of order. You bet I'm concerned with security!

Thank you for your troubleshooting procedure and references. I did not have Snort activated at the time of FireStarter's report, but will search my logs. I believe this ends my post. Nuff said!!!

 
Old 11-08-2002, 04:38 PM   #6
mrdensity
Member
 
Registered: Apr 2002
Location: Central US
Distribution: Libranet 1.9.1 & 2.0, tinyX (2dskxwin) & WinLinux 2001
Posts: 83

Rep: Reputation: 15
I can appreciate your sense of security!
I read my firewall logs regularly. And occasionally sniff packets on my lan.
A large part of my reason to change all my desktops to Linux was the vastly improved security when correctly configured. This includes the users' inability to install foreign software. And the fact that if something does get in through user activity, it should only destroy their folder/settings, not the system.
I run "netstat -an | less" regularly to see where my machines are connected and intermittently run ethereal on the 'router' to see incoming and outgoing packets. I also have a very long list of blocked sites in my /etc/hosts file pointed to 127.0.0.1 to keep my children from viewing inappropriate sites, some advertising banners and spyware sites. I also have this same file loaded into the last Windows machines here as C:\Windows\hosts .
I have made a couple of posts regarding port use here and on other forums. A lot of what I have seen was incoming requests for known services I don't run connected to the internet. A few incoming requests were 'random' ports. I have since determined that it was a service running on another computer before I was given the IP address by my ISP. Evidently the client program on the other computer never disconnected properly and the host never timed out, trying my connection for over a week to get a response. I figured this out after running Gnucleus on a computer and the same machines tried again to connect to me on the same and similar ports. None of which were 6346.
As far as the outgoing connection attempt on Port 1234, your computer grabs the first available port above 1023 for outgoing connections. Your firewall may be configured to deny all incoming and outgoing connection requests to or from that port. And to log the attempt for you to read. Possibly your browser tried to use that port to connect to a remote page on the net. The destination port would give a little insight to what was going on at the moment.
I have found that to keep crackers out I need to know how they try to get in. Using this information helps us all to better administer our own systems from those that truly are trying to crack root.
 
Old 11-17-2002, 06:55 PM   #7
jim888
LQ Newbie
 
Registered: Nov 2002
Location: Dallas TX
Distribution: RH 8, SuSe, Mandrake, Turbo
Posts: 1

Rep: Reputation: 0
We will not tolerate ANY posts about programs such as this, I can politely ask you to never ask anything like this again, or I can set UnSpawn on you... sure there's a tiny tiny chance that you're trying to block this program... but that's not exactly likely now is it?
--------------------
r u COMMUNIST? if not why so bully? is it because u r a moderator?

by the way you won't put me on UnSpawn, aren't u?
 
Old 11-17-2002, 07:24 PM   #8
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
jim888, welcome to the LQ forums.
I appreciate you being alert, but instead of writing about asking them I mean stuff like "I can politely ask you to never ask anything like this again, or i can set UnSpawn on you", I'd rather you ask them...

Secondly, please don't make idle threats like "I'll set unSpawn on you". It's not necessary, impolite towards your fellow LQ members (yes, moderators are members too, not some select breed of BOFH-stylee Creature Of The Night).
Ok, at least the other mods aren't, I'm pretty sure :-]

Last edited by unSpawn; 11-17-2002 at 07:26 PM.
 
Old 11-19-2002, 05:29 PM   #9
undecipherable
LQ Newbie
 
Registered: Nov 2002
Posts: 10

Rep: Reputation: 0
I had the same problem RH8, mldonkey suspected

I decided to give mldonkey a little spin recently, and being the paranoid type, was watching carefully for anything funny going on -- Caught it on the firewall and via netstat.

Nothing in Ethereal, however -- I'm guessing because it never went out on the interface. Shame, I'd be curious to know what the transmission contained.

Still doing some investigation around the issue -- I got my binary from http://savannah.nongnu.org/download/mldonkey/stable/

Relevant Output from netstat -a -p -t -c:

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 1 MY-ADDRESS:35447 FOREIGN-ADDRESS:1234 SYN_SENT 2307/mldonkey

Relevant Firewall Log Entries:

time:Nov 19 17:48:03 in: out:eth0 port:1234 source:MY-ADDRESS dest:FOREIGN-ADDRESS len:44 tos:0x00 protocol:tcp service:subseven

time:Nov 19 17:47:13 in: out:eth0 port:12345 source:MY-ADDRESS dest:FOREIGN-ADDRESS len:44 tos:0x00 protocol:tcp service:netbus

Last edited by undecipherable; 11-20-2002 at 08:05 AM.
 
Old 11-19-2002, 06:55 PM   #10
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
tcp 0 1 MY-ADDRESS:35447 211.101.179.254:1234 SYN_SENT 2307/mldonkey
This would mean *you're* accessing a remote trojaned box???
 
Old 11-20-2002, 07:27 AM   #11
undecipherable
LQ Newbie
 
Registered: Nov 2002
Posts: 10

Rep: Reputation: 0
Clarification

Yes, these were outgoing requests from pidof mldonkey that were stopped on the firewall.

But I'm not yet convinced that the binary is trojaned -- In fact I'm leaning towards the harmless coincidence theory.

Apparently there are mldonkey servers on many nonstandard ports, including these "well known" ones. It's likely that the mldonkey client is just trying to reach out to them innocuously.

But I wonder if the original author is also running some sort of P2P software that has caused him to notice this sort of activity?

Last edited by undecipherable; 11-20-2002 at 08:03 AM.
 
Old 10-03-2003, 07:43 PM   #12
jeempc
Member
 
Registered: Mar 2003
Location: Ann Arbor, MI
Distribution: Slackware 10.1
Posts: 119

Rep: Reputation: 15
Sub7

Yup. I was looking at my firestarter log and sure enough it said sub7. The IP address that came up was one I used with nmap.
ex. nmap 68.248.56.89
firestarter log
port = 1234
source = my ip
dest = 68.248.56.89
protocol = tcp
service = subseven

I think he was asking a legitimate question as I am concerned myself.

nmap 689/tcp NMAP
nmap 689/udp NMAP
rnmap 3418/tcp Remote nmap
rnmap 3418/udp Remote nmap

None of these show up in the log.
doesn't it seem like they should?
 
Old 10-04-2003, 01:13 AM   #13
shellcode
Member
 
Registered: May 2003
Location: Beverly Hills
Distribution: Slackware, Gentoo
Posts: 350

Rep: Reputation: 32
Quote:
Originally posted by jim888
We will not tolerate ANY posts about programs such as this, I can politely ask you to never ask anything like this again, or I can set UnSpawn on you... sure there's a tiny tiny chance that you're trying to block this program... but that's not exactly likely now is it?
--------------------
r u COMMUNIST? if not why so bully? is it because u r a moderator?

by the way you won't put me on UnSpawn, aren't u?
communism is an economic theory. it has nothing to do with bullying or pushing anybody around. See "The Communist Manifesto" by Karl Marx for more information. also I'm sure acid would not make that post without reason.
 
Old 10-04-2003, 02:57 AM   #14
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 76
Any alert based solely on source or destination port can have a lot of false positives, especially if it's a port over 1023. Since clients will open ports over 1023 to make outbound connections (and listen on said port for a response) you can often get coincidences. For instance, snort will often claim it saw an outbound X11 connection, when in fact it's just a harmless HTTP session outbound from port 600x (these are ports tentatively "reserved" for X11).

Good snort rules are content-based, not solely port-based (same goes for any IDS). Make sure to cross reference with actual traffic before crying wolf. By the way, it's highly ironic that you were spooked by your own nmap scan. Perhaps you should learn to use your tools a little bit more responsibly.
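The false positive chort describes (a port-only X11 rule firing on an ordinary HTTP session whose client picked a source port in the 600x range) is easy to reproduce on a handful of hand-built packets. The block below is an added example, not code from the thread or from Snort; the packets are constructed records, and the rule names and the X11 setup check (the X protocol's byte-order marker followed by version 11.0) are the writer's own. A port-only "subseven" rule is included to show that the `service:subseven` label in the logs quoted earlier carries no more evidence than the X11 one.

```python
"""Port-only versus content-based alert rules on constructed packets.

Added example, not from the thread: it reproduces the false positive chort
describes. A rule keyed only on the X11 port range (6000-6063) fires on an
ordinary HTTP request whose client picked source port 6001, while a rule
that also checks for the X11 connection-setup bytes stays quiet; a port-only
"subseven" rule shows the same weakness for TCP/1234. All packets here are
hand-built records, not captured traffic.
"""

X11_PORTS = range(6000, 6064)

# Constructed packets: source port, destination port, first payload bytes.
PACKETS = [
    # Ordinary HTTP GET; the client's ephemeral source port landed on 6001.
    {"src_port": 6001, "dst_port": 80,
     "payload": b"GET / HTTP/1.0\r\nHost: example.test\r\n\r\n"},
    # Genuine X11 connection setup: byte order 'l' (little-endian), pad byte,
    # protocol major 11, minor 0, then auth name/data lengths of 0.
    {"src_port": 40012, "dst_port": 6000,
     "payload": b"l\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00\x00"},
    # Same setup from a big-endian client ('B').
    {"src_port": 40013, "dst_port": 6001,
     "payload": b"B\x00\x00\x0b\x00\x00\x00\x00\x00\x00\x00\x00"},
    # A client talking HTTP to a remote service that happens to live on 1234.
    {"src_port": 35447, "dst_port": 1234,
     "payload": b"GET /index.html HTTP/1.0\r\n\r\n"},
]


def is_x11_setup(payload):
    """True if payload starts like an X11 connection-setup request (X protocol 11.0)."""
    if len(payload) < 6 or payload[0] not in (0x42, 0x6C):   # 'B' or 'l'
        return False
    order = "big" if payload[0] == 0x42 else "little"
    major = int.from_bytes(payload[2:4], order)
    minor = int.from_bytes(payload[4:6], order)
    return major == 11 and minor == 0


RULES = {
    # Fires whenever either end is in the X11 range: cheap, and wrong on ephemeral ports.
    "x11-port-only": lambda p: p["src_port"] in X11_PORTS or p["dst_port"] in X11_PORTS,
    # Requires the right direction and the protocol handshake itself.
    "x11-content": lambda p: p["dst_port"] in X11_PORTS and is_x11_setup(p["payload"]),
    # Port-only label, like the firewall's "service:subseven" in the logs quoted above.
    "subseven-port-only": lambda p: p["dst_port"] == 1234,
}


def evaluate(packets, rules=RULES):
    """Return, per packet, the set of rule names that fired."""
    return [{name for name, match in rules.items() if match(p)} for p in packets]


if __name__ == "__main__":
    for p, fired in zip(PACKETS, evaluate(PACKETS)):
        print("%5d -> %-5d %s" % (p["src_port"], p["dst_port"], sorted(fired) or "-"))
```

The first packet trips only the port rule, the two real X11 setups trip both, and the HTTP request to port 1234 trips nothing but the port-only label. That is the cross-referencing step chort asks for: before treating a port hit as a compromise, look at the payload (or at least at which process opened the socket) and see whether the protocol the label implies is actually on the wire.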
 
Old 10-05-2003, 10:47 AM   #15
leeach
Member
 
Registered: Sep 2003
Location: /dev/null
Distribution: FreeBSD 5.4, OpenBSD 3.7
Posts: 95

Rep: Reputation: 15
uhm.. it was port 1234, not 1023...
 
  

