
#-----------------------------------------------------------------------
# README
#-----------------------------------------------------------------------
#
# These rules were developed based on <http://xforce.iss.net/alerts/
# advise30.php>.
#
# There have been many versions of the SubSeven backdoor released, and
# most of them were very buggy until version 1.7 came out. The latest
# version is 1.9. Network Associates, Inc. named this backdoor
# 'BackDoor-G' when they discovered version 1.7. SubSeven allows
# remote attackers to obtain cached passwords, play sounds, look at a
# webcam on the infected system, capture screenshots, and be notified
# over IRC or ICQ when a system gets infected. SubSeven only works on
# Windows 95 and 98.
#
# To install, copy this file to /etc/firewall/modules/public/
# block-remote-ports/subseven. There's no need to execute rc.firewall 
# with the --update-config parameter.
# 
#-----------------------------------------------------------------------
# CHANGES
#-----------------------------------------------------------------------
#
# 2001-02-05  Edwin ten Brink <edwin@privateer.student.utwente.nl>
#             Updated documentation to reflect path changes in v5.1
# 2000-10-17  Jean-Sebastien Morisset <jsmoriss@jsm-mv.dyndns.org>
#             Initial module written for v5.0.
#
#-----------------------------------------------------------------------
# START OF MODULE CODE
#-----------------------------------------------------------------------

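# Reject and log outbound TCP connection attempts to the ports this module
# associates with the SubSeven backdoor.
#
# Reads (set by the caller, not in this file): INTOPT, IPADDR, ANY,
# OUTCHAIN, UNPRIVPORTS.
#
# Each rule is appended to $OUTCHAIN and matches TCP packets with SYN set
# (-y), i.e. new connection attempts, from $IPADDR on $UNPRIVPORTS to the
# listed destination port on $ANY. -j REJECT refuses the packet and -l logs
# it through the kernel.
#
# Scope: only connections initiated from $IPADDR towards these remote ports
# are matched. Inbound connections to a backdoor listening on this host are
# not covered by these rules, and neither is a backdoor configured to listen
# on a different port. A logged hit means a local process tried to open one
# of these ports on a remote host and deserves a look at the source machine.
#
# NOTE(review): SubSeven 1.x is commonly listed on port 1243 rather than
# 1234 -- confirm the first port against the advisory cited in the README.
# NOTE(review): $INTOPT is shown in the status line but is not passed to
# ipchains, so the rules are not bound to an interface -- confirm intended.
#
# Expansions are left unquoted on purpose: the values come from the parent
# firewall configuration and may be empty or hold more than one word.

# Status line shown while the rules load; the label names SubSeven so that
# it agrees with this module's README and install path.
echo "Reject $INTOPT $IPADDR -> $ANY SubSeven (logged)"
ipchains -A $OUTCHAIN -j REJECT -p tcp -y -s $IPADDR $UNPRIVPORTS -d $ANY 1234 -l
ipchains -A $OUTCHAIN -j REJECT -p tcp -y -s $IPADDR $UNPRIVPORTS -d $ANY 6711 -l
ipchains -A $OUTCHAIN -j REJECT -p tcp -y -s $IPADDR $UNPRIVPORTS -d $ANY 6776 -l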

