
SubSeven General FAQ BKI:





                                    f.a.q.

                         displaying: General questions.

Q: What is a Trojan or R.A.T?
Q: What is SubSeven?
Q: How do I use SubSeven?
Q: What is an IP address?
Q: What is a port?
Q: What is the default port of SubSeven?
Q: What is the master password of SubSeven?
Q: "ICQ notification" doesnt work for me?
Q: I'm Infected with Sub7 server, how can I remove it from my computer?
Q: Can I rename the server ? and can I rename the server to .jpg?
Q: What is the difference b/w a R.A.T and trojan?
Q: What is a Mini Trojan?
Q: What is B.U.G Mafia?
Q: Who has coded Sub7 and what is it Coded in?
Q: How can I get the sub7 source?
Q: When was the first version of Sub7 released to the public?
Q: What is "SubSeven Crew"?
Q: How can I be Sub7 Crew?
Q: Is Sub7 compatible with NT/2k?
Q: Are there any other trojans that run on Win NT?
Q: What is a Lamer?
Q: How can I "HACK THROUGH UNIX"?
Q: What is SubPass?
Q: What is Sub-Buster?
Q: How can I find other computers already infected with Sub7?
Q: What is the best "IP RANGE"?
Q: How can I bypass firewalls (to use sub7)?
Q: Why do antivirus alert me when I use Sub7?
Q: When I connect to some server the client displays "YOU ARE BANNED"?
Q: I get notified that the victim is online but I'm Unable to connect?
Q: Can I get caught using Sub7?
Q: What does M.U.I.E stand for?
Q: What is DEFCON and what is the DEFCON release of Sub7?
Q: On connection to the Sub7 IRC server I get the msg "Closing Link: nick[ip]
(You are banned from using this server)"?

Q: What is a Trojan or R.A.T?
A: Trojans or R.A.Ts (Remote Administration Tools) are programs that allow
you to gain remote access to, or in other words spy on, other people's
computers. They are client/server based, i.e. you send the server to
"Computer A" which is the *victim* and control it with "Computer B" using
the Trojan [Sub7] Client. Oh! and using trojans isnt "hacking".
NOTE: DO NOT run the Sub7 server on your own pc unless you know what u are
doing :P [e.g for testing a freshly configured server] in case u click it by
mistake! check out the later section of this FAQ regarding Disinfection.

Q: What is SubSeven?
A: SubSeven is a Remote Administration Tool/Trojan. It consists of 3 main
files: SubSeven.exe (client), Server.exe (server duh!), EditServer.exe
(server configuration utility).
http://www.sub7page.org

Q: How do I use SubSeven?
A: Step 1: Open EditServer.exe and configure the server.exe (file to send
to victim). Make sure to setup some sort of "Notification", so that u get
the IP/port/password of your victim when he logs on. It is recommended to
set your own port/password to protect the server from being stolen! Using
Higher ports is recommended. Also setup the "startup method[s]". This will
automatically startup the Sub7 server on the victim's pc on every boot!
Changing the Icon is also highly recommended. [to make it look real i.e to
fool the victim]

Step 2: Send the server.exe [rename it of course] to the desired victim via
ICQ, IRC, email or whatever (dont ask HOW to send) its so freaken simple
:P. The victim needs to execute the file u sent, in order to be infected
(i.e server loads in memory)

Step 3: Open SubSeven.exe (Sub7 Client) and enter the victim's IP address
or ICQ UIN in the IP/UIN field and press "Connect". If u setup a password
while configuring the server, the client will ask u to enter it! once you
are connected to the victim you can have all the FUN! u want! but dont do
any lame stuff like formatting etc! and read Disclaimer.txt [with the Sub7
Package] before doing anything!

Q: What is an IP address?
A: IP stands for INTERNET PROTOCOL. It is a unique 32 bit number which
identifies a computer connected to the internet. You will require the IP of
your victim in order to connect with his computer. E.g 172.42.34.34 or
24.24.147.9

Q: What is a port?
A: A port is like a socket that allows you to send/receive data to and from
the victim. Port values range from 0 to 65535.

Q: What is the default port of SubSeven?
A: The default port for 'SubSeven 2.1 Icqfix' and onwards is "6667".
Previously it was "1243" and "27374": 1243 = Sub7 1.0 to Sub7 2.0, 27374 =
Sub7 2.1 to Sub7 Defcon.

Q: What is the master password of SubSeven?
A: NONE! to speak of currently! previous versions had one [so stop asking
about this :P]. Don't be a *lamer* by stealing other ppl's vics, go get your
own victims.

Q: "ICQ notification" doesnt work for me?
A: Check the "Server Side FAQ" for this.
NOTE: Victim DOES NOT need to have ICQ, for ICQ notification to work.

Q: I'm Infected with Sub7 server, how can I remove it from my computer?
A: OK! First of all u need to know the port the server is running on your
computer. This you can check via the "netstat -an" command from the dos
prompt [when u are OFFLINE i.e not connected to the internet]. There should
be no listening ports when u're offline after closing all EXTRA applications
like ICQ netdetect and MSN Messenger etc. Assuming you know the port of the
Sub7 Server, now open the Sub7 Client and Put 127.0.0.1 in the IP field.
127.0.0.1 is the Local Loopback i.e ure IP when u are offline! IF the server
has no password set u will get connected and then select the "remove server"
option from the "server options" page in the "connect menu". If the server
has a password and its M.U.I.E build # 2 and beyond then you will have to
use the manual method of removal.

Manual Method:

1. Firstly, get yourself a program like "Proclist" or "Netmon" [Process
Managers] that tells you all the running *processes* on your system and lets
you TERMINATE them! You can just view them via the "msinfo32" command [type
that at the windows RUN prompt]. Terminate the Sub7 server process and verify
this by typing the "netstat -an" command again. The server port should no
longer be listening [waiting for connections].

2. After killing the server process delete the server executable in the
\windows or windows\system directory. The file name could also be random if
the "random file name" option was checked while configuring the server. The
size should be around 370* K.

3. Now you should remove the server startup, this could vary cuz Sub7 has 5
startup methods:

For the first 2 startup methods: [registry *Run* and *RunServices* ]:

1) open Regedit.exe [via the windows RUN prompt ]

2) Remove the following 2 keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ABC

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\ABC

NOTE: ABC = Reg Key Name ....this could be anything, as set in EDITSERVER,
and XYZ.exe = name of sub7 server executable. This is the key value/data.
Delete the whole key by right clicking it and selecting the *delete* option.

For the "WIN.INI" method and "less known" method:

1) Type "sysedit" in the windows RUN menu or manually open win.ini and
system.ini.

2) Delete the following lines:

* In System.ini delete the line "shell=explorer.exe XYZ.exe"
* In Win.ini delete the line(s) " load = XYZ.exe" or "run = XYZ.exe"

NOTE: DO NOT delete any other lines except the ones containing the Sub7
server [XYZ.exe], this could affect your system e.g some printer drivers
load via the "run = whatever.exe" command.

4. Reboot the system and check "netstat -an" again. If the port is still
listening repeat steps 1-3.
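
The "netstat -an" check and the win.ini/system.ini review from the manual
method can be scripted. The following is an added example, not part of the
original FAQ or of any Sub7 tool: function names are hypothetical, the sample
inputs are constructed, XYZ.exe is the FAQ's own placeholder, and the registry
Run/RunServices keys are not covered.

```python
import re

# Default SubSeven ports listed in this FAQ. The port is configurable, so a
# match is only a hint; any listener you cannot account for deserves a look.
SUB7_DEFAULT_PORTS = {1243, 6667, 27374}

def listening_ports(netstat_text):
    """TCP ports in LISTENING state, parsed from Windows `netstat -an` output."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()  # Proto, Local Address, Foreign Address, State
        if len(f) >= 4 and f[0].upper() == "TCP" and f[3].upper() == "LISTENING":
            ports.add(int(f[1].rsplit(":", 1)[1]))
    return ports

def ini_autostart_entries(ini_text):
    """(key, program) pairs started by load=/run=/shell= lines in win.ini or system.ini."""
    found = []
    for line in ini_text.splitlines():
        m = re.match(r"\s*(load|run|shell)\s*=\s*(.*)", line, re.IGNORECASE)
        if not m:
            continue
        key = m.group(1).lower()
        for prog in m.group(2).replace(",", " ").split():
            # "shell=explorer.exe" alone is the normal Windows shell, not a finding.
            if key == "shell" and prog.lower() == "explorer.exe":
                continue
            found.append((key, prog))
    return found

# Constructed sample data (not captured from a real machine).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
"""
SAMPLE_SYSTEM_INI = "[boot]\nshell=explorer.exe XYZ.exe\n"
SAMPLE_WIN_INI = "[windows]\nload = XYZ.exe\nrun =\nNullPort=None\n"

def review(netstat_text, *ini_texts):
    """Return (listeners on Sub7 default ports, autostart entries to inspect)."""
    hits = sorted(listening_ports(netstat_text) & SUB7_DEFAULT_PORTS)
    entries = [e for text in ini_texts for e in ini_autostart_entries(text)]
    return hits, entries

if __name__ == "__main__":
    print(review(SAMPLE_NETSTAT, SAMPLE_SYSTEM_INI, SAMPLE_WIN_INI))
```

Every entry returned still has to be judged by hand, since legitimate
programs such as printer drivers also load through "run =".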

Q: Can I rename the server ? and can I rename the server to .jpg?
A: Check the "Server Side FAQ" for this.

Q: What is the difference b/w a R.A.T and trojan?
A: Basically nothing that much.....except that "Legal Trojans" like
Laplink, PCAnywhere etc. are considered "Remote administration tools"
[R.A.Ts] (beats me), while other underground programs are called "trojans".
R.A.Ts are usually made to be LESS stealthy....just an excuse....basically
both are the same! OK! there is one difference I guess....U have to pay for
most R.A.Ts :) hrm I wonder why Netbus suddenly became a R.A.T :P

Q: What is a Mini Trojan?
A: A mini trojan also called an "upload trojan" is used to upload bigger
trojans like Sub7 to victims. Most people dont accept 300+ KB files so u
can send an upload trojan (ranging from 3kb to 100 kb) like Psychward,
Infector, Asylum etc to the victim and then upload the Sub7 server or any
other trojan!

Q: What is B.U.G Mafia?
A: B.U.G Mafia is a Romanian Hip-Hop band. All versions of Sub7 are
dedicated to B.U.G Mafia! Check Out: http://bugmafia.org

Q: Who has coded Sub7 and what is it Coded in?
A: Coded by : "mobman" Coded in : Delphi.

NOTE: *Sub7 Crew* has nothing to do with the programming of sub7 :P

Q: How can I get the sub7 source?
A: YOU CANT! so stop asking for it! Sub7 is NOT an open source project! for
a lot of reasons!

Q: When was the first version of Sub7 released to the public?
A: 28th February, 1999

Q: What is "SubSeven Crew"?
A: Subseven Crew is a *group* of ppl that help mobman with "sub7 stuff" i.e
beta testing, irc, suggestions etc.

Q: How can I be Sub7 Crew?
A: First of all the people that say "I wanna be sub7 crew" have never been
chosen! People that are trustworthy and USEFUL to the crew are chosen! and
no! u dont have to give ur name or sumthin! or tell us how useful u are. We
will do the choosing ourselves :P [so STOP bugging us]

NOTE: DONT ASK for OPS/VOICE in #subseven IRC channel.
DONT ASK to be Sub7 crew :P

Q: Is Sub7 compatible with NT/2k?
A: Wasn't before! but 2.2 is gonna be compatible with NT/2K :)

Q: Are there any other trojans that run on Win NT?
A: Bo2k, Donald Dick and a few more!

Q: What is a Lamer?
A: Ok! there are a lot of definitions of lamers...........but if ure
actually reading this question. cant say much about u ;) in my book a
*lamer* is basically a person that doesnt know jack shit about what hez
talkin but pretends as if he knows a lot! see next question for examples ;)
hrm i wonder who this "Syphillis" character is?

Q: How can I "HACK THROUGH UNIX"?
A: There u go! a lamer for u :P . This isnt all, people that come to
#subseven and ask for victims. people that think using linux is *elite* all
fall under the same category, dont take me wrong....not sayin anything to
the *nix community!

Q: What is SubPass?
A: "SubPass" is a Sub7 password bypasser/changer, but it only works for
version 1.9 and BEFORE!

Q: What is Sub-Buster?
A: Sub-Buster is a fake server for Sub7 like Netbuster for Netbus. I find
these kinda fake server(s) [crap] useless! OK....what do u achieve by
running one of these? u get to know whose tryin to Scan/gain access to ur
system for sub7? so? what is that gonna achieve?

Q: How can I find other computers already infected with Sub7?
A: With the "IP Scanner" Feature. Put a suitable "ip range" and then scan
that subnet (class c or d). You can also use the "Remote Scanner" Feature
so that the scan takes place through the victims bandwidth! i.e remote and
also eliminates the risk of getting caught.

Q: What is the best "IP RANGE"?
A: Lot of people ask this question! first of all, due to the HUGE nature of
the internet it is impossible to single out one range to be the best :P
secondly the best range depends on what ure looking for, e.g if someone is
in US most probably he would scan a US range (preferably cable). 24.*.*.*
is cable though!

NOTE: Scanning can get you in trouble with a lot of ISPs so we are NOT
RESPONSIBLE for your actions!

Q: How can I bypass firewalls (to use sub7)?
A: Depends on the firewalls and the user (victim). Some firewalls like
lockdown/blackice dont actually STOP u from using sub7 they just ALERT the
victim that someone is *connecting* to their system! Firewalls (Application
level) like @guard, zonealarm, nis2k (pretty neat) are impossible to bypass
unless the victim adds the Sub7 server as a "trusted" application..many do!
so push ur luck :p I have many victims using zonealarm and @guard

Q: Why do antivirus alert me when I use Sub7?
A: NO! not cuz the Sub7 client has a backdoor or virus in it :P AVs use
this tactic to *SCARE* trojan users [retarded ones]. so that they dont use
Sub7. Just exclude/ignore this warning! Regarding the Sub7 server......why
do they detect it? what else do ya expect ....its a trojan rite? use the
UNPACKED server to avoid this!

Q: When I connect to some server the client displays "YOU ARE BANNED"?
A: SubSeven has a built-in "bruteforce protector". Some ppl coded this
"Sub7 Server Password BruteForcer". So mobman put a protection that you
cannot enter a lot of passwords! i.e no brute forcing. Secondly if ure
using the Bonus Client (with password bypasser) on versions M.U.I.E (second
release) and later......this client is gonna BAN you cuz these versions
don't work with the password bypasser :P

Q: I get notified that the victim is online but I'm Unable to connect?
A: If u get the notification stating that the victim is online, 'n u are
unable to connect to the victim. there could be many reasons, I'll try to
state as many as I can:

* Victim has a firewall or some sort of protection installed. You get the
ICQ pager cuz most people dont block any sort of outgoing connections, so
the pager data gets sent to u(outgoing), but when u try to connect to the
victim, that falls under the *Incoming* category, i.e. the firewall blocks
access! even though the box is infected with sub7!
* Your/Victim's Connection is awfully slow (like he has a 14.4 modem) so
due to slowness you are unable to connect, retry a couple of times! or at a
later time.
* Victim logs on to the internet (pager gets sent to ya) and he goes
OFFLINE!
* You are using the "Password Bypasser" Client to connect to a M.U.I.E
Build # 2 server or later.
* The victim is on a *LAN* [local area network] e.g in a
CyberCafe/University Library. You cannot connect to victims behind a LAN.
Private address blocks are:

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255

So, if your victim has an IP address that lies in this range, don't BOTHER
to connect.

Q: Can I get caught using Sub7?
A: Well Yeah! -[highly unlikely]- but it IS possible! specially if u have a
static IP (like cable). IP Scanning can get you in trouble also cuz many
ISPs Monitor for WELL KNOWN ports like 27374!

Q: What does M.U.I.E stand for?
A: "Mostly Used for Internet Entertainment". M.U.I.E is the code name for
SubSeven 2.1.3. [MUIE also means something nasty in Romanian]

Q: What is DEFCON and what is the DEFCON release of Sub7?
A: DEFCON is an annual computer underground party for hackers held in Las
Vegas, Nevada, every summer for the past seven years.
http://www.defcon.org. The defcon version is like: some of the crew
members (swampy and Unca HeLL) were attending Defcon so mobman released a
special version for it. Just a new undetected server and modified client.

Q: On connection to the Sub7 IRC server I get the msg "Closing Link:
nick[ip] (You are banned from using this server)"?
A: Due to bots and other security issues we DO NOT allow connections to our
IRC server(s) without IDENTD enabled. For MIRC u can enable IDENTD by
clicking the "General Options" button and then select "Identd" from the
*Connect* menu.

