I recently acquired the Norton Internet Security 2004 pack and I've been very satisfied, because it gives me full control over my machine and informs me of all that is going on when I'm connected to the internet, and I've tested the pack with multiple threats and vulnerabilities and it protected the machine each time.
So, all was going well when I connected to the internet, some warnings started to appear, normal warnings, like a remote system is trying to connect to... but then I started to auto-block the IPs for 48 hours, but the warnings didn't stop. As I pressed OK to block, in the second after, another IP was blocked and another warning shown. This went on for 15 minutes, each time a different IP, each time a different port, each second a warning. I blocked all IPs and put them on auto-block for 48 hours and finally the warnings stopped. Then when all seemed to be over a small, very small window appeared with the name of feh and an alert saying point 1, then an OK button. I clicked close and the same window appeared, this time saying pont 2. This went on until point 9 and then the last alert said 12lakhjdwhhqgw99012wms40.exec and then I closed my connection and it all stopped. I checked for viruses, spyware, checked for listening ports and programs and processes running but I can't find anything suspicious. I didn't install any new programs and all the new files were carefully checked by Norton and Spysweeper.
Does anyone know what happened?
Is it possible it was a hacker(s) attack using multiple computers?
Does anyone recognize the alerts and windows described?
I've searched everywhere but I can't find anything. I will appreciate it if someone could give me an answer.
If you could be so kind as to attach a sanitized log of the activity.
(Just remove your personal IP address. If you want, you can remove the supposed "attacker's" IP address... your choice.)
That will be a little easier to follow.
Wow, random ports and IPs... hmmm, that is a problem :D
Are you sure you checked everything for spyware? Because it sounds like it to me, but there is always a possibility of something else... download Ad-Aware and run a scan, see if it gets you anything better... I've never seen something like this yet.
Don't forget Spybot S&D. It catches things that Ad-Aware doesn't.
Indeed, logs would be most helpful.
At the risk of getting kicked for laziness, it sounds like you have your warning levels set too high. Your IDS is posting warnings for harmless scans. Your circumstances don't sound too uncommon. Run all the checks and updates for your box. If your box is as secure as you can make it, what can you do? (abuse@their ISP? What does that ever do?)
by 'Pont', and 'point', do you mean 'port'?
If so, the only thing odd about these scans is that it was ports 1-9; that's just goofy.
For more assistance we need more info. If you have not been logging, you should start, then post clean versions of any problems. If you don't record any problems, then all is well regardless.
I dunno, but that "feh" thing and that "12lakhjdwhhqgw99012wms40.exec" bother me...
Is that file on your hard drive?
I'd grab a trojan scanner like TheCleaner , Swatit.. or even better, TDS-3 and scan..
It wouldn't hurt to get all three..
Sounds like you had a good clean install of your security software and as soon as you went online, the vigaroa hit the mix-master. You could have had someone scanning you, spybots, etc., and it sounds like your firewall blocked them, but you really need to make sure that there aren't any unusual packets leaving your computer as well. You haven't posted your logs yet. If you do these folks here can help you out.
I'd also go to either: www.sygatetech.com or www.grc.com to have them scan your computer as well.
Don't get too comfortable if either or both of these sites show that you are stealth or at least blocking the packets. But it will give you an idea about the ports they do scan whether they are open at the time of the scan.
Re: Security question
Originally posted here by N'AAB
i recently acquired the norton internet security 2004 ...
By "acquired" did you PURCHASE or DOWNLOAD it?
If it's off something like Kazaa....
Well, I didn't expect so many answers but I'm pleased about the fact that people really try to help here. I read all posts and investigated as much as possible.
I've downloaded Spybot, Ad-Aware, virus definitions and I ran all scans. They didn't find a thing.
Then I went to the firewall records and system records and found something intriguing: I saw that NIS had blocked every connection made except one, which was allowed by the user (me) at port 3798 TCP, and that the connection was active for 3 minutes, the remote port being 3568 and the packet volume and information unknown. I guessed that with all those warnings I just kept pressing the default and recommended answer (BLOCK) and at some point the default answer may have changed to PERMIT and I pressed OK, as I got bored with the situation and didn't pay much attention to the repetitive choice I'd been making for so long.
I searched for the exec file on my computer, checked the registry, win.ini, sys.ini, boot.ini and the system log but nothing changed, and all appears to be working fine. I took the tests on a variety of online scans (Symantec, AuditMyPC, browser check-up, Shield something, Sygatech) and no vulnerabilities were found and all ports were stealth/not responding.
So I know now that it was me that made a mistake, but I still wanted to know what it was, because if it was an attack I never saw anything like it.
Maybe this is boring, but if some of you can investigate or give me some hints on what this might be...
So I will explain in detail what is going on:
I bought this new computer, installed another phone line and another DSL connection, installed everything I needed (I have no Kazaa or similar program), purchased the NIS 2004 security pack, erased my NetBIOS and telnet, and configured all the changes needed for a secure PC that I remembered after updating my OS.
The few downloads I've done (codecs, updates for Visual Studio, MSN 6.1 and some other programs) were done on the official webpages and previously scanned by NIS and Spysweeper.
I then tested the security, because this is important for me, since I saw my entire data destroyed by some BIOS-related virus months ago. So as I was saying, I've tested with my other boxes and NIS held and didn't respond to anything. I then checked the NIS logs and found that sometimes it blocks harmful connections, but not often, and depending on what I'm going to do while logged on to the internet, I choose between running NIS underground or manually configuring access. I've never seen anything like that day, and then some questions pop up when I think about it:
If the ports were stealth, and I didn't enter any service, webpage, mail, I just connected to my ISP, how did they find me??
How come so many different IPs and ports? Does a guy/some guys have this kind of machine power to attack others?
How can they put some windows on my desktop without any control when I think I configured all correctly? Is it a new vulnerability found?
I can't find any spyware, trojans or even cookies (the 4 cookies I have found are legit) and I don't have anything listening on any ports and all seems to be OK, so this is weird, very weird, I think.
I'm not an expert in these situations; I just started to learn about security and protocols/internet 7 months ago, and since then I have read a lot about that, tried some things and took all that I've learned to perfect my systems.
But you guys know a lot more than I do and I really need some help because I can't figure it out. I checked with my ISP, Norton support, teachers, colleagues but no one knows.
Soon I'll put some logs and some printscreens here, I just have to edit some things, but I'll post everything I can and that I can find, for you to help me.
Thanks to all for your help.
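As an added example (not code from the thread, and not Norton Internet Security's own log format, which is assumed here as a constructed one-line-per-event layout), a small Python triage script over constructed firewall log lines: it groups inbound attempts by minute to surface the many-IPs-many-ports bursts described above, and then lists any PERMIT that slipped in during such a burst, which is the kind of entry the poster found at local port 3798.

```python
# Triage a firewall log for two things the thread discusses: a burst of inbound
# attempts from many different remote IPs/ports in a short time, and any connection
# that was PERMITted in the middle of a run of BLOCKs (the accidental click).
# The log format below is constructed for this example, not NIS 2004's real format.
from collections import defaultdict
from datetime import datetime

# Constructed sample lines: "date time ACTION PROTO remote_ip:remote_port -> local_port"
SAMPLE_LOG = """\
2004-03-02 21:00:01 BLOCK TCP 10.0.0.5:3568 -> 135
2004-03-02 21:00:02 BLOCK TCP 10.0.0.9:2041 -> 445
2004-03-02 21:00:03 BLOCK UDP 10.0.1.7:1026 -> 1026
2004-03-02 21:00:04 BLOCK TCP 10.0.2.2:4412 -> 139
2004-03-02 21:00:05 PERMIT TCP 10.0.0.5:3568 -> 3798
2004-03-02 21:00:06 BLOCK TCP 10.0.3.3:1111 -> 80
2004-03-02 21:05:00 BLOCK TCP 10.0.0.5:3568 -> 135
"""

def parse(log_text):
    """Turn the constructed log lines into dicts with a datetime and int ports."""
    events = []
    for line in log_text.splitlines():
        date, time, action, proto, remote, _, local = line.split()
        rip, rport = remote.rsplit(":", 1)
        events.append({"t": datetime.fromisoformat(f"{date} {time}"),
                       "action": action, "proto": proto,
                       "rip": rip, "rport": int(rport), "lport": int(local)})
    return events

def scan_bursts(events, min_sources=3):
    """Per-minute buckets with at least min_sources distinct remote IPs.
    Returns (minute, distinct_remote_ips, distinct_local_ports) tuples."""
    per_min = defaultdict(list)
    for e in events:
        per_min[e["t"].replace(second=0)].append(e)
    return [(m, len({e["rip"] for e in es}), len({e["lport"] for e in es}))
            for m, es in sorted(per_min.items())
            if len({e["rip"] for e in es}) >= min_sources]

def permitted_during_bursts(events, min_sources=3):
    """Allowed inbound connections that landed inside a scan burst: the entries
    worth reviewing first, since a reflexive OK on a PERMIT prompt ends up here."""
    burst_minutes = {m for m, _, _ in scan_bursts(events, min_sources)}
    return [e for e in events
            if e["action"] == "PERMIT" and e["t"].replace(second=0) in burst_minutes]

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for m, ips, ports in scan_bursts(evs):
        print(f"{m}: {ips} remote IPs hit {ports} local ports")
    for e in permitted_during_bursts(evs):
        print(f"REVIEW: PERMIT {e['proto']} {e['rip']}:{e['rport']} -> {e['lport']} at {e['t']}")
```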
Well, without the actual logs to be sure, I'd assume that all you're seeing is normal traffic caused by simply connecting to the internet, and your FW warning levels being set too high. If you are sure, and it sounds like you have, that you've done all the normal security checks, spyware, trojans, etc., I'm sure you have nothing to worry about.
Usually going to the likes of www.grc.com and running a port scan will tell you if you're secure enough for the average user.