
Thread: I need some sort of surveillance equipment

  1. #1
    Junior Member
    Join Date
    Dec 2002
    Posts
    7

    I need some sort of surveillance equipment

    Ok, so the day is here, and I have been freakin' hacked.

    I know a lot about computers in many ways, but when the subject is security I guess I am a newbie. I have roamed the net to try to find out anything about security, but the information is huge and vague. Somebody with good knowledge should clean up the newbie section here....it is comprehensive but very messy and confusing for a lot of people I guess.

    So I need some help here.

    I came home, got to the computer which had been on the net for hours, so I was looking around, suddenly my mouse behaved silly. I thought my new mouse was just weird, but when I saw it closing windows and ****, I shut down my computer.

    I run several internet programs, like messenger, AOL IM, web server, ftp servers, and I think the silly smtp server is running, I have programs to update my DNS name like dyndns.org stuff, I have a vnc program to remote control my computer at work or other funny places, and the only security software I have is Norton "well patched" Antivirus, and a few games for online use. .....and a *ehem* p2p apps.

    I think the hacker got the password for my vnc and was using that to get in. I don't really know.

    Sooo, what do I need? I'll try to explain. I don't need to patch my system from the ass and up. I don't need a firewall, they only mess up everything and provide little security, and I don't want one either, they really mess up the system so badly.
    Why? Because I run so many non-secure apps that my computer is like a half-open money safe in a prison without guards....anyway....

    What I need is something like this.....

    Everybody connects to me with an ip, right?
    The ip goes in a port, right?
    After the port the packages go to an application?

    I would need something that can see the traffic from the ip address and all the way in to the software that gets the packages, and it should be presented on a "timeline" so that I can see that a weird address connected to my AOL IM and AOL IM sent out 30MB to that ip address between 2 and 4 am. Something like that. And if the system could see what files the program accessed that would be great too. Because I have a handful of friends that access my ftp, that should be ok, because the ftp has only one dir it could access, but if it accesses silly directories around on my software, then it should ring a bell, right? Or if between 2 or 4 am there was an app started that connected and did silly naughty things on my computer.

    I don't know if software like this exists, I have a bad feeling that it doesn't. I don't care if people connect to my computer, but I want an app that can help me spot when somebody crosses the line between friendly connecting and hacking.
    And the information the app is giving me should be so good that I could turn that evidence over to an abuse department at the ISP and make them deal with it, or in the worst case scenario...police. The firewall I have now cannot do that. It presents tons of ip addresses without giving good and easy info about what it is..

    I don't want a wall, I want surveillance equipment that can see who is going over my lawn, to whom, doing what, and if they misbehave, being naughty you know, I should have a shotgun....no no no...I want a big f*** exterminator.......hehe

    If you have links to programs that fit the description please give them to me, and if you have good links on how to use the more fancy security features in Windows I would be grateful.
    If you have links to sites that can tell me what those different processes running in the background are for, that would be good. And if you have links to sites that present port numbers and what they are used for, by whom, and how...that would be great too.

    And tell me if there are great articles in the forum, I could not find any because I really don't know what I'm looking for, and a lot of the articles were mostly non-informative.

    ...and a page to go to when the paranoia takes complete overhand, my firewall is set to be mean and really make it tough on people.....and during the writing I have had 20 different ips trying to connect to a bunch of weird ports......

  2. #2
    Senior Member
    Join Date
    Jun 2002
    Posts
    352
    What I need is something like this.....

    Everybody connects to me with an ip, right?
    The ip goes in a port, right?
    After the port the packages go to an application?

    I would need something that can see the traffic from the ip address and all the way in to the software that gets the packages, and it should be presented on a "timeline" so that I can see that a weird address connected to my AOL IM and AOL IM sent out 30MB to that ip address between 2 and 4 am.
    The solution you're looking for... it's called a firewall. I personally use Norton Internet Security. Also get a packet sniffer, just do a search for them. But judging from your post, I doubt if you want to scroll through loads of logs to see what went where.....
    "When I give food to the poor, they call me a saint. When I ask why the poor have no food, they call me a communist." -- Dom Helder Camara

  3. #3
    Senior Member
    Join Date
    Aug 2002
    Posts
    508
    know a lot about computers in many ways, but when the subject is security I guess I am a newbie. I have roamed the net to try to find out anything about security, but the information is huge and vague. Somebody with good knowledge should clean up the newbie section here....it is comprehensive but very messy and confusing for a lot of people I guess.
    But you...wrote

    Sooo, what do I need? I'll try to explain. I don't need to patch my system from the ass and up. I don't need a firewall, they only mess up everything and provide little security, and I don't want one either, they really mess up the system so badly.
    Why? Because I run so many non-secure apps that my computer is like a half-open money safe in a prison without guards....anyway....

    Like mahakaal said ..you need to get a firewall...at least you are a little bit more secure..

    wait..wait..
    . The firewall I have now cannot do that. It presents tons of ip addresses without giving good and easy info about what it is..
    What kind of firewall do you have?

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    First - while I can make an educated guess about the OS you are using it would have been nice to have it confirmed by you!!!! I'm guessing Windows for the OS but what is the version, is it 9X or 2000/XP/Me..... It makes a difference - trust me...

    Second - you say you have a firewall - you say you don't like it because it only gives you a list of IPs...... I have $5 says it gives you the ports and direction too.....<s> As sweet_angel asked.... What Firewall?????

    Third - Firewalls are only as good as the person using them. If the firewall pops up and says "The Nasty Trojan is trying to connect to the nasty hackers machine. Do you want to A) prevent it, b) allow it this time or c) Always allow it?" and you answer C then the firewall is a waste of space. It seems to me that with the ton of "less than" secure apps you seem to like to run a firewall would probably be a bit of a waste of time anyway - since you are running one though it would be kinda handy if you tried to learn what it was telling you - I'm pretty certain it's telling you most of what you need. There is a secret place on the internet that us "security types" like to go to for information..... It's called www.google.com.... Try it.... It's great.... but don't tell anyone else about it....<s>

    I will also hazard a guess that you have probably allowed some inbound stuff and outbound stuff through the firewall in the past that you probably didn't want to. Quick suggestion - delete all the firewall rules you have created and start again. This will also allow you to see the less than nice connections to and from your machine.

    Also - Let's be a little smart here..... Your buddies are allowed into your system but you don't want others in..... Make your buddies authenticate themselves..... And change all your passwords too!!!!!! If you suspect that the "attacker" has one of your passwords that should have been your first action.

    Answer the questions Mahakaal, sweet_angel and I have asked and we can proceed from there..... While you wait for our replies start learning about your firewall. Tell us what it is telling you, (Source, destination, direction, source port, destination port etc). Then start googling for the ports to see what they are used for......

    But like Mahakaal says..... I get this feeling that the prospect may be a little daunting for you.... Oh dear.... I agreed with you Mahakaal.....
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  5. #5
    Senior Member Spyrus's Avatar
    Join Date
    Oct 2002
    Posts
    741
    While everyone else has given you information on firewalls and such (my favorite is tiny found at www.tinysoftware.com), I thought I would post a link for what it sounds like has happened to you. If I were just guessing I would say you were hit with a sub 7 trojan maybe? Or a strand close to that, so this website shows you how to check and remove it
    http://www.geocities.com/Pentagon/Qu...new/sub7guide/

    I would check into tiny or what Mahakaal mentioned. I know if you run tiny on its lowest setting it will just observe and log transactions. BOL
    Duct tape.....A whole lot of Duct Tape
    Spyware/Adaware problem click here

  6. #6
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Just thought I'd throw this out there.

    If you think someone might be connected to your computer, to confirm, you can use a command utility called netstat.

    For a complete list of the options, type

    netstat /?

    at a command prompt.

    There are many other programs that do this too. Some of my favorites are

    fport
    and
    activeports

    Like others suggested, you should get a good firewall installed. If you don't have money to spend on one, there are several free ones out there.

    My personal favorite free firewalls are

    zonealarm
    and
    tiny personal firewall


    At least this will get you a step in the right direction. There is so much info on this site... so grab up a seat and stay a while.

    PS: Make sure you have a good antivirus program running, and do a COMPLETE scan right away!
    Welcome to AO!!
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
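Added example (not part of the original thread): the netstat check suggested in post #6, automated. It parses text in the layout of Windows `netstat -ano` output and lists every remote address holding an established connection to a port this machine is listening on, together with the owning PID; the sample output, addresses and PIDs are constructed.

```python
# SAMPLE is constructed text in the column layout of Windows `netstat -ano`.
# Addresses come from documentation ranges and the PIDs are made up.
# 5900 is the usual default VNC port; 5190 is the port AIM clients connect out to.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1212
  TCP    0.0.0.0:5900           0.0.0.0:0              LISTENING       1764
  TCP    192.0.2.10:5900        203.0.113.77:3391      ESTABLISHED     1764
  TCP    192.0.2.10:1045        198.51.100.5:5190      ESTABLISHED     2020
  TCP    192.0.2.10:21          198.51.100.23:4102     ESTABLISHED     1480
  UDP    0.0.0.0:1900           *:*                                    1100
"""


def split_endpoint(endpoint):
    """Split 'addr:port' on the last colon; port is None when not numeric ('*:*')."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port) if port.isdigit() else None


def parse_netstat(text):
    """Yield (local_port, remote_addr, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # headers, blank lines and UDP rows (which have no state column)
        _, local, remote, state, pid = fields
        _, local_port = split_endpoint(local)
        remote_addr, remote_port = split_endpoint(remote)
        yield local_port, remote_addr, remote_port, state, int(pid)


def inbound_connections(text):
    """Established connections whose local port is also in LISTENING state,
    i.e. someone connected to a service on this machine, not the other way round."""
    rows = list(parse_netstat(text))
    listening = {lport for lport, _, _, state, _ in rows if state == "LISTENING"}
    return sorted(
        (lport, raddr, pid)
        for lport, raddr, _, state, pid in rows
        if state == "ESTABLISHED" and lport in listening
    )


if __name__ == "__main__":
    for lport, raddr, pid in inbound_connections(SAMPLE):
        print(f"local port {lport:<5} <- {raddr:<15} (PID {pid})")
```

The outbound AIM connection from local port 1045 is left out because nothing on this machine listens on that port; only the FTP and VNC sessions are reported.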

  7. #7
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164
    Sygate (www.sygate.com) has a good firewall, Zone Alarm Pro (www.zonelabs.com) is pretty good, Tiny (www.tinysoftware.com) is free and good. Like mentioned above, these three listed would give you a good start on securing your system.

    And to be honest (take this as constructive criticism), it's not a firewall or router that "messes up your system so badly", it's the fact that you run a million and a half unsecure programs on a machine that's directly connected to the internet (BAD BAD BAD IDEA). The only way that could get any worse is if you went ahead and got a domain name registered to a static IP.

    I seriously recommend doing this:

    1: get a firewall, and allow only those that are a must through.
    2: use a different mail program and browser (most vulnerabilities are made for Win* programs like Outlook, Outlook Express, and IE specifically). Get used to this one...otherwise you'll be relying on "patching your system from the ass up" with MS patches that may or may not fix anything and may open up MORE problems (this is proven).
    3: get a router to boot. I recommend getting a Linksys 1-port (if you have only one machine connected to the net). That helps a ton right there by providing a hardware layer of protection. Coupled with a properly configured software firewall, and you're doing good.
    4: go read O'Reilly's book on Internet Security. In internet security, half the problems or more could have been avoided by not being ignorant and learning how things work instead of putting blind faith in the OS or not patching or any number of things.
    5: be paranoid, read your router logs and firewall logs religiously. Understand what's going on.
    6: get an AntiVirus (I recommend www.pandasoftware.com , very fast and efficient). Use it.
    7: get Lavasoft's Ad-Aware (and RefUpdate 2.0 to update the reference file). RUN THAT first. You'll fall on your ASS when you see how much ****'s on your machine that's spyware. I'm betting well over 200, to start.
    8: use Trillian instead of using standard IM programs like AOL, YIM, etc. It supports AIM, YIM, MSN, ICQ, and IRC. Use it. Believe in it. Trust in it. Hehe...
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  8. #8
    Junior Member
    Join Date
    Dec 2002
    Posts
    7
    I'll answer in several notes, my questions are beginning to be long here.

    WinXP is my system. Norton Antivirus, and Norton Internet Security for now.


    I do agree with you in a sense on what you have suggested.


    You say I need a firewall, ok.

    I close every port on the computer, right, and open those I need.
    In a way it would be better, because people would not be able to
    access ports that should not be in use. good.

    Change passwords and create users for those who need it,
    that is done, and has been in place for a long time, good.

    But as I said. I use a bunch of programs that need access in and
    out of the wall. So. Let's say somebody knows the password to my vnc,
    which I suspect. A firewall would never stop such access. At best
    it would say that today there has been access on
    "the port which vnc usually uses". My Norton Firewall is a big
    mess looking through, so I would not be able to spot such
    unauthorized access, because it contains thousands of unsorted
    entries, which are presented in a more confusing way.
    And you cannot sort it properly. I would need a firewall where I
    can look at the log and say....hmm, somebody accessed my vnc today,
    strange...in a matter of 2min.

    Q. You run a web-server which has 500 people visiting
    every day from all over the world. How could you with a
    firewall spot that 1 person who hacks through the web-server
    and gains access to files on the computer which that
    person should not have access to..... That is my problem really.

    A firewall is no better than the security of your weakest app.
    Think you will agree. Which makes the firewall pretty useless actually.

    And of course I agree, the security on a computer is no higher than
    the person's knowledge. I know.

    I have been looking around in the logs of NIS ( Norton Internet Security )
    today, and I do see ips that have in a short period of time tried to connect
    to several ports, I would define it as a port scan. And the ip comes from Norway.
    Is it a port scan? Is it a legitimate program that connects to other
    computers by trying a bunch of ports? Is it a virus? Does the person in
    the other end know it is going on? Does an abuse department take a port scan seriously?
    ...probably not, I wouldn't. The problem arises when a hack is being made, and right there
    Norton would not tell me. If there was a new unknown trojan, I do not have a system that spots
    him. Because these packages do go to somebody, Norton doesn't tell who is
    receiving what from where, at its best it has received 10 000 packages. I sound frustrated I know,
    my apologies, annoying weekend really.

    I see you suggest some firewalls there, may I ask how the logging feature is on those firewalls?

  9. #9
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    I have found that bigger companies do tend to take port scans seriously. I had a computer in the Wells Fargo domain port scanning my ISA Server for days. I finally complained to their admins and they stopped the scanning.
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  10. #10
    Junior Member
    Join Date
    Dec 2002
    Posts
    7
    You quoted:
    The solution you're looking for... it's called a firewall. I personally use Norton Internet Security. Also get a packet sniffer, just do a search for them. But judging from your post, I doubt if you want to scroll through loads of logs to see what went where.....


    Of course I do not want to spend hours on loads of logs. We are in 2002, soon 2003. I want to sit home and program on my silly directx program, try new silly programs, look for books on kazaa to see and try before I buy, I want to send a few mails, read the news, real news not geek news...ok a bit of geek news.... DVD Jon is on trial today in Norway... The Norwegian newspaper used the word geek loads of times " This is almost like x-mas for these nerds" hehe.

    But hey, listen.
    Where is the system that sorts the log for you in an easy way? "vnc was used by 2 ips today which are xxxxxxxxx and yyyyyyyy. This happened at time xx.xx and yy.yy". Suddenly a bell is ringing in my head.

    Today I have seen in Norton that 1 ip has tried a lot of ports, yet Norton does not yell "portscan"....weeeeehuuuuuu. I had to read 20 messy logs to figure that out. Do I want to do this every day? Through 1000 logs? And where is the program that presents a graphical view of the traffic made on certain ports and presents it in a timeline? In this way I could in 5sec? spot if AOL 5pm were used as a "trojan", or if nbus.exe were connecting to an ip in Germany. Where is the system that presents: "iexplore.exe has on ports so and so, been connected to ip addresses bla bla bla and a long list follows weeeeee"? Not Norton certainly. A very silly application if you ask me. It would also be helpful with a system that said that "it looks like that document "possible but ugly girlfriends.doc" was sent out on the net". hmm

    Is there some security program developer around? I have tons of ideas.

    Oh, is www.google.com secret? Oh dear, silly me, I think I told a few, is that really baaaad? I do get x-mas presents still, right? hehe


    ehey, you silly. You tell me what I need, google does the rest for me, always does. But as you know, if you do not know the dogs name or what kind of dog you are searching for, how could google.
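Added example (not part of the original thread, and not a feature of any firewall named in it): the log summary asked for in posts #8 and #10, a per-service list of who connected and when, plus a check for one address trying many ports in a short time. The log format, the addresses and the five-ports-in-60-seconds threshold are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a made-up format: date, time, direction, remote IP,
# local port, action. It is not the log format of any real firewall product.
LOG = """\
2002-12-09 02:14:05 IN 203.0.113.77 5900 ALLOW
2002-12-09 02:14:40 IN 198.51.100.9 21 BLOCK
2002-12-09 02:14:41 IN 198.51.100.9 23 BLOCK
2002-12-09 02:14:41 IN 198.51.100.9 25 BLOCK
2002-12-09 02:14:42 IN 198.51.100.9 80 ALLOW
2002-12-09 02:14:43 IN 198.51.100.9 139 BLOCK
2002-12-09 02:14:44 IN 198.51.100.9 445 BLOCK
2002-12-09 09:30:12 IN 192.0.2.44 21 ALLOW
2002-12-09 17:02:51 IN 192.0.2.44 5900 ALLOW
2002-12-09 17:40:03 IN 192.0.2.44 80 ALLOW
"""


def parse(log):
    """Return time-ordered (when, direction, ip, port, action) tuples."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # ignore anything that is not a complete record
        date, clock, direction, ip, port, action = parts
        when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        events.append((when, direction, ip, int(port), action))
    return sorted(events)


def accepted_by_port(events, port):
    """Timeline for one service: (HH:MM, remote IP) of each allowed inbound hit."""
    return [(when.strftime("%H:%M"), ip)
            for when, direction, ip, p, action in events
            if direction == "IN" and p == port and action == "ALLOW"]


def port_scanners(events, min_ports=5, window=timedelta(seconds=60)):
    """Map remote IP -> most distinct local ports it touched inside one window,
    for IPs that reached min_ports. Blocked attempts count as well."""
    by_ip = defaultdict(list)
    for when, direction, ip, port, _ in events:
        if direction == "IN":
            by_ip[ip].append((when, port))
    flagged = {}
    for ip, hits in by_ip.items():
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # slide the window forward
            ports = {p for _, p in hits[start:end + 1]}
            if len(ports) >= min_ports:
                flagged[ip] = max(len(ports), flagged.get(ip, 0))
    return flagged


if __name__ == "__main__":
    events = parse(LOG)
    print("port 5900 accepted:", accepted_by_port(events, 5900))
    print("possible scans:", port_scanners(events))
```

On the sample, the friend at 192.0.2.44 who uses three services over a day is not flagged, while 198.51.100.9 touching six ports in four seconds is.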
