
Thread: How are they finding me?

  1. #1
    Junior Member
    Join Date
    Nov 2001
    Posts
    10

    How are they finding me?

    Hi all, just needed to get some info concerning a problem I have...

    I installed a firewall recently on my home PC.... it uses a dial-up ....

    Basically about two days ago I started getting NetBIOS (port 137) requests coming in at a rate of about 10 per hour. It usually starts about five mins after I log on to my dialup, and I am receiving requests from Taiwan, the US, Mexico, and even Malaysia, to mention but a few.

    I already researched the port 137 probe and already know what that's all about, however my question is basically, how the hell are they finding me? IMHO it doesn't seem to be a conscious effort of these individuals to be scanning me, and considering the fact that I use a very small local ISP I just wonder how these people or this program (dare I say: virus?) is detecting and querying my IP so soon after I log in. Is it just lucky guessing or is there something I am missing?

    Thanks very much for any help..

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Posts
    100
    They could just be scanning for random boxes with the ports open or they may be finding you on IRC or another chat prog that you use. It would be highly unlikely for them to randomly guess _your_ IP address each time you dial up.
    Just because you don't see it doesn't mean it's not there

  3. #3
    Senior Member
    Join Date
    Jan 2002
    Posts
    371
    It is likely that people are scanning network ranges looking for machines with NetBIOS open.

    i.e. 192.168.0.0.

    My guess is that your particular subnet lies within these people's target network ranges with their port scans.
    SoggyBottom.

    There were so many fewer questions when the stars were still just the holes to heaven - JJ
    I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.

  4. #4
    Senior Member
    Join Date
    Dec 2002
    Posts
    110
    As mentioned by SoggyBottom this is just normal background network activity. It is an annoyance only and nothing to be worried about. You have a f/w up so you are fine.
    Stay on line long enough and you will start seeing all kinds of scans 80/443/1433/3128/8080... ad nauseam. Nothing to worry about. Unless they really are out to get you!!! ;-)

  5. #5
    Plus some of the latest worms (well, not just latest, but a lot of worms) try to use port 137 to propagate. I know that Bugbear was one of them; we noticed a definite increase in port 137 activity when it came out. Nothing really to worry about as long as you are running a good firewall and are keeping up to date with your virus updates.
    - Maverick

  6. #6
    Senior Member
    Join Date
    Dec 2002
    Posts
    127
    Actually don, if he has a f/w up he isn't completely fine. There are ways to take out the firewall and access the computer. More than likely he probably won't be attacked. The f/w is good protection but like I have learned and other people have said, firewalls aren't completely safe. Oblivious, you are probably fine though. Unless there is a reason for a true hacker to get your information, the only real people you have to worry about are those script kiddies, and the firewall usually takes care of them.
    The only four things i need are food, water, a computer, and the internet.

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Originally posted here by Madseel
    Actually don, if he has a f/w up he isn't completely fine. There are ways to take out the firewall and access the computer. More than likely he probably won't be attacked. The f/w is good protection but like I have learned and other people have said, firewalls aren't completely safe. Oblivious, you are probably fine though. Unless there is a reason for a true hacker to get your information, the only real people you have to worry about are those script kiddies, and the firewall usually takes care of them.
    The biggest hole in almost every firewall is its egress filters. More and more programs (both malware and "normal" software such as instant messengers) are taking advantage of the fact that while their default port may be locked by a more industrious admin they can still connect across standard ports when the connection fails.

    You are correct in saying that a firewall isn't the end of your security by any means. Most ways past firewalls tend to depend upon the firewall. Simple packet filter firewalls can be quite easily bypassed after a little fingerprinting determines the ACLs. NAT firewalls are similarly exploited but it is more difficult. Stateful firewalls are the best but they also require bigger $$$$$$. By and large, a hardware firewall such as a Linksys is more than sufficient for a home user at keeping unwanted connections from the outside out. OTOH they are utterly useless if you then go ahead and d/l every piece of malware available out there from Kazaa or whatever - cos they will simply call home and the firewall becomes simply another piece of useless hardware attached to your system.

    Oblivious: You are being scanned, be it by an individual or by an automated virus/worm. These scans are random. You will get them all the time. As long as your ingress filters drop everything then you are fine. If they allow some of these requests through then you need to maintain your patch level on a daily basis to try to ensure that you are patched against all the known vulnerabilities of your OS.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
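
Added example, not part of any post in this thread: a short log triage that separates the background port 137 sweeps described above from a single source trying several ports, and flags any inbound connection the ingress filter let through. The log format, the sample lines, the documentation-range addresses and the `multi_port_threshold` parameter are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a made-up personal-firewall log format:
# date time ACTION DIRECTION PROTO src_ip:src_port -> dst_ip:dst_port
SAMPLE_LOG = """\
2003-01-14 20:05:11 DROP IN UDP 198.51.100.7:1026 -> 192.0.2.44:137
2003-01-14 20:11:40 DROP IN UDP 203.0.113.19:137 -> 192.0.2.44:137
2003-01-14 20:19:02 DROP IN UDP 198.51.100.200:1031 -> 192.0.2.44:137
2003-01-14 20:31:57 DROP IN TCP 203.0.113.80:4410 -> 192.0.2.44:80
2003-01-14 20:32:15 DROP IN TCP 203.0.113.80:4411 -> 192.0.2.44:443
2003-01-14 20:32:16 DROP IN TCP 203.0.113.80:4412 -> 192.0.2.44:1433
2003-01-14 20:32:18 DROP IN TCP 203.0.113.80:4413 -> 192.0.2.44:3128
2003-01-14 20:40:03 ALLOW IN TCP 198.51.100.91:2210 -> 192.0.2.44:139
this line is malformed and is skipped
"""

LINE_RE = re.compile(
    r"^\S+ \S+ (DROP|ALLOW) (IN|OUT) (TCP|UDP) "
    r"([\d.]+):\d+ -> [\d.]+:(\d+)$"
)

def summarize(log_text, multi_port_threshold=3):
    """Group inbound probes by port and by source; flag anything allowed in."""
    sources_per_port = defaultdict(set)   # dst port -> distinct source IPs
    ports_per_source = defaultdict(set)   # source IP -> distinct dst ports
    allowed_inbound = []                  # (source IP, dst port) that got through
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(2) != "IN":
            continue
        action, _, _, src, port = m.groups()
        port = int(port)
        sources_per_port[port].add(src)
        ports_per_source[src].add(port)
        if action == "ALLOW":
            allowed_inbound.append((src, port))
    return {
        # Many unrelated sources on one port: sweep or worm traffic.
        "sources_per_port": {p: len(s) for p, s in sources_per_port.items()},
        # One source trying several different ports on this host.
        "multi_port_sources": sorted(
            s for s, p in ports_per_source.items() if len(p) >= multi_port_threshold
        ),
        "allowed_inbound": allowed_inbound,
    }
```

An empty `allowed_inbound` list is the "ingress filters drop everything" condition from the post above; any entry there points at a service that needs to be closed or kept patched.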

  8. #8
    Junior Member
    Join Date
    Nov 2001
    Posts
    10
    Thanks very much for the info guys....

    I must say I was starting to get a bit worried about the frequency of these port 137 requests... and I didn't really just wanna switch off the alerts and leave it up to the firewall to keep blocking traffic...

    Thanks again for helping out, off to google 'ingress filters' now j/k
    "I do not fear computers. I fear the lack of them."
    Isaac Asimov (1920 - 1992)

  9. #9
    You should be fine as long as you're not sharing, and you're running Win2k.. if you're running Win9x, I'm sorry. What they do is they scan you, and they stick your IP in their "LMhosts.sam" file. In this case when the computer is started up, it will pretend that you're on his LAN. As long as you got passwords, and you got nothing sharing you should be fine. If you do, turn off NETBIOS/NETBEUI, and to network your computers just use the TCP/IP trick 192.168.0.X. (Internal Routing) Personally, I hate NetX just because at times it can be very vulnerable. Hope this helps.

    Oh one more thing, check your ISP. Which ISP are you using? Because if you're using a well targeted ISP, they can continue guessing the IP. On top of that, check your IP every time you dial on. It may be that your ISP is dishing you out the same IP. If that's the case go to the command prompt and type "ipconfig /renew" and get a new IP. Just keep on it. Then after you're done with that and you still feel iffy, go grab some software related firewall, and make sure you don't open anything from anywhere.
    I'm Chris Bartholomew - 18 Years old

    TSeNg
    questions? Cxbartholomew@yahoo.com

  10. #10
    Junior Member
    Join Date
    Jan 2003
    Posts
    16
    Here's pretty much an exact answer to your question. Hope it helps!!

    http://www.robertgraham.com/pubs/firewall-seen.html#10
