February 21st, 2003, 09:54 PM
Hello all and ty for taking time to read this. I recently noticed that someone was "tinkering" in my computer and decided to get a router on top of the FW I have. Since I have had the router up it appears that it has been scanning my computer non-stop. Every possible port imaginable is listed from the router IP 192.168.1.1 to my computer's internal IP. When I contacted Linksys for help they kinda brushed me off. I am new at all of this and yes I searched all the FAQs till my eyes bled lol so that I wouldn't be wasting anyone's time.
I have a Linksys BEFSR41 router and ZA Pro.
I work in an unrelated field and I am trying but I couldn't figure this out on my own. I have been reading from this site for a while now and must say that I am learning a lot and appreciate the knowledge displayed here, it is amazing what some of you know about computers!
Thank You again
February 21st, 2003, 10:48 PM
My recommendation to you is to d/l windump and libpcap, which is its dependency. Just google for windump and both of the above mentioned are there. Once installed, take a look at the packets flying across and post a snippet of what it is you're talking about. It is unlikely that someone has access to your computer now that your router is up. ZA has some exploits out against it though. Anyhoo, install what I said and post some of the traffic.
February 21st, 2003, 11:47 PM
Thank you I will give that a go but do you have any idea why my router is continuously scanning my computer?
February 22nd, 2003, 12:44 AM
The router would not be scanning your computer per se. It is probably just ARP traffic you're seeing, i.e. ARP "who has this IP 192.168.blah.blah".
If you are being scanned I advise you to d/l a tool called "The Cleaner" by MooSoft. Download it and check your hard drive. If this finds nothing then there is something here that makes no sense, which is why I advised you to d/l a packet sniffer.
February 22nd, 2003, 05:36 AM
Well I have had The Cleaner among other programs for a while and it always comes up clean. The IP 192.168.1.1 (source IP) is scanning 192.168.1.xxx, my computer, on all ports. I was wondering if maybe this is a setup or configuration problem with either the FW or the router?
I d/l the program you gave and didn't find any weird activity. As it stands now when my FW is up all it can record is the above and nothing else is recorded and my LinkLogger is always empty.
Thanks again for your help, Don
February 22nd, 2003, 11:32 AM
Um, also make sure that your router doesn't have ports 21 and 23 open towards the outside. Some routers have them open by default for administration. Also change all the default passwords that came along with your router. About the programs mentioned by Don, I would also like to add www.ethereal.com. It's just another packet analyser that's pretty good as well. Apart from that, maybe also try another firewall other than ZA. I know that the firewall is off topic here to your problem, it's just that I've heard a lot of negative comments about it.
Good luck to you.
The reason why I asked about ports 21 and 23 is that it's possible to connect to them and change your router settings, making a possible attack look like it's coming from your router.
Ubuntu: Means in African: "I'm too dumb to use Slackware"
February 22nd, 2003, 03:06 PM
I have the same router as you do.
The router is your gateway out of the 192.168.1.x network. If you have every port with open connections to the router, you have more issues than someone "tinkering". You should see a local address of your IP and a foreign address of something other than your router IP of 192.168.1.1.
The first thing I would do is drop to a command prompt and type: netstat -an and see what connections are present. Please let us know what they are.
This router, by default, will not allow inbound connections to privileged ports and remote admin is also off by default. If you see a ton of open connections, you may have a trojan, worm or a ton of spyware on your box. If this is the case, the router won't stop the traffic from going outbound. I would download Ad-aware 6 from http://www.lavasoft.de and run it on your machine.
Once you have done that, go to http://www.moosoft.com and download the trojan cleaner. Run this program and see if it finds anything. Once you have done these things, drop to a command prompt again and do a netstat -an and see how many open connections you have. Note any differences from your initial results.
Finally, I would flash the firmware on the router. Early firmware for this model had a bunch of issues. You can get the latest firmware from www.linksys.com. Follow the prompts in support to go to the firmware download for the Linksys BEFSR41.
One last note, you can download the logviewer.exe file from the linksys ftp site and set it up so that you can monitor the router logs in a nice GUI interface on your machine. If you want step-by-steps to get this working, just PM me.
Hope this helps.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
February 22nd, 2003, 10:27 PM
Thank you all again for responding. I have been running netstat and I have had all the above programs (minus the packet sniffer) for some time and I haven't had any open or established connections. I am working with a friend who is trying to learn as well, "Phite", and he has port scanned me with no luck. Although one thing I do find odd is that on www.grc.com I used to be "stealth" on all ports but for some reason now my port 113 is only "closed" and I'm not sure why this is. I have updated the firmware and I have a complicated password so I don't believe (ignorance) anyone can get to my router?
Sorry I haven't had time to post an SS of my router or FW, I am very busy and I appreciate all the help. I hope what I am posting makes sense to you guys LOL, I'm sure I'm doing a good job of confusing the crap out of you with my lack of knowledge
February 22nd, 2003, 10:37 PM
The following is from Steve Gibson's FAQ about ShieldsUp!
As you can see, his FAQ is somewhat outdated (with ZoneAlarm just having released version 3.7.098). ZoneAlarm 3.0 and above can no longer "Stealth" port 113. It's a glitch that has been reported to them, but they do not see the necessity to resolve. They call it a "new feature", while others call it a security risk. Anyway, that's why your port 113 is appearing as closed, rather than stealth.
Why isn't my Port 113 Stealthed? I'm using a firewall to stealth my entire machine, but the ShieldsUP! port probe shows port 113 to only be closed instead of stealthed! What gives?
Port 113 is associated with the Internet's Ident/Auth (Identification / Authentication) service. When a client program in your computer contacts a remote server for services such as POP, IMAP, SMTP, or IRC, that remote server sends back a query to the "Ident" server running in many systems listening for these queries on port 113. Essentially, the remote server is asking your system to identify itself ... and you. This means that port 113 is often probed by attackers as a rich source of your personal information.
You may recall, from my explanation of Stealthed ports, that attempting to connect to a stealthed port is both costly and painful for the contact initiator — which is why it's so cool to stealth our machines. But the problem with simple stealthing of port 113 is that we don't want to hurt the servers we are trying to contact when they turn around and send us their IDENT query. If they get no response at all from their port 113 query, our connection to them (which initiated their query in the first place) will be delayed or perhaps completely abandoned.
Note that not all servers generate IDENT queries. So, depending upon your ISP, stealthing port 113 may not be any problem for you. However, you'll note that requirements for port 113 are common enough that most mature firewalls (BlackICE Defender, AtGuard, NIS2K, etc.) include built-in default rules allowing IDENT queries to pass through. These rules result in the IDENT's status being "closed" rather than "stealth."
So what can you do?
* You may be able to remove or disable your firewall's default rule for IDENT (port 113) and run it in full stealth mode without trouble. If you do this, keep on the lookout for trouble connecting to less common servers, like IRC, which might have problems that you haven't encountered before.
* Or, you can leave the default rule in place and live with your system's IDENT service port being visible to the outside world. Be aware that this provides a means for intruders to detect an otherwise stealthed computer. And they'll know you're running a firewall since other things are stealthed, but not port 113.
* Or, you can switch to the very latest, highest technology, and best adaptive firewall which is smart enough to stealth this port against random probes, while still showing it as "closed" to queries from valid servers ...
My current favorite firewall — soon to be recommended — is the completely free ZoneAlarm 2.0 (ZA2) from ZoneLabs. ZoneAlarm is the only firewall I know of that's smart enough to stealth your ENTIRE machine while still allowing your remote servers to see port 113 as closed.
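As an added example (not part of the thread or of Gibson's FAQ), here is a minimal RFC 1413 responder of the kind the Ident/Auth service above describes, run end to end on loopback: it answers the querying server promptly, so the connection that triggered the query is not delayed, while refusing to hand over a username. The port pair, the placeholder user and the use of an ephemeral port instead of 113 are constructed for the demo.

```python
import socket
import threading

def build_ident_reply(query: str, hide_user: bool = True) -> str:
    """Reply line for one RFC 1413 query of the form "<server-port> , <client-port>"."""
    parts = query.strip().split(",")
    if len(parts) != 2:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    try:
        server_port, client_port = (int(p.strip()) for p in parts)
    except ValueError:
        return "0 , 0 : ERROR : INVALID-PORT\r\n"
    if not (1 <= server_port <= 65535 and 1 <= client_port <= 65535):
        return f"{server_port} , {client_port} : ERROR : INVALID-PORT\r\n"
    if hide_user:
        # RFC 1413 lets the responder decline to identify the user; the remote
        # server still gets an immediate answer instead of waiting on a timeout.
        return f"{server_port} , {client_port} : ERROR : HIDDEN-USER\r\n"
    # Constructed placeholder; a real responder would look up the socket's owner.
    return f"{server_port} , {client_port} : USERID : UNIX : placeholder-user\r\n"

def serve_one_query(listener: socket.socket) -> None:
    """Accept a single querying server, answer its first line, and close."""
    conn, _ = listener.accept()
    with conn:
        data = conn.recv(1024).decode("ascii", errors="replace")
        conn.sendall(build_ident_reply(data).encode("ascii"))

def ident_round_trip(query: str) -> str:
    """Both sides on 127.0.0.1: an ephemeral port stands in for TCP/113."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    worker = threading.Thread(target=serve_one_query, args=(listener,))
    worker.start()
    # The "remote server" side: it knows its own port and ours, and asks who we are.
    with socket.create_connection(("127.0.0.1", port), timeout=5) as client:
        client.sendall((query + "\r\n").encode("ascii"))
        reply = client.recv(1024).decode("ascii")
    worker.join()
    listener.close()
    return reply

if __name__ == "__main__":
    print(ident_round_trip("6193, 23"), end="")
```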
February 22nd, 2003, 11:08 PM
My Ident port is also closed, this is the router's port... the router will take care of it, and it's as good as stealth. Well, I'm not sure about your router, but that is true for mine.
good luck.....routers can be a tricky sort.
With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!
And no one can recall the gentle features of the queen's face that fair day, when the land here rested in holy peace and everyone had love to love with.