Sygate Personal Firewall? - Page 2
Page 2 of 3 FirstFirst 123 LastLast
Results 11 to 20 of 25

Thread: Sygate Personal Firewall?

  1. #11
    Senior Member
    Join Date
    Jan 2005
    Posts
    217

    Lightbulb Hmmm...

    Good point, ByTeWrangler!

    3 out of 4 vulnerability arE UNPATCHED"
    One vulnerability was way back year 2002 - moderately critical (Typically used for remotely exploitable Denial of Service vulnerabilities against services like FTP, HTTP, and SMTP, and for vulnerabilities, which allows system compromises but require user interaction.)

    From Secunia also - http://secunia.com/advisories/7930/

    Description:
    Sygate Personal Firewall comes with a default rule set that blocks all udp requests, however if udp requests originates from source port 137 or 138 they are allowed, thus a malicious person could get access to all open udp ports on a target merely by sending all requests from source port 137 or 138.

    Unpatched but with solution
    Solution:
    Change your firewall rules to block all udp traffic, inclusive trafik with source port 137 and 138.

    Yo!
    \"Life without FREEDOM is no life at all\". - William Wallace
    MyhomE MyboX StealtH (loop n. see loop.)
    http://www.geocities.com/sebeneleben/SOTBMulti.gif

  2. #12
    Junior Member
    Join Date
    Mar 2005
    Posts
    9
    I just opened a WinZip crack that I downloaded from Kazaa Lite. Must have been spyware or something because as soon as I opened it Sygate told me: C:\WINDOWS\TEMP\123.exe is attempting to connect to an IP address that I did not record. Set Sygate to BLOCK the connection and any other connections that it told me about. Now, in the list of running applications, I have new apps that I have never seen there before that are set to ask before connection:

    |RCPCSS.EXE| |TCP| |LISTEN| |1028|
    |RCPCSS.EXE| |TCP| |LISTEN| |135|
    |kernel32.dll| |UDP| |LISTEN| |68|
    |kernel32.dll| |UDP| |LISTEN| |138|
    |kernel32.dll| |UDP| |LISTEN| |137|
    |kernel32.dll| |UDP| |LISTEN| |139|

    All files exist on the C:\WINDOWS\SYSTEM directory. Should I block them all?

    I have scanned my PC using "Free Spyware Scanner GOLD" with updated database, and it found nothing. I do remember one of the domains the programs were trying to connect to was: get.inetbar.com . My NOD32 Antivirus scanner did not detect the file that I downloaded and ran even when I scanned it a second time myself with advanced heuristics and updated definitions. Usually if I download an infected file from Kazaa lite, my NOD32 will detect it before it is even finished downloading. Did not detect anything. This "LISTEN" sounds fishy to me. Especially on the ports that scratchonthebox just posted about. So what I did, was set an advanced rule with Sygate titled "Patch" to block ALL hosts with UDP REMOTE and LOCAL ports 137, 138, and 139.

    What I am worried about here is, could I have opened an undetectable trojan? Can anyone PLEASE help me out here? Thanks ALOT in advance!!!


    Peace.

  3. #13
    Senior Member
    Join Date
    Jan 2005
    Posts
    217

    Hmmm...

    ryan-nyquist,

    Don't panic. Relax! Just like most of the AO guys said about firewall, it is doing its job. Aside from chaging the settings of your sygate (as per the solution of the advisory of course), what have you done lately? First thing, using P2P SW like Kazaa Lite, not to mention that you had opened a WinZip crack (what do you mean by it?), it is probably a malware (and it is in temp folder).

    For the ports you had mentioned, only port 139 I could recall and it is in my website’s port list - NetBIOS. NetBIOS is used for Windows File & Print sharing. If port 139 is open, your computer is open to sharing files over the Internet. Other components of NetBIOS can expose your computer name, workgroup, user name, and other information.

    *.. and port 135 Location service (loc-srv). This port is used to direct RPC (Remote Procedure Calls) services to the appropriate dynamically mapped ports. Hackers can use this to determine which port is used by several Windows services. This port should not be visible from the Internet.
    *


    You should do the normal routine, disable system restore, restart in safe mode, run your anti-malware and antivirus (make sure all definitions are updated). After doing this, restart your BoX, and run HJT (hijackthis - http://www.antionline.com/showthrea...threadid=265467) and check it (Remember, don’t do anything with the HJT, show the logs here first so that the rest of AO guys could give you advice). You can place the LOG here afterwards to see more details of what's going on with your BoX.

    Yo!
    \"Life without FREEDOM is no life at all\". - William Wallace
    MyhomE MyboX StealtH (loop n. see loop.)
    http://www.geocities.com/sebeneleben/SOTBMulti.gif

  4. #14
    Senior Member
    Join Date
    Feb 2004
    Posts
    270
    I would like to take this opportunity the blatently advertise for

    Kerio. Its a decent firewall that does its work like it should. AND it can be configured really well.
    Since the beginning of time, Man has searched for the answers to the big questions: \'How did we get here?\' \'Is there life after death?\' \'Are we alone?\' But today, in this very theatre, you will be asked to answer the biggest question of them all...WHO LIVES IN A PINEAPPLE UNDER THE SEA?

  5. #15
    StOrM™
    Join Date
    Aug 2004
    Posts
    1,003
    Greeting's

    Okay you might want to do the following :

    Get you Copmuter scanned online at housecall.trendmicro.com

    Get an anti-spyware program like spy.bot and if you want upload your hijackthis log online.
    Parth Maniar,
    CISSP, CISM, CISA, SSCP

    *Thank you GOD*

    Greater the Difficulty, SWEETER the Victory.

    Believe in yourself.

  6. #16
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,178
    I just opened a WinZip crack that I downloaded from Kazaa Lite. Must have been spyware or something
    Jeez! some of them won't ever learn

    Let that be a lesson to you, in future go into Google and type "freeware", you will get lots of sites and just about everything you might need..............even full-blown Microsoft Compatible Office Suites!............there are certainly plenty of Zip file applications.

    Get spy bot Search & Destroy and AdAware SE, update them and run them in safe mode.

    Get Moosoft's "The Cleaner" 30 day trial and run that.

    And follow the advice already given
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  7. #17
    Junior Member
    Join Date
    Mar 2005
    Posts
    9
    You guys got it right on. Its definately a browser hijacker. Won't even let me click that link so I have to copy and paste the hijackthis URL into my browser.

    Sounds alot like spyware to me, but just to be safe, I am gonna perform a number of online scans with different AV sites. I know there is one that uses 6 different AV's definitions to scan your PC. Can't remember the link though. Will also get Moosoft's "The Cleaner" and perform an updated scan on my system.

    I have never really had this problem with Kazaa lite before. Not until now. I mean "Winzip crack" by an app that was supposed to be a keygen (product key number generator). It was in a Winzip zip file so I figured it wouldn't be a virus. I scanned the app before I opened it and it was clean. But when I actually opened the application, nothing happened. Sounds like typical trojan behavior to me. So like I said will perform multiple virus scans and will post up what I come up with.

    Will also install "Hijackthis" but what exactly is this program?

    Thanks again in advance!!


    Peace.

  8. #18
    Junior Member
    Join Date
    Mar 2005
    Posts
    9

    sorry for double post

    sorry for the double post but I didn't know that I wouldn't have to install HiJackThis. I performed a scan with it, and also saved the log file. Here the entire log file, since it will not allow me to attach a .log file to this post:

    Logfile of HijackThis v1.98.2
    Scan saved at 4:59:37 PM, on 3/24/05
    Platform: Windows 98 SE (Win9x 4.10.2222A)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\SYSTEM\KERNEL32.DLL
    C:\WINDOWS\SYSTEM\MSGSRV32.EXE
    C:\WINDOWS\SYSTEM\MPREXE.EXE
    C:\WINDOWS\SYSTEM\MSTASK.EXE
    C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    C:\WINDOWS\SYSTEM\mmtask.tsk
    C:\PROGRAM FILES\ESET\NOD32KRN.EXE
    C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    C:\WINDOWS\SYSTEM\HIDSERV.EXE
    C:\WINDOWS\EXPLORER.EXE
    C:\WINDOWS\TASKMON.EXE
    C:\WINDOWS\SYSTEM\SYSTRAY.EXE
    C:\PROGRAM FILES\ANALOG DEVICES\SOUNDMAX\SMTRAY.EXE
    C:\PROGRAM FILES\NETASSISTANT\SMARTBRIDGE\MOTIVESB.EXE
    C:\PROGRAM FILES\ESET\NOD32KUI.EXE
    C:\WINDOWS\LOADQM.EXE
    C:\PROGRAM FILES\IRIVER\IRIVER MANAGER\UPDATER\UPDATER.EXE
    C:\WINDOWS\SYSTEM\PRINTRAY.EXE
    C:\PROGRAM FILES\FINEPIXVIEWER\QUICKDCF.EXE
    C:\WINDOWS\SYSTEM\LEXBCES.EXE
    C:\WINDOWS\SYSTEM\SPOOL32.EXE
    C:\WINDOWS\SYSTEM\WMIEXE.EXE
    C:\WINDOWS\SYSTEM\RPCSS.EXE
    C:\WINDOWS\SYSTEM\DDHELP.EXE
    C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
    C:\WINDOWS\DESKTOP\HIJACKTHIS.EXE

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freewebtown.com/freesec/thankyou.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: {92E1B3F7-0546-421E-9835-904D25B7BA66} - {C4F147D7-BF25-488E-A12B-EFD43E7029BF} - C:\WINDOWS\SYSTEM\winvbie.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\SYSTEM\MSDXM.OCX
    O3 - Toolbar: VisuExplorer - {92E1B3F7-0546-421E-9835-904D25B7BA66} - C:\WINDOWS\SYSTEM\msiev32.dll
    O4 - HKLM\..\Run: [ScanRegistry] C:\WINDOWS\scanregw.exe /autorun
    O4 - HKLM\..\Run: [TaskMonitor] C:\WINDOWS\taskmon.exe
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\Smtray.exe
    O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\NETASS~1\SMARTB~1\MotiveSB.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [iRiver Updater] C:\Program Files\iRiver\iRiver Manager\Updater\Updater.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [mdac_runonce] C:\WINDOWS\SYSTEM\runonce.exe
    O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\SYGATE\SPF\SMC.EXE -startgui
    O4 - HKLM\..\Run: [CriticalUpdate] C:\WINDOWS\SYSTEM\wucrtupd.exe -startup
    O4 - HKLM\..\Run: [LexStart] Lexstart.exe
    O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
    O4 - HKLM\..\RunServices: [LoadPowerProfile] Rundll32.exe powrprof.dll,LoadCurrentPwrScheme
    O4 - HKLM\..\RunServices: [SchedulingAgent] mstask.exe
    O4 - HKLM\..\RunServices: [KB891711] C:\WINDOWS\SYSTEM\KB891711\KB891711.EXE
    O4 - HKLM\..\RunServices: [NOD32kernel] "C:\Program Files\Eset\nod32krn.exe"
    O4 - HKLM\..\RunServices: [Hidserv] Hidserv.exe run
    O4 - HKLM\..\RunServices: [SmcService] C:\PROGRAM FILES\SYGATE\SPF\SMC.EXE
    O4 - HKCU\..\Run: [msnmsgr] "C:\PROGRAM FILES\MSN MESSENGER\MSNMSGR.EXE" /background
    O4 - Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
    O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {556DDE35-E955-11D0-A707-000000521957} - http://www.xblock.com/download/xclean_micro.exe
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    Your help with this is greatly appreciated!!! Will do the Cleaner scan and antivirus programs scans now and will edit this post if they find anything.


    Peace.

  9. #19
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    To clear up a couple of little misconceptions here....

    Ryan: That "router" you got given by the ISP..... It isn't a router... It's a Cable/DSL modem... It does _nothing_ for your security... It could, very easily, but your ISP would then charge you $100/month for internet access when all you need is to D/L Sygate or whatever.... Or update to SP2 if you are on XP.

    Whoever: It's practically impossible to DoS any user nowadays by using a "pipe-filling" DoS. Yeah, they can deny service to a box by crashing the box through a DoS vulnerability in the service that either kills the service or the OS but a "pipe-filling" DoS is reserved for lamers using a cable/dsl connection to attack a dial-up client.... Now a DDoS is a whole different issue and can be accomplished against really big "pipes" if you have enough "drones" on big "pipes" themselves.

    Ryan again: You downloaded cracked warez....

    /stop....

    This doesn't feel right any more.... As I go back and read what has been said by ryan.... He's not coming across as "right".... He has all the terminology "down"... Which implies a deeper knowledge than he ends up with by d/ling cracked warez and then being screwed up by it...

    I just had my "troll alert" flag go up really high.....

    As such I am withdrawing from the conversation.....

    Have fun Y'all....

    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  10. #20
    Junior Member
    Join Date
    Mar 2005
    Posts
    9
    Just spent about 20 minutes writing out a long post that when I clicked "Submit Reply" on, told me that I had included too many images in my last post. Yet it only had 2 smilies. Clicked "Back" button on my browser an took me to empty "Reply To Topic" page .

    Anyways, it ran along the lines of, is this what this forum is meant for? Am I misunderstood on this forum's purpose?

    Wrote a LONG description about my experience and work with computers, and also my personal experiences with trojans. It's 1:42 AM here, and I am going to go to bed now. BTW, ran The Cleaner and antivirus scans in safe mode, and nothing was found. Am too tired now, but will edit this thread tomorrow trying to re-write my last reply attempt's less important details. Also mentioned about those who are telling me not to download cracks - The crack I download was for WinZIP. This isn't an expensive/big program here (probably $29 online, and a product which I don't even know if trial version has an expiry for personal use ). Besides, WinZIP was needed to open and extract "HiJackThis" file and is needed to open and extract ALOT of FREE programs today.


    Peace.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides