-
Port probes
Hi again,
I've just been looking at the logs for my firewall and they seem weird, and I'm asking for your opinion on this.
Today I've had about 53 TCP port probes, 3 HTTP, 8 NetBIOS probes, also SOCKS, MSRPC, Proxy, UDP. I don't even know what most of these are, but do you get this type of activity too? One thing I read in a thread the other day was what ports to block from Trojans, but I forgot and went on the net to look for which ones to add into my firewall settings, and obviously there are loads of them, but I'm wondering: do you add rules for each port that needs to be blocked? And finally, if so, I don't know how to add a range of ports for one rule; would I just add it like this: 135,136,137,138,139?
I'm guessing that's right, but just to be safe I thought I'd ask.
-
Rather than block given ports, because trojans can be reconfigured to use any port, just block all inbound connections. It doesn't help with connection shovelling ("calling home"), but it stops all the "listeners".
-
Will blocking all inbound cause problems with using the net or Outlook Express, and if not, where do I do this, in advanced settings for my firewall?
Oh, just one more thing: is there any place I can make my NetBIOS more secure, in Windows options or in the registry? Ha, I hate having to ask all these questions without being able to help anyone as well; I'll have to remember to come back and help future newbies out when I get some of this sussed. :p
-
-
Sorry, it's BlackICE, but I'm not sure whether I should go back to Sygate or not. This one has IDS with it and I don't think Sygate does, but I don't know if that makes any difference.
-
Shoot.... never played with that one, but with its reputation I have to believe that it comes with the default of no inbound connections.....
Any BlackIce geeks help us out here?
-
I have the same thing happening. Can you please tell me when you find out what it is?
-
Well I know for a fact that at least one person here uses BlackICE because they said it in a thread the other day. No worries, the net has all the information; it's just a matter of typing in the correct thing. :D
Oh, actually this place will have it I guess; I'll use the trusty search function.
-
Sygate has a good IDS. I add "135-139" instead of 135,136,137,138,139 to the rule.
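To make the two points above concrete (blocking individual trojan ports versus dropping all unsolicited inbound connections, and writing a range as "135-139" rather than listing each port), here is an added example written for this thread, not code from BlackICE, Sygate or any other product mentioned. It is a small constructed simulation of rule evaluation: `expand_ports` turns a spec like "135-139,445" into a set of ports, and the two policies are compared on a handful of made-up connection attempts.

```python
"""Added example (not from the thread): per-port blocklist vs. default-deny
inbound, plus expansion of a port-range spec such as "135-139".

This is a constructed simulation of firewall rule evaluation; it does not
talk to any real firewall."""


def expand_ports(spec):
    """Expand "135-139,445" into {135, 136, 137, 138, 139, 445}."""
    ports = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            if lo > hi:
                lo, hi = hi, lo
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(part))
    for p in ports:
        if not 0 <= p <= 65535:
            raise ValueError(f"port out of range: {p}")
    return ports


def blocklist_policy(blocked_spec):
    """Policy A: accept everything except inbound connections to listed ports.
    A trojan listening on a port that is not in the list gets through."""
    blocked = expand_ports(blocked_spec)

    def decide(conn):
        if conn["direction"] == "inbound" and conn["port"] in blocked:
            return "DROP"
        return "ACCEPT"

    return decide


def default_deny_policy():
    """Policy B: drop every unsolicited inbound connection; keep outbound
    traffic and the replies to connections this host started (so the web
    and mail still work). Note it still accepts the outbound "calling home"
    connection, which is exactly the caveat raised in the thread."""

    def decide(conn):
        if conn["direction"] == "inbound" and not conn["established"]:
            return "DROP"
        return "ACCEPT"

    return decide


# Constructed traffic: direction of the new connection, destination port,
# and whether it belongs to a session this host initiated.
SAMPLE_TRAFFIC = [
    {"direction": "inbound", "port": 139, "established": False,
     "note": "NetBIOS probe"},
    {"direction": "inbound", "port": 31337, "established": False,
     "note": "trojan on unlisted port"},
    {"direction": "inbound", "port": 80, "established": True,
     "note": "reply to our web request"},
    {"direction": "outbound", "port": 110, "established": False,
     "note": "Outlook Express POP3 fetch"},
    {"direction": "outbound", "port": 6667, "established": False,
     "note": "trojan calling home"},
]


def evaluate(policy, traffic=SAMPLE_TRAFFIC):
    """Return {note: verdict} for each sample connection under a policy."""
    return {c["note"]: policy(c) for c in traffic}


if __name__ == "__main__":
    print("blocklist 135-139:", evaluate(blocklist_policy("135-139")))
    print("default deny inbound:", evaluate(default_deny_policy()))
```

Running it shows the blocklist catching the NetBIOS probe but letting the listener on 31337 through, while the default-deny policy drops both unsolicited inbound attempts and still lets the web reply and the POP3 fetch pass; neither policy stops the outbound "calling home" connection, which is why the reply above says it only stops the listeners.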
-
Hi,
I have the BlackICE free version and have disabled it; I don't rate it very highly, and neither do any reviews that I have seen.
Zone Alarm is the easiest to use, just set everything to "High". I know that a lot of people on this forum don't like it, probably because they cannot fiddle with settings?
Agnitum and Tiny also do free versions, and are a bit more sophisticated, I have not tried any others in a domestic environment. Remember there is one hell of a difference between the firewall requirements of a commercial server environment and a home computer running WinME, with sporadic dial-up connection to the net.
Go to: http://www.grc.com and run "shields up" to see what ports are open to the net. Ideally there should be none visible to incoming traffic, your machine should be in "stealth mode".
As for AV, I would not install Norton if you gave it to me free. The business product is OK but the home one has been a cause of a lot of problems for me. And you have to buy it!
AVG is a solid product, and I have never known it to cause problems, but it is poor at detecting trojans. So is Norton for that matter.
Take a look at February's "Computer Shopper" for a review.
I would suggest eTrust EZ Antivirus Protection from Computer Associates International. I recently tested it against AVG and threw a handful of trojans at them... eTrust found the same as Moosoft... 100%... AVG only found 33% :(
Whatever you use, remember that you must set:
1. Heuristics scanning on (or it almost certainly won't find Trojans)
2. Scan all files.
3. Scan compressed files.
Good luck
-
ZA can be a bit of a pain in the arse, e.g. playing WC3 and it pops up in the background (so you can't click on it), preventing the socket so WC3 hangs :/
-
ButterflyEffect,
I take your point, but I don't think Eon will be playing that with the setup that he has at the moment. I have discussed one or two other issues with him, so I have some recollection.
I would have thought that for decent online gaming you would want ADSL/cable/satellite... at least a PIII/733MHz and at least 256Mb of RAM (he is using WinME... XP with 512Mb would be better?)
56.6 dial-up is not that hot over here in the UK; actual d/l speeds are around 6kbps :(
I am not an online gamer, so your comments would be appreciated... I know that it is a bit "off topic" but I suspect that Eon would also be interested for future reference, as it involves the interaction with firewalls and AV?
What AV/Firewall combo do you gamers prefer? Do you use the same one all the time, or just switch for gaming?
Cheers
-
Yeah, don't worry about going off topic, I'm fine with it. I just did it in the zombie thread so I'm good.
How do I get broadband then, and how much will that cost?
OK, seeing as we're going off topic I'll ask these as well, and then I should be fine to gather all of the stuff I've collected so far and spend the rest of this year reading it all. (I've even started collecting links to threads on this site and am saving them in WordPad.)
1. Proxy: is this better for me or not?
2. I've read quite a bit about having a changing instead of a static IP address. How do I do this, and would this make my PC more secure? Oh, I've just been told that it's already changing by my stepdad. Is this right?
3. Last one: I've been looking at JavaScript for a while now because it seems to be added into webpages on the net a lot when I view the source code for pages. Can anyone tell me, in what is hopefully the last question for a good while, why it's included so much in websites and how it could benefit me in making my own site in my hosting account? (I've been looking at it and loads of the things that I can put in pages are already in HTML.)
..........phew.
Seriously, I think I'm gonna have to spend a long time reading very shortly. I've just got my Dev C++ to compile the hello world program, so I'm trying to learn C++ as well, along with HTML table layouts for webpages and JavaScript. (I want to get into web design at the moment and am shortly starting a Design IT course.)
-
Hi Eon,
PM me with your UK location (general, like county/nearest big town... not specific... be safe!) and I will advise you on your broadband options... out in sticksville, East Yorkshire Coast, I have the option of BT, BT or BT... but I think that ntl will be a player at the end of April... we have no cable as yet, and satellite is expensive to set up independently... it has got as far as Driffield on a shared services basis.
You are looking at around £30 per month for 24 hours availability... you might be able to get a deal that ties it in with cable TV/satellite TV/telephone, so you actually save money... that sort of deal has actually saved me over £400 per year because of the discounted telephone element. Like I pay a fixed amount, but there are no phone bills except for exotic foreign stuff?
I am talking 256ul/512dl ADSL here, by the way.
Sorry to sound boring, but you need to look at your family requirements... they (Telcos) won't help you save paying them money ;) You can actually end up with a better service for less money!!!
1. Proxy... not sure why you would want it?
2. Your stepdad is correct; dial-up and most UK ADSL are dynamic IP addresses within an address block assigned to your ISP.
3. If you are using Java with WinME you must get the latest security updates from Microsoft, or go to the Sun replacement... otherwise you are vulnerable to the byteverifyer (bitveryfier?) trojan exploits. Hint: it may not work if you have updated other things in the meantime, so run the update again after re-booting, and see if it is still there?
Cheers
-
Eon, would it be possible to post some of your logs? I'm trying to find out where those probes are dialing and where they're coming from. There's been quite an increase in the number of members who believe they've been hacked or that their computer is sending packets outbound. There's a hot issue right now about zombies attacking the merijn site and DDoSing it constantly. Any help would be greatly appreciated.
nihil, join AOs counter-strike clan :)...you'll have some fun
Here's some update on the issue:
February 24, 2004:
The DDoS attack is continuing. If you can read this, there's a small gap in the attack or it's over. Either way, until the attack is over, the update function in CWShredder or HijackThis will not work.
By the way, we often point the DDoS'ed domains to 127.0.0.1, which makes the bots attack themselves. You can still reach us by adding 216.40.225.12 www.merijn.org and 209.133.47.19 www.spywareinfo.com in your hosts file. If you don't know what that means, ignore this block of text. :)
-
Sup Ice. How's your clan doing? Oh yeah, on topic, the logs would help more-ish. Nihil knows tons so he can help you immensely. BTW, don't you UK-landers have cable or DSL?
-Cheers-
-
Well, we lost another match last night, but we seem to be getting better :).
-
Nihil, I live in Hull but I share this computer with my brother and he's already paying out quite a bit..... haha, he's just said it's an extra 10 pound a month (I have a screwed keyboard that gives # instead of a pound sign) so I think we'll be getting it.
Cybr1d, I'll post my logs on here shortly. Is it OK to just post all of the IP addresses on here with the info next to them? Dunno why I'm even asking that; I'll start writing them down and post back.
-
These are just a few from my firewall logs; if you want more I'll add more crazy-looking ones that appear later:
MSRPC TCP port probe 213.249.223.83
TCP port probe user-0cdv739.cable.mindspring.com
HTTP port probe DFU-SERV
TCP port probe pn125.internetdsl.tpnet.pl
MSRPC TCP port probe adsl-213-249-248-144.karoo.KCOM.COM (think this is my PC)
TCP port probe TEMPWEB
TCP port probe 202.134.188.21 (count of 90)
TCP port probe adsl-65-70-78-119.dsl.tulsok.swbell.net
TCP port probe c118107.upc-c.chello.nl
UDP port probe ppp-80-47-205-35.lns.access.uk.tiscali.com
HTTP port probe 61-221-109-155.HINET-IP.hinet.net
SOCKS port probe pool-138-89-110-2.mad.east.verizon.net
Suspicious URL Event 64.235.246.120
NetBIOS port probe FUZZY8
NetBIOS port probe PROMETRIC
TCP port probe 3e70dbea.adsl.enternet.hu (count of 86)
If you want me to give you the actual logs, I'm having a problem finding and opening them; I'll have to get back to you. This was set out better in WordPad but it didn't translate to the post.
-
Thank you very much:
pool-138-89-110-2.mad.east.verizon.net
Its server seems to be in New York, and if I'm correct, the client should be close by. Is this connection dialing out? If this happens to be one of the zombies, I don't think I'd be able to go all the way to New York with my current $$ :). I live in Boston.
As for "TCP port probe 3e70dbea.adsl.enternet.hu (count of 86)", do you actually mean this shows 86 times?
Now, I would recommend you go to http://www.glocksoft.com and download the trial version of Advanced Administrative Tools. There's a feature in this tool to monitor your network and see what's going on. Perhaps it could help us out even more if you show us some logs from it.
If your computer is a zombie, it will show what program is dialing out and to what IP. We would be able to get a specimen of the zombie that way and work from there.
Thank you so much for your help; I really appreciate it.
-
That's OK, glad I could be of help.
When I said "count of" I mean that in my BlackICE firewall the logs are listed in sections: Time, Event, Intruder and Count, so I guess that means that I was probed that number of times? It doesn't show 86 times in the log though.
I'll download from the link you gave me anyway and get back to you when I have some logs.
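Since the question of what the Count column means and which of those probe lines are worth chasing has come up twice now (the posted log excerpt and the explanation of the Time / Event / Intruder / Count layout), here is an added example of how one would summarise such a log. It is not BlackICE's own export format or tooling: the tab-separated layout and the sample lines are constructed for this example (hostnames borrowed from the excerpt above or made up), and the "own network" check uses the poster's ISP domain as an assumed example.

```python
"""Added example, not from the thread or from BlackICE: summarising a probe log
laid out as Time / Event / Intruder / Count (the four columns the poster
describes). The tab-separated layout and the sample lines are constructed
assumptions, not a real export."""
import re
from collections import Counter

# Constructed sample log. The last line is deliberately malformed (no Count)
# so the parser's handling of a truncated export is exercised.
SAMPLE_LOG = """\
2004-02-24 10:01:12\tMSRPC TCP port probe\t213.249.223.83\t1
2004-02-24 10:03:40\tTCP port probe\t202.134.188.21\t90
2004-02-24 10:05:02\tNetBIOS port probe\tFUZZY8\t1
2004-02-24 10:07:55\tTCP port probe\t3e70dbea.adsl.enternet.hu\t86
2004-02-24 10:09:31\tUDP port probe\tppp-80-47-205-35.lns.access.uk.tiscali.com\t1
2004-02-24 10:11:03\tMSRPC TCP port probe\tadsl-213-249-248-144.karoo.KCOM.COM\t2
2004-02-24 10:12:47\tHTTP port probe\t61-221-109-155.HINET-IP.hinet.net\t1
2004-02-24 10:14:20\tTCP port probe\tbad line without count
"""

# One record per line: four tab-separated fields, the last a whole number.
LINE_RE = re.compile(
    r"^(?P<time>[^\t]+)\t(?P<event>[^\t]+)\t(?P<intruder>[^\t]+)\t(?P<count>\d+)\s*$"
)


def parse_log(text):
    """Return (records, rejected). Each record is a dict of the four columns
    with Count as an int. Lines that don't fit the layout are returned in
    `rejected` rather than silently dropped, so a damaged export is noticed."""
    records, rejected = [], []
    for raw in text.splitlines():
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            rejected.append(line)
            continue
        rec = m.groupdict()
        rec["count"] = int(rec["count"])
        records.append(rec)
    return records, rejected


def totals_by_event(records):
    """Sum the Count column per event type, e.g. 'TCP port probe' -> 176."""
    totals = Counter()
    for r in records:
        totals[r["event"]] += r["count"]
    return dict(totals)


def noisy_intruders(records, threshold=50):
    """Sources whose summed Count reaches the threshold, loudest first.
    A source that hits you 86 or 90 times is the one worth looking up,
    not the dozens of one-off probes."""
    per_source = Counter()
    for r in records:
        per_source[r["intruder"]] += r["count"]
    return [(name, n) for name, n in per_source.most_common() if n >= threshold]


def from_own_network(records, domain_suffix):
    """Intruder names ending in your own ISP's domain (case-insensitive).
    These are usually neighbours on the same provider, or, as the poster
    suspected for the karoo.KCOM.COM entry, your own machine, rather than
    a distant attacker."""
    suffix = domain_suffix.lower()
    return sorted(
        {r["intruder"] for r in records if r["intruder"].lower().endswith(suffix)}
    )


if __name__ == "__main__":
    recs, bad = parse_log(SAMPLE_LOG)
    print("per event:", totals_by_event(recs))
    print("noisy sources:", noisy_intruders(recs))
    print("own ISP:", from_own_network(recs, "karoo.kcom.com"))
    print("rejected lines:", bad)
```

The Count column is treated as a repeat counter for the same event/source pair, which matches the poster's reading of it (probed that many times, shown once); summing it per source is what turns a long list of single probes into the two entries that actually merit a WHOIS lookup or an abuse report.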
-
Hi Eon,
Thanks for helping Cybr1d... I think that he has "the smell of blood" so we can rely on him to take it to the wire, so to speak. Damn right too!!!
Hull? "From Hull, Hell and Halifax, may the Lord preserve us" An old English saying, reflecting the fact that in the times when you were hanged for stealing to the value of £0.06 or above, it was £0.03 in Hull and Halifax.............otherwise you got free Australian nationality..............and have they ever repaid us by buying beer? :D
Hmmm... you are actually within 235mm artillery range of my front garden... now where did I put those mushroom cloud shells?... just joking... they never trusted me with anything bigger than 155mm :)
You deal with KTC (Kingston Telecommunications Company) who are a law unto themselves. Hull has always had a privately owned telco, even when the rest of the UK was a government monopoly! I was born and raised in York............. York Waterworks Ltd was a private company as well.
You should be able to get Cable as well in Hull? I suggest that you PM me so that we can talk through your best cost options without boring our international friends to tears? After all, and as I have already explained, there are far fewer people from Hull in Australia :cool:
Cheers