expert needed - hack attempts on me
Hi
I hope somebody can help me with this. I've a firewall installed on my PC (Norton Personal Firewall), and usually when I leave the computer on through the night, in the morning I would get a Security Alert telling me that the firewall had blocked a Trojan.
I've sent a screenshot of the firewall log.
I've scanned the computer with 2 of the most recently updated popular virus scanners already, but I'm still getting this about a few times a week. I suspect some sort of calling card is on my computer, but like I said the virus scans don't find anything.
What do you recommend I do to stop this? Or do I have to live with this?
Thank you very much.
__________________
I'm just a dreamer..
Have you looked into spyware?
What are you running anyway, dial-up, cable, DSL?
Do you have a fixed IP address?
And no, you don't have to live with it, you just have to figure out what's up. If there is a program on your computer there are several "spyware spotters" out there. Most that I've seen are free too.
Try asking over at cybertech.com, I've seen some very tough problems solved over there. They have specific forums for each Windows OS and very knowledgeable moderators.
Good luck. Wish I could be more helpful.
Michael
__________________
"I am a debtor both to Greeks and to Barbarians, both to the wise and to the foolish."
Thanks BobbyMike, I really appreciate it, I'm using ADSL, and I don't think my IP is fixed. I'll check out cybertech.
I forgot to mention that I did a spyware search as well, nothing.
To be more detailed, occasionally I got an alert from the firewall telling me a program is trying to access the internet. The list of such software includes very random apps, among them:
rnapp.exe (dial up connection, but as I'm using DSL, this isn't even qualified!)
explorer.exe
netscape.exe (when I'm not using it, not even in the memory)
mplayer2.exe (media player)
nmain.exe (norton file. I won't allow it at all)
Now, why would rnapp.exe or explorer.exe want to access the internet?? I'm doing fine with them NOT accessing the internet. And the scary part is, Netscape also wants a bit of action even if I don't have it open.
I may have to rebuild my system, but at the moment I just can't afford the downtime. I would have to rely on the firewall at the moment.
------------------
quote:
Originally posted by BobbyMike
Have you looked into spyware?
What are you running anyway, dial-up, cable, DSL?
Do you have a fixed IP address?
And no, you don't have to live with it, you just have to figure out what's up. If there is a program on your computer there are several "spyware spotters" out there. Most that I've seen are free too.
Try asking over at cybertech.com, I've seen some very tough problems solved over there. They have specific forums for each Windows OS and very knowledgeable moderators.
Good luck. Wish I could be more helpful.
Michael
__________________
I'm just a dreamer..
even if your ISP is not using fixed IP's, for one connection "session" your IP will be "fixed." It's better to disconnect from the 'net when not actually using it, even if you have a high-speed connection and a flat monthly fee. Typically your IP will be different the next time you connect.
__________________
The light at the end of your tunnel has been disconnected due to non-payment. Please remit funds immediately for restoration of hope.
quote:
Originally posted by Yorick
even if your ISP is not using fixed IP's, for one connection "session" your IP will be "fixed." It's better to disconnect from the 'net when not actually using it, even if you have a high-speed connection and a flat monthly fee. Typically your IP will be different the next time you connect.
__________________
I'm just a dreamer..
What I've found is that often you will get port scans by someone looking for a trojan horse installed on your computer. For instance if you write a TH called "Fred" that listens to port 7, you will broadcast from your computer to port 7 at random IPs to see if Fred responds. Then you can do your dirty work. However, a firewall will block this and log it as a problem even though there is nothing malicious on your computer, and that even if the signal had gotten through, nothing would have happened because Fred isn't there. At least that's my interpretation. 
__________________
KurtRamsauer.com (http://www.kurtramsauer.com)
You've got me.... I'll suggest going to that site again. There are a couple of programs that will blab about all programs running on your machine. With the list in hand of said programs, some of the very knowledgeable people can help you. The people who volunteer aren't amateurs like me, they're techs that volunteer on their off time. Smart gals and guys.
__________________
"I am a debtor both to Greeks and to Barbarians, both to the wise and to the foolish."
I run Norton Personal Firewall as well. The report indicates that someone was probing one of your ports (whichever one that particular Trojan uses) to see if the Trojan was present. It does not mean that the Trojan is present, someone is simply looking to see if it is. If the Trojan were present and you were not running a Firewall, then they could do dastardly deeds to your computer. Basically, you are fine and need to do nothing else. If the probes continually come from the same IP address, Norton's does allow you to block that computer permanently. Looking in the instructions.
I agree that if you are not using the computer you shouldn't leave it connected to the net, even if you are paying a flat monthly fee and have a firewall. It is sort of like this. If you had a very rare sports car with an alarm system wouldn't it be safer to park it in the garage with the door closed at night than on the street? After all, someone still might steal the car or damage it despite the alarm.
A good site with info on firewalls and security is here. Go to the ShieldsUp!! section.
__________________
Donate Blood!!!
Visit here to see how: America's Blood Centers
Thank you
First of all I'd like to thank Pathdoc, BobbyMike, KRamsauer and Yorick for helping me out.
quote:
Originally posted by Pathdoc
I run Norton Personal Firewall as well. The report indicates that someone was probing one of your ports (whichever one that particular Trojan uses) to see if the Trojan was present. It does not mean that the Trojan is present, someone is simply looking to see if it is. If the Trojan were present and you were not running a Firewall, then they could do dastardly deeds to your computer. Basically, you are fine and need to do nothing else. If the probes continually come from the same IP address, Norton's does allow you to block that computer permanently. Looking in the instructions.
quote:
Originally posted by KRamsauer
What I've found is that often you will get port scans by someone looking for a trojan horse installed on your computer. For instance if you write a TH called "Fred" that listens to port 7, you will broadcast from your computer to port 7 at random IPs to see if Fred responds. Then you can do your dirty work. However, a firewall will block this and log it as a problem even though there is nothing malicious on your computer, and that even if the signal had gotten through, nothing would have happened because Fred isn't there. At least that's my interpretation.
__________________
I'm just a dreamer..
LEAK
Well, just tested the Norton Firewall on the LeakTest in the GRC site. ( http://www.grc.com./lt/leaktest.htm )
IT LEAKS! And it does so almost immediately.
__________________
I'm just a dreamer..
The best firewall is still ZoneAlarm. 
With regards to your original LOG... notice that what happened was a packet was blocked on an incoming TCP connection, also notice that the attempt was blocked.
So 1 of 2 things here. Either some little script kiddie was scanning a block of computers for a vulnerability (which you DON'T have - obviously the firewall blocked the attempt). Or someone else's computer, unbeknownst to them, has been infected and is automatically looking for others to infect.
However, as people have already said - your firewall did what it was supposed to do.
If it makes you feel any better, my webserver usually gets maliciously constructed packets on the order of a few an hour... sometimes a few a minute. However, since I'm not running IIS (a microsoft webserver) they are all simply entries in a log capturing all errors. Basically the same thing as you've got.
<shameless linux plug> heh... With regards to firewall... got to disagree... ipchains/iptables work JUST fine.. </end shameless linux plug>
quote:
Originally posted by dannoz
If it makes you feel any better, my webserver usually gets maliciously constructed packets on the order of a few an hour... sometimes a few a minute. However, since I'm not running IIS (a microsoft webserver) they are all simply entries in a log capturing all errors. Basically the same thing as you've got.
quote:
<shameless linux plug> heh... With regards to firewall... got to disagree... ipchains/iptables work JUST fine.. </end shameless linux plug>
__________________
I'm just a dreamer..
quote:
Originally posted by Digisane
The list also includes Eudora trying to access the internet even if I don't have it open..
__________________
The light at the end of your tunnel has been disconnected due to non-payment. Please remit funds immediately for restoration of hope.
quote:
Originally posted by cywong
The best firewall is still ZoneAlarm.
__________________
It's gotta be weather balloons. It's always weather balloons. Big, fiery, exploding weather balloons.
-- ComaVN (from Slashdot)
Based on your attached log, the probe in question is inbound, and it is blocked - so what is the problem?
It appears that you are just being scanned for that particular trojan, which is not present on your system.
I leave my PC's up most of the time, and I see hundreds, if not thousands of scans, it is just a fact of life on the Internet...
Keep your anti-virus def's up to date, and run tests on your firewall, and that is about all you can do.
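The distinction the replies above keep drawing (blocked inbound probes versus everything else in the log), as an added example that is not part of the original thread: a small triage script over a firewall log. The log layout, addresses, and port are constructed for illustration and are not Norton Personal Firewall's real format; `triage` and `repeat_threshold` are hypothetical names.

```python
import re
from collections import Counter

# Constructed sample in a made-up layout (NOT Norton's real log format):
# <date> <time> <action> <direction> TCP <src>:<port> -> <dst>:<port> [program]
SAMPLE_LOG = """\
2002-05-14 03:12:45 BLOCKED IN TCP 203.0.113.7:4021 -> 192.0.2.10:7
2002-05-14 03:12:46 BLOCKED IN TCP 203.0.113.7:4022 -> 192.0.2.10:7
2002-05-14 04:40:02 BLOCKED IN TCP 198.51.100.23:1533 -> 192.0.2.10:7
2002-05-15 02:05:19 BLOCKED IN TCP 203.0.113.7:4100 -> 192.0.2.10:7
2002-05-15 09:30:00 BLOCKED OUT TCP 192.0.2.10:1044 -> 198.51.100.80:80 explorer.exe
2002-05-15 09:31:10 ALLOWED OUT TCP 192.0.2.10:1045 -> 198.51.100.80:80 netscape.exe
this line is malformed and is skipped
"""

LINE = re.compile(
    r"^\S+ \S+ (BLOCKED|ALLOWED) (IN|OUT) TCP "
    r"(\d+\.\d+\.\d+\.\d+):\d+ -> (\d+\.\d+\.\d+\.\d+):(\d+)(?: (\S+))?$"
)

def triage(log_text, repeat_threshold=3):
    """Split firewall events into probes, accepted inbound, and outbound."""
    probes = Counter()             # blocked inbound attempts per remote IP
    probed_ports = Counter()       # which local ports were being probed
    allowed_inbound = []           # inbound that got through: review these first
    outbound_programs = Counter()  # local programs that tried to connect out
    skipped = 0
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            skipped += 1           # unknown layout: count it, never guess
            continue
        action, direction, src, _dst, dport, program = m.groups()
        if direction == "IN" and action == "BLOCKED":
            probes[src] += 1
            probed_ports[int(dport)] += 1
        elif direction == "IN":
            allowed_inbound.append((src, int(dport)))
        else:
            outbound_programs[program or "unknown"] += 1
    # Sources that keep coming back are candidates for a permanent block rule.
    repeat = sorted(ip for ip, n in probes.items() if n >= repeat_threshold)
    return {"probes": dict(probes), "probed_ports": dict(probed_ports),
            "repeat_sources": repeat, "allowed_inbound": allowed_inbound,
            "outbound_programs": dict(outbound_programs), "skipped": skipped}

if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

An empty `allowed_inbound` list together with non-empty `probes` is the "scanned but blocked" situation described in the replies; `outbound_programs` is the separate list to review program by program.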
quote:
Originally posted by larryk
Based on your attached log, the probe in question is inbound, and it is blocked - so what is the problem?
It appears that you are just being scanned for that particular trojan, which is not present on your system.
I leave my PC's up most of the time, and I see hundreds, if not thousands of scans, it is just a fact of life on the Internet...
Keep your anti-virus def's up to date, and run tests on your firewall, and that is about all you can do.
__________________
I'm just a dreamer..
quote:
Originally posted by Digisane
I'm sorry for sounding so paranoid but I'm somewhat new to firewall systems. Esp when things don't go as expected (didn't ask what to do with cookies when it should, and Solitaire trying to access the internet)
A bit of big picture advice: back up your data and don't worry too much. Take prudent measures (which you've done) but don't let it bug you.
__________________
KurtRamsauer.com (http://www.kurtramsauer.com)