Registered: Jun 2002
Location: By the toilet.
Posts: 174

expert needed - hack attempts on me

Hi

I hope somebody can help me with this. I've firewall installed on my PC, (Norton Personal Firewall) and usually when I leave the computer on through the night, in the morning I would get a Security Alert telling me that firewall had blocked a Trojan.

I've sent a screenshot of the firewall log.

I've scanned the computer with 2 of the most recently updated popular virus scanners already, but I'm still getting this about few times a week. I suspect some sort of calling card is on my computer, but like i said the Viruscans don't find anything.

What do you recommend I do to stop this? Or do I have to live with this?

Thanks you very much.

Attachment: trojan1.gif
This has been downloaded 207 time(s).

__________________
I'm just a dreamer..

Registered: Dec 1999
Location: "Children are a gift from God, they are a reward"
Posts: 1049

Have you looked into spyware?

What are you running anyway, dial-up, cable, DSL?

Do you have a fixed IP address?

And no you don't have to live with it, you just have to figure out whats up. If there is a program on your computer there are several "spyware spotters" out there. Most that I've seen are free too.

Try asking over at cybertech.com, I've seen some very tough problems solved over there. They have specific forums for each windows OS and very knowledgable moderators.

Good luck. Wish I could be more helpful.

Michael

__________________
"I am a debtor both to Greeks and to Barbarians, both to the wise and to the foolish."

Registered: Jun 2002
Location: By the toilet.
Posts: 174

Thanks BobbyMike, I really appreciate it, I'm using ADSL, and I don't think my IP is fixed. I'll check out cybertech.

I forgot to mention that I did a spyware search as well, nothing.

To be more detailed, occasionally I got an alert from firewall telling me a program is trying to access the internet. The list of such software include very random apps, among them:

rnapp.exe (dial up connection, but as I'm using DSL, this isn't even qualified!)
explorer.exe
netscape.exe (when I'm not using it, not even in the memory)
mplayer2.exe (media player)
nmain.exe (norton file. I won't allow it at all)

now, why would rnapp.exe or explorer.exe want to access the internet?? I'm doing fine with them NOT accessing the internet. And the scary part is, Netscape also wants a bit of action even if I don't have it open.

I may have to rebuild my system, but at the moment I just can't afford the downtime. I would have to rely on firewall at the moment.

------------------

quote:

---

Originally posted by BobbyMike
Have you looked into spyware?
What are you running anyway, dial-up, cable, DSL?
Do you have a fixed IP address?
And no you don't have to live with it, you just have to figure out whats up. If there is a program on your computer there are several "spyware spotters" out there. Most that I've seen are free too.
Try asking over at cybertech.com, I've seen some very tough problems solved over there. They have specific forums for each windows OS and very knowledgable moderators.
Good luck. Wish I could be more helpful.
Michael

---

__________________
I'm just a dreamer..

Registered: Mar 2001
Location: Out of my skull, back in five minutes
Posts: 1435

even if your ISP is not using fixed IP's, for one connection "session" your IP will be "fixed." It's better to disconnect from the 'net when not actually using it, even if you have a high-speed connection and a flat monthly fee. Typically your IP will be different the next time you connect.

__________________
The light at the end of your tunnel has been disconnected due to non-payment. Please remit funds immediately for restoration of hope.

Registered: Jun 2002
Location: By the toilet.
Posts: 174

quote:

---

Originally posted by Yorick
even if your ISP is not using fixed IP's, for one connection "session" your IP will be "fixed." It's better to disconnect from the 'net when not actually using it, even if you have a high-speed connection and a flat monthly fee. Typically your IP will be different the next time you connect.

---

__________________
I'm just a dreamer..

Registered: Apr 2002
Location: Houston, TX
Posts: 734

What I've found is that often you will get port scans by someone looking for a trojan horse installed on your computer. For instance if you write a TH called "Fred" that listens to port 7, you will broadcast from your computer to port 7 at random IPs to see if Fred responds. Then you can do your dirty work. However, a firewall will block this and log it as a problem even though there is nothing malicious on your computer, and that even if the signal had gotten through, nothing would have happened because Fred isn't there. At least that's my interpretation.

__________________
<a href="http://www.kurtramsauer.com">KurtRamsauer.com</a>

Registered: Dec 1999
Location: "Children are a gift from God, they are a reward"
Posts: 1049

You've got me.... I'll suugest going to that site again. There are a couple of programs that will blab about all programs running on your machine. With the list in hand of said programs, some of the very knowledgable people can help you. The people who volunteer aren't amateurs like me, they're techs that volunteer on their off time. Smart gals and guys.

__________________
"I am a debtor both to Greeks and to Barbarians, both to the wise and to the foolish."

Registered: Feb 2001
Location: Minnesota
Posts: 216

I run Norton Personal Firewall as well. The report indicates that someone was probing one of your ports (whichever one that particular Trojan uses) to see if the Trojan was present. It does not mean that the Trojan is present, someone is simply looking to see if it is. If the Trojan were present and you were not running a Firewall, then they could do dastardly deeds to your computer. Basically, you are fine and need to do nothing else. If the probes continually come from the same IP address, Norton's does allow you to block that computer permanently. Looking in the instructions.

I agree that if you are not using the computer you shouldn't leave it connected to the net, even if you are paying a flat monthly fee and have a firewall. It is sort of like this. If you had a very rare sports car with an alarm system wouldn't it be safer to park it in the garage with the door closed at night than on the street? After all, someone still might steal the car or damage it despite the alarm.

A good site with info on firewalls and security is here. Go to the ShieldsUp!! section.

__________________
Donate Blood!!!
Visit here to see how: America's Blood Centers

Registered: Jun 2002
Location: By the toilet.
Posts: 174

Thank you

First of all I'd like to thank Pathdoc, BobbyMike, KRamsauer and Yorick for helping me out.

quote:

---

Originally posted by Pathdoc
I run Norton Personal Firewall as well. The report indicates that someone was probing one of your ports (whichever one that particular Trojan uses) to see if the Trojan was present. It does not mean that the Trojan is present, someone is simply looking to see if it is. If the Trojan were present and you were not running a Firewall, then they could do dastardly deeds to your computer. Basically, you are fine and need to do nothing else. If the probes continually come from the same IP address, Norton's does allow you to block that computer permanently. Looking in the instructions.

---

__________________
I'm just a dreamer..

Registered: Jun 2002
Location: By the toilet.
Posts: 174

LEAK

Well just tested the Norton Firewall on the LeakTest in the GRC site. ( http://www.grc.com./lt/leaktest.htm )

IT LEAKS! And it does so almost immedietly.

__________________
I'm just a dreamer..

Registered: Nov 2002
Location: Kuala Lumpur, Malaysia
Posts: 4

The best firewall is still ZoneAlarm.

Registered: Dec 1999
Location:
Posts: 26

With regards to your original LOG... notice that what happened was packet was blocked on an incoming TCP connection, also notice that the attempt was blocked.

So 1 of 2 things here. Either some little script kiddie was scanning a block of computers for a vulnerability (which you DON'T have - obviously the firewall blocked the attempt). Or someone elses computer, unbeknownst to them, has been infected and is automatically looking for others to infect.

However, as people have already said - your firewall did what it was supposed to do.

If it makes you feel any better, my webserver usually gets maliciously constructed packets on the order of a few an hour... sometimes a few a minute. However, since I'm not running IIS (a microsoft webserver) they are all simply entries in a log capturing all errors. Basically the same thing as you've got.

<shameless linux plug> heh... With regards to firewall... got to disagree... ipchains/iptables work JUST fine.. </end shameless linux plug>

Last edited by dannoz on 01-15-2003 at 07:16 AM

Registered: Jun 2002
Location: By the toilet.
Posts: 174

quote:

---

Originally posted by dannoz
If it makes you feel any better, my webserver usually gets maliciously constructed packets on the order of a few an hour... sometimes a few a minute. However, since I'm not running IIS (a microsoft webserver) they are all simply entries in a log capturing all errors. Basically the same thing as you've got.

---

__________________
I'm just a dreamer..

Registered: Mar 2001
Location: Out of my skull, back in five minutes
Posts: 1435

quote:

---

Originally posted by Digisane
The list also includes Eudora trying to access the internet even if I don't have it open..

---

this is a wild shot in the dark. I think Eudora might be configured to check for messages every so often; it's probably a background task separate from the actual email program. Then it can alert you that you have new mail and you'll go open your email software.
Again, theory only, because I have a Mac and my email only checks for mail while it's open, and every time I have a Windows-based computer at a job the email soft is always open and the network connection always on, so this has never happened to me. (But they say it happens to lots of guys. )

__________________
The light at the end of your tunnel has been disconnected due to non-payment. Please remit funds immediately for restoration of hope.

Registered: Sep 2000
Location: Rochester, NY
Posts: 284

quote:

---

Originally posted by cywong
The best firewall is still ZoneAlarm.

---

__________________
It's gotta be weather balloons. It's always weather balloons. Big, fiery, exploding weather balloons.
-- ComaVN (from Slashdot)

Registered: Jun 2002
Location: Chicago Area
Posts: 1

Based on your attached log, the probe in question is inbound, and it is blocked - so what is the problem?
It appears that you are just being scanned for that particular trojan, which is not present on your system.
I leave my PC's up up most of the time, and I see hundreds, if not thousends of scans, it is just a fact of life on the Internet...
Keep you anti-virus def's up to date, and run tests on your firewall, and that is about all you can do.

Registered: Jun 2002
Location: By the toilet.
Posts: 174

quote:

---

Originally posted by larryk
Based on your attached log, the probe in question is inbound, and it is blocked - so what is the problem?
It appears that you are just being scanned for that particular trojan, which is not present on your system.
I leave my PC's up up most of the time, and I see hundreds, if not thousends of scans, it is just a fact of life on the Internet...
Keep you anti-virus def's up to date, and run tests on your firewall, and that is about all you can do.

---

__________________
I'm just a dreamer..

Registered: Apr 2002
Location: Houston, TX
Posts: 734

quote:

---

Originally posted by Digisane



I'm sorry for sounding so paranoid but I'm somewhat new to firewall systems. Esp when things don't go as expected (didn't ask what to do with cookies when it should, and Solitaire trying to access the internet)

---

__________________
<a href="http://www.kurtramsauer.com">KurtRamsauer.com</a>