Intruders (No Absinthe Content)

Sepulchritude Forum: The Absinthe Forum Thru December 2001: Intruders (No Absinthe Content)
By Zack on Friday, August 24, 2001 - 06:50 pm

"If you have nothing on your pc that you need to secure, you have nothing to lose."

Except your bandwidth.

By Dr_Ordinaire on Friday, August 24, 2001 - 05:40 pm

"If you have nothing on your pc that you need to secure, you have nothing to lose."

Amen. This is probably the most likely situation for 99% of computer users. My computer use is pretty standard and, unless you like sex with sheep, you won't find anything interesting in it.

They want to use my computer to launch a "denial-of-service" attack on Bank of America? More power to them! Considering the time they keep me on hold, they are already denying me service...

By Don_Walsh on Friday, August 24, 2001 - 03:51 pm

If you have nothing on your pc that you need to secure, you have nothing to lose.

But to paraphrase Artemis, don't you lock your doors at night? And when you go out? In some neighborhoods you might lock yourself in even when you are at home.

5-10 successful defenses a day? I get about 50 a day and I'm certainly not on the Net 24 hrs a day. And they're not all just pings. Many of these attempted intrusions are hard to explain except as attempts to find open ports (NetBIOS, etc.)

"Just because you're paranoid, doesn't mean they're not out to get you." -- Wm Rotsler.

By Dr_Ordinaire on Friday, August 24, 2001 - 01:18 pm

I don't have a firewall. I know of people who have it and are successfully defended 5 to 10 times a day.

I have a cable modem (which is to hackers like dangling an absinthe bottle in front of a Forumite).

I spend A LOT of time online. My computer should be crawling with intruders.

The fact is: I run McAfee Viruscan Online every once in a while...and I'm as virus free as a nun.

These programs (firewalls) seem to be a little bit...alarmist.

By Heiko on Thursday, August 23, 2001 - 12:57 pm

I just had to revive that thread because I'd like to quote an article in Newsweek Europe on the intruders/firewall topic:

Quote:

He [Steve Gibson] also worries that Microsoft's integration of a firewall component in its upcoming Windows XP operating system will only compound the problem. "User behaviour still has to be modified," says Gibson [...]. "Ultimately, that's the only solution."

*grin*
Isn't that what Microsoft always wants? Modify user behaviour to fit their needs?

By Verawench on Saturday, August 11, 2001 - 06:03 pm

It was a hardware problem after all because I slipped a shiny new internal cd burner into the same slot and it works dandy.

Thanks all!

By _Blackjack on Friday, August 10, 2001 - 10:02 pm

Vera, one last thing. Make sure the tray/door is getting closed all the way. I once had a drive that wouldn't work because the screws I used were too long and the caddy wouldn't slide all the way in...

(Of course, this was back in the days of caddies, mind you...)

By Head_Prosthesis on Friday, August 10, 2001 - 04:24 pm

It woiks!!!

By Test1 on Friday, August 10, 2001 - 04:02 pm

fiddle

By Verawench on Friday, August 10, 2001 - 08:57 am

Heiko, thanks for the tips... but the drive didn't recognize any cd within it, cd-r or not. A lens cleaner cd was useless since the drive doesn't spin any disk within it. And no cdr software on the pute... and nothing on the virus scan... Hrm :(

By Wolfgang on Friday, August 10, 2001 - 08:07 am

Yes but you could buy a translucid RED Mac... Think about it!

By Head_Prosthesis on Friday, August 10, 2001 - 07:48 am

Heiko,

Quote:

Or, how about the dumbass-answer no. 1: "Install Linux"

The one I get all the time is "Buy a Mac"

By Pataphysician on Friday, August 10, 2001 - 07:36 am

Hey, if you really want to explore the outer limits of browser annoyance, look around in here:

http://www.potatoland.org/

By Test1 on Thursday, August 09, 2001 - 11:46 pm

faddle ...

By Verawench on Thursday, August 09, 2001 - 08:56 pm

Blackjack, I'm writing you here, as hotmail is taking a nap at the moment.

Thank you for the tips, dearie. I tried the startup disk... the drive wouldn't list the directory (CDR101 Not ready drive E) so I guess it's the hardware.

Ah well.. I was gonna buy a nice speedy cd burner anyway.

By Heiko on Thursday, August 09, 2001 - 04:40 pm

Hi, I'm back with a new installation.... :-)

I tried to boot without mouse and keyboard but only multiplied the explorer windows with every new start - at the end I had 23 Windows popping up and the system hung up every time...

I tried to unplug keyboard and mouse because I had a stuck key failure once (that was when I had spilled a glass of Deva on my keyboard...). First I thought it was a virus: every time I wanted to correct something that I had written the cursor would start to run to the right. Then I found out the "right arrow" key was stuck... The system was almost unusable because of that damn stuck key!
Not this time, though...

Vera, if you're using CDR's - you might really have a problem with the media itself. I found out that more than half of all older (that is: more than one year old) CDR's start to oxidize...
Since I lost some of my data to oxidation, I'm now only using Mitsui SG, Mitsui Gold or Kodak Gold CDR's for anything that I want to keep for more than half a year...

First you have to check if it's just this one CD, or any CD you use: if it doesn't work with any CD, well, run a virus scan and clean the lens (haha, that sounds like the standard "I dunno at all what it might be"-answer...).
Do you have some CDR-writing software installed that might lock the drive? Usually only the CDR writer gets locked, but, who knows?

"Where do you want to go today?
Doesn't matter, you're coming with us anyways..."

Or, how about the dumbass-answer no. 1: "Install Linux" (Would I do that if I could use all the programs and multimedia stuff that is available for Windows? Yes, I would...)

By _Blackjack on Thursday, August 09, 2001 - 03:53 pm

And you would be shocked by the sheer number of "stuck key" errors I saw back when I worked tier one support. They usually started out "Every time I click on something, all the words turn blue..." When you tell them to tap their CTRL key a few times and it goes away, they think you're a miracle worker.

Not nearly as annoying as the people who don't know the difference between the monitor and the computer.

"No, not the TV-set thing. The little box-shaped thing. Look under your desk..."

By _Blackjack on Thursday, August 09, 2001 - 03:45 pm

Hey, folks, don't start queuing up for tech support or I might have to start charging. :)

Vera, I actually just spent two weeks banging my head into the wall with weird, illogical cd-r problems, and I can tell you, there is a certain amount of voodoo to it. CD-R technology is a bastard child never meant to be, even tho it is damn convenient when it works. Some disks just act weird. I had a burner which would write perfectly good disks that would read on every drive I tried, EXCEPT the drive which actually wrote them. My DVD drive will read CD's from my old burner but not my new one. Some disks mount immediately, some take a couple of minutes, some I have to insert and eject several times.

As for Norton, I don't think it can scan CD's anyway. The latest version can't, anyway. The quickest way to check the CD is to try it in another machine. It may have gotten scratched (the TOP of CD-R's, the side with the printing, is actually the one most vulnerable to scratches) or something.

Is this a regular cd-rom drive, a recorder/rewriter, or a DVD drive? CD-RW and DVD drives tend to be a little more persnickety when it comes to what disks they will read.

Well, I should go fix something I get paid to fix...

By Zack on Thursday, August 09, 2001 - 03:19 pm

Good idea Blackjack, something similar happened to me once... All of these windows of porn started popping up, faster than I could close them. I kept trying to close them for about 5 mins, then I looked down at the keyboard and the 'Enter' key was being held down by some dried semen! That was a relief...

By Verawench on Thursday, August 09, 2001 - 03:07 pm

I've got one for you Blackjack... this one happened just today. See if you can outdo Dell tech support:

I put a cd-r into the cd rom drive (I've used that cd in that drive before). I got the "E:\ is not Accessible: Device is Not Ready" error, same as when the drive is empty. The system seems to recognize the drive, though, cause it acknowledged the drive during reboot. Device Manager says everything is ok as well.

Well, then I ran Norton's ScanDisk on it and got: "Drive has been locked by disk utility. Please resume scanning when the drive is no longer locked". Eh??? I call Dell's tech support and am told to do a virus scan (nothing turns up) and to clean the drive's laser lens with a Scotch cd rom cleaner, which I am about to do.

Very strange and most frustrating as I've just backed up quite a bit of my hard drive in Austin on cd-r's and brought them down here.. now I can't do shit with them.

By _Blackjack on Thursday, August 09, 2001 - 02:09 pm

Blah. That's weird. Humor me and try this: boot up your system, and just before Windows starts, unplug the keyboard and mouse. It sounds almost like there is a stuck key.

By Heiko on Thursday, August 09, 2001 - 12:45 pm

Blackjack,
as you seem to know quite a lot about computer problems, maybe you have a solution for this?

Something nasty began to happen a few weeks ago when I start up my Win98 SE (IE6):

Explorer windows open (just like they had been opened on the last shutdown and are now restored). A lot of Explorer windows (16 right now)! And they get more and more with time, as it seems...

BUT:
- I have not installed any Symantec/Norton software.
- None of the RUN, RUNONCE, RUNSERVICE registry keys point to explorer.exe
- There is no 'DesktopProcess' key in the registry (Microsoft suggests to delete this key)
- There's nothing related to explorer in win.ini or system.ini except for: shell=Explorer.exe in system.ini (and I think that can't be the reason...).
- Unchecking all programs in the startup tab of msconfig doesn't help.
- I have tried booting with checked as well as unchecked "Save Explorer window settings" option in TweakUI - no result.
- last but not least: of course there's nothing in the "startup" folder in the start menu.

The only hints I have are the following:
When I terminate the Explorer process with WinTop, it auto-restarts (that's normal, I know) and opens the exact same 16 Windows.
These Windows are all different, they expand c:, d:, e:, f:, g: and z: (all harddrives and one RAMDisk) but in addition to that the other windows expand folders like g:\temp, g:\music\mp3\ g:\wave\project1\ (that means: no system folders, but folders I may have used recently).
These paths on the other hand cannot be found in the registry or in any of the files on c:
When I start the system in safe mode, no windows open at startup.

My solution now would be: format c:, reinstall...
(not because I am too lazy to close the 16 Windows, but sometimes my system hangs directly after startup because of all that crap opening at once and I have to reboot once or twice to get that damn thing running - that's not fun anymore!)

By _Blackjack on Thursday, August 09, 2001 - 11:07 am

I used to do tech support for an international aid organization, and EVERY computer coming back from Africa or Eastern Europe was infected with something or other.

By Don_Walsh on Thursday, August 09, 2001 - 02:45 am

I have performed the same function in various companies over the years; first thing is to sweep all the floppies in the place. Infected ones ought to either be trashed or else have their boot sectors overwritten (several a/v programs offer this option.) Then the hard drives; I used to use an antivirus card from IR&D here in Bkk which was very effective when run in concert with their a/v software. This was effective in cleaning infected application files without damaging them (unlike the rather useless Microsoft (Norton) AV). A thorough job on the floppies and then cleaning out the machines in the office one by one was quite effective. Few of the office PCs had Net connections in those days. Things are more complex now. But I only have to worry about my own PC, not a dozen.

By Heiko on Wednesday, August 08, 2001 - 01:28 pm

I know I don't have to fear code red - I was just wondering why almost all of the attempts in recent days were HTTP (usually it's a mixture of pings, ftp, NetBios...).

I suspected Code Red would be scanning the net for open HTTP ports (web servers, so to speak).

I myself never had the pleasure to have any contact with a virus - until I started working as the computer-guy for our department for romance languages. That means: a bunch of people to whom you can't explain not to open attachments of certain kinds because they don't even know what a "file" is... "are you using Windows 98?" - "No, I'm using Word."
Take a floppy disk out of the drawer and have a 50% chance to find some old bootsector virus on it...

By Don_Walsh on Wednesday, August 08, 2001 - 08:16 am

I dunno. I am getting maybe 30 alerts from ZA an (online) hour, mostly from my own IP block 203.146. Sounds like background noise. Code Red is mostly hype, by the FBI's computer geeks actually, and if you ain't got IIS, there's nothing to worry about. Ordinary users (I still run 95) of 95, 98, and ME have nothing to be concerned about. It's after NT and 2000 servers, not standalones.

By Heiko on Tuesday, August 07, 2001 - 12:10 pm

Actually, nothing had crashed - but I also suspected IE 6. Sometimes it asks if it should send a report of an error that just occurred...

On the other hand, the destination isn't the web, but 127.0.0.1 - the standard "self"-address. Weird...

Since Artemis started this thread I have gotten more and more attempts by HTTP. Is it some of the "code red" that is still alive (the originating ports are always high port numbers), or was my IP posted somewhere appearing to be a http address? I don't know...

By _Blackjack on Monday, August 06, 2001 - 03:07 pm

I would guess that Windows is phoning home to Microsoft trying to find out what the error meant, but I've never seen it do that before. Had something just crashed?

By Heiko on Monday, August 06, 2001 - 01:08 pm

btw. have you ever seen anything like that before? I haven't...

strange warning

By Don_Walsh on Monday, August 06, 2001 - 11:48 am

Art, I just downloaded Sam Spade. Couldn't resist an app by that name...

Thanks again

By Cheese on Monday, August 06, 2001 - 10:48 am

Blackjack, try looking here:

domain: JESUS.COM
owner-address: Second Coming Multimedia Publications
owner-address: 1121 Oleander St
owner-address: Suite 8
owner-address: Washington
owner-address: Dist. of Columbia
owner-address: United States

By Lordhobgoblin on Monday, August 06, 2001 - 09:27 am

Who knows Blackjack he may even let you take a bath with him.

By _Blackjack on Monday, August 06, 2001 - 09:19 am

The jesus.com guy is local to me. I've got to see if I can find him in person.

By Lordhobgoblin on Monday, August 06, 2001 - 07:53 am

"I was starting to think my gift horse had been looked into the mouth down to his asshole."

I for one am grateful for your advice.

Hobgoblin

By Artemis on Monday, August 06, 2001 - 07:47 am

" ... what good does it do to block access from someone looking for BackOffice, if you don't HAVE BackOffice in the first place?"

A firewall is not the be-all and end-all of protection. It certainly behooves you to be aware of what's on your machine and keep things like BackOffice (and BackOrifice - I did not misspell it) off of there. If you don't have such a program, they can't find it and use it on you; I can't argue with that.

But Don, "what good does it do to block access if you don't have (fill in the blank)" is like saying why lock your house if you don't have any valuables that would attract thieves. I lock my house (computer) because I don't want anybody but me in there. I don't even want them *looking around* for valuables.

Anybody who's bothered by constant "false alarms" of a firewall can do one of two things:

1. Go back to sitting in the dark
2. Learn to live with the new way your system works

I chose number 2. One of the biggest benefits of AtGuard is that it taught me something about networking and how that works. Whether it kept out any intruders or not, I gained knowledge and I was well served.

"Not answering any requests - that's the point. Your IP just seems dead to the outside world, just like you were offline."

Very well said. If I understand it correctly, that's a perfect description of "stealth". They can tell an IP number (randomly assigned to you by your ISP for that session in most cases) is in use. They cannot tell your computer responds to it. Your machine might as well be turned off for all they know.

"So I am happy to have ZA and thanks to Artemis for this thread."

You're welcome. I was starting to think my gift horse had been looked into the mouth down to his asshole.

"Anything better out there? Time to go on the offense."

I use both Sam Spade and Neotrace, both of which work well and are fun to use, but no program will return definitive results every time. Neotrace actually draws a map toward the offending computer - that's the one I caught trying to "phone home" for an upgrade, though.

By Don_Walsh on Monday, August 06, 2001 - 06:47 am

Heiko, I can see the utility of being able to walk invisibly through the avenues of cyber, but I do think that marketing via paranoia is a little exploitative. Still, as Bill Rotsler used to say, just because you're paranoid, doesn't mean They's Not Out to Get You.

So I am happy to have ZA and thanks to Artemis for this thread.

I do notice that 90+% of the alerts I get are IP addresses in the same general part of the world I am. As Ted mentioned, Korea and Taiwan predominate. And he's on the other side of the world. So what does this signify? Are Korea and Taiwan full of hackers, or are these places full of individuals and companies scouring the net for information on user patterns, for marketing research, or what?

I use www.network-tools.com to trace, reverse trace, ping, run dns, etc on IP addresses. Sometimes it works, sometimes it doesn't, but at least I can get a general idea of the location of the user/site/network that is the source of the attempted contact.

Anything better out there? Time to go on the offense.

By Lordhobgoblin on Monday, August 06, 2001 - 03:04 am

Get cleansed from sin and then get rewarded with sex in the bath.

You gotta admire his cheek, and it seems to have worked (at least with Mellisa from Oregon).

By Marc on Monday, August 06, 2001 - 02:37 am

check out

jesus.com

By Heiko on Monday, August 06, 2001 - 02:20 am

For me, Zonealarm is just a way of hiding as much of my computer as possible. I don't care about "alarms" too much: they only mean "someone tried to communicate with your computer for whatever reason, but your machine did not answer"

Not answering any requests - that's the point. Your IP just seems dead to the outside world, just like you were offline.

With Zonealarm installed, you're surfing the web like someone who is sneaking silently around corners, trying not to attract attention. Without a firewall and with MS standard network settings, you're surfing the web like someone jumping around, screaming and waving a big sign that says "kick me!"

By Don_Walsh on Sunday, August 05, 2001 - 10:20 pm

But, Artemis, what good does it do to block access from someone looking for BackOffice, if you don't HAVE BackOffice in the first place?

FYI I also delete Outlook Express etc for same reasons. And I think I will disable .vbx support if I can. I own VB6 Professional, but I no longer use it and it is not installed on this hard disk.

By Pataphysician on Sunday, August 05, 2001 - 06:01 pm

>>Spider -- Is it legit though?

I heard about it from some mainstream computer journal. I've been using it for quite a while with no problems. It's pretty straightforward, it just finds all the cookies, and deletes them. They are found not only in the Temp file and Windows won't let you delete them all manually.

By Artemis on Sunday, August 05, 2001 - 05:06 pm

I never said a Firewall (and frankly, AtGuard is better than ZoneAlarm IMO, because there are no "alarms") would divine the intent of the people trying to connect to your computer.

Look at it this way. It's dark, and you're sitting inside your house. Various things pass by outside the window and give it a tap - moths, cats, people on the sidewalk with no evil intent, and the occasional psycho killer. You're sitting inside in the light, so you can't see any of them.
A firewall is a spotlight with a motion detector. Every time *whatever* passes by, the light comes on, and you get to see what's out there. You also get some idea of their intent, based upon the port and the service to which they attempted to connect.

I can assure you that if somebody attempts to connect to your machine looking for Back Orifice, he does not wish you well. It has happened to me on numerous occasions.

And I did say that a firewall mostly allows you to laugh at futile connection attempts with probably no evil intent. But without it, you don't even know about them - you are literally in the dark.

Convincing a couple of people to install firewalls is probably the most valuable thing I've done on this forum, whether they realize it or not.

By Don_Walsh on Sunday, August 05, 2001 - 10:06 am

That's the crux of the problem. ZA at its highest security level (stealth mode) does perform a useful function, but it also delivers a lot of what are really false alarms, Net noise, and unless one reads the fine print one is moved to misinterpret this as aggressive Net intrusion.

Crying wolf just lowers the sensitivity level of users to real threats.

The same is true of programs that intercept cookies. Many users are paranoid about cookies. I am not too crazy about cookies but many apps now require them (notably Hotmail) so total freedom from cookies is impractical.

Bottom line: ZA has a valid function but for many users will create a false sense of security by exaggerating the significance of innocuous and meaningless non-'attacks' -- and at the same time I seriously doubt that ZA will be effective against a determined, knowledgeable, competent attack by a hacker.

Corollary: what you don't want out there, don't put on a net-connected machine. Keep it standalone. Works for the CIA! Works for anyone. Short of a black-bag job such info is safe, and even that is useless against storage in a vault. Which is precisely where the USA keep their secrets, and why they buy so many Iomega and Syquest and similar removable drives. (Not my favorite, I prefer rack mounted conventional HDDs and/or CD-burners.)

By Lordhobgoblin on Sunday, August 05, 2001 - 08:14 am

Pata,

Is it legit though? The page looks a bit amateurish and I'm a bit untrusting when it comes to downloading programs from the net.

Hobgoblin

By Pataphysician on Sunday, August 05, 2001 - 07:38 am

"Spider" is even better for removing cookies. It removes the ones that are hidden elsewhere on your hard drive -- IE's "delete files" won't do that.

http://www.fsm.nl/ward/

By Lordhobgoblin on Sunday, August 05, 2001 - 07:32 am

Don,

I never bothered looking at ZA's analysis as I was pushed for time this morning, I just became quite paranoid. I was beginning to think that somebody was targeting me. Nice to know it's probably only shadows as shadows can't bite you.

Hobgoblin

By Don_Walsh on Sunday, August 05, 2001 - 07:03 am

Yes, Lord H, and I have similar results now. The operative question is: are these 'attacks' or just normal net background noise? ZA's own analysis says the latter. Most of these for me originate in Taiwan and Korea as far as I can tell.

In short ZA protects us from shadows, the computer Boogey Man.

By Lordhobgoblin on Sunday, August 05, 2001 - 12:00 am

Thanks Artemis,

I've been running Zonealarm now for 30 minutes and have had 10 alerts already. I did set the security level to High.

Hobgoblin

By Verawench on Saturday, August 04, 2001 - 11:20 am

"Now, my system is free of spyware as well (except for some doubleclick cookies that I have to remove every day)."

Try AdSubtract for cookie annihilation.

By Don_Walsh on Saturday, August 04, 2001 - 07:57 am

I've been running ZA for about 24 hrs now and have yet to have an alarm/alert/whatever. But I have been running in stealth mode since onset so maybe things would be different if I downgraded the security level. Anyway thanks for the heads up, Artemis.

By Artemis on Friday, August 03, 2001 - 04:57 pm

"After using ad-aware (or something similar)? Or before? Well, you can't know before, I guess."

I've never had any adware on my machine, having learned what it was (through Usenet discussions) before ever downloading any. That was mostly by luck. And of course, after I knew what it was, it was by intent.

Also, sometime back my machine crashed, and after I reformatted the hard drive, I was even more careful about what I installed, to keep it lean and mean. It's growing bloated again, though - a good purge every now and then is a good thing.

Just yesterday I caught one of my DNS tracing programs trying to "phone home" (supposedly to check for upgrades, but maybe to report a hacked serial number or something). Does that count? AtGuard caught it and I promptly spanked the program by barring it from ever trying to access its own site again.

By Heiko on Friday, August 03, 2001 - 11:31 am

"Mine is."

After using ad-aware (or something similar)? Or before? Well, you can't know before, I guess.
Now, my system is free of spyware as well (except for some doubleclick cookies that I have to remove every day).

AtGuard seems to do the same as Zonealarm (asking you to manually give rights, server and/or incoming, to any program that makes a connection attempt). Incoming attempts (pings, any connection attempts from outside) are reported as "alarms" then, but they are all blocked (port stealth mode - no reply)

By Artemis on Friday, August 03, 2001 - 11:10 am

"You know, I would agree that keeping sensitive information on the computer is never a good idea."

I don't agree it's *never* a good idea. Sometimes it HAS to be there. It's certainly better not to have any there if you can avoid it, but if you must have sensitive data on a hard or removable disk, there are encryption programs for creating encrypted containers (virtual drives) or steganographic files that will make the data secure from any hacker on the planet. NSA may be another matter, but if they have an interest in you, you have bigger problems than your data.

By Artemis on Friday, August 03, 2001 - 11:05 am

"Up to now I haven't found any computer which was free of spyware"

Mine is.

"most "alarms" are created by websites you just visited who didn't realize you ended the session"

AtGuard doesn't have "alarms", it simply tells you every time a connection attempt is made, outgoing or incoming, tells you what program wants to make the connection and using what port, and asks if you want to allow it. The default is to allow NOTHING (i.e., you can't even get on the Internet). You build the rules yourself from there.

NONE of the attempts I have mentioned here have anything to do with a website I visited or anything I initiated. They may well be random. It's just strange that in the last few days there have been so many, every time I'm online, when for a long time there were few or none.

Don, I've experienced the same frustration with trying to download software. I don't know what you're using, but getting a client program dedicated to FTP might help, if that's the way it's coming down. Netscape in particular is not good at FTP and often gives the results you mentioned.

By Heiko on Friday, August 03, 2001 - 10:17 am

What made me think different about Zonealarm's safety recently was a little nasty spyware trojan called Tsad.Bot (it sends info of your system/browsing behaviour to some company). That thing managed to get full server rights in Zonealarm but I was never asked...

Run ad-aware (by lavasoft) on your system - you'll be surprised how many nasty spyware trojans you have there eating up your bandwidth, memory and cpu time, sending personal data to some greedy companies (a friend of mine who uses a modem connection told me his connection is about 10% faster since he ran ad-aware).
Up to now I haven't found any computer which was free of spyware (although the use of spyware is illegal...)

By Panks on Friday, August 03, 2001 - 09:16 am

You know, I would agree that keeping sensitive information on the computer is never a good idea.

However, sometimes it is purely a matter of people stealing bandwidth that we try to prevent. Take the new sharing program Morpheus, a bug was just discovered that lets people browse your system through Internet Explorer if you have Morpheus open using only your IP. That way they can download things without being seen all the while raping your bandwidth.

This is, of course, an isolated example, but I am sure you see my point. ZoneAlarm is pretty useless against these sorts of things too. But it is a start.

By Heiko on Friday, August 03, 2001 - 08:37 am

Sometimes you get real portscans (if one IP tries connecting to your IP on 5 different protocols and/or port by port, starting somewhere at high port numbers). These guys might be really looking for ports opened by trojans like back orifice.
But Don is right - most "alarms" are created by websites you just visited who didn't realize you ended the session or random broadcast by other computers and so on...

What I think is more interesting about zonealarm is that it tells you what programs want to connect outbound from your computer. Sometimes I'm asked if I want to give server rights to IE - when I say no, everything works just fine, no problem. I wonder what information IE intended to send then - none that was needed for what I was doing...
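The two patterns raised in this thread, one source walking several ports (the "real portscan" Heiko describes above) and many unrelated sources each knocking on the HTTP port (what a Code Red style sweep looks like from the receiving end, as wondered about earlier), can be told apart from the alert log itself. The following is an added example, not code from the thread or from any firewall vendor; the alert line format and all addresses are constructed, and the `203.146.` prefix is used only because one poster mentions that block as his own.

```python
"""Sort personal-firewall alerts into port scans, worm-style sweeps and
background noise.  Added example, not from the forum thread or from any
firewall vendor; the alert line format is constructed to resemble a
2001-era personal firewall log and is not ZoneAlarm's real format."""
import re
from collections import defaultdict

# Constructed sample alerts (all addresses made up).  The protected host is
# 203.146.77.9, inside the 203.146.x.x block one poster calls his own.
# Four unrelated sources each hit 80/TCP once; one source walks several
# ports, including 31337/UDP (commonly cited Back Orifice default, assumed).
SAMPLE_ALERTS = """\
2001-08-07 12:01:03 TCP 203.146.10.5:4123 -> 203.146.77.9:80
2001-08-07 12:01:04 TCP 61.72.33.8:2345 -> 203.146.77.9:80
2001-08-07 12:01:06 TCP 211.45.9.2:3390 -> 203.146.77.9:80
2001-08-07 12:01:08 TCP 210.99.1.17:1111 -> 203.146.77.9:80
2001-08-07 12:02:00 TCP 202.8.8.8:40001 -> 203.146.77.9:21
2001-08-07 12:02:01 TCP 202.8.8.8:40002 -> 203.146.77.9:23
2001-08-07 12:02:02 TCP 202.8.8.8:40003 -> 203.146.77.9:80
2001-08-07 12:02:03 TCP 202.8.8.8:40004 -> 203.146.77.9:139
2001-08-07 12:02:04 UDP 202.8.8.8:40005 -> 203.146.77.9:31337
2001-08-07 12:05:11 UDP 203.146.12.1:137 -> 203.146.77.9:137
2001-08-07 12:05:12 TCP 203.146.12.1:1025 -> 203.146.77.9:80
2001-08-07 12:07:40 ICMP 203.146.3.3:0 -> 203.146.77.9:0
"""

# date time PROTO src:sport -> dst:dport
LINE_RE = re.compile(
    r"\S+ \S+ (TCP|UDP|ICMP) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+)$"
)


def parse_alerts(text):
    """Turn log text into a list of dicts; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, src, sport, dst, dport = m.groups()
        alerts.append({"proto": proto, "src": src, "sport": int(sport),
                       "dst": dst, "dport": int(dport)})
    return alerts


def targets_by_source(alerts):
    """Map each source IP to the set of (protocol, destination port) it touched."""
    seen = defaultdict(set)
    for a in alerts:
        seen[a["src"]].add((a["proto"], a["dport"]))
    return seen


def classify_sources(alerts, scan_threshold=5, local_prefix=""):
    """One source touching >= scan_threshold distinct ports is a port scan
    (the thread's rule of thumb).  A source inside the user's own address
    block hitting a port or two is the NetBIOS/broadcast chatter the thread
    calls background noise.  Everything else is a single probe, not yet
    alarming on its own."""
    verdict = {}
    for src, targets in targets_by_source(alerts).items():
        if len(targets) >= scan_threshold:
            verdict[src] = "port scan"
        elif local_prefix and src.startswith(local_prefix):
            verdict[src] = "local background noise"
        else:
            verdict[src] = "single probe"
    return verdict


def detect_sweeps(alerts, min_sources=3):
    """Invert the view: one port hit by many distinct sources is what a
    self-propagating worm scanning for web servers looks like to a home
    machine.  Returns {(proto, port): distinct_source_count} for ports at
    or above the threshold."""
    sources_per_port = defaultdict(set)
    for a in alerts:
        sources_per_port[(a["proto"], a["dport"])].add(a["src"])
    return {k: len(v) for k, v in sources_per_port.items() if len(v) >= min_sources}


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for src, verdict in sorted(classify_sources(alerts, local_prefix="203.146.").items()):
        print(f"{src:16} {verdict}")
    for (proto, port), n in detect_sweeps(alerts).items():
        print(f"sweep: {n} distinct sources probed {port}/{proto}")
```

Both thresholds are the thread's own rules of thumb, not tuned values; on a real log the per-source count should also be windowed in time, since the sample here spans only a few minutes.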

By Don_Walsh on Friday, August 03, 2001 - 07:46 am

Finally on about attempt 24 I managed to get this thing downloaded. Installation was easy. I have not had time to read all the ins and outs but, it seems like the email security bit will have to be disabled, as I prefer to let McAfee continue to be used in Hotmail. If I had my druthers, this wouldn't be the case but I can't disable Microsoft's use of McAfee.

Obviously anyone who is foolish enough to open an unsolicited attachment from an unknown sender (or your own address which is even lamer) ALMOST deserves what they get. These trojans are about as brainless as what the other Trojans get wrapped around. They are typically .vbx, .pix, or .exe files disguised as .pdf, .doc, etc.

Bottom line is, NEVER open any email attachment from ANY source you do not personally know and trust. Preferably one you are expecting and have a reason to open.

Very few worms, viruses, or trojans / bombs are written by very creative programmers. 90% are hacks of other such things done by the computer equivalent of disgruntled postal workers or malicious children. Many do not work or do not work as intended. While a few can do massive damage most are just a nuisance, like tissue paper wrapped around your house.

I am not a security specialist but I know a few and I have been watching this develop over the last 10-15 years.

As to the 'attacks' that ZA is intercepting, most if not all are just random pings from companies collecting profiles about net use in support of future advertising and promotion. I have had occasion to 'ping' an IP address. This was not an 'attack', it was just a request for identification. Brought about by a contact with a user at that IP by email. That's not an 'attack'.

By Anatomist1 on Friday, August 03, 2001 - 06:29 am: Edit

If you've had trouble with ZoneAlarm, try the Tiny Personal Firewall. I read a survey in which it compared favorably to Zone, so I downloaded it. It seems to work OK, and it's free.

K.

By Don_Walsh on Thursday, August 02, 2001 - 10:59 pm: Edit

I have attempted to download this freeware 20 times without success. Invariably I get bounced out of their site, sometimes at once, sometimes after 1-2 Mb have been received. I consider this to be a waste of my time.

Computer security, to me, means not keeping sensitive information on a PC that is used online.

And that's what I do. Keep my proprietary info on a separate disk, standalone, physically removed from the online machine. Rack mounts are a wonderful thing.

By Dread on Thursday, August 02, 2001 - 04:04 pm: Edit

Actually, whether you are on a dial-up or dsl or cable, you are just as at risk under certain circumstances.

I don't know of any ISP dial-up accounts in the US that use private ip addresses (like _Blackjack mentioned). Using a private ip address and NAT for internet connections does not allow several applications to work properly and would make quite a few customers complain.

Whether your IP is static or not (like mine on a cable modem) you are still at risk. Most of these network scans are done by kids looking for specific open ports. Usually they are looking for people that have been infected with a backdoor program like SubSeven, BackOrifice, NetBus, etc...

If you make sure that you run a virus scanner and keep it up to date then you are most likely safe. If you are careful not to run any applications that are sent via email or downloaded from usenet then chances are that your system is clean.

It would take a knowledgeable hacker to compromise a system that has not been infected with a backdoor program. Most of these network scans are as I said kids just looking for easy prey.

Bottom line is this, dial-up or not, if you have been infected with a backdoor then you are not safe.
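The kind of check Dread's post implies, as an added example that is not from the thread: audit the sockets your own machine is listening on and flag any that sit on the stock default ports of the backdoors named above. The `netstat -an` text is constructed sample input, and the port table holds only the well-known defaults of those tools (an attacker can rebind any of them to another port, so a miss proves nothing, while a hit is worth a closer look).

```python
"""Flag listening sockets on the default ports of SubSeven, Back Orifice
and NetBus.  Added example; the netstat output is constructed and the
port table lists only the tools' stock defaults (assumption: they have
not been reconfigured to other ports)."""

import re

# Well-known stock defaults of the backdoors named in the thread.
BACKDOOR_DEFAULT_PORTS = {
    ("udp", 31337): "Back Orifice",
    ("tcp", 12345): "NetBus",
    ("tcp", 12346): "NetBus",
    ("tcp", 27374): "SubSeven",
    ("tcp", 1243): "SubSeven",   # default of the older SubSeven 1.x builds
}

# Constructed sample in the shape of `netstat -an` on Windows.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:27374          0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1044      209.219.129.2:80       ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:31337          *:*
"""

# proto, local ip, local port, foreign endpoint, optional state column
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Yield (proto, local_ip, local_port, state) for every socket line;
    header and blank lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, ip, port, _foreign, state = m.groups()
        yield proto.lower(), ip, int(port), (state or "").upper()


def listening_sockets(text):
    """TCP sockets in LISTENING plus every UDP socket (UDP has no state)."""
    return [(p, ip, port) for p, ip, port, st in parse_netstat(text)
            if p == "udp" or st == "LISTENING"]


def suspicious_listeners(text):
    """Return [(proto, port, suspected_tool)] for listeners on known defaults."""
    hits = []
    for proto, _ip, port in listening_sockets(text):
        name = BACKDOOR_DEFAULT_PORTS.get((proto, port))
        if name:
            hits.append((proto, port, name))
    return hits


if __name__ == "__main__":
    for proto, port, name in suspicious_listeners(SAMPLE_NETSTAT):
        print(f"{proto}/{port} is listening: default port of {name}")
```

Run it against the real output of `netstat -an` instead of the sample; on a clean box the only listeners should be the ones you can account for (135, 137-139 on a Windows machine with NetBIOS still bound, and whatever you deliberately installed).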

By _Blackjack on Thursday, August 02, 2001 - 03:26 pm: Edit

If you are on a dial-up, a firewall probably won't make much difference. Most dial-ups get assigned a new IP each time they connect, it is usually a virtual IP, meaning it is only valid from within your ISP's network, and you are only vulnerable during the time you are actually connected. The people who are vulnerable are those with always-on connections like DSL and some cable modems, especially those with static addresses.

By Panks on Thursday, August 02, 2001 - 01:48 pm: Edit

You could always purchase a router. It is more expensive, but then you have the added bonus of having instant connectivity all over your home. Shared Internet access, easy networking, and a free firewall to boot.

Just a thought.

By Artemis on Thursday, August 02, 2001 - 12:44 pm: Edit

The home version of ZoneAlarm is free. You can't get a better deal than that. You can download it from their website, www.zonelabs.com.

I think they are a British company? They make a commercial version (more robust) which they sell, also.

You can find AtGuard on various warez sites.

By Lordhobgoblin on Thursday, August 02, 2001 - 12:08 pm: Edit

For someone like me who uses a dial-up connection, and is very computer illiterate. What (preferably very inexpensive) fire-wall software do you recommend I should get (It must be very easy to install)?

Hobgoblin

By Artemis on Thursday, August 02, 2001 - 09:15 am: Edit

And while I was typing that last post, the firewall blocked an inbound TCP connection attempt from the Bethesda, Maryland area. Addresses near NSA, naval installations, etc. really make one wonder, but all this activity (after weeks of virtually none) make me think the squirrels are simply on the rampage out there.

By Artemis on Thursday, August 02, 2001 - 09:10 am: Edit

As I was reading Heiko's latest post, AtGuard told me:

Rule "Default Inbound NetBIOS" blocked
Details: Inbound UDP packet
Local address,service is (xxx,nbname)
Remote address,service is (209.219.129.2,nbname)
Process name is "N/A"

Sam Spade (I highly recommend it) tells me that IP belongs to Micronetix Corp. Who are they and why are they considering connecting to my computer? I don't know but fuck em. That's why you need a firewall.

By Heiko on Thursday, August 02, 2001 - 08:54 am: Edit

I was told recently there's a linux hardware firewall available on only one floppy disc. You just need an old computer with two network adapters, boot it with this floppy and there you go.
I don't know what it's called, I have to ask a friend about it. I guess a linux hardware firewall would be a lot better than any windows based software firewall.

By Artemis on Thursday, August 02, 2001 - 08:41 am: Edit

"It looks as though ZoneAlarm IS faring better than Blackice."

I thought as much, but didn't want to say so since I don't use either.

"the best testing can be done at grc.com, ... (if) it passes Steve's tests, you should be clear."

Agreed. Steve is the man. My computer is invisible to his "Shields Up" test. I remember a piece on Steve's site recently wherein it was said a certain attack got past EVERY firewall EXCEPT ZoneAlarm because of its unique nature. I downloaded ZoneAlarm as a result, but never installed it, because after checking it out I realized that the *way* I use AtGuard (I never give any program blanket permission to do anything), I was okay with AtGuard.

" ... uninstalling every network protocol except tcp/ip and remove the binding of tcp/ip to the windows login."

This is essential. I use an almost original version of Windows 95. I could not get my machine completely invisible to Shields Up! until I did as Heiko says.

"What are the benefits of a firewall to an average individual?"

With a firewall, YOU decide what other computers your computer connects to. Without it, somebody else can and may make that decision for you, and without you even knowing it. Do you give the keys to your house to random strangers? It's really that simple. As Heiko said, it's not a matter of what you have on your machine. It's a question of whether somebody is mad enough or bored enough to fuck with you.

Melinelly, if you want to check out AtGuard, you'll have to find one of the hacked versions available on the net. It used to be shareware, but Symantec bought it, so there's no longer anybody to send your money to. Too bad, because it had an excellent user forum wherein the author of the software (a guy called Debeli) answered questions. I learned much from him. Imagine getting personal assistance from Symantec.

By Missthing on Thursday, August 02, 2001 - 08:25 am: Edit

Whilst being on a dialup connection reduces the risk considerably, it's still a good idea to have a firewall. Read some of the articles at grc.com for more information, there's lots of reasons why your boring old computer with nothing of interest to anyone could be targeted.

By Heiko on Thursday, August 02, 2001 - 08:08 am: Edit

"What are the benefits of a firewall to an average individual?"

- Someone gets a grip of your computer and starts hacking into a webserver from your machine, using your IP... or releases the worst virus ever using your IP (spoofing his own).

- If your computer is not saved at all and installed in a wrong way, it might have many open/listening ports. From outside, the responses your machine gives look like you're a server farm, waiting to be hacked. Then the intruder finds out he wasted his time on a boring computer, gets angry about it and formats your HD...

By Heiko on Thursday, August 02, 2001 - 08:01 am: Edit

I had a "nice" Zonealarm warning recently. It blocked about 15 ICMP echo REPLIES from my subnet in 1 minute. That means my machine sent an ICMP echo REQUEST to the subnet. I didn't do it, so who did?
Most of the warnings I get are just the usual broadcast by windows machines in our network (university subnet).
You can keep your machine from doing this by uninstalling every network protocol except tcp/ip and remove the binding of tcp/ip to the windows login. In addition to that you need a firewall, of course!
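A small triage pass over the two kinds of log entry discussed above, Artemis's blocked inbound NetBIOS name-service (nbname, UDP/137) packets and Heiko's blocked ICMP echo replies, as an added example that is neither the thread's own code nor anything from AtGuard or ZoneAlarm. The entry format is the one Artemis quoted; the log contents, the ICMP event list and the 192.168.1.0/24 "local" network are constructed assumptions.

```python
"""Triage personal-firewall log entries: count inbound nbname probes per
Internet host, and find inbound ICMP echo replies that no logged outbound
echo request explains.  Added example; AtGuard entry format as quoted in
the thread, all addresses and events constructed."""

import ipaddress
import re
from collections import Counter

LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")   # assumption

# Constructed AtGuard-style log, in the format shown in the thread.
ATGUARD_LOG = """\
Rule "Default Inbound NetBIOS" blocked
Details: Inbound UDP packet
Local address,service is (192.168.1.10,nbname)
Remote address,service is (209.219.129.2,nbname)
Process name is "N/A"

Rule "Default Inbound NetBIOS" blocked
Details: Inbound UDP packet
Local address,service is (192.168.1.10,nbname)
Remote address,service is (192.168.1.7,nbname)
Process name is "N/A"

Rule "Default Inbound NetBIOS" blocked
Details: Inbound UDP packet
Local address,service is (192.168.1.10,nbname)
Remote address,service is (209.219.129.2,nbname)
Process name is "N/A"
"""

ENTRY_RE = re.compile(
    r'Rule "(?P<rule>[^"]+)" (?P<action>\w+)\s*\n'
    r'Details: (?P<dir>Inbound|Outbound) (?P<proto>\w+) packet\s*\n'
    r'Local address,service is \((?P<lip>[^,]+),(?P<lsvc>[^)]+)\)\s*\n'
    r'Remote address,service is \((?P<rip>[^,]+),(?P<rsvc>[^)]+)\)'
)


def parse_atguard(text):
    """One dict per log entry: rule, action, dir, proto, lip, lsvc, rip, rsvc."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]


def netbios_probes(entries):
    """Count inbound nbname hits per remote host outside LOCAL_NET.
    Name-service queries from your own LAN are ordinary Windows chatter;
    the same query from an arbitrary Internet host is a scan for shares."""
    hits = Counter()
    for e in entries:
        if e["dir"] != "Inbound" or e["proto"] != "UDP" or e["lsvc"] != "nbname":
            continue
        if ipaddress.ip_address(e["rip"]) not in LOCAL_NET:
            hits[e["rip"]] += 1
    return dict(hits)


# Constructed ICMP events as (direction, icmp_type, remote_ip), in log order.
# ICMP type 8 is an echo request, type 0 an echo reply.
ICMP_EVENTS = [
    ("Outbound", 8, "192.168.1.1"),
    ("Inbound",  0, "192.168.1.1"),    # answers the request above: fine
    ("Inbound",  0, "192.168.1.20"),   # no logged request to this host
    ("Inbound",  0, "192.168.1.21"),
]


def unsolicited_echo_replies(events):
    """Remote IPs whose echo reply no earlier logged request accounts for.
    Each reply consumes one pending request to that host; one request to
    the subnet broadcast address legitimately draws a reply from every
    host on it.  A burst of unsolicited replies from your own subnet means
    something on your machine pinged the subnet outside the logged path
    (Heiko's case), or the replies are spoofed or backscatter."""
    pending = Counter()
    broadcast_ping = False
    unsolicited = []
    for direction, icmp_type, rip in events:
        if direction == "Outbound" and icmp_type == 8:
            if ipaddress.ip_address(rip) == LOCAL_NET.broadcast_address:
                broadcast_ping = True
            else:
                pending[rip] += 1
        elif direction == "Inbound" and icmp_type == 0:
            if pending[rip] > 0:
                pending[rip] -= 1
            elif not (broadcast_ping and ipaddress.ip_address(rip) in LOCAL_NET):
                unsolicited.append(rip)
    return unsolicited


if __name__ == "__main__":
    print(netbios_probes(parse_atguard(ATGUARD_LOG)))
    print(unsolicited_echo_replies(ICMP_EVENTS))
```

On real logs the nbname counter separates the one LAN neighbour from the Internet host that keeps coming back; the ICMP check is only as good as the firewall's logging of outbound traffic, which is exactly why a firewall that cannot see or control outbound packets leaves Heiko's question unanswered.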

By Zack on Thursday, August 02, 2001 - 05:05 am: Edit

Wow, I never thought about getting a firewall until I read this thread. I have a crappy dial-up connection and didn't think anyone would be messing with me, but seems I was wrong. I downloaded Zonealarm about 5 hours ago and I have already had 9 attempts...they must have found all my bestiality porno.

By Lordhobgoblin on Thursday, August 02, 2001 - 03:39 am: Edit

What are the benefits of a firewall to an average individual?

The contents of my PC would be enough to bore any intruder to death, there is nothing that would be of any use at all to anyone but myself. I can't see how rummaging around in the contents of my PC would remotely interest anyone. It'd be about as riveting and useful to them as rummaging around in my sock drawer.

Hobgoblin

By Melinelly on Wednesday, August 01, 2001 - 10:28 pm: Edit

glad this thread got posted. i've been using blackice def. for a while, but i noticed that since the last time i upgraded it, i don't get warned when someone is pinging or trying to intrude. today i had about a dozen hits. yesterday was amazingly slow with only two during several hours online. anyhoo. gonna look into this other program y'all are mentioning.

By _Blackjack on Wednesday, August 01, 2001 - 10:21 pm: Edit

If there's one thing I've learned from Pol Pot, it's that it is very important to kill some of your advisors every few years, just to keep them on their toes...

By Head_Prosthesis on Wednesday, August 01, 2001 - 10:13 pm: Edit

I feel safe again. Thanks BJ, thanks all.

By Cheese on Wednesday, August 01, 2001 - 09:57 pm: Edit

Head, the best testing can be done at grc.com, which you've listed. If it passes Steve's tests, you should be clear.

Very interesting reading was his XP interview with him and a few M$ guys on raw sockets in XP. Another well known hole in their products this time known before the product has even finished development.

By Head_Prosthesis on Wednesday, August 01, 2001 - 09:02 pm: Edit

I'm doing a little comparison of my own.
It looks as though ZoneAlarm IS faring better than Blackice. There is one more test I need to do but tomorrow morning I'll be "replacing" every last person in my group of advisors.

SO I concede that in my haste I promoted something that is apparently an inferior product. I still love my goddamn Serpis though. To hell with the naysayers... TO HELL!!!

By Head_Prosthesis on Wednesday, August 01, 2001 - 08:16 pm: Edit

Ok you must be right then

By _Blackjack on Wednesday, August 01, 2001 - 08:13 pm: Edit

Actually, everything I've read says ZoneAlarm is the much better product and that Black Ice has big holes in it. My system is totally invisible to every test I've run on it.

By Head_Prosthesis on Wednesday, August 01, 2001 - 08:08 pm: Edit

Here's a few security test sites

http://scan.sygatetech.com/

http://www.securitylogics.com/portscan.adp

http://grc.com/x/ne.dll?rh1ck2l2

By Head_Prosthesis on Wednesday, August 01, 2001 - 07:46 pm: Edit

Perhaps "all the time" was an overstatement.

My people advise against it. Zonealarm did not pass the scanning tests that are available online. (I forget where, I'll find out) However that was about 6 months ago. Maybe it has changed.

My advisors are still happy with Blackice.
In any case, if you are being accessed you wouldn't know it. The intruder would slide right in undetected.

Hmmmmm? Sounds like I'm trying to sell something...

Maybe it's simply a matter of personal taste.
If that's true, "if it works don't fix it".

By Artemis on Wednesday, August 01, 2001 - 07:18 pm: Edit

"Zonealarm? Well, you get what you paid for. People hack through that all the time."

That's news to me - it's pretty well regarded in the Privacy & Anonserver newsgroups. Personally, I use AtGuard (last version before Symantec bought it out and bloated it up).

By Missthing on Wednesday, August 01, 2001 - 07:10 pm: Edit

I'd say it's definitely the worm, Zone Alarm is working overtime for me too.

And what's wrong with Zone Alarm? I'm no expert but it certainly seems to be a well-regarded product by many knowledgeable folks...

By Head_Prosthesis on Wednesday, August 01, 2001 - 06:48 pm: Edit

I logged off and back on and immediately got an HTTP Port Probe (http://advice.networkice.com/advice/Intrusions/2003001/?port=80&reason=Firewalled)

3 attempts so far
IP: 211.XXXXXXX
Node: NEXUS-HJCHOI
Group: NEXUSLTD
NetBIOS: NEXUS-HJCHOI
MAC: 484C0003100C

Happens all the time sweeps, probes, scans... You name it.

Blackice Defender does an excellent job keeping these dufuses out.
Zonealarm? Well, you get what you paid for. People hack through that all the time.

While I was typing the same thing...
IP: 211.XXXXXXXX
Node: KC
NetBIOS: KC
Group: WORKGROUP
MAC: 00E04C01006E
DNS: KC

It may or may not be these people at these i.p.s It could be an attack routed through these two.

By _Blackjack on Wednesday, August 01, 2001 - 06:28 pm: Edit

Ah IIS! It's a security hole that can also be used as a web server!

(Rather like Outlook, which is a security hole that doubles as an email system...)

By Cheese on Wednesday, August 01, 2001 - 06:20 pm: Edit

Could be the worm. Sure hope no one is running an unpatched IIS server. This thing appears to be *nix based system, so we're clear.

*nix admins everywhere delight in these things, knowing that they'll be unaffected.

By _Blackjack on Wednesday, August 01, 2001 - 06:08 pm: Edit

My ZoneAlarm logs are really quite disturbing. I get at least a dozen or so attempted contacts every day. The thing is, most of those are not specific attacks so much as routine automated sweeps to see what is pingable, etc.

By Artemis on Wednesday, August 01, 2001 - 05:40 pm: Edit

What is this, some dipshit trying to sneak into my computer day?

Every time I get online today, my firewall IMMEDIATELY intercepts one or more attempts at TCP inbound connection from Sweden, Venezuela, Korea, etc. and kicks it to the curb.

Anybody else seeing this? Maybe nobody else has a firewall. If you don't, you should. It's fun to laugh at the futility of these clowns even if they had no evil intent.
