Free Republic
Browse · Search
News/Activism
Topics · Post Article

Skip to comments.

General FR Alert.
Free Republic | 10-18-2002 | VANNROX

Posted on 10/18/2002 8:38:06 PM PDT by vannrox

I have been monitoring my PC system, and I have noted a pattern that might be of interest to Freepers. When ever I visit FR I generally get hit with an unauthorized Internet attack. These attacks are low-level, and it appears that someone or something is attempting to probe my PC when ever I log into FR.


I strongly urge other Freepers to make sure that they have somekind of FIREWALL to protect themselves.


I have noticed this before, but I haven't raised this issue, because I thought that it was just random attacks that occurred simply because I was on the Internet. But then I started to monitor it and noticed a correlation between my FR visits and various attacks.


Intruder "Y9K0E0" is most active and engages in the most agressive attempts. But others are involved. Has anyone else noticed this activity?


TOPICS: Constitution/Conservatism; Free Republic; Miscellaneous
KEYWORDS: alert; caution; fr; port; probe; techindex; warning
Navigation: use the links below to view more comments.
first 1-2021-4041-6061 next last
Preface: Netbus probeLogo -Internet Security Systems

Netbus probe

advICE :Intrusions : 2003103
 FAQ
Oh my gosh, I'm being HACKED!!!
How do I report the hacker to my ISP?
I'm seeing lots of attacks, is this normal?

Summary

Somebody has tried to access your machine with the "NetBus Trojan Horse" and failed.

Details

This is a common intrusion detected on the Internet, resulting from hackers looking for systems who might have been compromised with this program. It appears that you haven't been compromised, and that the hacker has gone away.

A Trojan program is one that has some subversive purpose other than what it looks like One of the favorite hacker techniques is to send these programs to people in the hopes they will be fooled into running them. Typical Trojans are those that steal passwords, install a virus, reformat your hard-disk, and so forth.

A particular popular class of Trojans are the Remote Access Trojans. These are programs that provide the hacker complete remote control over your machine. The problem for that hacker is that while they can often send you such Trojans via e-mail, chat, or news programs, they often don't know where on the Internet you are located. For example, they can tell from your e-mail that you use a certain ISP, but they don't know your current IP address. Therefore, if they think they've fooled you into running their program, they must then scan the entire ISP's range for you.

The flip-side to this means that if the hacker isn't after you, you will still see their scans as they search for their other victims. Likewise, the hacker may hope that some other hacker has hoodwinked you into running this Trojan. This means the hacker may be looking for anybody who might be compromised.

Trojan Horse probes are therefore very common. They aren't a cause for concern.

The page on TCP port probe has more information on probing machines for open ports like this. Please see that page for more details.

 more information
advICE: Netbus  
More advice on the Netbus trojan and how to defend yourself against it.  

 parametric information
port This indicates the TCP port that was probed.
reason The reason for the port probe.
Firewalled: the incoming TCP SYN or UDP frame was stopped by the firewall.
RSTsent: the incoming TCP SYN frame was rejected by the computer.
ICMPsent: the incoming UDP frame was rejected by the computer.
NOanswer: there was no response to the incoming SYN frame.
 
Version appeared:  


Privacy Policy |  Copyright Info
1 posted on 10/18/2002 8:38:06 PM PDT by vannrox
[ Post Reply | Private Reply | View Replies]

To: vannrox
Bump...
2 posted on 10/18/2002 8:43:16 PM PDT by tubebender
[ Post Reply | Private Reply | To 1 | View Replies]

To: tubebender
My latest attack was a TCP probe..


Preface: TCP port probeLogo -Internet Security Systems

TCP port probe

advICE :Intrusions : 2003102
 FAQ
Oh my gosh, I'm being HACKED!!!
How do I report the hacker to my ISP?
I'm seeing lots of attacks, is this normal?
Summary

Somebody has tried to access your machine and failed.

Details

This is the most common intrusion detected on the Internet. This is so common because hackers do frequent wide-spread scans looking for one specific exploit they can use to break into systems. The typical hacker scans thousands or millions of machines in a typical scan. In other words, the hacker isn't targeting you personally. In particular, this event is generated upon failed attempts, so there is no reason to worry.

Probes like this result from "script-kiddies", hackers just above the skill level of trained monkeys. They download attack programs (called "scripts") from various sites on the net, then run them against millions of machines. There are thousands of script-kiddies out there, so if you have a always-on connection (cable-modem, DSL), then you can expect about one of these scans per day.

About 10% of these scans are from forged (spoofed) addresses. This means the indicated IP address in the attack is probably from the real attack, but a small percentage of the time the indicated person is completely innocent.

About 20% of these scans are from machines already compromised by a hacker. In other words, if you report this scan back to the originator, they may thank you, because you've discovered a hacked system on their network they didn't know about.

Information on reporting the hacker can be found in our support Knowledge Base article q000016.

Ports

A port is a point of entry into a system. Each program running on a system is reached through its own ports. You rarely see this detail because most port assignments are automatic. For example, most websites run at port 80 on a machine, so you never have to specify it yourself.

This means that if you see a TCP port probe for port 80, then a hacker is most likely testing your system to see if you've installed your own web server. The exact port the intruder probed for is listed on your system in the file "attack-list.csv".

False Positives

The system errs on the side of caution. When your machine attempts to connect to a remote site and fails, sometimes this alert will trigger. Carefully watch the source of the attack in case it is your own machine.

The system triggers on any failed connection. Some web-sites will attempt to contact your machine. For example, chat servers, FTP servers, and multimedia servers (video, audio) often open connections directed at your machine. If the firewall settings block this, then these will be reported as port probes.

 more information
advICE: ports  
A list of some common ports hackers might scan for.  
advICE: port scan  
Explains port scanning in depth, and describes the various types of port scans.  

 parametric information
port This indicates the TCP port that was probed.
reason The reason for the port probe.
Firewalled: the incoming TCP SYN or UDP frame was stopped by the firewall.
RSTsent: the incoming TCP SYN frame was rejected by the computer.
ICMPsent: the incoming UDP frame was rejected by the computer.
NOanswer: there was no response to the incoming SYN frame.
 
Version appeared: 1.8.5.5 

Privacy Policy |  Copyright Info
3 posted on 10/18/2002 8:45:43 PM PDT by vannrox
[ Post Reply | Private Reply | To 2 | View Replies]

To: vannrox
I doubt this has anything to do with FR. Are you active on IRC or some file sharing systems that reveal your IP address?

Just reading (or even logging into FR) doesn't reveal your IP address to anyone. I find it difficult to believe that someone with access to the FR machine(s) would be probling users, so you must be doing something else at the same time.

4 posted on 10/18/2002 8:48:24 PM PDT by libertynews
[ Post Reply | Private Reply | To 1 | View Replies]

To: vannrox
Looks like a scan of TCP ports to try to contact a trojan on your PC.

Should be no problem if it's not already there. However, you may wish to run a virus scan to see what results you get on your PC.

All IMO, naturally.

5 posted on 10/18/2002 8:48:41 PM PDT by d101302
[ Post Reply | Private Reply | To 1 | View Replies]

To: vannrox
Why don't you ping the Robinsons?
6 posted on 10/18/2002 8:50:18 PM PDT by tubebender
[ Post Reply | Private Reply | To 3 | View Replies]

To: libertynews
Yea. These probes all seem to be very generalized. Maybe it's just my own crazy fears...
7 posted on 10/18/2002 8:51:09 PM PDT by vannrox
[ Post Reply | Private Reply | To 4 | View Replies]

To: tubebender
Why don't you ping the Robinsons?

Best idea I've heard.

8 posted on 10/18/2002 8:52:04 PM PDT by Just another Joe
[ Post Reply | Private Reply | To 6 | View Replies]

To: vannrox
My Zone Alarm used to be active when I was using IRC.
9 posted on 10/18/2002 8:54:12 PM PDT by Snowy
[ Post Reply | Private Reply | To 3 | View Replies]

To: vannrox
I have occasionally heard Freepers say that they seem to get pinged while visiting FR. I'm not sure if it's special to the site. I have a LinkSys router hub with a mechanical firewall, as well as ZoneAlarm, and I never see any outside probes any more.

I certainly agree with you that it's a good idea to have a firewall, because hackers seem to send out random probes all the time, and going on-line without a firewall is increasingly risky.

The feds used to monitor FreeRepublic during the clinton years, as demonstrated when the Secret Service came down on people who foolishly threatened violence against public officials as a joke (not funny!), and I assume they still probably do. But monitoring and hacking are too different things.
10 posted on 10/18/2002 8:56:12 PM PDT by Cicero
[ Post Reply | Private Reply | To 3 | View Replies]

To: vannrox
I don't know if this is related, but last night when I first went to FreeRepublic the browser window opened up all grey and music (prince-little red corvette) started playing through my speakers. It was really weird. I also had a bunch of popups. As soon as I killed the popups I ctr-alt-del'd and had no problems after I got back online and went back to FR. In the instant before the screen went black on the reboot I noticed a little JAVA icon in my sys tray. I thought my computer had a brainfart, but I couldn't figure out why it playing a song that is not on my hard drive. Was I 'hit' or what?
11 posted on 10/18/2002 8:56:16 PM PDT by thatdewd
[ Post Reply | Private Reply | To 1 | View Replies]

To: vannrox
General FR Mills Alert.......


12 posted on 10/18/2002 8:57:06 PM PDT by hole_n_one
[ Post Reply | Private Reply | To 1 | View Replies]

To: thatdewd
You might have spyware on your pc. Download AdAware from Lavasoft and scan your drive.
13 posted on 10/18/2002 8:58:44 PM PDT by Sir Gawain
[ Post Reply | Private Reply | To 11 | View Replies]

To: thatdewd
Do you remember what song it played? A friend was telling me the same story today, along with her dial-up modem going berserk, and I thought she had lost it...
14 posted on 10/18/2002 9:01:02 PM PDT by browardchad
[ Post Reply | Private Reply | To 11 | View Replies]

To: browardchad
It sounded like a (bad) Live recording of 'Prince' doing
'Little Red Corvette'.
15 posted on 10/18/2002 9:07:12 PM PDT by thatdewd
[ Post Reply | Private Reply | To 14 | View Replies]

To: Sir Gawain
Downloading software now. Thanks.
16 posted on 10/18/2002 9:08:26 PM PDT by thatdewd
[ Post Reply | Private Reply | To 13 | View Replies]

To: vannrox
I had something weird happen for two days running. I would log onto FR everything would seem fine, but every time I clicked on the "My Comments" icon I would get a pop up secuirty warning screen.

It said something on the order of, "You are attempting to view a page that has not been issued a security certificate"

When I clicked on "details", it said, ISNX5L7 is not a valid agent, certificate issued to F.E.M.A., there was a thumb print algorithem, signature algorithem, etc.

I have no idea what that was about, other than some agent or agency punched in the wrong id in issuing a certificate to F.E.M.A. and it wasn't valid. Eventually it stopped. I was advised that I had most likely gone to some place on the web and picked it up, but I had not surfed the web that I remember, or it could be some random packet that my computer picked up. Of course seeing the F.E.M.A. thing freaked me out a little.

17 posted on 10/18/2002 9:13:20 PM PDT by MissAmericanPie
[ Post Reply | Private Reply | To 1 | View Replies]

To: Sir Gawain
Excellent advice.  I read about AdAlarm in this week's
Time magazine and loaded it up for a scan.  I had some
crap in my registry of unknown function plus a lot of
temp porn files.  The porn files, I could care less.
The registry entry had to do with 'Alexsa' and may
have been a dialup.  It's outta there now.

AdAlarm is free and available through
http://www.lavasoftusa.com.

18 posted on 10/18/2002 9:21:56 PM PDT by gcruse
[ Post Reply | Private Reply | To 13 | View Replies]

To: vannrox
I have Zone Alarm. For the last two weeks I have been getting warnings about every 15 minutes while online.
The very second that I connect to the Net I get a warning.
Methinks some one is watching.
tbird1
19 posted on 10/18/2002 9:27:28 PM PDT by tbird1
[ Post Reply | Private Reply | To 1 | View Replies]

To: Sir Gawain
...you might have spyware on your pc...

I had 54 suspicicous items, about half of them stupid things from the Osama game and other 'twisted humor' junk I had played. The other half could not be identified from the file names, could have been ANYTHING. I Wiped them ALL. Thanks, I never would have known all that crap was in there.

20 posted on 10/18/2002 9:27:34 PM PDT by thatdewd
[ Post Reply | Private Reply | To 13 | View Replies]


Navigation: use the links below to view more comments.
first 1-2021-4041-6061 next last

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

Free Republic
Browse · Search
News/Activism
Topics · Post Article

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson