General FR Alert.

I have been monitoring my PC system, and I have noted a pattern that might be of interest to Freepers. When ever I visit FR I generally get hit with an unauthorized Internet attack. These attacks are low-level, and it appears that someone or something is attempting to probe my PC when ever I log into FR.

I strongly urge other Freepers to make sure that they have somekind of FIREWALL to protect themselves.

I have noticed this before, but I haven't raised this issue, because I thought that it was just random attacks that occurred simply because I was on the Internet. But then I started to monitor it and noticed a correlation between my FR visits and various attacks.

Intruder "Y9K0E0" is most active and engages in the most agressive attempts. But others are involved. Has anyone else noticed this activity?

Thanks for the info gccraig. I knew 1433 was a well-known port and I wondered what it was used for. A hacker would naturally probe it and look for default passwords to gain Admin access.

I'm safe, thanks to ZoneAlarm, the world's greatest freeware program.

Here's what my ports look like under netstat -an



C:\WINDOWS\Desktop>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    63.155.104.7:9322      0.0.0.0:0              LISTENING
  TCP    63.155.104.7:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  UDP    63.155.104.7:15483     *:*
  UDP    63.155.104.7:137       *:*
  UDP    63.155.104.7:138       *:*
  UDP    127.0.0.1:1616         *:*
  UDP    127.0.0.1:2132         *:*
  UDP    127.0.0.1:1900         *:*

Just now I got another probe. Does FR send to its clients? Jim Robinson?


The firewall has blocked Internet access to your computer (TCP Port 1433) from 203.248.195.112 (TCP Port 4132).

Time: 10/19/2002 8:24:00

"I just had the little red corvette song play, no pop ups. i was looking at FR and Yahoo news...Hmmmm."

Yahoo has been running a GM ad with this song (among others). It is not a pop-up, plays on some of their pages occassionally, but not every time.

Yahoo is ahead of the curve when it comes to advertising mediums. They were one of the first to use pop-ups, but thankfully, no longer use pop ups, but they do use "interactive" ads with various forms of media.

Most of the ones I've seen with audio have been movie ads when looking at the Yahoo movie section, but I did get this ad yesterday on Yahoo's main page, and again later on a Yahoo news page.

So, the song is not spyware, but that doesn't mean you shouldn't look for spyware on your machine. If you're not using a program like adaware, you'll never know, and you'll be subjected with popups and other intrusive advertising on a random basis.

Unless you want to receive these ads, I highly recommend using adaware on your computer.

T2s

My personal theory is, these Windows firewall companies tune their software to a pointless level of sensitivity, and then flash pretty windows with technobabble during each "attack" in order to "show" their customers how many boogeymen are being denied access to their system because their software was installed. This is a marketing gimmick to make the customer feel "protected." I've been running a Linux firewall for years, and not once has it ever popped up a flashy window warning me about an ICMP ping, or UDP packet to port Kalamazoo. In truth, none of these "attacks" would have any affect, as they're all just random probes and other Internet noise.

Personal firewalls are more important in keeping traffic from going out of your computer than from coming in. When up pops a flashy window telling you Keylogger is trying to make a connection to the Internet, and you don't recognize Keylogger as being an authorized program on your computer, then you have something to worry about.

As for attacks occurring when you're on FR-- that is probably just a coincidence. How much of your time is spent on FR vs other sites when you're connected to the Internet?

Also, a number of these warnings can be attributed to a failed www connection. See "False Positives". On some image-laden threads, your web browser may make dozens of www connections (one for each image on the thread.) Most of those connections go to other machines, some of which may be under stress and failing connections.

And, btw, your IP address will be leaked to other websites if you download images off those websites. It is easy enough for that to happen on FR, all one has to do is visit a thread with an image hosted on another website. Most images aren't downloaded from FR, and anybody can post a link to an image. This is not unique to FR, it is a fact of HTML life. If you are truely concerned, you can surf the Internet with images disabled, but really, there isn't much anybody will do with any random IP address they find downloading an image (especially when thousands of hits are recorded each day.) [BTW--people--don't link in images that are hosted on other people's servers unless you have permission.]

We have no software hosted on our machines (IP range 209.157.64.193-209.157.64.254) that will probe your machine when you contact FR. The absolute most that will probably never happen is an ICMP ping or traceroute from me if I'm tracing a network problem (I would likely pull a random address from FR's server, something I know is alive.) ICMP pings are very similar to sonar pings (measures roundtrip time of the "ping") and traceroute lists the network routers between two locations.

We keep our machines clean, there are no third parties messing around, no trojans on our site. We employ several mechanisms to verify the integrity of the system to ensure nobody is fooling around. We keep the software up-to-date with the latest patches as soon as they are made available. I keep an eye on the security portals that note "zero-day exploits." The number of network services we do run is minimal, there isn't much to exploit.

Man-in-the-middle attacks, where a hacker compromises a machine between you and the server, are incredibly rare and difficult. Almost all machines between you and the server are dedicated routers with little or no services to compromise. These are dedicated pieces of hardware with no other function than to move packets around, compromising one would be a difficult act, and the person that has the resources to do that is probably not going to be scanning personal computers.

Having said that, please do let me know if there is any suspicious activity, something that can be reproduced and that can be attributed to FR or any of my servers. Random occurances are most likely meaningless, either coincidence or noise.

I'd like to comment on just a few items. I have never observed any probing, fingering, or port scanning from IP addresses associated with Freerepublic.com.

On the other hand, (as you have noted) it is possible to "spike" a thread with a photo from a different server than those assigned to freerepublic.com IP addresses. When the data is pulled from the third party server (i.e. a yahoo.com news photo), server administrators can review the log files and initiate port scanning themselves (which is what I observed when I hit the jpost.com story on Christians and Jews cooperating).

These are all just the effect of being plugged into the widest ranging digital network on Earth.

Al Queda and PRC operatives are sharing the same bandwidth that we are on. If a PRC or AQ operative spiked a thread with a photo from their server, they can track every IP address of every individual reading that thread on Free Republic. This becomes a future tool to identify potential targets for port scanning and hacking activity.

It is naive to believe that such attacks are "coincidence". We have routinely observed port scanning, pinging, fingering, and TCP/IP hits from IP addresses located in the PRC and Middle East. These hits often are clustered and coincide with international events. You may want to review your logs to identify such patterns.

The reality is that the dedicated men and women who anonymously post to this site are vulnerable to such probing and scanning. If someone has a fixed IP address, it would be possible to host imagery on your home server and dish out the data via the fixed IP address. Review of your server logs would reveal IP addresses for the visitor/intruder.

As you point out, "man-in-the-middle" attacks are less easy to do. However, if you control a major node on the internet, it is definitely possible to record and evaluate data packets moving through the node on the net. This process of "packet sniffing" is not very difficult. In fact, there are desktop applications which permit your home desktop device to packet sniff local traffic on your part of the internet.

If a perp/terrorist plugs this kind of machine near a major node, a significant amount of network traffic can be monitored. I think NSA is probably doing this now (MSG to NSA/CIA: HI GUYS!!! HOW'S MCLEAN, VA, THESE DAYS???)

God bless

Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.