Netbus probe
FAQ
Summary
Somebody has tried to access your machine with the "NetBus Trojan Horse" and failed.
Details
This is a common intrusion detected on the Internet, resulting from hackers looking for systems that might already have been compromised with this program. The probe got no answer, which indicates that the NetBus server is not installed on your machine; the hacker has moved on.
A Trojan program is one that has some subversive purpose other than what it appears to do. One of the favorite hacker techniques is to send these programs to people in the hope that they will be fooled into running them. Typical Trojans are those that steal passwords, install a virus, reformat your hard disk, and so forth.
A particularly popular class of Trojans is the Remote Access Trojans. These are programs that give the hacker complete remote control over your machine. The problem for the hacker is that while they can often send you such Trojans via e-mail, chat, or news programs, they often don't know where on the Internet you are located. For example, they can tell from your e-mail that you use a certain ISP, but they don't know your current IP address. Therefore, if they think they've fooled you into running their program, they must scan the entire ISP's address range, looking for a machine that answers on the Trojan's listening port.
The flip side is that even if the hacker isn't after you, you will still see their scans as they search for their other victims. Likewise, the hacker may hope that some other hacker has hoodwinked you into running this Trojan. This means the hacker may be looking for anybody who might be compromised.
Trojan Horse probes are therefore very common. By themselves they aren't a cause for concern: a probe does nothing to a machine that has no Trojan listening on that port. The only case that matters is one where the Trojan is already installed, which is why an occasional virus scan is still worthwhile.
The page on TCP port probe has more information on probing machines for open ports like this. Please see that page for more details.
Should be no problem if it's not already there. However, you may wish to run a virus scan to see what results you get on your PC.
All IMO, naturally.
It said something on the order of, "You are attempting to view a page that has not been issued a security certificate"
When I clicked on "details", it said, ISNX5L7 is not a valid agent, certificate issued to F.E.M.A., there was a thumbprint algorithm, signature algorithm, etc.
I have no idea what that was about, other than some agent or agency punched in the wrong id in issuing a certificate to F.E.M.A. and it wasn't valid. Eventually it stopped. I was advised that I had most likely gone to some place on the web and picked it up, but I had not surfed the web that I remember, or it could be some random packet that my computer picked up. Of course seeing the F.E.M.A. thing freaked me out a little.
ZoneAlarm has blocked access to port 1433 on your computer
ZoneAlarm has successfully stopped local network or Internet traffic from reaching your computer. No breach in your security has occurred. Your computer is safe. What happened?
ZoneAlarm blocked traffic to port 1433 on your machine from port 2447 on a remote computer whose IP address is 202.29.21.4. This communication attempt may have been a port scan, or simply one of the millions of unsolicited commercial or network control messages that are routinely sent out over the Internet. Such unsolicited messages are often called Internet background noise.
Should I be concerned?
This alert should not be a cause for concern. ZoneAlarm has protected your machine according to the firewall settings you have selected.
Might be a ping from msn, my ISP, or something FR server is doing--or a probe, as others have suggested.
Personal firewalls are more important in keeping traffic from going out of your computer than from coming in. When up pops a flashy window telling you Keylogger is trying to make a connection to the Internet, and you don't recognize Keylogger as being an authorized program on your computer, then you have something to worry about.
As for attacks occurring when you're on FR-- that is probably just a coincidence. How much of your time is spent on FR vs other sites when you're connected to the Internet?
Also, a number of these warnings can be attributed to a failed www connection. See "False Positives". On some image-laden threads, your web browser may make dozens of www connections (one for each image on the thread.) Most of those connections go to other machines, some of which may be under stress and failing connections.
And, btw, your IP address will be leaked to other websites if you download images off those websites. It is easy enough for that to happen on FR, all one has to do is visit a thread with an image hosted on another website. Most images aren't downloaded from FR, and anybody can post a link to an image. This is not unique to FR, it is a fact of HTML life. If you are truly concerned, you can surf the Internet with images disabled, but really, there isn't much anybody will do with any random IP address they find downloading an image (especially when thousands of hits are recorded each day.) [BTW--people--don't link in images that are hosted on other people's servers unless you have permission.]
We have no software hosted on our machines (IP range 209.157.64.193-209.157.64.254) that will probe your machine when you contact FR. The absolute most that will probably never happen is an ICMP ping or traceroute from me if I'm tracing a network problem (I would likely pull a random address from FR's server, something I know is alive.) ICMP pings are very similar to sonar pings (measures roundtrip time of the "ping") and traceroute lists the network routers between two locations.
We keep our machines clean, there are no third parties messing around, no trojans on our site. We employ several mechanisms to verify the integrity of the system to ensure nobody is fooling around. We keep the software up-to-date with the latest patches as soon as they are made available. I keep an eye on the security portals that note "zero-day exploits." The number of network services we do run is minimal, there isn't much to exploit.
Man-in-the-middle attacks, where a hacker compromises a machine between you and the server, are incredibly rare and difficult. Almost all machines between you and the server are dedicated routers with little or no services to compromise. These are dedicated pieces of hardware with no other function than to move packets around, compromising one would be a difficult act, and the person that has the resources to do that is probably not going to be scanning personal computers.
Having said that, please do let me know if there is any suspicious activity, something that can be reproduced and that can be attributed to FR or any of my servers. Random occurrences are most likely meaningless, either coincidence or noise.
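The FAQ above describes a Trojan probe as a sweep for anybody already listening on the Trojan's port, and the thread's later posts point out that many personal-firewall alerts are really late packets from web servers you connected to yourself ("failed www connections"), not probes at all. The following is an added example, written for this page and not code from the FAQ's vendor, ZoneAlarm or the forum's administrator. It parses alert lines in the wording ZoneAlarm uses ("blocked traffic to port X on your machine from port Y on a remote computer whose IP address is Z") and sorts each source into one of four buckets: a sweep of a known Trojan port, a sweep of a common service port, a straggling reply to our own web connection, or a real multi-port scan. The port tables (NetBus on 12345/12346, Back Orifice on 31337, SubSeven on 27374, and the service ports) are this example's own assumptions from well-known defaults; the page itself names only port 1433. The sample alerts are constructed apart from the one quoted in the thread.

```python
"""Sort personal-firewall block alerts into probe types (added example)."""
import re
from collections import defaultdict

# Assumed port tables, not taken from the page: default listener ports of
# old remote-access trojans, plus a few services that are swept constantly.
TROJAN_PORTS = {12345: "NetBus", 12346: "NetBus", 31337: "Back Orifice",
                27374: "SubSeven"}
SERVICE_PORTS = {1433: "MS SQL Server", 135: "MS RPC", 139: "NetBIOS",
                 445: "SMB"}
WEB_PORTS = {80, 443}      # remote ports of web servers we connect to
EPHEMERAL_MIN = 1024       # local ports a browser picks for outbound connections
SCAN_THRESHOLD = 5         # distinct local ports from one source => port scan

# Matches the sentence ZoneAlarm prints in its alert details.
ALERT_RE = re.compile(
    r"blocked traffic to port (?P<lport>\d+) on your machine from port "
    r"(?P<rport>\d+) on a remote computer whose IP address is "
    r"(?P<rip>\d{1,3}(?:\.\d{1,3}){3})")


def parse_alert(line):
    """Return (remote_ip, remote_port, local_port) for one alert line, or None."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    return m["rip"], int(m["rport"]), int(m["lport"])


def classify(lines):
    """Return {remote_ip: (label, detail)} for every source seen in the alerts."""
    alerts = [a for a in map(parse_alert, lines) if a is not None]

    # First pass: how many different local ports did each source touch?
    local_ports_by_src = defaultdict(set)
    for rip, _, lport in alerts:
        local_ports_by_src[rip].add(lport)

    verdicts = {}
    for rip, rport, lport in alerts:
        touched = local_ports_by_src[rip]
        if len(touched) >= SCAN_THRESHOLD:
            # One host walking through our ports is a scan, whatever the ports.
            verdicts[rip] = ("scan", "%d distinct local ports: %s"
                             % (len(touched), sorted(touched)))
        elif rip in verdicts:
            continue  # keep the first verdict for a non-scanning source
        elif lport in TROJAN_PORTS:
            # The sweep the FAQ describes: "is anybody already infected here?"
            verdicts[rip] = ("trojan-probe", "%s listener check; harmless unless "
                             "that trojan is already installed" % TROJAN_PORTS[lport])
        elif lport in SERVICE_PORTS:
            verdicts[rip] = ("service-probe", "sweep for %s" % SERVICE_PORTS[lport])
        elif rport in WEB_PORTS and lport >= EPHEMERAL_MIN:
            # Server port -> our ephemeral port: a late reply to a connection we
            # opened ourselves, the "failed www connection" false positive.
            verdicts[rip] = ("late-web-reply", "server port %d to our ephemeral "
                             "port %d; probably a reply to our own connection"
                             % (rport, lport))
        else:
            verdicts[rip] = ("noise", "single unsolicited packet to port %d" % lport)
    return verdicts


SAMPLE_ALERTS = [
    # The alert quoted in the thread above.
    "ZoneAlarm blocked traffic to port 1433 on your machine from port 2447 "
    "on a remote computer whose IP address is 202.29.21.4.",
    # Constructed: a NetBus sweep of the kind the FAQ describes.
    "ZoneAlarm blocked traffic to port 12345 on your machine from port 4132 "
    "on a remote computer whose IP address is 192.0.2.10.",
    # Constructed: a straggling packet from a web server we had connected to.
    "ZoneAlarm blocked traffic to port 3027 on your machine from port 80 "
    "on a remote computer whose IP address is 198.51.100.7.",
] + [
    # Constructed: one host trying several of our ports in turn.
    "ZoneAlarm blocked traffic to port %d on your machine from port 5100 "
    "on a remote computer whose IP address is 203.0.113.5." % p
    for p in (21, 22, 23, 25, 110)
]

if __name__ == "__main__":
    for rip, (label, detail) in classify(SAMPLE_ALERTS).items():
        print("%-15s %-15s %s" % (rip, label, detail))
```

Only the "scan" bucket is worth a second look; the other three are exactly the background noise the thread describes. The ephemeral-port test is deliberately loose (anything above 1023), because the point is to stop worrying about packets from port 80, not to identify the browser that opened the connection.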