Summary Somebody has tried to access your machine with the "NetBus Trojan Horse" and failed.
Details
This is a common intrusion detected on the Internet, resulting from hackers looking for systems who might have been compromised with this program. It appears that you haven't been compromised, and that the hacker has gone away.
A Trojan program is one that has some subversive purpose other than what it looks like One of the favorite hacker techniques is to send these programs to people in the hopes they will be fooled into running them. Typical Trojans are those that steal passwords, install a virus, reformat your hard-disk, and so forth.
A particular popular class of Trojans are the Remote Access Trojans. These are programs that provide the hacker complete remote control over your machine. The problem for that hacker is that while they can often send you such Trojans via e-mail, chat, or news programs, they often don't know where on the Internet you are located. For example, they can tell from your e-mail that you use a certain ISP, but they don't know your current IP address. Therefore, if they think they've fooled you into running their program, they must then scan the entire ISP's range for you.
The flip-side to this means that if the hacker isn't after you, you will still see their scans as they search for their other victims. Likewise, the hacker may hope that some other hacker has hoodwinked you into running this Trojan. This means the hacker may be looking for anybody who might be compromised.
Trojan Horse probes are therefore very common. They aren't a cause for concern.
The page on TCP port probe has more information on probing machines for open ports like this. Please see that page for more details.
| port |
This indicates the TCP port that was probed. |
| reason |
The reason for the port probe. |
| Firewalled: |
the incoming TCP SYN or UDP frame was stopped by the firewall. |
| RSTsent: |
the incoming TCP SYN frame was rejected by the computer. |
| ICMPsent: |
the incoming UDP frame was rejected by the computer. |
| NOanswer: |
there was no response to the incoming SYN frame. |
|
Version appeared:
Privacy Policy | Copyright Info
1 posted on
10/18/2002 8:38:06 PM PDT by
vannrox
To: vannrox
Bump...
To: vannrox
I doubt this has anything to do with FR. Are you active on IRC or some file sharing systems that reveal your IP address?
Just reading (or even logging into FR) doesn't reveal your IP address to anyone. I find it difficult to believe that someone with access to the FR machine(s) would be probling users, so you must be doing something else at the same time.
To: vannrox
Looks like a scan of TCP ports to try to contact a trojan on your PC.
Should be no problem if it's not already there. However, you may wish to run a virus scan to see what results you get on your PC.
All IMO, naturally.
5 posted on
10/18/2002 8:48:41 PM PDT by
d101302
To: vannrox
I don't know if this is related, but last night when I first went to FreeRepublic the browser window opened up all grey and music (prince-little red corvette) started playing through my speakers. It was really weird. I also had a bunch of popups. As soon as I killed the popups I ctr-alt-del'd and had no problems after I got back online and went back to FR. In the instant before the screen went black on the reboot I noticed a little JAVA icon in my sys tray. I thought my computer had a brainfart, but I couldn't figure out why it playing a song that is not on my hard drive. Was I 'hit' or what?
11 posted on
10/18/2002 8:56:16 PM PDT by
thatdewd
To: vannrox
General FR Mills Alert.......
To: vannrox
I had something weird happen for two days running. I would log onto FR everything would seem fine, but every time I clicked on the "My Comments" icon I would get a pop up secuirty warning screen.
It said something on the order of, "You are attempting to view a page that has not been issued a security certificate"
When I clicked on "details", it said, ISNX5L7 is not a valid agent, certificate issued to F.E.M.A., there was a thumb print algorithem, signature algorithem, etc.
I have no idea what that was about, other than some agent or agency punched in the wrong id in issuing a certificate to F.E.M.A. and it wasn't valid. Eventually it stopped. I was advised that I had most likely gone to some place on the web and picked it up, but I had not surfed the web that I remember, or it could be some random packet that my computer picked up. Of course seeing the F.E.M.A. thing freaked me out a little.
To: vannrox
I have Zone Alarm. For the last two weeks I have been getting warnings about every 15 minutes while online.
The very second that I connect to the Net I get a warning.
Methinks some one is watching.
tbird1
19 posted on
10/18/2002 9:27:28 PM PDT by
tbird1
To: vannrox
I get pinged, so to speak, or probed on a regular basis. Could be from anywhere in the world. Zone Alarm keeps a log of them for me. The most unusual locations IMHO is from Fairfax, VA, and Universal Blvd in Denver, CO. I may see those the most often. When NATO was having their meeting in Italy earlier this year, I was probed by Tarranto Shipping in Italy (only time).
Personally, I believe the DNC still looks at my stuff. Also, probably keylogged by our friendly gov't snoops. Deny. Deny. Deny.
To: vannrox
A little over a year ago , when I was replying a lot to the TWA-800 SHOOTDOWN Cover-Up posts, (I thought it was terrorism, due to the 25-Knot speedboat that fled the seen, and James Kallstrom morphing the boat into a nebulous helicopter). Well I checked some of my BlackICE pings just for the heck of it throughh ARIN WHOIS at www.arin.net/whois. One number=164.190.200.3 came back as NCC.NCTS.NAVY.MIL
number 138.147.10.10 came back to GATE.NCTS.NAVY.MIL
all came under the umbrella as =DOD Network Information Center (JMCIS-BLOCK) Space and Navy Warfare Systems, Washington DC, 20363-5100.
I printed out a copy of it at the time and will gladly E-mail, or Fax it to any doubting Thomas who asks for a copy!!
I guess they found out I was a harmless poor ole soul from Ohio, and that was the end of them snooping.
23 posted on
10/18/2002 10:13:33 PM PDT by
timestax
To: vannrox
I looked at Zone Alarm and I got this at 12 AM CST:
ZoneAlarm has blocked access to port 1433 on your computer
ZoneAlarm has successfully stopped local network or Internet traffic from reaching your computer. No breach in your security has occurred. Your computer is safe. What happened?
ZoneAlarm blocked traffic to port 1433 on your machine from port 2447 on a remote computer whose IP address is 202.29.21.4. This communication attempt may have been a port scan, or simply one of the millions of unsolicited commercial or network control messages that are routinely sent out over the Internet. Such unsolicited messages are often called Internet background noise.
Should I be concerned?
This alert should not be a cause for concern. ZoneAlarm has protected your machine according to the firewall settings you have selected.
Might be a ping from msn, my ISP, or something FR server is doing--or a probe, as others have suggested.
To: vannrox
bump
26 posted on
10/18/2002 10:49:38 PM PDT by
timestax
To: vannrox
I've got 46 attacks since yesterday morning when I cleared my alerts. I get probed all the time and I usually ignore them, though I do check out who it is every now and then. I do keep my logs though.
To: vannrox; Jim Robinson; John Robinson
Jim and John,
You may want to take a look at this thread.
To: vannrox
Thanks for posting this.
To: vannrox
Yes, I also had those occurances. The most recent occurred after following a link to Jpost.com. Immediately after hitting the jerusalem post weblink, I was hit with close to 20 attempts to penetrate our desktop system, port scanned multiple times, and then probed.
These scans and probes were clearly linked to my hitting the jpost.com website. Using rDNS lookup based on our firewall log lead to us identifying the origins of the pings, fingers, probing, and scanning... it was jpost.com!
If you can post the IP address of the individual attacking your ports, I can do some rDNS work.
To: vannrox; Ernest_at_the_Beach; *tech_index
To: vannrox
Got what proved to be a false Virus attack while trying to reply to shermy last night.
I suspect his pal Bert is involved somehow.
To: All; American Preservative; bonesmccoy; browardchad; Cboldt; Cicero; d101302; dixiechick2000; ...
My personal theory is, these Windows firewall companies tune their software to a pointless level of sensitivity, and then flash pretty windows with technobabble during each "attack" in order to "show" their customers how many boogeymen are being denied access to their system because their software was installed. This is a marketing gimmick to make the customer feel "protected." I've been running a Linux firewall for years, and not once has it ever popped up a flashy window warning me about an ICMP ping, or UDP packet to port Kalamazoo. In truth, none of these "attacks" would have any affect, as they're all just random probes and other Internet noise.
Personal firewalls are more important in keeping traffic from going out of your computer than from coming in. When up pops a flashy window telling you Keylogger is trying to make a connection to the Internet, and you don't recognize Keylogger as being an authorized program on your computer, then you have something to worry about.
As for attacks occurring when you're on FR-- that is probably just a coincidence. How much of your time is spent on FR vs other sites when you're connected to the Internet?
Also, a number of these warnings can be attributed to a failed www connection. See "False Positives". On some image-laden threads, your web browser may make dozens of www connections (one for each image on the thread.) Most of those connections go to other machines, some of which may be under stress and failing connections.
And, btw, your IP address will be leaked to other websites if you download images off those websites. It is easy enough for that to happen on FR, all one has to do is visit a thread with an image hosted on another website. Most images aren't downloaded from FR, and anybody can post a link to an image. This is not unique to FR, it is a fact of HTML life. If you are truely concerned, you can surf the Internet with images disabled, but really, there isn't much anybody will do with any random IP address they find downloading an image (especially when thousands of hits are recorded each day.) [BTW--people--don't link in images that are hosted on other people's servers unless you have permission.]
We have no software hosted on our machines (IP range 209.157.64.193-209.157.64.254) that will probe your machine when you contact FR. The absolute most that will probably never happen is an ICMP ping or traceroute from me if I'm tracing a network problem (I would likely pull a random address from FR's server, something I know is alive.) ICMP pings are very similar to sonar pings (measures roundtrip time of the "ping") and traceroute lists the network routers between two locations.
We keep our machines clean, there are no third parties messing around, no trojans on our site. We employ several mechanisms to verify the integrity of the system to ensure nobody is fooling around. We keep the software up-to-date with the latest patches as soon as they are made available. I keep an eye on the security portals that note "zero-day exploits." The number of network services we do run is minimal, there isn't much to exploit.
Man-in-the-middle attacks, where a hacker compromises a machine between you and the server, are incredibly rare and difficult. Almost all machines between you and the server are dedicated routers with little or no services to compromise. These are dedicated pieces of hardware with no other function than to move packets around, compromising one would be a difficult act, and the person that has the resources to do that is probably not going to be scanning personal computers.
Having said that, please do let me know if there is any suspicious activity, something that can be reproduced and that can be attributed to FR or any of my servers. Random occurances are most likely meaningless, either coincidence or noise.
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson
