Free Republic
Browse · Search
News/Activism
Topics · Post Article

To: vannrox
Bump...
2 posted on 10/18/2002 8:43:16 PM PDT by tubebender
[ Post Reply | Private Reply | To 1 | View Replies ]


To: tubebender
My latest attack was a TCP probe..


Preface: TCP port probeLogo -Internet Security Systems

TCP port probe

advICE :Intrusions : 2003102
 FAQ
Oh my gosh, I'm being HACKED!!!
How do I report the hacker to my ISP?
I'm seeing lots of attacks, is this normal?
Summary

Somebody has tried to access your machine and failed.

Details

This is the most common intrusion detected on the Internet. This is so common because hackers do frequent wide-spread scans looking for one specific exploit they can use to break into systems. The typical hacker scans thousands or millions of machines in a typical scan. In other words, the hacker isn't targeting you personally. In particular, this event is generated upon failed attempts, so there is no reason to worry.

Probes like this result from "script-kiddies", hackers just above the skill level of trained monkeys. They download attack programs (called "scripts") from various sites on the net, then run them against millions of machines. There are thousands of script-kiddies out there, so if you have a always-on connection (cable-modem, DSL), then you can expect about one of these scans per day.

About 10% of these scans are from forged (spoofed) addresses. This means the indicated IP address in the attack is probably from the real attack, but a small percentage of the time the indicated person is completely innocent.

About 20% of these scans are from machines already compromised by a hacker. In other words, if you report this scan back to the originator, they may thank you, because you've discovered a hacked system on their network they didn't know about.

Information on reporting the hacker can be found in our support Knowledge Base article q000016.

Ports

A port is a point of entry into a system. Each program running on a system is reached through its own ports. You rarely see this detail because most port assignments are automatic. For example, most websites run at port 80 on a machine, so you never have to specify it yourself.

This means that if you see a TCP port probe for port 80, then a hacker is most likely testing your system to see if you've installed your own web server. The exact port the intruder probed for is listed on your system in the file "attack-list.csv".

False Positives

The system errs on the side of caution. When your machine attempts to connect to a remote site and fails, sometimes this alert will trigger. Carefully watch the source of the attack in case it is your own machine.

The system triggers on any failed connection. Some web-sites will attempt to contact your machine. For example, chat servers, FTP servers, and multimedia servers (video, audio) often open connections directed at your machine. If the firewall settings block this, then these will be reported as port probes.

 more information
advICE: ports  
A list of some common ports hackers might scan for.  
advICE: port scan  
Explains port scanning in depth, and describes the various types of port scans.  

 parametric information
port This indicates the TCP port that was probed.
reason The reason for the port probe.
Firewalled: the incoming TCP SYN or UDP frame was stopped by the firewall.
RSTsent: the incoming TCP SYN frame was rejected by the computer.
ICMPsent: the incoming UDP frame was rejected by the computer.
NOanswer: there was no response to the incoming SYN frame.
 
Version appeared: 1.8.5.5 

Privacy Policy |  Copyright Info
3 posted on 10/18/2002 8:45:43 PM PDT by vannrox
[ Post Reply | Private Reply | To 2 | View Replies ]

Free Republic
Browse · Search
News/Activism
Topics · Post Article


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson