Posted: 3/9/2002 12:51:17 PM EDT
I have a PC and G4 which access the internet through a DSL router. I had Blackice on the PC and after it was behind the router the attacks graph flatlined. I hadn't paid much attention to security on it after that.

Now, a short time ago I happened to notice the traffic light on the ethernet port (PC) was going crazy. The computer was in screensaver and I checked running applications. Only the browser and virus were running, aside from the usual components (this was going on under the screensaver), but there are other system components I'm not familiar with.

I checked the hard drive light: blink, blink. I looked at the Blackice traffic and graphs. No attacks, but the traffic graph showed a moderate but uninterrupted flow of traffic across the ninety minute graph. It was not consistent with any browsing behaviour I've seen before.

Let's characterize normal browsing behaviour as short bursts using a few percent of bandwidth. A download will cause a spike ranging from 60 to 100% of bandwidth.

The graph I saw showed steady activity in the 15-30% range. Over a period of time, that's a huge amount of traffic.

The thing that is wigging me out aside from that behaviour is that I checked that graph again a couple of minutes later, and the traffic had disappeared from the graph. I don't mean the graph showed that the traffic had stopped (which it had). I mean the graph changed to show there never had been any traffic at all.

I've deleted Blackice BTW. ZoneAlarm now, but I'm leaving it off till I find out what's going on.
I know that if an application acts friendly, Blackice won't stop it from accessing the internet. So a trojan wouldn't have a hard time getting through. But getting a trojan on the system in the first place would be a real trick.

Here's the question. How concerned should I be about some exotic trojan downloading my hard drive and covering its tracks? I don't think I've done anything to make myself a high priority target for anyone, but this doesn't fit what I would expect from a random hack or virus.

How can I investigate my system to help find out what's going on?

Link Posted: 3/9/2002 1:02:57 PM EDT
[#1]
Link Posted: 3/9/2002 1:15:02 PM EDT
[#2]
Thanks. I've used ad-aware before and will again now. I can tell you there is no garden variety spyware out there that will send hundreds of megs out though.  

I also will do the standard checks, but this one is a little weird and I'd like to dig a little deeper to see what is going on.
Link Posted: 3/9/2002 4:26:02 PM EDT
[#3]
I've been experiencing the same thing lately. The internet traffic light going nuts without even a browser running. If you figure this one out, please post the story.
Link Posted: 3/9/2002 5:04:26 PM EDT
[#4]
Link Posted: 3/10/2002 7:47:13 AM EDT
[#5]
Lancelot, thanks for the tip on Ad Aware.  I just installed it and found some 160 items that needed deleting.  Since cleaning them out my browser performance has improved substantially.
Link Posted: 3/10/2002 8:00:35 AM EDT
[#6]
Opinion:   I have noticed this exact phenomenon since October. Never before. I suspect that all posters on gun and political pages are having their hard drives copied ( maybe only Outlook Express and user created document files)and then run through a search engine that identifies certain words like knife, gun, airplane, bomb, revenge etc. After scoring a high likelihood of terrorist activity it lands in a stack on someones desk in Quantico.
Link Posted: 3/10/2002 8:12:39 AM EDT
[#7]
Link Posted: 3/10/2002 8:13:25 AM EDT
[#8]
Where can I get Zone Alarm? It's $30.00 on Yahoo. I paid for a download of Blackice once, and it deteriorated quickly, and they wouldn't resend it.
Link Posted: 3/10/2002 8:22:20 AM EDT
[#9]
zonelabs.com, look for the ZoneAlarm download links (not Pro; you pay for Pro).
Link Posted: 3/10/2002 8:33:24 AM EDT
[#10]
I also do this for a living. I would install Zone Alarm now and then watch and see which items are looking for Internet access. You will probably be surprised at all the stuff that wants to go to the Internet.

We use a packet sniffer at work to monitor web access and get email headers. If you do not filter you get buried by all the things that are going on the network. However when things start acting weird, one of the first things I do is turn off all filtering and look at what is talking to who using which port and so on.

I have captured suspicious activity more than once using this method and it alerted me to ports that I needed to seal up on the Internet side.

I have a hardware firewall running NAT at home along with Zone Alarm. Occasionally I will make everything ask for access to the Internet, just to see what is going on.

Good Luck! Install that Zone Alarm now, and go read the articles at [url]www.grc.com[/url]. Steve is one of the best out there. He also has lots of neat little utilities that are helpful.

-elliott

Link Posted: 3/10/2002 8:39:30 AM EDT
[#11]
You guys are all paranoid.

:-)

Using a DSL router, you should enact its own logging capabilities. My Linksys will show incoming and outgoing traffic, source and destination IP and ports, and save them automatically to a file, using a syslog application that comes free with the router.

Not to mention, your software firewall should be logging each and every connection, not just alerts. Then you can tell exactly what this activity is.

Most of what I see are the stupid port scans from overseas wannabe hackers, setting up scanners to hit entire subnet ranges (big deal) and a lot of activity coming from my own ISP subnets of those using PCAnywhere and the like, which search for other machines using the built in discovery services. Again, big deal. They are actually hurting themselves, because this allows me to detect them, and attempt to control THEIR machines.

Anyway... lots of flashing lights does not necessarily mean lots of bandwidth, it means activity. You could be experiencing a port scan, experiencing traffic coming from someone else on your ISP network, or most likely, have some piece of software on your machine trying to update itself.

My antivirus product goes out and updates its sig files every day, then installs that new file. Sometimes I see all this activity, on my modem, and on my hard drive, and I wonder what is going on. Check the DSL router logs, and sure enough, an FTP session to auto-update.

99.9% of the traffic out there is not hostile... and all the hacker/virus stories just make people paranoid, IMHO

(not that that is a bad thing tho....)
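The two posts above both come down to the same advice: log every connection (router syslog or the software firewall) and then look at who is talking to whom, on which port, for how long. The added example below is not from any poster or router vendor; it parses constructed connection records in a made-up generic layout and flags the pattern the original poster described, a long, steady outbound flow to one host, while leaving short browsing bursts and a large inbound update download alone.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not any router vendor's real log format):
# "<date> <time> <IN|OUT> <src>:<sport> -> <dst>:<dport> <bytes>".
# Short web fetches, a big inbound FTP (AV update), one 45-minute upload.
SAMPLE_LOG = """\
2002-03-09 12:10:00 OUT 192.168.1.10:1034 -> 203.0.113.5:80 812
2002-03-09 12:10:00 IN 203.0.113.5:80 -> 192.168.1.10:1034 24500
2002-03-09 12:11:00 OUT 192.168.1.10:1035 -> 203.0.113.7:80 640
2002-03-09 12:11:01 IN 203.0.113.7:80 -> 192.168.1.10:1035 31000
2002-03-09 12:20:00 OUT 192.168.1.10:1040 -> 198.51.100.20:21 300
2002-03-09 12:20:05 IN 198.51.100.20:20 -> 192.168.1.10:1041 4200000
2002-03-09 12:30:00 OUT 192.168.1.10:1050 -> 192.0.2.99:9999 900000
2002-03-09 12:45:00 OUT 192.168.1.10:1050 -> 192.0.2.99:9999 950000
2002-03-09 13:00:00 OUT 192.168.1.10:1050 -> 192.0.2.99:9999 980000
2002-03-09 13:15:00 OUT 192.168.1.10:1050 -> 192.0.2.99:9999 910000
"""

LINE_RE = re.compile(
    r"^(\S+ \S+) (IN|OUT) (\S+):(\d+) -> (\S+):(\d+) (\d+)$")

def parse(log_text):
    """Yield one dict per record; lines that don't match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, direction, _src, _sport, dst, dport, nbytes = m.groups()
        yield {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
               "dir": direction, "dst": dst, "dport": int(dport),
               "bytes": int(nbytes)}

def sustained_outbound(log_text, min_minutes=30, min_bytes=1_000_000):
    """Return {(dst, dport): total_bytes} for OUT flows active for at
    least min_minutes that move at least min_bytes. Browsing bursts are
    short and small and the update is inbound, so only the upload trips."""
    first, last, total = {}, {}, defaultdict(int)
    for rec in parse(log_text):
        if rec["dir"] != "OUT":
            continue
        key = (rec["dst"], rec["dport"])
        first[key] = min(first.get(key, rec["time"]), rec["time"])
        last[key] = max(last.get(key, rec["time"]), rec["time"])
        total[key] += rec["bytes"]
    return {k: n for k, n in total.items()
            if (last[k] - first[k]).total_seconds() >= min_minutes * 60
            and n >= min_bytes}
```

On the sample it reports only the 192.0.2.99:9999 flow; a real router's export would need its own regex, but the per-destination duration and byte totals are what separate an auto-update from the steady drain the first post describes.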
Link Posted: 3/10/2002 8:49:13 AM EDT
[#12]
I am using a cable modem at home. Yes, I'm part of the orphaned @home user base. Although I must admit the local ISP guys really handled the transition well. But I digress...

I am almost constantly getting port scans on my modem. So for those of you who have nothing in place you should do something because sooner or later someone will come along who can get in and compromise your machine.

Like FALARAK said, 99% of it is benign.

-elliott

FALARAK, have you read about the latest DDoS attack on GRC.com? You might find it interesting if you are into preventing such things.

Link Posted: 3/10/2002 8:57:40 AM EDT
[#13]
How are you sure that all the hacker wannabes are overseas, there, FALARAK? When I had Blackice installed I caught a lot of American corporations in my dome. Microsoft controls it all!
Link Posted: 3/10/2002 9:16:34 AM EDT
[#14]
On XP, it freezes up when it starts on the C drive, so it doesn't look supported yet. XP is a pretty tight OS, and I've had no problems yet; then again, I'm also behind 2 firewalls as well as my own!
Link Posted: 3/10/2002 9:29:33 AM EDT
[#15]
I have used Zone Alarm; very good. You only need the free version. Do not pay or go through Yahoo. www.zonealarm.com. Now if you have Win 98 to ME or 2000, no problem. XP, some trouble, also with Ad Aware and XP.

I use a Linksys 4 port router, and stopped using Zone Alarm. Reason being the free version does not work properly with XP and Linksys. I sent Zone Alarm a letter and they said have to use Pro and Linksys. So now, Linksys has a download to get ZoneAlarm. When I bought the router and asked Linksys questions it was OH YOU ONLY NEED the router. Now all of a sudden it's ZoneAlarm Pro if you want to use.

If I were you, get a good antivirus. I use PcCillin 2000 on my ME. My Gateway, which I just got, has Norton. If you want, use Ad Aware. Someone told me Google and Yahoo support HCI... That is why I got a Gateway instead of Dell.
Link Posted: 3/10/2002 9:38:05 AM EDT
[#16]
Thanks for the tip about ad-aware.
Link Posted: 3/10/2002 10:29:47 AM EDT
[#17]
dump BlackICE and get ZoneAlarm.
Link Posted: 3/10/2002 11:12:58 AM EDT
[#18]
1) Do you use any instant messaging program?
2) Have you run Windows Update? (Do you have the critical updates installed?)
---a) MAKE SURE IE 6 IS UPDATED
---b) Make sure you've updated Windows Media Player
---c) Install all the security updates for XP
3) Do you run PWS, IIS or a program that installs Apache (like Oracle)?
4) Are you running any file sharing utils? (like Limewire, Kazaa, etc.)
5) Are you running any distributed computing software?

Another thing you might want to be aware of: XP is set up by default to phone home if you have system problems (like IE crashing), to check for updates and for several other more obscure reasons. Make sure you have that stuff turned off.
Link Posted: 3/10/2002 11:25:55 AM EDT
[#19]
I'm running Ad-Aware on XP and haven't had any problems; works like a champ. Thanks for the info on ZoneAlarm.
Link Posted: 3/10/2002 11:37:21 AM EDT
[#20]
Actually, I just found a really cool firewall called NeoWatch (available from neoworx.com, mcafee.com or webattack.com).

It's not as difficult to set up as ZoneAlarm and it has a really cool "trace" feature that lets you see where the intrusions are coming from on a map. Nifty! If not all that helpful. Then again, some little hacker kid might get spooked if he runs a scan and then sees a traceroute pinging him back.
Link Posted: 3/10/2002 12:56:40 PM EDT
[#21]
Quoted:
Then again, some little hacker kid might get spooked if he runs a scan and then sees a traceroute pinging him back.
View Quote


You can do that but one of the neat things about most firewalls is that they hide the fact that you even exist at all.  If you are using a program that automatically traces back to the source, that source would know that you really do exist.  I always use an off network location to trace back on any suspicious traffic sources.  If your ISP provides shell access to you, you can most likely use tools they provide from shell to ping or trace an IP hiding your true location.
Link Posted: 3/10/2002 2:36:16 PM EDT
[#22]
If you get Zone Alarm, you might as well download Zone Log also. Keeps track of who, what, when, where is hitting you. And lets you research who's hitting you and gives an e-mail address. You will find Zone Log at [url]http://zonelog.co.uk[/url].
Borg

edited to make link good
Borg
Link Posted: 3/10/2002 3:22:06 PM EDT
[#23]
Quoted:
Zone Alarm is by far the best off the shelf firewall you can get, and the free version is as good as any other out there.

Open a browser and do a search for "Ad Aware" it is a free application that searches your PC for "Spy Ware."
View Quote


I just downloaded and installed both Zone Alarm and Ad Aware.  The Ad Aware scan indicated 44 spyware items.  Zone Alarm indicated 2 hits in the last 10 minutes.  What an eye opener!
Link Posted: 3/10/2002 3:23:48 PM EDT
[#24]
Link Posted: 3/10/2002 3:31:14 PM EDT
[#25]
Link Posted: 3/10/2002 3:44:36 PM EDT
[#26]
Quoted:
...it has a really cool "trace" feature that lets you see where the intrusions are coming from on a map...
View Quote


Sounds nice, but other than looking cool, would it actually do any good?  I guess you hinted at that issue.

If someone is going through one of those proxy services, wouldn't you run into a dead end?

I'd also have to wonder about the reliability of the information being mapped.  Suppose you would trace back to an ISP in Chicago.  How would we know physically where the particular server was that the suspicious activity was coming from?

Or suppose we tried to report the activity to the authorities or to the host where the problem seemed to be originating from.  I think we'd have to convince them that some serious damage or intrusion was being done in order for them to get interested in helping.

From what I remember of "Cuckoo's Egg", Clifford Stoll had a hell of a time getting any kind of help, and it was only because he was (rightfully) obsessed with tracing the activity that he was EVER able to get the government to do anything about it.

This is not to say I wouldn't like to know what all that hard drive activity is about, but for me the learning curve would be so great it would be extremely difficult for me to make any sense of it all, especially when the bad activity is mixed in with so much of the everyday stuff.
Link Posted: 3/10/2002 4:28:05 PM EDT
[#27]
the link above doesn't seem to work, so I'll see if I can do any better.
[url]https://grc.com/x/ne.dll?bh0bkyd2[/url]
Borg
Apparently, you can't go directly to that link because it's a secured page, so I'll do another: [url]http://grc.com/lt/leaktest.htm[/url]. Go down to the bottom and you'll see a link to "Shields UP!" and there you'll find the tests for shields AND ports.
Borg
Link Posted: 3/10/2002 6:11:49 PM EDT
[#28]
Link Posted: 3/10/2002 6:15:59 PM EDT
[#29]
Link Posted: 3/10/2002 6:37:40 PM EDT
[#30]
Do not trust GRC!

Check out http://www.grcsucks.com and http://www.attrition.org

Get an older system, load Linux on it (RedHat and/or Mandrake is what I use) and learn about TCP wrappers, ipchains, iptables, SWATCH, Bastille, SAINT, CHEOPS, Snort, NMap, BIND and CHROOT jails.

It's not as difficult as others make it seem.  Linux is pretty nice, you just have to invest a little time into it and then maintain it.

I have very little experience with the OS, but have set up FTP servers that have a 99.9% uptime and not one successful crack to date.  I have used network tools to scan for vulnerabilities on the network and set up an IDS all for free.  Some companies will charge you around $1,000 to do the same on Windows.

Since introducing the above to my company we have gone from a Windows only environment to a hybrid setup that will be introducing two more Linux servers in the near future.

Link Posted: 3/10/2002 9:41:27 PM EDT
[#31]
Quoted:
Hmmm. My link works fine. I went to the site and copied the link.

[url]https://grc.com/x/ne.dll?bh0bkyd2[/url]
View Quote

Try clicking on your link, I still can't get through it. I think it's because it's a secured page. I did the same as you, I went to the page and copied the address and pasted it here, and couldn't get through mine either.
Borg
Link Posted: 3/11/2002 6:46:02 AM EDT
[#32]
Link Posted: 3/11/2002 6:52:55 AM EDT
[#33]
Link Posted: 3/11/2002 7:21:57 AM EDT
[#34]

What's wrong with Blackice now? I thought they solved the issues. Oh, and can you run ZoneAlarm and Blackice together? For those of us with tinfoil hats [D:]

Link Posted: 3/11/2002 1:29:29 PM EDT
[#35]
Quoted:
You guys are all paranoid.
99.9% of the traffic out there is not hostile... and all the hacker/virus stories just make people paranoid, IMHO

(not that that is a bad thing tho....)
View Quote


I happened to be at a friend's house in Florida. He had worked for IBM for years so knew a lot about 'puters'. As he was going through his registry I found a program called PTSNOOP.exe, did a search and found it was a remote access and password logging program. He nearly crapped himself.
Another friend made an enemy of a city detective LEO in the mid-west. I warned him of possible unauthorized access, and to be careful. The guy got into his computer and took what he wanted. The cop nearly shit himself when my buddy told him he was 'caught' and big trouble was around the corner. I would be very concerned as to safeguarding the contents of my/our hard drives.
Gib187th
Link Posted: 3/12/2002 9:52:47 PM EDT
[#36]
I don't seem to be able to get ahold of any logs, so other than investigating my system when I have the chance, I probably won't be able to have much more than that. One hole I found and closed was WAN admin access to my router. This allows a hacker, after he cracks the password, to get into your router and do things like ping your computers or see how many computers you have hooked up. I don't know, but this could be useful to attack beyond the router?