Posted: 3/9/2002 12:51:17 PM EDT
I have a PC and G4 which access the internet through a DSL router. I had Blackice on the PC and after it was behind the router the attacks graph flatlined. I hadn't paid much attention to security on it after that.
Now, a short time ago I happened to notice the traffic light on the ethernet port (PC) was going crazy. The computer was in screensaver and I checked running applications. Only the browser and virus scanner were running, aside from the usual components (this was going on under the screensaver), but there are other system components I'm not familiar with. I checked the hard drive light: blink, blink. I looked at the Blackice traffic and graphs. No attacks, but the traffic graph showed a moderate but uninterrupted flow of traffic across the ninety minute graph. It was not consistent with any browsing behaviour I've seen before. Let's characterize normal browsing behaviour as short bursts using a few percent of bandwidth. A download will cause a spike ranging from 60 to 100% of bandwidth. The graph I saw showed a steady activity in the 15-30% range. Over a period of time, that's a huge amount of traffic. The thing that is wigging me out aside from that behaviour is that I checked that graph again a couple of minutes later, and the traffic had disappeared from the graph. I don't mean the graph showed that the traffic had stopped (which it had). I mean the graph changed to show there never had been any traffic at all. I've deleted Blackice BTW. Zonealarm now, but I'm leaving it off till I find out what's going on. I know that if an application acts friendly, Blackice won't stop it from accessing the internet. So a trojan wouldn't have a hard time getting through. But getting a trojan on the system in the first place would be a real trick. Here's the question. How concerned should I be about some exotic trojan downloading my hard drive and covering its tracks? I don't think I've done anything to make myself a high priority target for anyone, but this doesn't fit what I would expect from a random hack or virus. How can I investigate my system to help find out what's going on?
I do this for a living, and although I can't tell you specifics about my network, I can tell you that we've experienced a lot of problems with users running Black Ice. We of course have both hardware and software firewalls in place, and with all that no network is ever completely safe.
Zone Alarm is by far the best off the shelf firewall you can get, and the free version is as good as any other out there. Open a browser and do a search for "Ad Aware"; it is a free application that searches your PC for "Spy Ware," applications that are dropped onto your hard drive and masquerade as cookies. They then report back to websites about your surfing activities, and trigger pop up or pop under windows. They're relatively harmless except that they do provide information as to where you've been and what you're looking at. The reason is to provide potential marketing information to web sites that gather such things. Ad Aware is free. Install it and it will search for any offending files on your machine. You can then clean them off. You'll have to do that on a regular basis depending on how much you surf. With Zone Alarm and a good virus program (I use Norton's) you should be okay. Remember that with Zone Alarm you decide who and what uses your PC. As a personal rule I never grant anything or anyone server rights. You also need to do a Windows update on a regular basis. There are new security patches being released daily for Outlook, Internet Explorer and Netscape. Keep them updated too. You can always do a control/alt/delete and look at what's running and what's sucking up your bandwidth. Lots of applications on your PC will access the internet without your knowledge, hence the need for Zone Alarm or something similar. Hope this helps.
Thanks. I've used ad-aware before and will again now. I can tell you there is no garden variety spyware out there that will send hundreds of megs out though.
I also will do the standard checks, but this one is a little weird and I'd like to dig a little deeper to see what is going on.
I've been experiencing the same thing lately. The internet traffic light going nuts without even a browser running. If you figure this one out, please post the story.
Anyone tried Ad-aware on XP yet? The FAQ says that some have done it, but it isn't supported in that version (later to come). So, anyone??
Thanx! WWoodworth
Lancelot, thanks for the tip on Ad Aware. I just installed it and found some 160 items that needed deleting. Since cleaning them out my browser performance has improved substantially.
Opinion: I have noticed this exact phenomenon since October. Never before. I suspect that all posters on gun and political pages are having their hard drives copied (maybe only Outlook Express and user created document files) and then run through a search engine that identifies certain words like knife, gun, airplane, bomb, revenge etc. After scoring a high likelihood of terrorist activity it lands in a stack on someone's desk in Quantico.
You learn a lot on this site. Thanks for the post. I just downloaded it.
Where can I get Zone Alarm? It's $30.00 on Yahoo. I paid for a download of Blackice once, and it deteriorated quickly, and they wouldn't resend it.
zonelabs.com, look for ZoneAlarm download links (not Pro; you pay for Pro).
I also do this for a living. I would install Zone Alarm now and then watch and see which items are looking for Internet access. You will probably be surprised at all the stuff that wants to go to the Internet.
We use a packet sniffer at work to monitor web access and get email headers. If you do not filter you get buried by all the things that are going on the network. However, when things start acting weird, one of the first things I do is turn off all filtering and look at what is talking to who using which port and so on. I have captured suspicious activity more than once using this method and it alerted me to ports that I needed to seal up on the Internet side. I have a hardware firewall running NAT at home along with Zone Alarm. Occasionally I will make everything ask for access to the Internet, just to see what is going on. Good luck! Install that Zone Alarm now, and go read the articles at [url]www.grc.com[/url]. Steve is one of the best out there. He also has lots of neat little utilities that are helpful. -elliott
You guys are all paranoid.
:-) Using a DSL router, you should enable its own logging capabilities. My Linksys will show all incoming and outgoing traffic, source and destination IP and ports, and save them automatically to a file, using a syslog application that comes free with the router. Not to mention, your software firewall should be logging each and every connection, not just alerts. Then you can tell exactly what this activity is. Most of what I see are the stupid port scans from overseas wannabe hackers, setting up scanners to hit entire subnet ranges (big deal) and a lot of activity coming from my own ISP subnets of those using PCAnywhere and the like, which search for other machines using the built in discovery services. Again, big deal. They are actually hurting themselves, because this allows me to detect them, and attempt to control THEIR machines. Anyway... lots of flashing lights does not necessarily mean lots of bandwidth, it means activity. You could be experiencing a port scan, experiencing traffic coming from someone else on your ISP network, or most likely, have some piece of software on your machine trying to update itself. My antivirus product goes out and updates its sig files every day, then installs that new file. Sometimes I see all this activity, on my modem, and on my hard drive, and I wonder what is going on. Check the DSL router logs, and sure enough, an FTP session to auto-update. 99.9% of the traffic out there is not hostile... and all the hacker/virus stories just make people paranoid, IMHO (not that that is a bad thing tho....)
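The original post describes a flat 15-30% outbound flow lasting most of a 90-minute window, and the replies above say to turn on router/firewall connection logging and look at "what is talking to who using which port". This added example (not code from the thread or from any router vendor) shows what that analysis looks like once the logs are in hand: it groups connection log lines into flows and flags the ones that run for a long time without pausing, which is what separates an unattended transfer from bursty browsing or a short antivirus update. The log layout, addresses, ports and byte counts are all constructed for the example; a real Linksys syslog line is laid out differently and would need its own parser.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

def parse_line(line):
    """Parse one line of the constructed layout; return None if it does not fit."""
    parts = line.split()
    # expected layout (constructed): date time direction src:port -> dst:port proto bytes
    if len(parts) != 8 or parts[4] != "->":
        return None
    src_ip, _src_port = parts[3].rsplit(":", 1)
    dst_ip, dst_port = parts[5].rsplit(":", 1)
    return {"ts": datetime.strptime(parts[0] + " " + parts[1], FMT),
            "dir": parts[2], "src": src_ip, "dst": dst_ip,
            "dport": int(dst_port), "proto": parts[6], "bytes": int(parts[7])}

def summarize_flows(lines):
    """Group outbound entries by (src, dst, dport, proto) and measure each flow."""
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dir"] == "out":
            flows[(rec["src"], rec["dst"], rec["dport"], rec["proto"])].append(rec)
    summary = {}
    for key, recs in flows.items():
        times = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[key] = {"entries": len(recs),
                        "bytes": sum(r["bytes"] for r in recs),
                        "duration_s": (times[-1] - times[0]).total_seconds(),
                        "max_gap_s": max(gaps) if gaps else 0.0}
    return summary

def sustained_flows(summary, min_duration_s=600, max_gap_s=120):
    """Flows lasting at least min_duration_s with no pause longer than max_gap_s.
    Bursty browsing and a short update download fail the duration test; a steady
    unattended transfer (the flat line in the original post) passes both."""
    return sorted(k for k, s in summary.items()
                  if s["duration_s"] >= min_duration_s and s["max_gap_s"] <= max_gap_s)

def make_sample_log():
    """Constructed sample log: documentation addresses, invented ports and sizes."""
    t0 = datetime(2002, 3, 9, 12, 0, 0)
    lines = []
    def add(offset_s, src, dst, nbytes):
        ts = (t0 + timedelta(seconds=offset_s)).strftime(FMT)
        lines.append(f"{ts} out {src} -> {dst} tcp {nbytes}")
    # bursty browsing: a few requests at 12:00 and again at 12:05
    for off in (0, 1, 2, 300, 301):
        add(off, "192.168.1.10:1034", "203.0.113.7:80", 1400)
    # antivirus-style update: a 40-second FTP burst, large but short
    for off in range(60, 101, 10):
        add(off, "192.168.1.10:1040", "203.0.113.9:21", 60000)
    # steady unattended flow: one entry every minute for 30 minutes
    for minute in range(31):
        add(minute * 60, "192.168.1.10:1050", "198.51.100.23:8888", 48000)
    lines.append("router booted")  # unrelated line; the parser skips it
    return lines

if __name__ == "__main__":
    summary = summarize_flows(make_sample_log())
    for key in sustained_flows(summary):
        s = summary[key]
        print(f"sustained: {key[0]} -> {key[1]}:{key[2]}/{key[3]} "
              f"{s['duration_s']:.0f}s, {s['entries']} entries, {s['bytes']} bytes")
```

Only the 30-minute flow is reported; the browsing bursts and the FTP update are short-lived and drop out, which is the same distinction the posters draw between "activity" on the lights and sustained bandwidth use.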
I am using a cable modem at home. Yes, I'm part of the orphaned @home user base. Although I must admit the local ISP guys really handled the transition well. But I digress...
I am almost constantly getting port scans on my modem. So for those of you who have nothing in place you should do something, because sooner or later someone will come along who can get in and compromise your machine. Like FALAKAR said, 99% of it is benign. -elliott
FALARAK, have you read about the latest DDOS attack on GRC.com? You might find it interesting if you are into preventing such things.
How are you sure that all the hacker wannabe's are overseas, there, FALARAK? When I had Blackice installed I caught a lot of American corporations in my dome. Microsoft controls it all!
On XP, it freezes up when it starts on the C drive, so it doesn't look supported yet. XP is a pretty tight OS, and I've had no problems yet; then again, I'm also behind 2 firewalls as well as my own!
I have used Zone Alarm; it's very good. You only need the free version. Do not pay or go through Yahoo. www.zonealarm.com. Now if you have Win 98 to ME or 2000, no problem. XP has some trouble, also with Ad Aware and XP.
I use a Linksys 4 port router, and stopped using Zone Alarm. Reason being the free version does not work properly with XP and Linksys. I sent Zone Alarm a letter and they said you have to use Pro with Linksys. So now, Linksys has a download to get ZoneAlarm. When I bought the router and asked Linksys questions it was OH YOU ONLY NEED the router. Now all of a sudden it's ZoneAlarm Pro if you want to use it. If I were you, get a good antivirus. I use PcCillin 2000 on my ME. My Gateway, which I just got, has Norton. If you want, use the Ad Aware. Someone told me Google and Yahoo support HCI... That is why I got a Gateway instead of Dell.
1) Do you use any instant messaging program?
2) Have you run Windows Update? (Do you have the critical updates installed?)
---a) MAKE SURE IE 6 IS UPDATED
---b) Make sure you've updated Windows Media Player
---c) Install all the security updates for XP
3) Do you run PWS, IIS or a program that installs Apache (like Oracle)?
4) Are you running any file sharing utils? (like Limewire, Kazaa, etc.)
5) Are you running any distributed computing software?
Another thing you might want to be aware of: XP is set up by default to phone home if you have system problems (like IE crashing), to check for updates and for several other more obscure reasons. Make sure you have that stuff turned off.
I'm running AD-AWARE on XP and haven't had any problems; works like a champ. Thanks for the info on ZoneAlarm.
Actually, I just found a really cool firewall called NeoWatch (available from neoworx.com, mcafee.com or webattack.com).
It's not as difficult to set up as ZoneAlarm and it has a really cool "trace" feature that lets you see where the intrusions are coming from on a map. Nifty! If not all that helpful. Then again, some little hacker kid might get spooked if he runs a scan and then sees a traceroute pinging him back.
Quoted: "Then again, some little hacker kid might get spooked if he runs a scan and then sees a traceroute pinging him back."
You can do that, but one of the neat things about most firewalls is that they hide the fact that you even exist at all. If you are using a program that automatically traces back to the source, that source would know that you really do exist. I always use an off network location to trace back on any suspicious traffic sources. If your ISP provides shell access to you, you can most likely use tools they provide from shell to ping or trace an IP, hiding your true location.
If you get Zone Alarm, you might as well download Zone Log also. Keeps track of who, what, when, where is hitting you. And lets you research who's hitting you and gives an e-mail address. You will find Zone Log at [url]http://zonelog.co.uk.[/url]
Borg edited to make link good. Borg
Quoted: "Zone Alarm is by far the best off the shelf firewall you can get, and the free version is as good as any other out there. Open a browser and do a search for "Ad Aware" it is a free application that searches your PC for "Spy Ware.""
I just downloaded and installed both Zone Alarm and Ad Aware. The Ad Aware scan indicated 44 spyware items. Zone Alarm indicated 2 hits in the last 10 minutes. What an eye opener!
Quoted: "I've been experiencing the same thing lately. The internet traffic light going nuts without even a browser running. If you figure this one out, please post the story."
As posted earlier, the "traffic light" is just showing network activity. It is fairly common for your PC and your ISP to exchange information off and on even if you are idle. It is also very common for ISPs to scan everything connected to them in an attempt to figure out who is connected. Some ISPs do this for security reasons, and some do it to measure usage. I know for a fact that Qwest will do this, and on the "lower end" price plans with DSL service they will drop the connection if you remain idle for too long. This way they save bandwidth by kicking off idle users to free it up for active users. It's even stated in some of their usage agreements. I can't agree more with the previous posts. Black Ice is okay, but causes more problems than it solves. The free version of Zone Alarm is all you need. The paid version doesn't offer much more in features, but grants you a license to use it on a multiple computer network. There is a web site that will test your PC security for free. The link escapes me at the moment, but the page title is "Shields Up". With Zone Alarm properly configured and running, your PC should be invisible to most of the hackers and attackers out there. If I can find the link I'll post it. Also don't forget to keep your virus software updated, and clean out your internet cache on a regular basis (e.g. cookies). All the files that get dumped on your machine while you're surfing take up space and impede performance. A good defrag is in order once every couple of weeks or so.
I found the link. To test how secure your PC is while its connected to the internet.... or anything else, go here:
[url]https://grc.com/x/ne.dll?bh0bkyd2[/url]
Quoted: "...it has a really cool "trace" feature that lets you see where the intrusions are coming from on a map..."
Sounds nice, but other than looking cool, would it actually do any good? I guess you hinted at that issue. If someone is going through one of those proxy services, wouldn't you run into a dead end? I'd also have to wonder about the reliability of the information being mapped. Suppose you would trace back to an ISP in Chicago. How would we know physically where the particular server was that the suspicious activity was coming from? Or suppose we tried to report the activity to the authorities or to the host where the problem seemed to be originating from. I think we'd have to convince them that some serious damage or intrusion was being done in order for them to get interested in helping. From what I remember of "Cuckoo's Egg", Clifford Stoll had a hell of a time getting any kind of help, and it was only because he was (rightfully) obsessed with tracing the activity that he was EVER able to get the government to do anything about it. This is not to say I wouldn't like to know what all that hard drive activity is about, but for me the learning curve would be so great it would be extremely difficult for me to make any sense of it all, especially when the bad activity is mixed in with so much of the everyday stuff.
The link above doesn't seem to work, so I'll see if I can do any better.
[url]https://grc.com/x/ne.dll?bh0bkyd2[/url] Borg
Apparently, you can't go directly to that link because it's a secured page, so I'll do another: [url]http://grc.com/lt/leaktest.htm[/url] Go down to the bottom and you'll see a link to "Shields UP!" and there you'll find the tests for shields AND ports. Borg
Hmmm. My link works fine. I went to the site and copied the link.
[url]https://grc.com/x/ne.dll?bh0bkyd2[/url]
The Shields Up test is for testing your ability to block incoming traffic. The leak test is designed to test your firewall and your ability to see traffic leaving your computer, or what applications are trying to access the internet. That can be helpful if you are trying to detect a virus. Remember that the new version of Norton's will also scan all outgoing email to ensure that you don't spread a virus. And since some viruses or worms will spread through email, here's a neat trick.
Put a new contact in your address book. Use the name: 000_ so that it will be at the top of the list. For an email address use: [email protected] - or you can just make one up, just be sure it's not real!
This is a bogus address and will come back to you as undeliverable. If suddenly you get this email back, then you know that something has been trying to access your email address book. This is usually a sign that a worm/virus has gotten in and is trying to access your email client.
Do not trust GRC!
Check out http://www.grcsucks.com and http://www.attrition.org
Get an older system, load Linux on it (RedHat and/or Mandrake is what I use) and learn about TCP wrappers, ipchains, iptables, SWATCH, Bastille, SAINT, CHEOPS, Snort, NMap, BIND and CHROOT jails. It's not as difficult as others make it seem. Linux is pretty nice, you just have to invest a little time into it and then maintain it. I have very little experience with the OS, but have set up FTP servers that have a 99.9% uptime and not one successful crack to date. I have used network tools to scan for vulnerabilities on the network and set up an IDS, all for free. Some companies will charge you around $1,000 to do the same on Windows. Since introducing the above to my company we have gone from a Windows only environment to a hybrid setup that will be introducing two more Linux servers in the near future.
Quoted: "Hmmm. My link works fine. I went to the site and copied the link. [url]https://grc.com/x/ne.dll?bh0bkyd2[/url]"
Try clicking on your link, I still can't get through it. I think it's because it's a secured page. I did the same as you, I went to the page and copied the address and pasted it here, and couldn't get through mine either. Borg
Quoted: "Hmmm. My link works fine. I went to the site and copied the link. [url]https://grc.com/x/ne.dll?bh0bkyd2[/url]"
Quoted: "Try clicking on your link, I still can't get through it. I think it's because it's a secured page. I did the same as you, I went to the page and copied the address and pasted it here, and couldn't get through mine either. Borg"
Well, try this: [url]grc.com/x/ne.dll?bh0bkyd2[/url]
I noticed an interesting thing here. I entered the URL as listed the first time. It works when typed into the address line, but doesn't work when you hit the link. Here's why. When you hit the link that is set up with the board code, it apparently defaults to a www prefix. As a result it inserts the mandatory http:// at the front. If you read the address bar when you hit the first link it begins with "https://". The address will never resolve that way. So when I posted it this time, I omitted the http:// from the front of the URL and it now works. Remember you're not stupid, your computer is!
What's wrong with Blackice now? I thought they solved the issues. Oh, and can you run ZoneAlarm and Blackice together? For those of us with tinfoil hats [D:]
Quoted: "You guys are all paranoid. 99.9% of the traffic out there is not hostile... and all the hacker/virus stories just make people paranoid, IMHO (not that that is a bad thing tho....)"
I happened to be at a friend's house in Florida. He had worked for IBM for years so knew a lot about 'puters'. As he was going through his registry I found a program called PTSNOOP.exe, did a search and found it was a remote access and password logging program. He nearly crapped himself. Another friend made an enemy of a city detective LEO in the mid-west. I warned him of possible unauthorized access, and to be careful. The guy got into his computer and took what he wanted. The cop nearly shit himself when my buddy told him he was 'caught' and big trouble was around the corner. I would be very concerned as to safeguarding the contents of my/our hard drives. Gib187th
I don't seem to be able to get hold of any logs, so other than investigating my system when I have the chance, I probably won't be able to have much more than that. One hole I found and closed was WAN admin access to my router. This allows a hacker, after he cracks the password, to get into your router and do things like ping your computers or see how many computers you have hooked up. I don't know, but this could be useful to attack beyond the router?