2 port scans then an application hijack

deadman_uk

My Sygate firewall for the past 3 nights keeps coming up with the message "port scan attack detected".

Today it came up again, twice, but a different IP this time. The IP is 213.118.92.167.

After doing some research I found out this info....

% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum: 213.118.64.0 - 213.118.159.255
netname: TELENET
descr: Telenet Operaties N.V.
country: BE
admin-c: PS396-RIPE
tech-c: PS396-RIPE
status: ASSIGNED PA
mnt-by: TELENET-DBM
mnt-lower: TELENET-DBM
changed: [email protected] 20020418
source: RIPE

route: 213.118.0.0/15
descr: TELENET
origin: AS6848
mnt-by: TELENET-OPS-MNT
changed: [email protected] 20010523
source: RIPE

role: Technical Internet
address: Telenet Operaties N.V.
address: Liersesteenweg 4
address: B-2800 Mechelen
address: Belgium
e-mail: [email protected]
trouble: IMPORTANT: To report intrusion attempts, hacking,
trouble: IMPORTANT: spamming, or other unaccepted behavior
trouble: IMPORTANT: by a Telenet/Pandora customer, please
trouble: IMPORTANT: send a message to [email protected]
trouble: IMPORTANT: Voor het rapporteren van inbraakpogingen,
trouble: IMPORTANT: hacking, spamming, of ander onaanvaardbaar
trouble: IMPORTANT: gedrag van een Telenet/Pandora klant, gelieve
trouble: IMPORTANT: een bericht te zenden naar [email protected]
admin-c: TI346-ORG
tech-c: TI346-ORG
nic-hdl: PS396-RIPE
mnt-by: TELENET-DBM
changed: [email protected] 20000630
source: RIPE

And just a minute ago, Sygate firewall said it logged an application hijack attempt...

Application Hijacking has been detected
The application: C:\WINDOWS\system32\ntvdm.exe try to launch another application: C:\WINDOWS\system32\tracert.exe to go to remote host 213.118.92.167
 
do you really need ntvdm? or tracert?
http://www.iamnotageek.com/a/ntvdm.exe.php


RAMPANT PARANOIA 101
specifically

protect or remove: arp.exe \ at.exe \ cacls.exe \ cmd.exe \ Command.com \ cscript.exe \ debug.exe \ edit.com \ edlin.exe \ finger.exe \ ftp.exe \ pconfig.exe \ Issync.exe \ nbtstat.exe \ net.exe \ Net1.exe \ netstat.exe \ netsh.exe \ nslookup.exe \ ping.exe \ posix.exe \ qbasic.exe \ rcp.exe \ regedit.exe \ regedt32.exe \ regini.exe \ rexec.exe \ rsh.exe \ route.exe \ Runas.exe \ runonce.exe \ telnet.exe \ tftp.exe \ tracert.exe \ Tlntsvr.exe \ wscript.exe \ xcopy.exe
remove the .reg file association from the registry editor
these all make it much harder for someone that has already compromised your computer
if there is a brain behind the attack (a hack or trojan) then they would need to re-enable these if they can, which might tip their hand; the same goes for an automated attack like a worm, if it could manage it at all, and many more minor pieces of malware\spyware rely on some of these for infection, or more accurately reinfection, like runonce.exe, regedit, etc., or as the vector for infection in more serious malware like ftp or telnet
 
simply leaving them where they are but renaming them would prevent anyone (or any application) from using them

ntvdmold.exe
tracertold.exe

it seems as if your firewall is working but not actually masking your existence
but you're concerned that someone seems to be trying to kick the door in
you could employ a hardware NAT firewall; you can even build one out of an old PC
something (a port) is leaking that you're there, and someone has your IP
 
I just ran a port scan from symantec security (http://security.symantec.com/ssc/sc...OLROCYAREWTXLGI) and it said this...

Network Vulnerability Scan
At Risk! Show Details
Hide Details

Scan Description:
Attempts to create a connection with, or test for access to your computer to see if unknown or unauthorized Internet communication is allowed.

Scan Results:
WARNING!! The scan was able to make a connection with your computer. This means that you could potentially be vulnerable to attack by malicious people who gain access to your computer and can potentially view, copy, delete, or modify data on your computer.

To Fix This Problem:

Install a personal firewall on your computer
If you have a firewall installed on your computer it may not be properly configured to make your computer invisible on the Internet

Ice czar, so if I find both

ntvdmold.exe
tracertold.exe

and rename them, I'm safe? But what would renaming them do? Renaming them would make both of these processes useless, won't it?
 
actually you listed their locations
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\tracert.exe
and you'd rename them to
ntvdmold.exe
tracertold.exe

but all that does is back up the block the firewall already made
(and potentially cause issues with any real app that tries to call on them, so note down what you do)
the fact your computer failed that port scan is the real concern
you want to be totally masked
I'd start with running the Microsoft Baseline Security Analyzer
and fixing any issues it sees

and identifying exactly which ports are being detected
a few more port scan services
http://radified.com/Articles/internet_security.htm
(scroll down)

past that you should consider the steps outlined in the Rampant Paranoia 101 link

get serious about your config and security audits
investigate setting up a dedicated Intrusion Detection box (advanced)
get a Hardware NAT Firewall (typical in most routers these days)

rampant paranoia 101


a personal checklist
---------------------------------------------------------------
install Service Pack and hotfixes
close the vulnerable NetBIOS ports and cleanup bindings
Configure IPSec
Restrict access to LSA info

disable unnecessary services

disable Guest account
setup my user account
rename Administrator account
create fake Administrator account (disabled)
enable network lockout of the true Administrator account

Limit the number of logon accounts

remove the "Everyone" group and replace with "Authenticated Users" shares
disable default hidden shares, administrative shares, IPC$


disable HTML in e-mail
disable ActiveX
disabling or limiting WHS\VB\Java\Java Scripts (install HTAstop, Script Defender, noscript.exe)
rename shscrap.dll to shscrapold;
Unhide File extensions, protected files, all files and folders


Enable Encrypted File System
Encrypt the Temp Directory
setup to clear the paging file at shutdown
lockdown the registry

disable dumpfile creation
remove insecure subsystems (OS/2 and POSIX)

protect or remove: arp.exe \ at.exe \ cacls.exe \ cmd.exe \ Command.com \ cscript.exe \ debug.exe \ edit.com \ edlin.exe \ finger.exe \ ftp.exe \ pconfig.exe \ Issync.exe \ nbtstat.exe \ net.exe \ Net1.exe \ netstat.exe \ netsh.exe \ nslookup.exe \ ping.exe \ posix.exe \ qbasic.exe \ rcp.exe \ regedit.exe \ regedt32.exe \ regini.exe \ rexec.exe \ rsh.exe \ route.exe \ Runas.exe \ runonce.exe \ telnet.exe \ tftp.exe \ tracert.exe \ Tlntsvr.exe \ wscript.exe \ xcopy.exe
remove the .reg file association from the registry editor
these all make it much harder for someone that has already compromised your computer
if there is a brain behind the attack (a hack or trojan) then they would need to re-enable these if they can, which might tip their hand; the same goes for an automated attack like a worm, if it could manage it at all, and many more minor pieces of malware\spyware rely on some of these for infection, or more accurately reinfection, like runonce.exe, regedit, etc., or as the vector for infection in more serious malware like ftp or telnet

Install and schedule trojan scanner, anti virus and intrusion detection
Install and configure Worm Guard

configure security policy control
enable auditing (logon, object, privilege, account management, policy, system)
set permissions on the security event log
set account lockout policy
assign user rights
set security options
configure firewall

Test
Run Baseline Security Analyzer (freeware)
> connect to the internet
Run NessusWX (freeware)

Do a remote Port Scan

Its extremely rare any one box would get all of those
but I consider all of them

--------------------------------------------------------------------------------------------------------------------------------
 
I ran Microsoft Baseline Security Analyzer; the only thing I did that it suggested was rename admin (which I did) and disable the guest account. I also disabled telnet in the services.

But it said stuff like install Office Service Pack 1 and stuff like that.

I renamed C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\tracert.exe to what you suggested, I hope I don't get any problems but if I do, I'll rename them back.

I made a new user account called Administrator and set it to disabled.

I also deleted the account EVERYONE and made a new account called Authenticated Users which I read. Not sure what the hell I'm doing but I did it now.

I got NessusWX but couldn't see how to use it or even load it. There is no exe at all.

Should I buy a router? I really am short of cash, I don't know what to do. How do I properly configure my Sygate firewall?
 
I still really need help, why am I getting 4 bad things on this test (http://www.securitymetrics.com/portscan.adp) and why are none of them stealth... all my friends have stealth!

http://homepage.ntlworld.com/stephanie.mirza/Ports/portscanlog.htm

Here are the 4 things that are open

SSH - Secure Shell (SSH) uses encryption to secure information sent over a network. While it typically improves security there are numerous problems with older versions of SSH which may allow brute force attacks.

DNS - Domain Name Services are used to tell other computers what your IP address is. There are several exploits associated with this service.

HTTP - World Wide Web services allow you to publish web pages to the Internet. There are hundreds of severe security vulnerabilities associated with this service. Keep your WWW server software updated.

HTTP Proxy - HTTP Proxy provides a way for a hacker to pretend to be your computer. Others who may have been hacked may see your computer address and want you to justify why you hacked them.

they are all on danger please someone help!

It listed possible fixes and for the SSH port 22, it said update to the latest SSH which I did, I downloaded SSH Secure Shell Client and installed it but it still comes up as danger.

For the DNS port 53, it said: right-click network icon & select properties \ right-click local area network icon & select properties \ select TCP for your NIC & click properties \ click advanced button \ click DNS tab \ remove check next to "Register this connection's address with DNS" - then disable DNS Client Service.

I did that but it still comes up as danger and the port is still open!
 
if I was you I would just spend a good $50 and get a NAT router.
problem solved...

www.computergeeks.com has refurb DI-614+ for $30, it's what I use. have been for 2 years.

~edit~ also try webwasher www.webwasher.com it makes EVEN IE run more secure than Firefox, if you turn all the options on. the 'trial' is free for personal use, and can be run on a server for up to 2 clients.
 
I live in the UK so prices are a lot more expensive than US prices. Not to mention the fact that just about everything over here has VAT added to it. So the prices go up from $30 to around $80

I don't see how making IE safer can help me but thanks
 
yup, if you're not behind a router then hacking your PC is A LOT easier.

sounds like your firewall is working as the other guys said, but go get a router asap.. if someone has your number and already tried to hack you then they are gunna try it again.
best to be nice and safe behind a router.
 
if you want I can show you the portscans and outright hack attempts on my machine. I host several websites, a forum, and a few game servers off my IP, and it gets literally blasted by this stuff. it's all safe and sound behind a very well trusted D-Link router. trust me, you want to get a NAT router that gets good reviews for being secure. the only vuln the 614+ has is that if you use older firmware and have DHCP enabled people can reboot it from the WAN side. that's it. I've got the new firmware that fixes it AND I don't believe in DHCP so hey, it's disabled ;)
 
I'm behind a router but I have to disable my SPI firewall so my FTP will work. but I still got all good reviews except the 1st, for Sygate telling me it can connect to my computer... I'm like Tell me something I don't know plz... I mean I have FTP, of course I need that open.
 
I don't know if a hacker tried to hack me, that's the thing, it could just be a program like Ad-Aware trying to gain access for an update or something.

I've closed port 1025 which was open, I blocked incoming traffic for that port. I have DiamondCS Port Explorer so I can see exactly what's going in and out, I'll monitor it for a few days and see what happens.
 
sorry I was away

1st > NAT Cheapseats > Linux Router Project step by step
If you head on over to the Operating System Forum > Linux Subforum and ask
there are quite a few other distros, but that one has pretty bulletproof instructions

2nd Nessus is a pretty advanced project, the client I linked requires you to set up a server\scanner as well > http://www.nessus.org/features/
it can be done on your computer and doesn't have to be remote, but you'll need to run it under Cygwin or UWIN(?)

damn, looks like you don't have to do that anymore :eek:
use NeWT 2.1 and NessusWX
(I know what I'll be doing tomorrow :p )

3rd I edited your post to conform to the rules
there is no substitute for keeping the OS patched, till you can you're vulnerable
period
if you can't afford what you have, learn linux ;)

4th if there is an SSH server on your box and you didn't install it
who did?
you running a secure remote administration or something? VNC?
 
Czar -

with the simple fact that he doesn't understand what's happening now, why even try to send him to a linux forum which isn't going to help him at all with Windows XP.

and telling him to learn linux is retarded. sorry big guy but it is.... linux is less secure than windows, yes you heard me right and you know I'm right too. the only way linux becomes air tight is if you go thru hours of setting up hardcore security.
and besides #2 - Windows can be just as secure as a tight linux box, it's just that only hardcore windows server admins know all the tricks, and that too takes hours to set up. and learn.

and learning linux sheesh boss,, what are you trying to do, give him a brain tumor and make him spend the next 5 years reading books and experimenting.

dude just go get a router and you will not have this problem anymore,, and you won't need that firewall cuz the router is your firewall..
 
No way I'm installing linux, I'm happy with windows.

What is SSH? I read if you install the latest SSH your port will be more secure but it doesn't seem that way.

I might get a router, but I don't know if I need one right now, I've had no more attacks recently.

thanks for the help guys, I've learnt a lot
 
You can find routers for 30 bucks and less... I would also recommend a router. I mean I saw in some Sunday paper ad from Best Buy a wireless 54g router for 24 dollars after rebates! you can't beat that.
 
Thank you, I've been saying that. a NAT router is the best option for 'end users' hands down. simple, easy protection.
 
I didn't say steve gibson was a security expert, I was saying that the port scan they provide is good insomuch as it scans a large number of ports quickly.
 
yah in IE with default settings :rolleyes: disable a setting or use a diff browser and you can't tell which ports are doing what.
 
v_lestat said:
Czar -

with the simple fact that he doesn't understand what's happening now, why even try to send him to a linux forum which isn't going to help him at all with Windows XP.

and telling him to learn linux is retarded. sorry big guy but it is.... linux is less secure than windows, yes you heard me right and you know I'm right too. the only way linux becomes air tight is if you go thru hours of setting up hardcore security.
and besides #2 - Windows can be just as secure as a tight linux box, it's just that only hardcore windows server admins know all the tricks, and that too takes hours to set up. and learn.

and learning linux sheesh boss,, what are you trying to do, give him a brain tumor and make him spend the next 5 years reading books and experimenting.

dude just go get a router and you will not have this problem anymore,, and you won't need that firewall cuz the router is your firewall..



because of what I edited out of his post, which had you been reading inbetween the lines you would have caught :p
 
LadyJaqie said:
yah in IE with default settings :rolleyes: disable a setting or use a diff browser and you can't tell which ports are doing what.
Wait, what? I just ran a scan with firefox and it worked exactly the same as IE.

Whatever, the point is moot and the suggestions provided are adequate. I was simply offering an alternative test to confirm his security when he finally gets some protection.
 
ah, ok. I've tried it with several others, and I disable one little thing in even IE and all the little 'pips' turn into red X's. I honestly don't know which of the myriad things I disable makes them disappear, but I really don't care. I know what's open and what's not in my router. IDENT is closed unless I blackhole it, any ports I forwarded are just that, and the rest are stealthed. pings are dropped or returned depending on which I set them to. Ahh, I love D-Link routers.
 
LadyJaqie said:
ah, ok. I've tried it with several others, and I disable one little thing in even IE and all the little 'pips' turn into red X's. I honestly don't know which of the myriad things I disable makes them disappear, but I really don't care. I know what's open and what's not in my router. IDENT is closed unless I blackhole it, any ports I forwarded are just that, and the rest are stealthed. pings are dropped or returned depending on which I set them to. Ahh, I love D-Link routers.

DI-614+ here for me... works like a charm :D

I do have an infatuation with sonicwalls though... so dern sexy!
 
LOLZ same router here.


all my specs and more of this server and my other systems can be found at my FoxenForums: http://foxenforums.mine.nu/
you're looking at the owner, superadmin, and proprietor. that case is the server of that and much much more! :cool:
 
deadman, people around here are correct, you need some sort of NAT router (really, just any old broadband router will do). Connecting directly to the Internet is scary enough for corporate servers, let alone a home Windows XP box with a host-based firewall. I personally will usually not help people who do not have a router for their home broadband connection. You could be very good at hardening your OS and applications, but you are still just putting your computer on the Internet, and that's just not good.

There are probably plenty of people on here who can do a remote nmap/nessus or just regular old port scan of your computer. We might not offer much help beyond that, but we can at least verify open ports and programs better than most web-based scanners can do. This does mean giving them your IP address though (www.whatismyip.com), so I suggest priv messages only, and not posting it on here for every kid to scan away at.

If you have a friend on the net with a Windows XP/2000 box, they can do it too. :) Tell them your IP as shown at www.whatismyip.com. Then have them check out SuperScan or a port scanner below.

Other suggestions for tools you could use:
SuperScan - port scanner from Foundstone that your friend can use. http://www.foundstone.com/index.htm...&subcontent=/resources/proddesc/superscan.htm
Advanced Port Scanner - Remote port scanner that your friend can use. http://www.download.com/Advanced-Port-Scanner/3000-2381_4-10127847.html?tag=lst-0-1
TCPView - This will tell you everything your computer is currently connecting to (or what is connecting to you!). Will also tell you what program is doing the accessing. Don't know what they are? Google them! http://www.sysinternals.com/ntw2k/source/tcpview.shtml
Active Ports - Lists all your active ports http://www.ntutility.com

Here are some other observations:

1) Sygate's firewall does have stealth (I believe, I use it myself on one box), but if it is allowing connections out for web, and you've allowed them, then stealth does you no good. Below you say HTTP and SSH and other connections are scannable. If the firewall is letting those out, then it's letting those out, stealth or not.

Find a manual on the Sygate home page for their firewall. Click Tools->Test Firewall or Tools->Applications to see more details on stuff. Sygate is a nice firewall for Windows (especially for ICS Windows boxes (don't ask if you don't know), but it is admittedly a bit more complicated and confusing than something like ZoneAlarm. I suggest reading up on it.

2) You say HTTP is coming up as open. Uhh, are you serving up web pages? I really hope not, because IIS with Windows XP is amazingly insecure. Please turn off IIS by going to Start->Control Panel->Add/Remove Programs->Windows Components, and uncheck IIS or Web Server. Reboot.

3) You say SSH is open. Do you know what an SSH client is? Is there a real reason you should be using it? If not, then YOU didn't put that SSH opening on your computer, someone else did. I would uninstall all SSH clients you have listed in Add/Remove Programs, and I would set that Sygate firewall to block that application or port. You can also click Start->Run-> type in "cmd" and press Ok. Then type "netstat -a" without the quotes into the command window, and press enter. This should list your open ports. You should see a port 22 LISTENING in there if you truly have SSH listening. Once it is uninstalled, it shouldn't be listening anymore.

4) You say you have DNS running? Follow the steps in Part 2, only replace IIS with DNS Server. I don't think XP can be a DNS server, but maybe it can. Maybe this is just referring to port 445...which you can only block using a real firewall or a router.

5) Renaming ntvdm and tracert will do you no good unless you know for certain that that was the way in. If you rename them, and they were not the vector a malicious attacker used to get in, then they can still get in.

6) You might want to check your system and see what accounts you now have. rt click My computer-> Manage-> expand Users and Groups-> click Users. Delete any you didn't put on (but leave things like IUSR or IWAM...removing IIS should remove those). Change your administrative and any other account passwords you have.

7) If you didn't put on SSH, if you see other accounts on your computer, if you see lots of connections you are not opening when you do netstat -a and you google up those ports and they alarm you, reformat your computer. Save what data you can, reformat, reinstall XP, and get a router. Once you have a computer that is owned or suspected owned, and you're not a forensics expert, you cannot trust your computer any longer.
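A way to work through items 3 and 7 above offline, added here as an example and not code posted by anyone in the thread: it parses constructed `netstat -a -n` output in the layout Windows prints, reports which listeners match the services the web scan flagged, lists the ones the scan did not mention (the ones to look up), and pulls out the remote hosts with established connections. Port 8080 for "HTTP Proxy" is an assumption, since the scan report named no port.

```python
"""Check `netstat -a -n` output against the services a port scan flagged.

Added example (not posted by anyone in the thread). To use on a real
machine, capture with `netstat -a -n > ports.txt` and pass the file's
text to flagged_services() and unexplained_listeners().
"""
import re

# Services the securitymetrics scan reported open, keyed by well-known
# port, plus 445 from item 4. Port 8080 for "HTTP Proxy" is an
# assumption: the scan report in the thread did not state the port.
FLAGGED = {
    22: "SSH",
    53: "DNS",
    80: "HTTP",
    8080: "HTTP Proxy (assumed port)",
    445: "microsoft-ds (SMB)",
}

# Constructed sample in the layout Windows `netstat -a -n` prints.
# Addresses are sample values; the remote IP is the one from the thread.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3102      213.118.92.167:22      ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:445            *:*
"""

# proto, local address, local port, foreign address, optional state
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def listening_ports(text):
    """Return a set of (proto, port) sockets that accept inbound traffic.

    TCP counts only in state LISTENING. UDP sockets carry no state in
    netstat output, so every bound UDP socket is reported as reachable.
    """
    found = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # header, blank line or anything else
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # outbound or half-open connection, not a listener
        found.add((proto, int(port)))
    return found


def flagged_services(text):
    """Listeners that explain the scan's findings: [(proto, port, name)]."""
    return sorted((p, n, FLAGGED[n]) for p, n in listening_ports(text)
                  if n in FLAGGED)


def unexplained_listeners(text):
    """Listeners the scan did not name; look these up before deciding."""
    return sorted((p, n) for p, n in listening_ports(text)
                  if n not in FLAGGED)


def established_peers(text):
    """Remote IPs that hold an ESTABLISHED TCP connection to this host."""
    peers = set()
    for line in text.splitlines():
        m = LINE.match(line)
        if m and m.group(1) == "TCP" and m.group(5) == "ESTABLISHED":
            peers.add(m.group(4).rsplit(":", 1)[0])
    return peers


if __name__ == "__main__":
    for proto, port, name in flagged_services(SAMPLE):
        print(f"{proto} {port:<5} {name}")
    print("unexplained:", unexplained_listeners(SAMPLE))
    print("established peers:", established_peers(SAMPLE))
```

Once a service is uninstalled, rerun the capture: the matching LISTENING line should be gone, which is the check item 3 describes.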
 
Ooo I missed that you had Port Exporter. Can't say I know that prog, but I might have to look for it, especially if it is easily made freeware. :)
 
LonerVamp, Port Explorer
think you should check it out, one of the few with features that might justify forking over some $$$

sort of depends on what you value
one of the features some members like is
"Bandwidth throttling allows you to restrict how much data a program or socket can receive or send."
but it's made by the folks that did TDS-3 and its main sales point is detecting possible trojans (which it highlights for those less experienced)

reviewed here > http://www.winnetmag.com/WindowsScripting/Article/ArticleID/40313/WindowsScripting_40313.html

personally I use my Firewall most of the time (Kerio) or Foundstone
but I've used most of those in your list at one time or another

there are also local host proxy apps like Naviscope; it can route everything through port 80 and mask the browser, but as you mentioned not foolproof, just another layer of deception and privacy
 