joe2987 @swbell.net
How can the average joe know when ur online?
hi i have this dilemma that has been going on for a while now, a couple of months, and i don't know what to do. it seems like every time i'm on the internet surfing i get bombarded with packets coming from different IP's and they all point to one port. i'm not a total newbie when it comes to this but not a guru; if there was a scale from newbie to guru, 1-100, i guess i would be at 15.
i've been trying to fix this problem for a while now, and i think that i have improved it, but haven't fixed it yet since i don't understand networking.
it seems like the person or persons that send me all these packets know when i'm online. for example i was watching tv right now with the computer on and everything was fine, but as soon as i started surfing the net my surfing slowed down and the connection dropped. i looked at my logs and saw inbound blocks to port 11025 in the 100's, mostly TCP but some UDP, and the packets started coming right after i started surfing; i looked at the log time. i am not concerned about ppl getting in my comp since i don't use the comp for banking or keep any personal info in it. it's just more of a pain in the arse.
i also notice blocks on ports 1026, 1027 coming from different IP's, some from china, others from Colombia, but i read somewhere that these r mainly messenger spam and those r spoofed addresses. these blocks happen 24/7.
my current configuration is
internet => 2wire bridge modem => monowall => switch => zone alarm pro
i have all outbound blocked except the needed ports like 80, 53, 445...etc. and i also have port explorer (http://www.diamondcs.com.au/portexplorer/) and packet sniffer (http://www.etherdetect.com/) and leave em on all day to see if something is phoning home, but i don't see anything bad, just microsoft updates. i have that disabled but it's still phoning microsoft; i don't know if this could be it but other than that nothing else. i checked the IP that the comp is phoning to and it belongs to microsoft updates, and confirmed it by typing it in the browser.
the other thing i could think of, if it's even possible, is when i use yahelite to chat and then they get my IP and bam! but i haven't been on it for a while now. also, i googled about this and read it's almost impossible when chatting because ur IP goes through chat servers unless u share files, then it would be like p2p where both comps talk to each other without yahoo servers in the middle, but then again the person who wrote the article could be wrong... so wat gives.
any insight will be much appreciated...
-so how can they know when i'm online?
-and what can i do about this?
-can they track me by knowing my mac address since it never changes?
-if yes, would changing the nic card help?
-can i report this to ppl who know how to take care of this?
this may be a lot to ask but if i can get some input on just one question that would be enough. thanx
aka Iceman (join:2007-02-11)
If your computer is infected...lets say with a trojan or bot or root kit......the hacker would be able to access these programs and use your computer.....or at the very least try to use the computer...(you may have the needed ports blocked...which any half-decent hacker could change) you failed to mention if you have run any scans such as virus or trojan...if not do so....and if you do not have the needed programs for such scans simply ask and someone will drop by with suggestions..... you mention ports being blocked...but I do not understand what you are meaning by this.....are you saying that certain ports have been seized....it is possible for a person to capture ports on another computer but to do so some form of trojan would need to be installed......
perhaps others here can offer you more help...in the mean time run those scans......and if you post back try to give a little more info on what programs you are using...such as virus and anti spyware...
best of luck
regards
jp10558 (Premium, join:2005-06-24, Willseyville, NY) reply to joe2987
First, let me point you at Wireshark for packet sniffing, and save you some money.
What does ZA show connecting out? Anything?
Please run some scans - see: »Security »I think my computer is infected or hijacked. What should I do?

joe2987 @swbell.net reply to aka Iceman
hello, this is a freshly installed windows xp with
-all the unneeded services disabled
-has Administrator Account Password similar to this *&%@!&^I&^%^&%&^!%@&%&^%!&^@%&$RI& set as auto login with microsoft tweakui
-guest account password set the same way as admin
-windows xp up to date
-many tweaks like this: 1) disable netbios over tcp/ip {no side effect unless u are using netbios names}
goto start--->control panel ---->network and internet connections
--->network connections
right click on your (local, whatever u use) connection and goto properties
right click tcp/ip, goto options, click on advanced and select the tab WINS, clear the disable netbios over tcp/ip checkbox.
2) While being there you might as well disable (better uninstall)
client for microsoft networks and file and printer sharing.
Really the only thing you need is tcp/ip (the standard internet protocol)
this might affect sharing files with icq or msn, aim etc, which is bad anyway. Kazaa and overnet file sharing programs remain unaffected by this
procedure.
3) Change your computer name to something less usual like an underscore
4) goto start ---> run and press browse
browse to C:\WINDOWS\system32\ddeshare.exe
and press enter, disable all mentioned shares present, like the hearts (port 135), blackjack etc, ever wondered where this port 135 comes from?
6) Regedit part
goto start--->run and enter "regedit"
before going any further make a backup of the registry by exporting the current registry settings under file--->export etc
goto HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Control\Lsa......restrictanonymous
double click on this reg key and enter the value 2
this totally disables null session enumeration (nobody can enumerate
accounts etc)
restrictanonymoussam should be at value 1, can't go to a higher value
7) goto
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services\LanManServer
click on the + in front of LanManServer and click on Parameters
on the right half of the regeditor double click on NullSessionPipes
Delete everything that's there as value
Same goes for lanmanworkstation
8) goto
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlset\Services\Tcpip\Parameters
double click on EnableIcmpRedirect and enter the value 0 (disabled)
same goes for DeadGwDetect
double click on EnableSecurityFilters and enter the value 1 (enabled)
export (save) your new registry settings to a floppy, for later use.
Security: Disabling services, Posix, and OS/2 Posted 6/6/2003 by TweakXP Member
Heed the following from Winguides' website:
"Disable OS/2 and POSIX Subsystems (Windows 2000/XP) To conserve system resources you may want to prevent the Windows session manager (SMSS) from loading any optional subsystems, such as OS/2 or POSIX. This tweak can be used to disable these optional subsystems.
"Warning: Make sure you use REGEDT32 to change this value. Using Regedit may cause the system to crash. Open your registry using REGEDT32 and find the key below.
"When the OS/2 and Posix sub-systems are enabled the value called "Optional" will be set to "Posix" or "OS2 Posix". To disable those sub-systems double-click on the "Optional" value and delete the "Posix" data in the window.
"Restart Windows for the change to take effect.
"Note: The benefits of not loading these subsystems can be increased memory and system resources."
Heed also the following from PC Magazine's website:
" POSIX. Windows XP still ships with a subsystem called POSIX, which allows the use of Unix commands. Disabling POSIX prevents hackers from using Unix commands against your system. Go to Run and type regedt32 (not regedit). Find HKEY_ local_machine\system\currentcontrolset\Control\Session Manager\SubSystems and click on the multistring called Optional in the right-hand pane. By default, the multistring's value will be POSIX; delete that value and leave the space empty (but don't delete the Optional multistring). Then click on the actual POSIX multistring in the same pane. Note that it points to a file in your Windows System32 directory called Psxss.exe. Delete that file using Windows Explorer, use the Registry Editor to delete the POSIX string, and then reboot."
Always back up your registry, and set a System Restore point, before applying these tweaks.
------------------------------------------------------------------------
sorry if i didn't explain myself correctly. by port blocks i mean they show in monowall firewall logs as attempts being blocked from WAN to LAN, example:
22:47:12.827803 WAN 221.208.208.101, port 58702 192.168.1.65, port 1026 UDP
22:46:58.642778 WAN 67.42.117.227, port 4100 192.168.1.65, port 23896 TCP
22:46:33.691718 WAN 70.94.9.251, port 60050 192.168.1.65, port 23896 TCP
22:46:32.011874 WAN 70.94.9.251, port 60019 192.168.1.65, port 23896 TCP
22:46:29.073616 WAN 70.94.9.251, port 60019 192.168.1.65, port 23896 TCP
22:46:18.601835 WAN 208.101.86.193, port 3334 192.168.1.65, port 13188 TCP
22:45:56.577176 WAN 67.42.117.227, port 3974 192.168.1.65, port 23896 TCP
22:45:41.367505 WAN 70.57.249.227, port 4221 192.168.1.65, port 23896 TCP
22:45:38.558555 WAN 67.42.117.227, port 3935 192.168.1.65, port 23896 TCP
22:45:38.447403 WAN 70.57.249.227, port 4221 192.168.1.65, port 23896 TCP
22:45:34.554141 WAN 70.57.249.227, port 4208 192.168.1.65, port 23896 TCP
22:45:22.210658 WAN 67.42.117.227, port 4655 192.168.1.65, port 23896 TCP
22:45:16.177350 WAN 67.42.117.227, port 4655 192.168.1.65, port 23896 TCP
22:45:13.049138 WAN 67.42.117.227, port 4655 192.168.1.65, port 23896 TCP
22:44:26.039775 WAN 70.94.9.251, port 63535 192.168.1.65, port 23896 TCP
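The monowall block log above is what a defender actually has to work with, and the question in the thread is whether these lines show one port being hammered from several sources (the knock-off-the-net pattern) or just scattered background noise. This is an added example, not code from the post or from m0n0wall: it parses lines in the format shown, groups them by protocol and destination port, and applies a rough label; the thresholds (3 sources, 5 hits, 5 minutes) and the 1026/1027 Messenger-spam rule are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample: a few of the m0n0wall "blocked WAN -> LAN" lines from the post above
# (widget residue stripped); format is: time iface src, sport dst, dport proto
SAMPLE_LOG = """\
22:47:12.827803 WAN 221.208.208.101, port 58702 192.168.1.65, port 1026 UDP
22:46:58.642778 WAN 67.42.117.227, port 4100 192.168.1.65, port 23896 TCP
22:46:33.691718 WAN 70.94.9.251, port 60050 192.168.1.65, port 23896 TCP
22:46:32.011874 WAN 70.94.9.251, port 60019 192.168.1.65, port 23896 TCP
22:46:18.601835 WAN 208.101.86.193, port 3334 192.168.1.65, port 13188 TCP
22:45:41.367505 WAN 70.57.249.227, port 4221 192.168.1.65, port 23896 TCP
22:44:26.039775 WAN 70.94.9.251, port 63535 192.168.1.65, port 23896 TCP
"""
LINE_RE = re.compile(
    r"^(?P<time>\d\d:\d\d:\d\d)\.\d+ \S+ (?P<src>[\d.]+), port \d+ "
    r"(?P<dst>[\d.]+), port (?P<dport>\d+) (?P<proto>TCP|UDP)$"
)

def parse_log(text):
    """Parse block-log lines into dicts; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m: entries.append(m.groupdict())
    return entries

def summarize(entries):
    """Group by (proto, dport): hit count, distinct sources, time span in seconds."""
    groups = defaultdict(list)
    for e in entries:
        groups[(e["proto"], int(e["dport"]))].append(e)
    summary = {}
    for key, hits in groups.items():
        times = sorted(datetime.strptime(h["time"], "%H:%M:%S") for h in hits)  # same-day only
        summary[key] = {"hits": len(hits),
                        "sources": sorted({h["src"] for h in hits}),
                        "span_s": int((times[-1] - times[0]).total_seconds())}
    return summary

def classify(key, stats):
    """Rough label (assumed thresholds): several sources hitting one high port within minutes is
    the pattern the poster describes; UDP 1026/1027 from scattered sources is Messenger spam."""
    proto, port = key
    if proto == "UDP" and port in (1026, 1027):
        return "messenger-service spam (background noise, sources often spoofed)"
    if len(stats["sources"]) >= 3 and stats["hits"] >= 5 and stats["span_s"] <= 300:
        return "concentrated flood on one port from several sources"
    return "isolated probe"
```

Run it over a day's export rather than a screenful: a port that stays "concentrated" across IP renewals is worth taking to the ISP, while 1026/1027 UDP noise is not.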
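The registry hardening steps earlier in this post (RestrictAnonymous, RestrictAnonymousSAM, NullSessionPipes, EnableICMPRedirect, EnableSecurityFilters) and the quoted advice on emptying the Session Manager "Optional" multistring are easy to get half-applied. This is an added example, not code from the post or from any of the quoted sites: it audits a Windows box against that checklist. The pure `audit()` function works anywhere; `read_registry()` needs the `winreg` module on the Windows host itself.

```python
import sys

# Expected state from the checklist above: (HKLM subkey, value name, expected value).
# An empty list means "multistring must be empty" (NullSessionPipes, Optional with Posix removed).
EXPECTED = [
    (r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous", 2),
    (r"SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymousSAM", 1),
    (r"SYSTEM\CurrentControlSet\Services\LanManServer\Parameters", "NullSessionPipes", []),
    (r"SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters", "NullSessionPipes", []),
    (r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "EnableICMPRedirect", 0),
    (r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "EnableSecurityFilters", 1),
    (r"SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems", "Optional", []),
]

def audit(observed):
    """Compare observed {(subkey, name): value} with EXPECTED; return a list of findings.
    A value that is not present at all is reported as missing, in checklist order."""
    findings = []
    for path, name, want in EXPECTED:
        if (path, name) not in observed:
            findings.append(f"{path}\\{name}: missing (expected {want!r})")
            continue
        got = observed[(path, name)]
        # REG_MULTI_SZ comes back as a list; an emptied value may also read as "".
        mismatch = (list(got) != want) if isinstance(want, list) else (got != want)
        if mismatch:
            findings.append(f"{path}\\{name}: got {got!r}, expected {want!r}")
    return findings

def read_registry():
    """Read the checked values from HKLM (Windows only); absent keys/values are left out."""
    import winreg  # standard library on Windows only
    observed = {}
    for path, name, _ in EXPECTED:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                observed[(path, name)] = winreg.QueryValueEx(key, name)[0]
        except OSError:
            pass
    return observed

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host being audited")
    for line in audit(read_registry()) or ["all checked values match the checklist"]:
        print(line)
```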
joe2987 @swbell.net reply to joe2987
OOPS! i hit post now by accident, sorry, but yeah the main thing i think is someone knows when i'm online and likes to knock me off the net because i get constant hits with many packets even if i renew my IP. and it's been going on for a while
joe2987 @swbell.net
Re: How can the average joe know when ur online?
sorry if i'm spamming, just trying to get my details across for a better diagnosis.
-my av is up to date
-spybot is up to date
-ad-aware up to date
-nothing in the OS is set to start at boot except AV and firewall
the main thing here is that someone knows when i'm online and likes to knock me off the internet by flooding my line.
joe2987 @sbcglobal.net reply to joe2987
sorry if i'm spamming, just trying to get my details out for better diagnosing. i'm sure the webmaster can delete this but yeah
did a scan this morning
-AV is up to date
-also spybot
-ad-aware too
-nothing is set to start at windows boot except firewall and AV
the main thing here is that i'm getting knocked off the net by the same ppl or person that knows when i'm online even if i change my IP, hence the questions in the first post.
my monowall has a similar password
*O&(*E^&^@%&*@QEW^QYUTW&^Q%E&^@%#$@%^$*%&^$#@(&*^*%#^%(&*&IUW

aka Iceman (join:2007-02-11) reply to joe2987
By the way....having a password for the ADMINISTRATOR ACCOUNT does not fully protect the computer....by default xp has the GUEST ACCOUNT.....and even if this account is so-called "turned off"...it actually can still be accessed.....this info is rarely mentioned..if ever...(its too late at night for me to give full details...time for bed).....so, if you are using XP Pro.....password protect the Guest Account.........on XP Home this can be done as well but would need to be done by way of making changes in the registry......off hand I do not recall the how to's and what for's on that registry change...but will see if I wrote it down somewhere. You may also consider locking "xp-autoadminshare" Oh....you again failed to mention what if any programs you have installed that will detect trojans.....you can install a free one if needed......anti virus also. About those Services changes you made....some I would have to question their actual value..if any....be careful you do not crash your computer....just a suggestion.
Before offering any real suggestions a person will need to know if you have an anti virus and anti spyware program(s) installed.......thereafter, then someone could suggest programs that may aid you.
Regards
joe2987 @sbcglobal.net reply to joe2987
holy crap!
my posts were not showing so i kept posting and now they are.
i apologize, i'm not used to posting on forums :):-P
aka Iceman (join:2007-02-11) reply to aka Iceman
oops...I just re-read your post...and noticed that you do have the Guest Account password protected.....sorry I did not notice that earlier
rstrandb (Premium, join:2003-04-17, Albany, GA, Mediacom) reply to joe2987
Sounds almost like a DOS (denial of service) attack. Do you have a static IP? If you are on a dynamic IP then shut down your router for say....half an hour, then restart so it should pick up a different IP address. -- Fight the war against secular progressives before the ideals that made this country great are lost forever
aka Iceman (join:2007-02-11) reply to aka Iceman
Ok...now I am seeing your posts.....and you did scan....and if you are not infected.....then it could just be some infected computer that is slamming you....you could contact your isp....and they may be able to change your present address.....
joe2987 @sbcglobal.net reply to joe2987
thanx, it's 8pm here so i still got at least an hr or so before catching sum Z's, so i'm going to do some reading at the link jp10558 suggested
joe2987 @sbcglobal.net reply to joe2987
my IP changes every 24hrs i think, i know it's not static. now that i remember, my sister's computer, which is connected to the same router, used to have trojans and microsoft messenger kept on starting on its own all the time, in other words it was infected. but i reinstalled windows on it, which brings me to another question.
if my sister's computer was infected and she was using it to do school work and save files on floppies and usb drives, could it be that before i did the windows reinstall some malware copied itself to the floppies or usb or any other media and then got back on the freshly installed comp through them??
aka Iceman (join:2007-02-11)
Hey Joe.....in response to your question about floppies.......depending on the type of virus/trojan....yes, floppies can get infected if they are not write protected....and yes those floppies can re-infect a computer.......this explanation could go into more details but its being kept simple....... Use your anti virus and anti spyware programs to scan the floppies......DO NOT OPEN THE FLOPPIES....just insert them into the drive then open My Computer...locate your floppy drive....and scan the floppy. Good Luck......
Regards