A² Online-check Available Now
hayc59
January 28th, 2004, 09:18 PM
a² online check - any thoughts?
Hi,
We just finished the online check of a² today. I would like to invite everyone to try it:
http://onlinecheck.emsisoft.com/en
In fact the test does the following things:
1. Portscans of the well known ports (application and trojan ports)
2. Checks the browser for several hijackers and downloaders used by Dialers
3. Checks the Windows network if there are shares available to the internet.
4. Tries to collect as much information about you as possible and displays it.
5. Checks for enabled active scripting and other potentially dangerous browser technologies.
What do you think about it? Any suggestions or thoughts? What do you like or dislike?
Looking forward to your feedback,
Forum--->
http://forum.emsisoft.com/viewtopic.php?p=3547#3547
hayc59
January 28th, 2004, 10:13 PM
sorry and thanks for the move ;)
was not sure where to put it??
controler
January 28th, 2004, 10:21 PM
The first time I went to the site, I got in.
I have not been able to reach it since.
Either my system won't let me go there or the server is not able to handle the traffic :(
controler
Khaine
January 28th, 2004, 11:49 PM
Looks good Andreas :)
controler
January 29th, 2004, 06:55 PM
I think my IP has been blocked from this site. I still can't reach it >:(
Andreas Haak
January 29th, 2004, 11:39 PM
Can you ping onlinecheck.emsisoft.com? :)
Gary Gailey
February 9th, 2004, 09:45 PM
Hi,
A question regarding the online scanner?
What is the point of me dropping my firewall security to scan my computer, because if I do so it is bound to show open ports?
Because the firewall is not there to stop the port scans!
I am just working on the principle of the scan that is done on the GRC Gibson site.
Where that tests my computer with the firewall in place, which in turn tests both the firewall and my computer security.
LowWaterMark
February 9th, 2004, 09:52 PM
Well, while I rarely alter my security to test my security, there is a key point in such tests...
Some people do not know what services (or even malware programs) are running and listening on their systems. Many of the online tests (a² is not unique in this) do ask for security software to be disabled just to inform the user about what is running on their systems.
Yes, in some ways it is misleading, but in other ways it tells the users about just what their system is doing.
Whether a² is right in this or not, I can't say. But I will say what I always say - "it is better to know than not know." If you don't want to test this way, that's fine too of course. But some people do want to try this type of scan.
Andreas Haak
February 10th, 2004, 05:15 AM
And there is another important point. The online scan tries to be comprehensive. We always do a full connect portscan. That means:
The a² scan server connects to your ports and even tests if the service is a real service or not. For example, if it seems your port 21 is open, the test would try to figure out if it's a real FTP there and if it's able to log in anonymously.
This "comprehensive" testing has a big disadvantage:
If your firewall is in stealth mode (which means no RST packets are sent back if a port is closed) we have to wait for a timeout. This means:
The port scan can take 20 or 30 minutes (instead of 0.5 or 1 minute).
So everyone is advised to deactivate the firewall.
By the way:
LWM is exactly right. Especially 'cause packet filters can be easily fooled. There are some standard rules in nearly all firewalls' standard rulesets that permit traffic from port 53/tcp and 53/udp (DNS) or other ports used by DHCP or BOOTP for example. That makes it easy to circumvent the packet filter. Just be sure you send the packets from port 53 ;).
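The port-53 rule weakness described in the post above, as an added example that is not part of the original thread: a small Python model comparing a stateless "allow source port 53" rule with a stateful filter that accepts only the reply to a DNS query the host actually sent. The `Packet` type, the function names and all addresses are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "udp" or "tcp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


HOST = "192.0.2.10"          # constructed address of the protected PC
RESOLVER = "198.51.100.53"   # constructed address of the PC's DNS server


def stateless_allow_inbound(pkt: Packet) -> bool:
    """Weak rule: trust any inbound packet whose source port is 53."""
    return pkt.src_port == 53


class StatefulFilter:
    """Permit an inbound packet only as the reply to a query this host sent."""

    def __init__(self, resolvers):
        self.resolvers = set(resolvers)  # DNS servers the host really uses
        self.pending = set()             # (proto, resolver_ip, local_port)

    def outbound(self, pkt: Packet) -> None:
        # Remember outgoing DNS queries so the matching reply is recognised.
        if pkt.dst_port == 53 and pkt.dst_ip in self.resolvers:
            self.pending.add((pkt.proto, pkt.dst_ip, pkt.src_port))

    def allow_inbound(self, pkt: Packet) -> bool:
        key = (pkt.proto, pkt.src_ip, pkt.dst_port)
        if pkt.src_port == 53 and key in self.pending:
            self.pending.discard(key)    # one reply per recorded query
            return True
        return False


def compare():
    """Return {sample: (stateless_verdict, stateful_verdict)}."""
    fw = StatefulFilter([RESOLVER])
    # The PC sends one DNS query from local port 40000.
    fw.outbound(Packet("udp", HOST, 40000, RESOLVER, 53))
    samples = {  # constructed inbound packets, evaluated in this order
        "dns_reply": Packet("udp", RESOLVER, 53, HOST, 40000),
        "replayed_reply": Packet("udp", RESOLVER, 53, HOST, 40000),
        "probe_from_53": Packet("tcp", "203.0.113.7", 53, HOST, 1025),
        "wrong_local_port": Packet("udp", RESOLVER, 53, HOST, 1025),
    }
    return {name: (stateless_allow_inbound(p), fw.allow_inbound(p))
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (weak, strict) in compare().items():
        print(f"{name:17} stateless={weak!s:5} stateful={strict}")
```

Only the genuine reply passes the stateful filter, while the stateless rule admits all four packets because it looks at nothing but the source port.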
Gary Gailey
February 10th, 2004, 08:42 PM
Hi,
I followed your advice and disabled the firewall, and the Portscan result is below:
The following ports were identified as open on your PC:
Port 1025
These programs or services use this port by default:
Windows RPC, Scheduled Tasks
These Trojans or Malware files use this port by default:
NetSpy; Maverick's Matrix; RemoteStorm
Is this anything to worry about?
Also the other test results are below:
------------------------------------------------------------------------------------------
Security Check result:
No public information about your PC resp. your network could be determined.
---------------------------------------------------------------------------------------------
Exploit Test result:
No harmful ActiveX components were detected.
---------------------------------------------------------------------------------------------
Browser Check results:
Browser-Check:
Your browser configuration will be checked for risks now.
Visual Basic Script (VBScript) Test: VBScript is activated!
VBScript is not dangerous in general. But it is used by worm virus authors to embed harmful code in HTML emails. Ensure to have the latest security updates of your browser installed to stay protected against harmful VBScripts.
Secure ActiveX Test: Invocation of secure ActiveX controls is activated.
ActiveX controls are a kind of enhancement plugins for the browser (as e.g. the Flash plugin). The classification if an ActiveX control is secure or not is done by the developer of the control. So it is also possible that a secure control can contain insecure code. Please notice, that the online Windows-Update doesn't work without ActiveX controls.
Insecure ActiveX Test: Invocation of insecure ActiveX controls is deactivated.
Insecure ActiveX controls may contain harmful code and therefore they should be deactivated or set to prompt the user before running to block controls of Dialers, etc.
Internet Explorer makes a difference between signed and unsigned ActiveX controls. Always check controls with invalid signatures before you accept them and let them install on your computer.
------------------------------------------------------------------------------------
Can anyone explain please if these are good or bad results.
Many thanks in advance.
sig
February 10th, 2004, 10:30 PM
Looks OK, with the notes Andreas' site gives you.
I'm guessing you're running W2K or XP (NT family) and have disabled a number of the native services that hold ports open. 1025 is a port one would expect to see open on such systems. (I'm guessing perhaps you couldn't close all ports without also cutting off your internet connection if your ISP uses DHCP? At least some people say they can't close all ports without losing internet connectivity also.)
If you're running a W9X system, however, I'd check to see what was holding the port open. It would have to be some server or service or perhaps even malware.
Browser results are as expected for a default install of IE. Safest settings are to disable scripting and ActiveX but you will find that a lot of sites won't work properly since they rely on such stuff. What some people do is disable them in the Internet Zone and only put the really trusted websites that require ActiveX and scripting to function in the trusted zone where the security settings are lower.
Right now, perhaps the most common problems that hit the average user occur while they are surfing the net. (And not necessarily on "questionable" sites.) A lot of different kinds of spyware is installed via ActiveX while the user is just browsing the net. Enabling ActiveX essentially allows for programs to be installed by your browser without any prompt to the user. That could be good so you can see a flashy cool site the way it was intended. But it can be bad if you get some spyware that hijacks your browser to specific sites and craps up your system. (Check out the privacy section here where people are asking for help to get rid of spyware that installed itself to their machine without their knowledge.)
Scripting is another thing that can be good for site functionality as long as you don't hit the wrong site where someone's put a bad script that your browser will download as long as scripting is enabled.
Anyway, if you do continue to surf with ActiveX enabled, if you don't already you should use Spybot Search and Destroy and/or Adaware (both freeware) to check out your PC to see if there's anything that should be cleaned out. These programs do updates like AV's on occasion to add new spyware for detection and cleaning. Also, to help protect yourself against the installation of various kinds of spyware, etc you can install SpywareBlaster and SpywareGuard by Javacool. Free (donationware) programs that you only have to update occasionally as updates are issued. Check out Javacool's forum here at Wilders and there should be links to his site where you can download the programs.
I'm assuming you also run an AV and some AV's are now including some spyware apps in their databases....that's how bad it's gotten. You already have a firewall. So you're in better shape than some. ;)
Hope this helps.
Gary Gailey
February 13th, 2004, 08:55 PM
Hi,
I am using Windows XP Home (all updates installed), and also Ad-Aware, Spybot, SpywareBlaster, Spyware Guard, ID-Blaster and Mailwasher.
My anti-virus is AVG Free.
My firewall is Norton, and the Norton anti-virus is an on demand scanner for a second opinion.
I also use the GRC site for checking every so often to make sure all my ports are blocked.
And I have to use AOL for my internet connection.
iceni60
January 21st, 2005, 05:33 PM
I just found a link to this from another site and was going to start a new thread, but it has already been done. Thanks, Andreas - a² :)
spy1
January 25th, 2005, 11:58 AM
I thought the results running various browsers were interesting. (I've shortened this as much as possible - example: closed ports not shown, open ports descriptions not included, etc.).
This one for FireFox:
Starting a² Online-Check for IP 206.74.106.226 on 1/25/2005 3:44:10 PM
Portscan:
You computer is scanned for open ports now.
2140: open!
20034: open!
6667: open!
12345: open!
1243: open!
80: open!
27374: open!
31337: open!
23: open!
Security-Test:
Public available information about your PC resp. your network are collected.
Your IP address: 206.74.106.226
Your operating system: Windows XP
Your browser: Gecko
Full browser identification: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Browser languages: en-us, en;q=0.5
You did run the Online-Check 0 times before.
Public information about your IP address from the Whois Server:
Your PC resp. your network is contacted now and public information will be collected.
Note: This check may take up to a minute.
No public information about your PC resp. your network could be determined.
Exploit-Test:
Your browser will be checked for installed ActiveX components of Dialers, etc. now.
This test is only possible with Internet Explorer. So your computer seems to be secure against ActiveX components.
Browser-Check:
Your browser configuration will be checked for risks now.
Visual Basic Script (VBScript) Test: The VBScript-Test is only possible with Internet Explorer. So your computer seems to be secure against ActiveX components.
Secure ActiveX Test: The ActiveX Test is only possible with Internet Explorer. So your computer seems to be secure against ActiveX components.
Insecure ActiveX Test: The ActiveX Test is only possible with Internet Explorer. So your computer seems to be secure against ActiveX components.
a² Online-Check finished on 1/25/2005 3:45:07 PM
_________________________________________________________________
This one for IE running through Tor/Privoxy:
Starting a² Online-Check for IP 82.94.251.206 on 1/25/2005 3:55:32 PM
Portscan:
You computer is scanned for open ports now.
443: open!
80: open!
Security-Test:
Public available information about your PC resp. your network are collected.
Your IP address: 82.94.251.206
Your operating system: Windows XP
Your browser: MS Internet Explorer
Full browser identification: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Browser languages: en-us
You did run the Online-Check 0 times before.
Public information about your IP address from the Whois Server:
Your PC resp. your network is contacted now and public information will be collected.
Note: This check may take up to a minute.
No public information about your PC resp. your network could be determined.
Exploit-Test:
Your browser will be checked for installed ActiveX components of Dialers, etc. now.
IEAccess2 not found.
BCVoicePlugin not found.
TSCPlugin not found.
MoneyTreeDialer not found.
D9Dialer not found.
CABDialer not found.
SunInfoConnect.snConnect not found.
eConnect.eConn not found.
VLoading not found.
WebInstall not found.
Uloader not found.
ActiveInstall not found.
ActiveXDownload not found.
NTools.ActiveInstaller not found.
MaConnect not found.
xDiver not found.
WebPlugin_Class not found.
WebUpdate not found.
WSD not found.
IELoader not found.
Acceler8or not found.
No harmful ActiveX components were detected.
Browser-Check:
Your browser configuration will be checked for risks now.
Visual Basic Script (VBScript) Test: VBScript is activated!
Secure ActiveX Test: Invocation of secure ActiveX controls is deactivated.
Insecure ActiveX Test: Invocation of insecure ActiveX controls is deactivated.
a² Online-Check finished on 1/25/2005 3:56:14 PM
_________________________________________________________________
And then IE w/Tor/Privoxy/SocksCap:
Starting a² Online-Check for IP 216.17.104.17 on 1/25/2005 4:22:58 PM
Portscan:
You computer is scanned for open ports now.
443: open!
6667: open!
80: open!
53: open!
25: open!
22: open!
21: open!
Security-Test:
Public available information about your PC resp. your network are collected.
Your IP address: 216.17.104.17
Your operating system: Windows XP
Your browser: MS Internet Explorer
Full browser identification: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Browser languages: en-us
You did run the Online-Check 1 times before.
Public information about your IP address from the Whois Server:
Phatservers.net PHATSERVERS-NET1 (NET-216-17-104-0-1)
216.17.104.0 - 216.17.111.255
A1COLO.COM A1COLO (NET-216-17-96-0-1)
216.17.96.0 - 216.17.111.255
Your PC resp. your network is contacted now and public information will be collected.
Note: This check may take up to a minute.
No public information about your PC resp. your network could be determined.
Exploit-Test:
Your browser will be checked for installed ActiveX components of Dialers, etc. now.
IEAccess2 not found.
BCVoicePlugin not found.
TSCPlugin not found.
MoneyTreeDialer not found.
D9Dialer not found.
CABDialer not found.
SunInfoConnect.snConnect not found.
eConnect.eConn not found.
VLoading not found.
WebInstall not found.
Uloader not found.
ActiveInstall not found.
ActiveXDownload not found.
NTools.ActiveInstaller not found.
MaConnect not found.
xDiver not found.
WebPlugin_Class not found.
WebUpdate not found.
WSD not found.
IELoader not found.
Acceler8or not found.
No harmful ActiveX components were detected.
Browser-Check:
Your browser configuration will be checked for risks now.
Visual Basic Script (VBScript) Test: VBScript is activated!
Secure ActiveX Test: Invocation of secure ActiveX controls is deactivated.
Insecure ActiveX Test: Invocation of insecure ActiveX controls is deactivated.
a² Online-Check finished on 1/25/2005 4:24:04 PM
_________________________________________________________________
Opera:
Starting a² Online-Check for IP 206.74.106.226 on 1/25/2005 4:40:33 PM
Portscan:
You computer is scanned for open ports now.
2140: open!
20034: open!
6667: open!
1243: open!
80: open!
27374: open!
31337: open!
23: open!
12345: open!
Security-Test:
Public available information about your PC resp. your network are collected.
Your IP address: 206.74.106.226
Your operating system: Windows XP
Your browser: Opera
Full browser identification: Opera/7.54u1 (Windows NT 5.1; U) [en]
Browser languages: en
You did run the Online-Check 0 times before.
Public information about your IP address from the Whois Server:
Your PC resp. your network is contacted now and public information will be collected.
Note: This check may take up to a minute.
No public information about your PC resp. your network could be determined.
Exploit-Test:
Your browser will be checked for installed ActiveX components of Dialers, etc. now.
This test is only possible with Internet Explorer. So your computer seems to be secure against ActiveX components.
Browser-Check:
Your browser configuration will be checked for risks now.
Visual Basic Script (VBScript) Test: The VBScript-Test is only possible with Internet Explorer. So your computer seems to be secure against ActiveX components.
Secure ActiveX Test: The ActiveX Test is only possible with Internet Explorer. So your computer seems to be secure against ActiveX components.
Insecure ActiveX Test: The ActiveX Test is only possible with Internet Explorer. So your computer seems to be secure against ActiveX components.
a² Online-Check finished on 1/25/2005 4:41:35 PM
_________________________________________________________________
Port hits were affected by KillerWall (which I left running, by mistake, sorry) (1243,2140,6667,20034,12345,27374,31337) and SpyBlocker (port 80).
I found it puzzling that port 1243 took a hit in Opera that it did NOT get in FireFox, and that port 6667 took a hit running IE Tor/Privoxy/SocksCap that it did NOT get running IE Tor/Privoxy alone.
Just in case anyone's interested. Pete
Ronin
January 25th, 2005, 01:27 PM
Hi Spy1 thanks for posting your IP address and details about your computer.
spy1
January 25th, 2005, 02:01 PM
Ronin - You're quite welcome.
Since it's my IP address and my details, I guess I'll publish them if I want to.
But thank you for your concern - feel free to use any of that info as you see fit - I get tired of all my defensive programs sitting here with nothing to do. :P Pete
Infinity
January 25th, 2005, 05:09 PM
yes Spy1, I am gonna hack your ... :D
spy1
January 25th, 2005, 08:20 PM
<g> Hack away, INFINITY - but remember, you don't win unless you totally "own" my computer. Pete
Primrose
January 25th, 2005, 09:37 PM
-{ Quote: "<g> Hack away, INFINITY - but remember, you don't win unless you totally "own" my computer. Pete" }-
And here is mine 67.240.79.173 also..I will leave the lights on for ya..you can have all the viagra email ads you can find on the system..just don't get stuck in the honey pot or drink all my beer. ;D
Copyright ©2002 - 2012, Wilders Security Forums