Houston, we have a problem...


Pawthentic
July 6th, 2002, 03:10 AM
Okay, in a nutshell ~~ I think I'm the one with the problem. For a while now, I've been seeing some rather strange results when scanning local (my LAN) and remote IP addresses using TDS-3. It doesn't matter which way I ask TDS-3 to perform a scan (remote scan, targeted scan, interrogate, common ports check, etc.)... I always see the same ports being reported as open to incoming connection requests.

Rather than bore anyone here with a convoluted recounting of multiple events, I've attached a netstat from a fresh winME box (ip addr 192.168.1.101 on my LAN) and the log from TDS-3 (run from 192.168.1.100 on my LAN). It doesn't take a rocket scientist to see something strange here.

My current hardware config is RoadRunner cable in front of a Linksys BEFSR-41, which handles the LAN through its 4-port switch. The box running TDS-3 is an XP pro install that is clean. Reinstalling TDS-3 and/or playing with its configuration changes nothing as far as mis-reporting open ports goes. Also, did I mention that the winME box is fresh, too?

I would be eternally happy if someone could explain exactly what I'm doing wrong (because god-forbid it should be TDS-3's fault) without telling me I need lessons in networking and sockets (hi Wayne!)

Best regards to all here.
Hilly.

[year-old attachment deleted by admin]

Pawthentic
July 6th, 2002, 03:11 AM
I couldn't add another attachment to my post, so here's the log from TDS-3...


[year-old attachment deleted by admin]

controler
July 6th, 2002, 11:46 AM
Congratulations !!!!!!!!!!!!!

You have my IP address now what?
Maybe the Wilders Web Master would care to elaborate on this? Does this new poster share my IP?

Also dude? Please turn word wrap on !!!!!!!!!!!!!

Pawthentic
July 6th, 2002, 11:59 AM
> controler wrote:
> Congratulations !!!!!!!!!!!!!
>
> You have my IP address now what?
> Maybe the Wilders Web Master would care to elaborate on this? Does this new poster share my IP?
>
> Also dude? Please turn word wrap on !!!!!!!!!!!!!

:) IP addresses like 192.168.xxx.xxx are private, non-routable addresses that are given to machines running on a local network. If you're posting from a box on a LAN then it might have the same 192.168.xxx.xxx address. That does not mean your WAN address is the same as mine. BTW, you have no way of knowing what -my- WAN address is unless you're a moderator here. Just FYI it's 24.58.230.189.

Sorry about the extra-wide post, I'm thinking it's due to the image I posted. I don't see where to implement word-wrap in this forum, but if I'm wrong then someone can tell me.

Hey, thanks for the thoughtful, intelligent reply. :)

Regards,
Hilly.

controler
July 6th, 2002, 12:09 PM
Only teasing !!!!!!!!!!! ;D

I don't think I want to publish my DSN address. My lease expires 7/12/2002 10:49:20 AM, though, or before, since I am moving again and will be going back to DSL and an old Cisco 675 router.

Cool that you are using the same router as me though.
Have you tried connecting without your router?

Pawthentic
July 6th, 2002, 12:19 PM
The strange results I'm getting disappear when I physically remove the router from my configuration. It seems (not properly verified) that others using TDS-3 and a Linksys router get similar, incorrect results when scanning me.

What's a DSN address?

Regards,
Hilly.

Smokey
July 6th, 2002, 12:40 PM
> Pawthentic wrote:
> What's a DSN address?
>
> Hilly.

I think Controler mistyped something, maybe he was a little stoned :P

He means with DSN: DNS (Domain Main System).

Ciao,

Smokey

controler
July 6th, 2002, 01:16 PM
Oh Dawd

I need to stop posting after only one cup of coffee in the mornings.
Yes, that is what I meant..

DNS Domain Name System
Address is the Wan address

Is your router default configured from the factory ?

Pawthentic
July 6th, 2002, 01:29 PM
DNS is how host and domain names get resolved into IP addresses. Your WAN address has little or nothing to do with the address of your (or your ISP's) DNS servers. When you log in with your ISP, your computer is issued a unique (WAN) IP address. Your computer will routinely go to the address (specified in your network settings) of whatever DNS server you want to resolve host/domain names to IP addresses. Reverse DNS is used to resolve IP addresses to host or domain names.

All of this has nothing to do with what I started this thread for, but might be an indication that you guys need more coffee.

Controler, to answer your question ~~ No. My Linksys does not have the factory's 'default' configuration. I use the web-interface (192.168.1.1 for the Linksys) to change things to my liking. Either way, if other people who have routers (at least a Linksys, anyway) scan me and report ports open and/or services running that I know aren't there, what does it matter how I have my router configured??

Please note that it's only with TDS-3 that I (and at least one other person that I know of) get these strange results.

Routers don't open ports, or cause services to magically appear.

Regards,
Hilly.

controler
July 6th, 2002, 01:38 PM
With that web interface doesn't it ask for your username and Password?

I am sure you have checked Linksys's site already but if not here ya go. I am sure Gavin will respond to your TDS-3 question.

http://www.linksys.com/support/support.asp?spid=86

Pawthentic
July 6th, 2002, 01:51 PM
> controler wrote:
> With that web interface doesn't it ask for your username and Password?

>:(
Of course it asks for a password, but what does that have to do with anything?

As far as DCS answering me, all I've gotten so far from them is a suggestion to Google for info on networking and sockets. (hi Wayne!)

Again, I'm not saying this is a -problem- with TDS-3 (but I'm not convinced it isn't a problem, either). All I'm saying is that I see strange, incorrect results when using TDS-3 in conjunction with my Linksys router. I've also seen one other person who used TDS-3 to scan me (while my router was in place) and he -also- received incorrect results on his end.

I can live with the possibility that TDS-3 doesn't play well with routers, but I sure wish I knew that before I went and did something silly like _relying_ on the results I get from scanning with TDS-3.

I have searched, but found no information anywhere (including from DCS) regarding the usage of TDS-3 with a router. I would think that if there _is_ a compatibility issue, then I wouldn't be the first to see these -incorrect- results.

I keep telling myself that it's me, that I must be doing something wrong, that I'm a goofball who doesn't know about networking and sockets (hi Wayne!)... but if it's all about me, how come someone else using TDS-3 to scan my IP address received the same strange, incorrect results?

All these questions could probably be answered by DCS, but I think they're kind of busy with TDS-4 and other stuff ~~ so it looks like I'm on my own with this.

Regards, and sorry for wasting the space.
Hilly.

controler
July 6th, 2002, 02:02 PM
I am sure you have the latest firmware update?

to download firmware version 1.42.7 that supports enhanced Internet security using ZoneAlarmPro TM and PC-cillin TM.
Extract the files
Read the UPGRADE.DOC for upgrade instructions
*Linksys will not offer technical support for the 3rd party enhanced security features.


ftp://ftp.linksys.com/pub/network/befsr-fw1427.zip

Pawthentic
July 6th, 2002, 02:06 PM
> controler wrote:
> I am sure you have the latest firmware update?

Thank you (sincerely) for trying to help, controler. I have used the last 3 firmware images that Linksys released, and I got them directly from Linksys.

Firmware in the router isn't the problem.

Regards,
Hilly.

spy1
July 6th, 2002, 02:11 PM
Hilly - temper, temper! ;D

I haven't a clue, myself, as to why you're getting flaky results (only you, BTW, would know if they are flaky results or not, I think).

Would a proper re-statement of the problem be that, while TDS is telling you certain ports are open (when scanned by other TDS users) - all the other tests you take elsewhere are telling you that you don't have any ports open?

(Forgive me if that sounds too simplistic, or isn't correct - I'm the dumbest one here. If you can explain it to me to where I can understand the problem, it'll probably go a long way towards having it stated to where others more knowledgeable will be able to help). Pete

spy1
July 6th, 2002, 02:28 PM
Hmm, you did explain the problem more clearly in the TDS private forum!

Okay, when you scan someone else with TDS, TDS tells you that they have certain ports open - but they actually don't , right?

Or, if someone scans you with TDS, TDS tells them that you have certain ports open - but you don't, correct?

I wonder why my scan of you came up with the right results?

Is everyone involved using the latest version of TDS-3?
Pete

Pawthentic
July 6th, 2002, 02:31 PM
Hello Pete.

It all started when I noticed that -all- the scans I was performing from TDS-3 on my XP box showed the same common ports as open... and note that these were scans done on remote IP addresses. I wasn't worried until more than a few people became angry with me because I was saying that my scans of them (scanning with TDS-3) showed ports open that they were sure they didn't have. In a few instances, I used the TCP Connect feature in TDS-3 to actually connect to port 25 on -remote- addresses (after they showed as open and accepting incoming connections). To me, this means that the remote addresses were actually running the services that TDS-3 reported. If that's a bad assumption on my part, then at least it's a given that TDS-3 was reporting to me these IP addresses had ports open and listening for incoming connection requests. After getting my ass chewed on for a while, I decided to run my own tests.

I have a small LAN set-up here. Yesterday, I was wiping and reinstalling a friend's winME box (an HP Pav 7850). After the o/s was installed and updated fully, but before I put any third-party apps on it, I used TDS-3 from my XP pro box to run the interrogate scan on it. In this thread, I posted both the netstat from the winME box, and the TDS-3 log from the XP box. The netstat from winME shows nothing, but the log from TDS-3 shows, well you can see for yourself.

The same thing happens whenever I scan anything, local or remote, as long as my Linksys is physically in the configuration. Using the DMZ in the router changes nothing, I need to -remove- the router from the network (physically) to get valid results from TDS-3.

Last week, in the DCS forums, I had someone (who also uses TDS-3 and a router) run Interrogate on my IP address. He got the SAME bogus results that showed I was running all kinds of services (ports listening for incoming connection requests). I promise, there are no such services running anywhere near my LAN.

Once the router is removed (physically), the problem I'm seeing goes away.

Thanks for the help, Pete.

Regards,
Hilly.

Pawthentic
July 6th, 2002, 02:35 PM
> spy1 wrote:
> I wonder why my scan of you came up with the right results?

Are you 65.196.250.34 ? If so, I just scanned you and found this...

------
14:34:31 [Interrogate] Interrogation scan on 65.196.250.34 started.
14:34:32 [Interrogate] 65.196.250.34:25: Connected
14:34:52 [Interrogate] 65.196.250.34:80: Connected
14:34:52 [Interrogate] 65.196.250.34:110: Connected
14:34:53 [Interrogate] 65.196.250.34:110: Connected
14:35:13 [Interrogate] 65.196.250.34:2: Closed - connection closed immediately.
14:35:13 [Interrogate] 65.196.250.34:1080: Connected
14:35:14 [Interrogate] 65.196.250.34:3: Closed - connection closed immediately.
14:35:35 [Interrogate] 65.196.250.34:9: Closed - connection closed immediately.
------

Are you running these services?

Regards,
Hilly.

spy1
July 6th, 2002, 02:40 PM
Well, i hope they didn't mind - because that wasn't me. PM'ing you my #. Pete

controler
July 6th, 2002, 02:41 PM
I just ran some scans of your IP with TDS-3 on my WinXP Home and found none open. 135 remained silent

Pawthentic
July 6th, 2002, 02:43 PM
> spy1 wrote:
> I wonder why my scan of you came up with the right results?

I bet you're not using a Linksys router...

:P
Hilly.

spy1
July 6th, 2002, 02:49 PM
Okay, you're right, I'm NOT running a router. There's no possibility that linksys has some kind of honey-pot feature, is there?

(Pardon me if that's a stupid question - you're dealing with Pete here! ).

Hilly, do you have ICQ? If you do, crank it up, would you? Pete

Pawthentic
July 6th, 2002, 02:54 PM
Hi Pete. :)

ICQ?! Eeeewww. ;)

For you, I'll install it rightnow. (give me a few minutes...)

Regards,
Hilly.

controler
July 6th, 2002, 02:55 PM
Yeah, those silly ISPs push the router on us so our hard drive is not just blowing in open air. They seem to like Linksys ::)
Some say if you have a good firewall like ZoneAlarm you can chuck the router. I am using a wireless Internet connection. Today I keep losing connection and have not had that happen before.
Why are we not finding the false open ports you are speaking of?

spy1
July 6th, 2002, 03:51 PM
is chucking the router actually an option if he's running a LAN?

UNICRON
July 6th, 2002, 04:13 PM
Perhaps a scan with a different scanner will shed some light.

Permission to use Nmap on you? It is the common *nix scanner, very good. I trust it more than any other.

Also with TDS instead of using interrogate, use the tcp scanner to scan the first 1024 ports of the ip. I believe that will be a better indication of what is going on.

controler
July 6th, 2002, 04:19 PM
I have the same features on my router except I use a wireless ISP. In the Web interface router setup there is an option called DMZ (Demilitarized Zone). This option will enable ONE intranet computer to be exposed to the internet, "Honey Pot". Zero is Off and One is On...
If you want the send file option with this router, you need to make a special setting also.
You can enable incoming and outgoing access logs which you send to whatever intranet IP you choose. Default is 192.168.1.255.
In the advanced config the defaults are:
- Block WAN request = enable
- IPSec Passthru = enable
- PPTP Passthru = enable
- Remote Management = Disable
- Remote Upgrade = Disable

am I rattling again Spy 1? LOL

Pawthentic
July 6th, 2002, 04:29 PM
> UNICRON wrote:
> Perhaps a scan with a different scanner will shed some light.
>
> Permission to use Nmap on you?

Yes, of course, but please wait, as I have the router out of the line-up. I'll post here again in a few minutes...

Thanks very much!
Hilly.

Pawthentic
July 6th, 2002, 04:37 PM
> UNICRON wrote:
> Permission to use Nmap on you?

Yes, please fire away. May I reciprocate with TDS-3's interrogate scan? I'll need your IP address.

:)
Hilly.

spy1
July 6th, 2002, 04:43 PM
Unicron - Get on ICQ with him if you haven't already, okay? PM'ing you his temporary ICQ #.

controler - Let me know if you want his ICQ # , okay? Pete

(Pete's an interested quad at an olympic ping-pong match! ;D ).

UNICRON
July 6th, 2002, 04:45 PM
I don't use ICQ, I'll have to make an account. Give a bit to do that.

Pawthentic, I PM'd you an IP to test back with, and some nmap results.

Pawthentic
July 6th, 2002, 04:47 PM
Also for UNICRON ~~

If you would be so kind, could you use TDS-3 on my IP address?

Hilly.

UNICRON
July 6th, 2002, 04:51 PM
I am running Linux right now. No TDS install. I could install the demo on a windows box that belongs to a friend that is in for repairs perhaps.

Pawthentic
July 6th, 2002, 04:53 PM
No, that won't be necessary. The entire issue here, with me, is the fact that I consistently get bogus results when using TDS-3 behind a router, and today in testing with Spy1 I even got strange results (ports open/services running) without the router in line.

Did you run NMAP against me?

Regards,
Hilly.

Pawthentic
July 6th, 2002, 05:21 PM
> UNICRON wrote:
> Perhaps a scan with a different scanner will shed some light.

The only light shed is a dark one. Foundstone's SuperScan port scanner shows none of the open ports I see when scanning Spy1's IP address with TDS-3.

> UNICRON wrote:
> Also with TDS instead of using interrogate, use the tcp scanner to scan the first 1024 ports of the ip. I believe that will be a better indication of what is going on.

TDS-3 still shows bogus results for me, when running the regular TCP scanner against Spy1's IP address. This time, I wasn't behind the router.

Well, since we're all running in circles here (at least I know _I'm_ running in circles) ~~ I'll be down for a few hours while I completely wipe clean and reinstall my XP box.

I'll be back, we'll see if I'm still screwed or not.

Thank you to all here who helped me today.

Wayne, you're still punished, and I'm adding 1 month to the amount of time that you're grounded. Now GO TO YOUR ROOM!

Hilly.

spy1
July 6th, 2002, 05:59 PM
Hilly - it's possible that the out-of-the-ordinary results without the router were due to the fact that I was running Jammer 1.95 as well as TDS-3 at the time. Just thought I'd let you know.
Pete

Paul Wilders
July 6th, 2002, 06:14 PM
Hi Hilly,

Nice nick, btw ;)

I'll contact DCS in regard to this issue. For the moment, please hold your horses for some days - at least until Monday/Tuesday. Even the DCS guys deserve a weekend to relax (once in a while..).

As for comments concerning wrapping and image sizing; don't bother. We have chosen not to limit.

Enjoy your weekend!

regards,

paul

Pawthentic
July 7th, 2002, 02:03 AM
> spy1 wrote:
> Hilly - it's possible that the out-of-the-ordinary results without the router were due to the fact that I was running Jammer 1.95 as well as TDS-3 at the time. Just thought I'd let you know.
> Pete

Hi again, Pete.

For discussion purposes only, let's (for a moment) not talk about any remote scanning of me, or done by me. Let's talk about my LAN. ~~~~

Box#1 - WinXP, less than a month old, bi-daily full scans with TDS-3 and NAV, both fully updated.

Box#2 - WinME, squeaky-clean install, no 3rd party apps. Fully updated.

Box#3 - Win2k pro, squeaky-clean install, no 3rd party apps, no IIS, no services enabled. SP2 done and fully updated.

Linksys BEFSR-41 used as gateway to cable modem. 4-port 10/100 switch built-in to Linky handles networking.

All 3 machines trade ICMP without a problem. File/printer sharing is disabled all the way around.

Netstat run on all 3 boxes shows nothing out-of-the-ordinary.

TDS-3 on the XP box reports incorrectly that many common ports are open and listening on both the winME and win2k boxes.

Right now, I've got the fresh winME box connected to the LAN. Here's the netstat dump from it:
------
TCP 192.168.1.100:139 0.0.0.0:0 LISTENING
UDP 192.168.1.100:137 *:*
UDP 192.168.1.100:138 *:*
------

...and here's TDS-3's log from an Interrogate scan run minutes ago:
------
01:49:10 [Init] Trojan Defence Suite v3.2.0 - Registered to Hilly Waldman
01:49:10 [Init] Started 07-07-02 01:49:10 Eastern Standard Time (UTC: 5), Internet Time @284.14
01:49:10 [Init] Loading TDS-3 Systems ...
01:49:10 [Init] • Plugins : OK. Loaded 13
01:49:10 [Init] • Exec Protection : Not Installed
01:49:10 [Init] Loading Radius Advanced Scanning Systems ... <R3 Engine, DCS Labs>
01:49:14 [Init] • Radius Advanced Specialist Extensions on standby for 13 trojan families
01:49:14 [Init] • Systems Initialised [15043 references - 4746 primaries/3429 traces/6868 variants/other]
01:49:14 [Init] Radius Systems loaded. <Databases updated 04-07-2002>
01:49:14 [Init] TDS-3 Ready. <Hilly@192.168.1.101, 127.0.0.1 - United States>
01:49:14 [Tip Of The Day] The Target Host menu is dedicated to finding out information about remote computers, from backdoors to system information to network positioning.
01:49:14 [TDS] Good morning Hilly. What are you doing up at this time?
01:49:16 [Memory Scan] Memory scan started, please wait a moment ...
01:49:17 [Memory Scan] Memory scan complete.
01:49:17 [Mutex Memory Scan] Started...
01:49:18 [Mutex Memory Scan] Finished (no trojan mutexes found).
01:49:18 [Trace Scan] Started...
01:49:21 [Trace Scan] Finished.
01:49:53 [Interrogate] Interrogation scan on 192.168.1.101 started.
01:49:53 [Interrogate] 192.168.1.101:25: Connected
01:49:54 [Interrogate] 192.168.1.101:135: Connected
01:49:54 [Interrogate] 192.168.1.101:110: Connected
01:49:54 [Interrogate] 192.168.1.101:80: Connected
01:49:54 [Interrogate] 192.168.1.101:80: Connected
01:49:55 [Interrogate] 192.168.1.101:1080: Connected
01:49:55 [Interrogate] 192.168.1.101:139: Connected
01:49:55 [Interrogate] 192.168.1.101:139: Connected
01:49:55 [Interrogate] 192.168.1.101:2: Closed - connection closed immediately.
01:49:56 [Interrogate] 192.168.1.101:135: Closed - remained silent.
01:49:56 [Interrogate] 192.168.1.101:6: Closed - connection closed immediately.
01:50:10 [Interrogate] 192.168.1.101:83: Connected
01:50:10 [Interrogate] 192.168.1.101:82: Connected
01:50:10 [Interrogate] 192.168.1.101:81: Connected
01:50:11 [Interrogate] 192.168.1.101:88: Closed - connection closed immediately.
01:50:11 [Interrogate] 192.168.1.101:88: Closed - connection closed immediately.
01:50:11 [Interrogate] 192.168.1.101:88: Closed - connection closed immediately.
01:50:25 [Interrogate] 192.168.1.101:139: Closed - Error (Connection is aborted due to timeout or other failure)
01:50:31 [Interrogate] Interrogation of 192.168.1.101 finished.
------

Now, does this look like incorrect results? Am I not reading the console log properly? Should TDS-3 be showing as 'connected' to all of those common ports?

Correct me if I'm wrong, but my router's WAN side doesn't even come into the picture here, as all of this is taking place on my LAN.

If I'm really that stupid, and I don't know what I'm seeing, then why is it so hard for me to get a qualified answer?

Now, if we want to discuss -remote- scanning done by me, and done to me, then that may or may not be a different issue. FWIW I can get the same results, showing the same common ports as open when I scan just about anyone else. You personally saw my scans of you today, and they also reported you were open and listening on many common ports that would indicate you're running services like HTTP, SMTP, POP3, etc. While you may have TDS-3 set to initialize sockets, I'd bet you don't have it set-up to listen on those common ports, but in fact are listening on trojan ports.

There is definitely something wacky going on here, and although it may be my fault or ignorance, the fact that I can't get any help from DCS sure does disappoint me. :'(

Regards, Pete.
Hilly.

Pawthentic
July 7th, 2002, 02:32 AM
> Forum Admin wrote:
> I'll contact DCS in regard to this issue. For the moment, please hold your horses for some days - at least until Monday/Tuesday. Even the DCS guys deserve a weekend to relax (once in a while..).

Hi Paul. Thanks for the reply, and nice to talk to you again. :)

Nobody expects to have instant access to 7-day/24hour support, least of all me.

I've already been in contact with DCS, and I really wasn't too happy with what I was told. I outright admitted that whatever problem I was seeing was possibly (probably) my fault. Here, read for yourself. This is a portion of the last e-mail I sent Wayne, on June 28th:
------
Wayne wrote:
[]
> but questions relating to sockets and routers should be
> directed somewhere more appropriate, not an anti-trojan
> company.

But my question is about TDS-3, and why I'm seeing such strange scan results. I totally agree (and understand) that this is most likely something on my end.

* Quick questions: *
1. Are you aware of any issues when running TDS-3 behind a router?
2. Is TDS-3's operation behind a router covered anywhere in the TDS-3 documentation?
3. Have any other TDS-3 users asked about running behind a router?
4. Do you agree that what I'm seeing, and what Jim sees when scanning me, is abnormal?
5. Should I never use the word 'router' when e-mailing you? <g>

Please note Jim Martin's reply to me in the forum.

http://www.dcsresearch.com/forum/showthread.php?s=91c3a4923e6445c827b75826a1835688&threadid=1043

He is running win2k sp2 and his scan of me, while I was behind a router, is way, way off. I promise I'm not running any services like HTTP, NNTP, POP, SMTP, etc. I would see practically the same results when scanning remote addresses from winxp pro. Again, I'm not saying it's TDS-3's fault, but if running scans from behind a router is something I need to learn about before I can use TDS-3 effectively, then why isn't it covered in the documentation?
------

I haven't heard anything back from him yet, and today makes 9 days since I last e-mailed him.

I can only guess that my questions are so incredibly stupid that Wayne and Gavin are too busy laughing to reply with some helpful information. Of course, the TDS-4 carrot-on-a-stick-hanging-in-front-of-our-noses is probably keeping them busy, too ~~ but too busy to help a paying customer, especially since my questions are directly related to TDS-3? I'm left here asking myself what the heck I did wrong, and why won't DCS help with this?

Please don't misunderstand me, I will use and defend TDS-3 (and DCS) forever. I'm convinced that they're good guys, and make a fine product. In the past, I've stood by them while they were being virtually attacked on the newsgroups at GRC. I'm always telling people how great TDS-3 is, and how wonderful the support for it is. Excuse me while I go put on my dunce-cap. 8)

Can you imagine my embarrassment when being confronted by numerous people, all saying that I can't possibly be getting valid results from TDS-3 after scanning them and finding the same open ports, then reporting that to them? I finally realized that I was seeing the same results being reported, so I did some testing on my LAN, where I saw again, the same results reported... but on my LAN I can run netstat on the other (scanned) boxes. That's when I started getting upset. Netstat on fresh boxes with no 3rd party apps says no, TDS-3 says yes, who do I believe?

Well, anyway, thanks again for the reply.

Best Regards, Paul.
Hilly.

controler
July 7th, 2002, 10:05 AM
I prolly should have got out of this discussion a long time ago, but Paw, even though it is early again this morn, I look at your last post and to me it reads: you did a netstat on the Win ME box, you then did a scan of that Win ME box with your Win XP box and TDS-3, which are both connected to the router. Your Win ME box is using ending 101 as the LAN IP and your XP is using ending 100 IP. You say you have no third party software on your ME machine. Why would you not have open ports on your ME machine?

Pawthentic
July 7th, 2002, 11:09 AM
> controler wrote:
> I prolly should have got out of this discussion a long time ago

No, you shouldn't have. You were the first to reply to me in this thread, and if what is being said here has you interested or curious, then you have every right to read, reply, and offer input. I greatly appreciate all comments. ;D

> controler wrote:
> You say you have no third party software on your ME machine. Why would you not have open ports on your ME machine?

For a port to be open, which means that it is listening for incoming connection requests, there has to be something holding it open. A fresh install of winME has nothing to hold ports open, besides what is shown in the netstat dump that I posted. If, for example, I were to install Apache (a popular web-server), then my netstat would show TCP port 80 as open, listening for incoming connection requests.

If you were to run TDS-3's Interrogate scan (or any other, for that matter) and saw a 'connection' on port 25, then that would indicate that I was either running a mail server (SMTP) or had some other program holding that port (25) open, listening for incoming connection requests.

This morning, someone over in the DCS forums (who is running behind a Linksys router) ran both TDS-3's Interrogate scan and NMAP against my IP address. The results he got with TDS-3 were incorrect, but NMAP correctly reported that all scanned ports were filtered. So, here I am saying that not only is TDS-3 mis-reporting scans on my LAN, but also that others using TDS-3 to scan my IP address remotely are also seeing incorrect results. Please note that my router may or may not have anything to do with this. At this point I'm still not sure of just what is going on, but I feel REALLY CONFIDENT that there's something wrong.

Is it me? Fine, great, I can deal with that. Just let someone tell me what I'm doing wrong. Let someone who knows come here and say "Hey you dummy, read the frigging manual! It's right there."

Is it my router? Fine also. Let someone tell me that, then explain to me why nobody warned me that TDS-3 won't work properly behind a router. I really don't care if some functions of TDS-3 can't be used if I'm behind a router, but TELL ME. What about the other TDS-3 users who are behind (Linksys?) routers? Don't they have the right to know, and shouldn't we ALL have been informed of this?

I can just see it now... "Dear Hilly, blah blah blah router. Blah blah blah TDS-3. By the way, all licensed TDS-3 users will receive a free upgrade to TDS-4, and a substantial discount on TDS-4 Scanner and TDS-4 ActiveGuard." (hi Wayne!) ::)

Of course, if I'm wrong, then all of this could have been avoided by some e-mail from DCS; which, by the way, it's now been 10 days since I last e-mailed them.

Regards, controler,
Hilly.
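A scanner's "Connected" line only proves that the TCP three-way handshake completed; whether a real service sits behind the port is a separate question, and the netstat listener list on the scanned box is the ground truth to compare against. The following is an added example, not part of this thread and not DCS or TDS-3 code, that puts the checks discussed in the post above (and in the earlier post about using TCP Connect on port 25) into working form: a connect-and-banner probe that reports open, closed or filtered, a parser for netstat lines in the layout pasted in this thread, and a comparison that lists every port a scanner called open that netstat does not show as a TCP listener. The netstat sample, the fake SMTP banner and the 127.0.0.1 listener are constructed for the demo.

```python
import socket
import threading

# Constructed netstat -an excerpt, in the layout pasted earlier in this thread.
NETSTAT_SAMPLE = """\
TCP 192.168.1.100:139 0.0.0.0:0 LISTENING
UDP 192.168.1.100:137 *:*
UDP 192.168.1.100:138 *:*
"""


def parse_netstat_listeners(text):
    """Return {(proto, addr, port)} for sockets netstat shows as listening.

    TCP entries count only in LISTENING state; a bound UDP socket has no
    state column, so every UDP line counts.
    """
    listeners = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0].upper() not in ("TCP", "UDP"):
            continue
        proto = parts[0].upper()
        if proto == "TCP" and (len(parts) < 4 or parts[3].upper() != "LISTENING"):
            continue
        addr, _, port = parts[1].rpartition(":")
        listeners.add((proto, addr, int(port)))
    return listeners


def probe_tcp(host, port, timeout=2.0):
    """Full TCP connect followed by a banner read.

    Returns (state, banner): 'open' when the handshake completed (what a
    scanner's "Connected" line means), 'closed' when the peer answered with
    a RST (connection refused), 'filtered' when nothing came back in time.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "closed", ""
    except (socket.timeout, OSError):
        s.close()
        return "filtered", ""
    buf = b""
    try:
        # A real SMTP/POP3/FTP daemon greets first; read until newline or EOF.
        while b"\n" not in buf and len(buf) < 256:
            chunk = s.recv(256 - len(buf))
            if not chunk:
                break
            buf += chunk
    except (socket.timeout, OSError):
        pass
    finally:
        s.close()
    return "open", buf.decode("ascii", "replace").strip()


def unexplained_open_ports(netstat_text, scan_results):
    """Ports the scanner called open that netstat does not list as TCP listeners.

    scan_results maps (host, port) -> state as returned by probe_tcp.
    """
    tcp = {(a, p) for proto, a, p in parse_netstat_listeners(netstat_text) if proto == "TCP"}
    return sorted(hp for hp, state in scan_results.items() if state == "open" and hp not in tcp)


def start_fake_smtp():
    """One-shot listener on 127.0.0.1 that sends a constructed SMTP banner."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"220 lab.test ESMTP (constructed banner)\r\n")
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Pick a port nothing is bound to, so a probe of it should come back 'closed'."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    smtp_port = start_fake_smtp()
    print("fake SMTP:", probe_tcp("127.0.0.1", smtp_port))
    print("unbound port:", probe_tcp("127.0.0.1", unused_port()))
    results = {
        ("192.168.1.100", 139): "open",   # matches the netstat listener
        ("192.168.1.100", 25): "open",    # scanner says open, netstat has no SMTP
        ("192.168.1.100", 2): "closed",
    }
    print("open per scan but not per netstat:", unexplained_open_ports(NETSTAT_SAMPLE, results))
```

Run stand-alone it probes a throwaway listener on 127.0.0.1 (reported open, with its banner) and a port nothing is bound to (reported closed), then flags port 25 as open-per-scan but absent from netstat. The comparison keys on host and port on purpose: the netstat dump in the post above is for 192.168.1.100 while the TDS-3 log in the same post shows a scan of 192.168.1.101, and a scan result and a netstat dump taken on different hosts will never line up.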

controler
July 7th, 2002, 11:33 AM
I was confused again ;)

I thought you were only showing ports open when you went between your LAN connected computers and not when coming in from the outside through your cable modem, but since others are getting weird readings after scanning your IP with TDS then I am still confused. When I scanned your IP I didn't see anything unusual, and I am running the same router. I was wishing you had a spare router to verify it is NOT the router. If you lived close, heck, you could borrow my router. Some ISPs are not even installing routers on cable for home users and that's not good. It is just weird you are showing open ports from the outside and inside and not when taking out the router. Makes me wonder if the router isn't bad.
I wish you the best of luck in getting this figured out.

Pawthentic
July 7th, 2002, 11:43 AM
> controler wrote:
> When I scanned your IP I didn't see anything unusual

Controler, would you please post the part of your TDS-3 log that shows the results of your scanning me? If you weren't aware, the log can be read (and copied to clipboard) by going to the top of the TDS-3 console, left-click on 'TDS', then left-click on 'View Logfile', then select this month (July), then select today's date (the 7th). Highlight the portion you want to copy, then right-click on it and select 'Copy'. Finally, reply to this post and in your reply right-click and select 'Paste'.

Apologies if I'm giving you instructions for something you already know how to do. :-X

Thanks very much, Controler.

Regards,
Hilly.

controler
July 7th, 2002, 11:58 AM
I am not sure if this is normal for the trial version which I have
but the scan was not saved and the tracert was.
I can try it again and see if it saves it. I know there is a bunch of this disabled in the trial version.

controler
July 7th, 2002, 12:05 PM
Here is what I just got with the targeted port scanner

110: Remained silent.
25: Remained silent.
21: Remained silent.

Pawthentic
July 7th, 2002, 12:08 PM
Hi Controler.

I'm not sure if logging is disabled in the trial version, but I can't imagine that it would be.

The only thing that gets logged this way are scans that show up in the console (main window). If you run any scans that open separate windows then they don't get placed in the log... at least that's what I'm seeing over here.

The Interrogate plug-in runs in the main window, is that the scan that you ran?

Thanks again,
Hilly.

controler
July 7th, 2002, 12:14 PM
yep I do get logs but the remote scan log was not saved for some reason. Is there another scan I should be trying?

Pawthentic
July 7th, 2002, 12:20 PM
-{ Quote: " quoting: controler link=board=5;threadid=2194;start=45#15791 date=1026058480]
yep I do get logs but the remote scan log was not saved for some reason. Is there another scan I should be trying?

" }-

The 'remote scan' wasn't saved because (I'm guessing) it spawns a separate window. I'm seeing here (on my end) that nothing in any window aside from the main window (console) gets logged. Heck, I've seen one TDS-3 scan that takes place in a non-resizable window with no scroll-bar, so there's no scrolling up to see all the results -and- it doesn't get logged. Oh, well... another feature request for TDS-4?

Try the Interrogate scan. It's under 'Plugins' on the top of the main TDS-3 window. Make sure my IP address is in the 'Target Host' box. It's still 24.58.230.189 ;)

Regards,
Hilly.

controler
July 7th, 2002, 12:52 PM
This is the first time I used the interrogate from plugins :D

11:52:18 [Interrogate] Interrogation scan on 24.58.230.189 started.
11:52:18 [Interrogate] 24.58.230.189 :21: Connected
11:52:18 [Interrogate] 24.58.230.189 :25: Connected
11:52:39 [Interrogate] 24.58.230.189 :135: Closed - connection closed immediately.
11:52:39 [Interrogate] 24.58.230.189 :135: Closed - connection closed immediately.
11:52:39 [Interrogate] 24.58.230.189 :135: Closed - connection closed immediately.
11:53:00 [Interrogate] 24.58.230.189 :3: Closed - connection closed immediately.

Prince_Serendip
July 7th, 2002, 01:15 PM
Hi Pawthentic! Hope you don't mind but I did an Interrogate Scan with my TDS-3 too. I would have replied sooner but I had some trouble with my png files. Ah, b**ger the png files! Here's the info. (Should have done it by hand, anyway. Sigh.)

11:32:47 [Interrogate] 24.58.230.189:1025: Connected
11:33:32 [Interrogate] 24.58.230.189:1025: Connected
11:34:17 [Interrogate] 24.58.230.189:1: Closed - connection closed immediately.

Then I waited about 5 minutes and got nothing more. Hope it helps. (Noticed LOTS of inquiries by your IP on my Firewall Log! Want a copy?) Should have told you first, I guess. Apologies.

Pawthentic
July 7th, 2002, 01:23 PM
I sure am getting a whole bunch of incoming over here. :D

I'm not sure who it is, and I'll modify the addresses to protect those who don't want their IP address posted, but whoever has this address: xxx.xxx.71.174 ~~ I have a question for you.

Keeping in mind that I'm here saying that TDS-3 is not giving me correct scan results, here is the log from MY running the Interrogate plugin on your IP address (xxx.xxx.71.174)...

------
12:41:34 [Interrogate] Interrogation scan on xxx.xxx.71.174 started.
12:41:34 [Interrogate] xxx.xxx.71.174:25: Connected
12:41:55 [Interrogate] xxx.xxx.71.174:110: Connected
12:41:55 [Interrogate] xxx.xxx.71.174:80: Connected
12:41:55 [Interrogate] xxx.xxx.71.174:135: Closed - connection closed immediately.
12:42:16 [Interrogate] xxx.xxx.71.174:1080: Connected
12:42:16 [Interrogate] xxx.xxx.71.174:1080: Connected
12:42:16 [Interrogate] xxx.xxx.71.174:3: Closed - connection closed immediately.
12:42:18 [Interrogate] xxx.xxx.71.174:1080: Closed - remained silent.
12:44:45 [Interrogate] xxx.xxx.71.174:53: Connected
12:44:47 [Interrogate] xxx.xxx.71.174:53: Closed - remained silent.
12:46:28 [Interrogate] xxx.xxx.71.174:82: Connected
12:46:28 [Interrogate] xxx.xxx.71.174:81: Connected
12:46:28 [Interrogate] xxx.xxx.71.174:83: Connected
12:46:28 [Interrogate] xxx.xxx.71.174:85: Closed - connection closed immediately.
12:46:49 [Interrogate] xxx.xxx.71.174:89: Closed - connection closed immediately.
12:46:49 [Interrogate] xxx.xxx.71.174:90: Closed - connection closed immediately.
12:53:07 [Interrogate] Interrogation of xxx.xxx.71.174 finished.
------

Now, my question is this ~~~~ If I e-mailed you, and said that you SEEM to be running services. If I said that I'm using the best trojan-killer in the universe, and it's saying that you APPEAR to be exposed on more than a few common ports, which would indicate that you're either running services (like HTTP, SMTP, etc.) or you have other apps that are holding those common ports open to incoming connection requests... what would you do?

Well, being a smart person, like you are, you would immediately investigate whether-or-not you actually WERE running services, or had apps holding ports open. Now, if after your investigation, you find that you're NOT running those services, and you don't have those ports open, surely you would say that I'm a fruitcake (with nuts).

This is my situation. I need to know if what I'm seeing is my problem (stupidity, mis-configuration, didn't read the manual, etc.) or a problem with TDS-3. Either way, I've got some apologizing and explaining to do, because I staunchly defended the reliability and accuracy of TDS-3, while more than a few people who I have recently scanned and reported incorrect results to were swearing up and down that I was wrong. Now, if this is all my fault, then I'll be happy, no ~~ overjoyed to post here with full apology to any and all who have been inconvenienced by this thread. To convince me that the fault is mine, someone is going to have to show me what I did wrong, or how I messed up TDS-3 by its configuration.

If the fault lies with my router, then it also lies with my neighbor's router (also a Linky BEFSR41). I swapped with him earlier and repeated the results on my LAN (remember, where a fresh winME box APPEARS to be running all kinds of services, if TDS-3 is correct). On my LAN, the crazy results I have seen are avoidable if NEITHER computer (the one doing the scan and the one being scanned) is behind a router. I am in the dark as to why or how a router can affect OUTBOUND scans, or scans done internally on the LAN, but since MSN Messenger and others have trouble with routers, it's not out of the question that TDS-3 does, too. It's a given that a router will block INBOUND scans, because that's what they do. ;) Please note that I have already been scanned by a TDS-3 user who is behind a router... and in that case there were two routers in the mix (mine and his). He reported to me THE SAME BOGUS RESULTS THAT I'VE SEEN WHEN SCANNING OTHERS. Sorry for the caps, but I wanted the emphasis to be loud. :)

I don't want any trouble. I don't want to stop using TDS-3. I don't want to be forced to stop supporting DCS, both financially and morally. I don't want to keep punishing Wayne (hi Wayne!)... and I definitely don't want to keep bothering you wonderful people with this whining and crying. I do want to know what is going on, so when I eat crow and apologize in front of all the people I lied to, I'll have all the facts.

I hope my little rant here has given all of you a little insight as to why I'm freaking. :o

Best Regards to all.

Hilly.

Pawthentic
July 7th, 2002, 01:25 PM
-{ Quote: " quoting: controler link=board=5;threadid=2194;start=45#15794 date=1026060748]
This is the first time I used the interrogate from plugins :D

11:52:18 [Interrogate] Interrogation scan on 24.58.230.189 started.
11:52:18 [Interrogate] 24.58.230.189 :21: Connected
11:52:18 [Interrogate] 24.58.230.189 :25: Connected
11:52:39 [Interrogate] 24.58.230.189 :135: Closed - connection closed immediately.
11:52:39 [Interrogate] 24.58.230.189 :135: Closed - connection closed immediately.
11:52:39 [Interrogate] 24.58.230.189 :135: Closed - connection closed immediately.
11:53:00 [Interrogate] 24.58.230.189 :3: Closed - connection closed immediately.

" }-

:) Hi Controler.

Oh, look! You are behind a router, and your TDS-3 is lying to you... OR ~~ the word "Connected" doesn't really mean connected.

Thank you!

Hilly.
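
The question running through this thread is what a scanner's "Connected" line actually proves. The following is an added example, not code from the thread and not TDS-3's own logic: it runs a plain TCP connect probe entirely against 127.0.0.1, using three constructed local listeners that mimic the outcomes quoted above (a service that answers with a banner, one that accepts and hangs up at once, one that accepts and stays quiet) plus a port with no listener at all. The service names, banner text and result labels are all assumptions made for the demonstration.

```python
"""Classify TCP connect-probe outcomes against constructed listeners on 127.0.0.1.

Added example (not from the thread, not TDS-3 code). Shows that a successful
connect() only proves something completed the TCP handshake; what the peer does
next (banner, immediate close, silence) is the information that actually matters,
and the scanned host's own netstat output remains the deciding cross-check.
"""
import socket
import threading
import time

HOST = "127.0.0.1"


def start_service(behaviour):
    """Start a constructed local listener. Returns (port, stop_event).

    behaviour: "banner" -> accepts and sends a fake SMTP-style greeting
               "close"  -> accepts and closes immediately
               "silent" -> accepts, says nothing for 1 s, then closes
    """
    ready, stop = threading.Event(), threading.Event()
    info = {}

    def serve():
        srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        srv.bind((HOST, 0))  # OS-chosen free port
        srv.listen(5)
        srv.settimeout(0.2)  # poll so the thread can observe stop
        info["port"] = srv.getsockname()[1]
        ready.set()
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            if behaviour == "banner":
                conn.sendall(b"220 constructed.example ESMTP (test banner)\r\n")
            elif behaviour == "silent":
                time.sleep(1.0)  # handshake done, but the "service" never speaks
            conn.close()  # "close": hang up right after accepting
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    ready.wait()
    return info["port"], stop


def probe(host, port, timeout=0.5):
    """One TCP connect probe, classified the way a scanner log would report it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "refused"  # RST came back: nothing listening, path not filtered
    except OSError:  # includes socket.timeout: no SYN/ACK, no RST
        s.close()
        return "silent"
    try:
        data = s.recv(1024)
    except socket.timeout:
        return "connected-silent"  # handshake ok, peer never sent anything
    finally:
        s.close()
    return "connected-banner" if data else "closed-immediately"


def demo():
    """Probe each constructed listener and an unused port; return the labels."""
    results = {}
    for behaviour in ("banner", "close", "silent"):
        port, stop = start_service(behaviour)
        results[behaviour] = probe(HOST, port)
        stop.set()
    # Find a port with no listener: bind to 0, note the port, release it.
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((HOST, 0))
    free_port = tmp.getsockname()[1]
    tmp.close()
    results["nothing"] = probe(HOST, free_port)
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:8s} -> {verdict}")
```

Run on the scanned machine itself, the "nothing" case is the useful one: a plain "refused" there, alongside a netstat that shows no LISTENING socket on that port, is the evidence that settles whether "Connected" on the far side came from the host or from something between scanner and host.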

Prince_Serendip
July 7th, 2002, 01:43 PM
Hi Pawthentic! This is interesting! I was busy editing my last post so didn't see your next one. No, I do not hide my IP. I use ZoneAlarm. I can give you an annotated list of your hits but that would be redundant. I was just trying to help you out. I am also behind a router! It's part of my DSL hookup. ;D Didn't mean to startle you!

Pawthentic
July 7th, 2002, 01:47 PM
-{ Quote: " quoting: Prince_Serendip link=board=5;threadid=2194;start=45#15803 date=1026063785]
Didn't mean to startle you!
" }-

Hi. No, I promise you didn't startle me. I routinely get all kinds of incoming, and the only things that scare me are apps and utilities that I run here at home. ;)

Can I correctly assume that you're the one who I scanned after seeing your IP address in my router's log? (xxx.xxx.71.174)

If so, did you see my Interrogation of -your- IP address? Are you actually running anything that would hold those common ports open?

Thanks for replying, feel free to run whatever tools you wish against my IP address.

Regards,
Hilly.

Prince_Serendip
July 7th, 2002, 01:50 PM
:) Would like to add...Thanks for not publishing my IP. And, I am part of a LAN, which would influence your readings to some extent. ;D

This is weird. Each time I make a posting, you post at the same time. Good wavelength. Yes, I am the one referred to. ;)

(This is also a good test of ZoneAlarm! Thanks!)

Pawthentic
July 7th, 2002, 01:54 PM
-{ Quote: " quoting: Prince_Serendip link=board=5;threadid=2194;start=45#15806 date=1026064203]
:) Would like to add...Thanks for not publishing my IP. And, I am part of a LAN, which would influence your readings to some extent. ;D
" }-

You're welcome, and I should be the one thanking you for posting in this thread and helping me. :)

I understand that you being behind a LAN will have significance when I scan your WAN IP address, but are you at home or at work? Don't answer that. :-X What I meant to ask is -- Do you know if your LAN has Mail, Web, and DNS services running? If you're at work, then this is probably why I saw the connections, and they could be seen as accurate then. If you're at home, you'll know if you're running those services... are you?

Thanks again.
Regards,
Hilly.

note: I'll be offline for a couple of hours now, but I'll be back later today.

controler
July 7th, 2002, 02:34 PM
I get the same results with the TCP inspector Plugin
but like you pointed out Paw, No way to copy the info
can only do screen shots quickly LOL
One nice thing about the TCP inspector is the explanation of the ports
being scanned. FTP, backdoor etc.

Jooske
July 7th, 2002, 02:49 PM
Hi all,
sorry i keep out of the discussion, which is not my field of knowledge, so to spare you unnecessary bandwidth.
But for the copying of the TDS screens i can tell you:
in most TDS screens it's possible to just click the mouse somewhere in it, you might need to select/highlight all first, click Ctrl+C and Ctrl+V to find it on your clipboard and from there you can easily copy it to where you want.
Same with some lines from the main console: highlight the part you want, Ctrl+C / Ctrl+V or copy it from the logfile of course.
Just tried it out with this TCP inspector and that copies fine this way!
Have fun with them!

Pawthentic
July 7th, 2002, 05:54 PM
I just wanted to post a note saying that my IP address is -still- 24.58.230.189.

...because I'm seeing crazy-mad hits inbound, obviously because many people are reading this thread and trying TDS-3 (and various other tools?) on me.

All I ask is that anyone who does so, and sees any results indicating that I'm running common services or open ports, please post here with some info ~~ like are you behind a router or not... what is your scan(s) reporting to you... etc.

Thanks again to everybody. :D

Regards,
Hilly.

Jooske
July 7th, 2002, 06:09 PM
Sorry for coming so late with this reaction:
also in the trial version i might suppose the logging works, if you enable it in the TDS > Configuration > Options, check enable logging > Save
You should find the log files from the console TDS > View logfile. If not, manually in the logs folder in the TDS-3 directory.

controler
July 7th, 2002, 06:36 PM
I can't get a copy from the TCP Inspector screen while it is running
After I highlight it kicks my highlight out as it is still running
Jooske try it on yours. Try copy and paste while the scanner is still running
Oh perty please? :-[

Jooske
July 7th, 2002, 07:33 PM
You have to wait till the scan is over. As with selecting / highlighting in general, with a mouseclick or movement the selection is undone, so also with the running inspector.

Hilly seems now either off line or has closed the router and all rulesettings so tight... ! No, no ping answer, no trace to the last address, not any TCP inspector results, so is off line. What a pity :)
Tried on myself and all connections failed.
Hmm, thought i could have been in my own local trusted zone and all ports wide open for my own local scans, but not! Ping and trace ok, but not that inspector.

Pawthentic
July 7th, 2002, 07:38 PM
-{ Quote: " quoting: Jooske link=board=5;threadid=2194;start=60#15863 date=1026084787]
Hilly seems now either off line or has closed the router and all rulesettings so tight... ! No, no ping answer, no trace to the last address, not any TCP inspector results, so is off line. What a pity :)
" }-

Hi Jooske. I'm still here. Router set to block pings, so pinging me won't work, and traceroute to me will die after a few hops.

Believe me, I'm not going anywhere until someone at DCS helps me. :o

Best Regards,
Hilly.

Jooske
July 7th, 2002, 07:46 PM
Then you know with the TDS Inspector i did not get any results on you, interrogate this moment..... not even 135!
Just ordinary FW and TDS, nothing more on my side.

Pawthentic
July 7th, 2002, 07:59 PM
-{ Quote: " quoting: Jooske link=board=5;threadid=2194;start=60#15865 date=1026085582]
Then you know with the TDS Inspector i did not get any results on you, interrogate this moment..... not even 135!
Just ordinary FW and TDS, nothing more on my side.
" }-

Jooske, I want to thank you for jumping in and helping ~~ every bit counts!

The results you're seeing right now are exactly what you should be seeing, because I'm behind a router. I can make a good guess that you aren't behind a router, if you were I think you would get drastically different results... or maybe your TDS-3 isn't broken like mine is. ???

I have your IP address, may I please run some scans against you?

Regards,
Hilly.

Jooske
July 7th, 2002, 08:02 PM
I'll even wave at you in the meantime :)
But don't post the results in the open ;D I'll uncheck even some things, so you should have about full access (so much trust)

Pawthentic
July 7th, 2002, 08:06 PM
-{ Quote: " quoting: Jooske link=board=5;threadid=2194;start=60#15867 date=1026086571]
I'll even wave at you in the meantime :)

I'll uncheck even some things, " }-

Okay on the waving. ::Hilly waves back::

Not okay on unchecking things. It would be best if I hit as much of a brick wall as I can. I don't want open doors, I want locked ones.

Thanks -so- much. ;)

Regards,
Hilly.

Jooske
July 7th, 2002, 08:21 PM
Hihi, tried to tcp connect and udc broadcast, but....
ahh forgot to open the port listening to see you coming in!
hmm should only work on one port at a time. I hear my system activity! You're quite busy :)

Pawthentic
July 7th, 2002, 08:34 PM
Okay Jooske, I'm finished. I definitely didn't get my usual results when scanning you with Interrogate under TDS-3. I also ran nmapNT against you, and got more strange results.

If I promise to blank-out any and all possibly identifying information, may I post the results here?

Thanks and Regards,
Hilly.

Jooske
July 7th, 2002, 08:40 PM
I've always been strange already :) so what else to expect? I scanned some of you in the meantime, broadcasting and connecting, pinging and backtracing you and in this case not even used one of the nice emu scripts :(
You know what's in the logging, so you can see if there is any danger when blanked out the personal parts. But of course i like a copy in the PM with all included (or email, whatever you'd prefer).
Of course i'm very curious now what you got for me!

Pawthentic
July 7th, 2002, 08:59 PM
-{ Quote: " quoting: Jooske link=board=5;threadid=2194;start=60#15876 date=1026088819]
Of course i'm very curious now what you got for me!
" }-

PM sent.

Thank you, Jooske.

Regards,
Hilly.

Paul Wilders
July 7th, 2002, 09:16 PM
Hi Hilly,

I do remember this GRC issue very well - our mail server has been bombed heavily for days in a row ;).

On topic: As stated before, DCS has been contacted to jump in. Seems fair to wait for their reply. Thus, I'm closing this thread for the moment. DCS/Wayne will open it as soon as he's available. For the record: I'm not doubting your good intentions for one single moment; be assured of that!

regards.

paul