Script to get rid of port 137 scan logs

Discussion in 'Trojan Defence Suite' started by DolfTraanberg, Dec 20, 2002.

Thread Status:
Not open for further replies.
  1. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    I stole Jooske’s idea to let TDS listen on port 137 and modified a SS3 script to do so
    Dolf

    Code:
    Sub Main
      Call LoadSocket(137)         'xSocket(0) - listen on port 137
      Call CheckListening(CInt(0)) 'test that socket index 0 is listening
    End Sub
    
    Sub LoadSocket(xPort)  'xPort = port to listen on
    On Error Resume Next
     Call LoadObject("xSocket",0)                   'create socket object index 0
     If xSocket(0).State <> 0 Then xSocket(0).Close 'State 0 = closed; close it first if it is not
     xSocket(0).LocalPort = xPort
     xSocket(0).Listen                              'listen; no ConnectionRequest handler, so the script never accepts or answers anything
    End Sub
    
    Sub CheckListening(xIndex)  'xIndex = socket index to check (the original always checked index 0)
    On Error Resume Next
     If xSocket(xIndex).State = 2 Then              'State 2 = listening
        Call AddLine("Socket","Listening on Port:" & CStr(xSocket(xIndex).LocalPort))
     Else
        Call AddLine("Socket","Could not listen on Port:" & CStr(xSocket(xIndex).LocalPort))
     End If
    End Sub
    
    Sub xSocket_Error           'event raised by TDS when a socket reports an error; xSocketIndex is the index of that socket
     Call AddLine("Socket","Error: " & CStr(xSocket(xSocketIndex).Tag))
    End Sub
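
The point of the script is that once something on the host is bound to 137, the firewall has an open port to hand the packet to instead of an unsolicited packet to log. The same idea in Python, as an added example that is not part of the post and not TDS-3 code: it binds UDP and TCP 137, decodes the NetBIOS name-service query that these probes carry (so you can see what they ask for), and never replies. The port and address parameters, the `WILDCARD_PROBE` bytes and the `run_sink` helper are assumptions/constructed for the example; binding 137 needs root or Administrator.

```python
"""Sink for NetBIOS name-service probes on port 137 (added example).

Binds UDP and TCP on the port so the host firewall sees an open port rather
than an unsolicited packet to log, decodes what arrives and never answers.
Assumptions: binding a port below 1024 needs privileges, so the port is a
parameter; WILDCARD_PROBE below is a constructed packet, not a capture."""
import selectors
import socket
import struct
from collections import Counter
from typing import Optional, Tuple

NBNS_HEADER = struct.Struct("!HHHHHH")       # txid, flags, QD, AN, NS, AR
QTYPE_NAMES = {0x0020: "NB", 0x0021: "NBSTAT"}


def encode_nbns_name(name: str, suffix: int = 0) -> bytes:
    """NetBIOS first-level encoding: 15-byte name + 1-byte suffix, every
    nibble written as a letter 'A'..'P', giving 32 characters."""
    pad = b"\x00" if name == "*" else b" "   # the NBSTAT wildcard is '*' + NULs
    raw = name.encode("latin-1")[:15].ljust(15, pad) + bytes([suffix & 0xFF])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


def decode_nbns_name(encoded: bytes) -> Tuple[str, int]:
    """Inverse of encode_nbns_name; returns (name without padding, suffix)."""
    if len(encoded) != 32 or any(not 0x41 <= c <= 0x50 for c in encoded):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((encoded[i] - 0x41) << 4) | (encoded[i + 1] - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("latin-1"), raw[15]


def build_nbns_query(name: str, suffix: int = 0, qtype: int = 0x21,
                     txid: int = 0x1234) -> bytes:
    """One-question NBNS request, the shape a scanner or infected host sends."""
    question = bytes([32]) + encode_nbns_name(name, suffix) + b"\x00"
    return (NBNS_HEADER.pack(txid, 0x0000, 1, 0, 0, 0) + question
            + struct.pack("!HH", qtype, 1))


def parse_nbns_query(packet: bytes) -> dict:
    """Header and first question of an NBNS request; ValueError otherwise."""
    if len(packet) < NBNS_HEADER.size + 1:
        raise ValueError("short packet")
    txid, flags, qd, _an, _ns, _ar = NBNS_HEADER.unpack_from(packet, 0)
    if flags & 0x8000 or qd != 1:              # response bit set, or not one question
        raise ValueError("not a single-question query")
    pos = NBNS_HEADER.size
    label_len = packet[pos]
    name, suffix = decode_nbns_name(packet[pos + 1:pos + 1 + label_len])
    pos += 1 + label_len
    while True:                                 # skip any scope labels up to the 0 byte
        if pos >= len(packet):
            raise ValueError("unterminated name")
        if packet[pos] == 0:
            pos += 1
            break
        pos += 1 + packet[pos]
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack_from("!HH", packet, pos)
    return {"txid": txid, "flags": flags, "name": name, "suffix": suffix,
            "qtype": QTYPE_NAMES.get(qtype, hex(qtype)), "qclass": qclass,
            "wildcard": name == "*"}


# constructed: the classic "who are you" NBSTAT probe (name '*', type 0x21)
WILDCARD_PROBE = build_nbns_query("*")


def run_sink(port: int = 137, host: str = "0.0.0.0",
             max_events: Optional[int] = None) -> Counter:
    """Bind UDP and TCP on `port`, swallow everything, count hits per source.
    No application data is ever sent back, so nothing about names or shares leaks."""
    seen: Counter = Counter()
    udp = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tcp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sel = selectors.DefaultSelector()
    for s in (udp, tcp):
        s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        s.bind((host, port))
        sel.register(s, selectors.EVENT_READ)
    tcp.listen(16)
    events = 0
    try:
        while max_events is None or events < max_events:
            for key, _ in sel.select():
                if key.fileobj is udp:
                    data, (src, _) = udp.recvfrom(576)
                    try:
                        q = parse_nbns_query(data)
                        what = f"{q['qtype']} query for {q['name']!r}"
                    except ValueError:
                        what = "non-NBNS datagram"
                else:
                    conn, (src, _) = tcp.accept()
                    conn.close()                # complete the handshake, then drop it
                    what = "TCP connection dropped"
                seen[src] += 1
                events += 1
                print(f"port {port} from {src}: {what}")
    finally:
        sel.close()
        udp.close()
        tcp.close()
    return seen


if __name__ == "__main__":
    print(parse_nbns_query(WILDCARD_PROBE))     # what an NBSTAT probe decodes to
    run_sink()                                  # needs privileges for port 137
```

Run it as root/Administrator and watch the per-source lines; nearly every hit will decode as an NBSTAT query for `*`, the wildcard "tell me all your names" request that infected hosts and scanners send.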
    
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Script to get rid of port 137 scan logs in ZoneAlarm

    :D Excellent work Dollefile. Don't run ZA myself but I am sure ZA / TDS users will appreciate it.
    Looking at my WallWatcher log I am still getting hundreds of hits a day :'(
     
  3. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Re: Script to get rid of port 137 scan logs in ZoneAlarm

    Dolf reported the thread locked; I believe I did it inadvertently? Sorry :oops: - Should be OK now
     
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re: Script to get rid of port 137 scan logs in ZoneAlarm

    Nice script Dolf, for me it works: TDS listening nicely on both TCP and UDP 137, nothing in the logs for ZAPro. In PE it gives nicely the TDS icon for it, and till now I did not see connections, while normally without a port listening on that I have them still every few seconds.
    To you the honor to post it in the members forum. You might like to paste it in the other script to be started by button click.
     
  5. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Re: Script to get rid of port 137 scan logs in ZoneAlarm

    My first version was actually working with buttons, but then I asked myself the question: "why do I want to be able to turn it off?" and removed them again, so that they can be used for other purposes.
    Dolf
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Re: Script to get rid of port 137 scan logs in ZoneAlarm

    Can also add them under one of the buttons ScriptCmd 1/2 in the console.
    If you make a Form1, a button calling Form2, another button on Form2 back to Form1, maybe another button on either Form1 or Form2 going to Form3, etc., you can chain your scripts. In TDS-3 you can have only one script active at a time, but nothing stops you calling another script to be temporarily active till you call another one.
    The form/button is one way, the dropdown menus are nice too to practice with, or a thing asking to fill in which port we like to listen and rightclick on the console opens the stuff, whatever...... Very nice things!
     
  7. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    I changed the name of the thread because I think that it might work with other firewalls as well.
    Dolf
     
  8. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Thanks for changing the title, yes. For me it is OK, but seeing Pilli above with WallWatcher still full of knocks, not sure if that is with or without running the script?
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    :D Jooske,
    I use a Linksys router, so for me it is not a problem, I just port forward to an imaginary PC on my LAN such as 192.168.1.109 (creating a blackhole). No need for TDS to do the work.
     
  10. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    But doesn't that give miles-long logfiles for portscans, or a DDoS effect or any other negative effect on your resources or bandwidth?
    I can imagine no need for TDS for this matter, with routers and all around. In fact I'm surprised ISPs collectively seem not to have been able to get rid of them somehow in other ways than closing temporarily infected accounts, like they did here with the Yaha/Lentin outbreak.
     
  11. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Jooske,
    You can decide exactly what you want to log with WallWatcher: just inbound or outbound, or even exclude individual addresses or URLs. My largest logfile over 24 hours since October is 72K. For instance I do not log any POP/SMTP servers as this creates a lot of entries over a day.

    Here is a small part of yesterday's logs showing the 137 rubbish:
    You will notice that they are all routed to the 192.168.1.9 blackhole.
    I have noticed no bandwidth degradation using this method.

    2002/12/21 08:36:27.22 I 218.10.208.40 1086 192.168.1.9 137
    2002/12/21 08:42:25.19 I 218.93.255.90 1026 192.168.1.9 137
    2002/12/21 08:50:50.64 I e16086.upc-e.chello.nl(213.93.16.86) 1071 192.168.1.9 137
    2002/12/21 08:51:08.67 I 208.200.80.7 54253 192.168.1.9 137
    2002/12/21 08:51:43.91 I w069.z067105165.nyc-ny.dsl.cnc.net(67.105.165.69) 1025 192.168.1.9 137
    2002/12/21 08:53:11.28 I 61.171.69.81 1029 192.168.1.9 137
    2002/12/21 08:56:21.77 I red-corb1-200382-206.telnor.net(200.38.2.206) 18032 192.168.1.9 137
    2002/12/21 09:04:55.52 I 210.65.54.86 1027 192.168.1.9 137
    2002/12/21 09:10:11.52 I 218.58.209.9 2600 192.168.1.9 137
    2002/12/21 09:12:16.48 I sw59-207-177.adsl.seed.net.tw(61.59.207.177) 1028 192.168.1.9 137
    2002/12/21 09:12:40.56 I 203-195-136-108.now-india.net.in(203.195.136.108) 1031 192.168.1.9 137
    2002/12/21 09:17:56.05 I 218.16.39.138 1028 192.168.1.9 137
    2002/12/21 09:19:03.81 I 217.131.33.196 1028 192.168.1.9 137
    2002/12/21 09:20:51.11 I 200.223.216.2 1026 192.168.1.9 137
    2002/12/21 09:21:12.67 I pc3-alde1-5-cust24.glfd.cable.ntl.com(80.6.25.24) 1038 192.168.1.9 137
    2002/12/21 09:24:40.92 I 212.19.79.192 48465 192.168.1.9 137
    2002/12/21 09:27:33.92 I 219.240.15.73 1028 192.168.1.9 137
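
The lines above are exactly the noise the thread is about, and the blackhole trick only moves it from the PC's firewall log into the router log. The following is an added example, not WallWatcher's or TDS's own code, that parses lines in that layout (`date time I|O src[(ip)] sport dst dport`), drops the inbound port-137 hits aimed at the blackhole address and counts who sent them, so the rest of the log stays readable. Six of the sample lines are quoted from the post; the last two (a port 80 hit on a LAN host and an outbound SMTP connection) and the addresses in them are constructed for the example, and the line layout itself is an assumption taken from the post.

```python
"""Filter NetBIOS port-137 noise out of a WallWatcher-style log (added example).

Assumed line layout, taken from the post above:
    <date> <time> <I|O> <src[(ip)]> <sport> <dst> <dport>
where WallWatcher writes "hostname(ip)" when it could resolve the source."""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple


def _endpoint(name: str) -> str:
    # "host(1.2.3.4)" when the name was resolved, else a bare IPv4 address
    return (rf"(?:(?P<{name}_host>[\w.-]+)\()?"
            rf"(?P<{name}>\d{{1,3}}(?:\.\d{{1,3}}){{3}})\)?")


LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{2}) "
    r"(?P<dir>[IO]) " + _endpoint("src") + r" (?P<sport>\d{1,5}) "
    + _endpoint("dst") + r" (?P<dport>\d{1,5})$")

NETBIOS_PORTS = frozenset({137})      # the thread's subject; add 138/139 to widen


@dataclass(frozen=True)
class Entry:
    when: str
    inbound: bool
    src: str
    src_host: Optional[str]
    sport: int
    dst: str
    dport: int


def parse_line(line: str) -> Optional[Entry]:
    """One log line -> Entry, or None if it does not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:                                # reject e.g. 999.1.1.1 that the regex lets through
        ipaddress.IPv4Address(m["src"])
        ipaddress.IPv4Address(m["dst"])
    except ValueError:
        return None
    return Entry(when=f"{m['date']} {m['time']}", inbound=m["dir"] == "I",
                 src=m["src"], src_host=m["src_host"], sport=int(m["sport"]),
                 dst=m["dst"], dport=int(m["dport"]))


def is_netbios_noise(e: Entry, blackhole: Optional[str] = None) -> bool:
    """Inbound, aimed at a NetBIOS port and, if a blackhole address is given,
    at that address (the one the router forwards those ports to)."""
    return (e.inbound and e.dport in NETBIOS_PORTS
            and (blackhole is None or e.dst == blackhole))


def filter_noise(lines: Iterable[str],
                 blackhole: Optional[str] = None) -> Tuple[List[str], Counter]:
    """Return (lines worth reading, Counter of dropped hits per source IP).
    Lines that do not parse are kept, never silently discarded."""
    kept: List[str] = []
    dropped: Counter = Counter()
    for line in lines:
        e = parse_line(line)
        if e is not None and is_netbios_noise(e, blackhole):
            dropped[e.src] += 1
        else:
            kept.append(line)
    return kept, dropped


SAMPLE_LOG = [
    # six lines quoted from the post above
    "2002/12/21 08:36:27.22 I 218.10.208.40 1086 192.168.1.9 137",
    "2002/12/21 08:42:25.19 I 218.93.255.90 1026 192.168.1.9 137",
    "2002/12/21 08:50:50.64 I e16086.upc-e.chello.nl(213.93.16.86) 1071 192.168.1.9 137",
    "2002/12/21 08:51:08.67 I 208.200.80.7 54253 192.168.1.9 137",
    "2002/12/21 08:51:43.91 I w069.z067105165.nyc-ny.dsl.cnc.net(67.105.165.69) 1025 192.168.1.9 137",
    "2002/12/21 09:12:40.56 I 203-195-136-108.now-india.net.in(203.195.136.108) 1031 192.168.1.9 137",
    # two constructed lines in the same layout, to show what the filter keeps
    "2002/12/21 09:13:02.10 I 218.10.208.40 2171 192.168.1.100 80",
    "2002/12/21 09:13:05.44 O 192.168.1.100 1433 198.51.100.25 25",
]

if __name__ == "__main__":
    kept, dropped = filter_noise(SAMPLE_LOG, blackhole="192.168.1.9")
    print(f"dropped {sum(dropped.values())} port-137 hits from {len(dropped)} sources")
    for src, n in dropped.most_common(5):
        print(f"  {src}: {n}")
    print("kept:")
    print("\n".join(kept))
```

Passing the blackhole address keeps the filter honest: a port-137 hit that reaches a real LAN address (for instance because the forwarding rule was changed) is not treated as background noise and stays in the log.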
     
  12. DolfTraanberg

    DolfTraanberg Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    676
    Location:
    Amsterdam
    Hey Pilli
    You're doing great, it's the same thing Jooske and I are doing, just get it and dump it.
    But maybe someone can use a hand.
    Dolf
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    :D Thanks Dolf,
    I also use the same technique for port 80 and 8080.
    Put a dummy PC in the DMZ of the router & forward the ports to it for guaranteed stealth.

    Have noticed very little effect on performance: I can still download at 73 KB/s on a 75 KB/s (600 kb/s) cable connection, providing the site I download from can handle it.

    Use Sygate Pro 5 as a back-up software firewall, mainly for outgoing connections, + Port Explorer monitoring processes and connections.
     