A² Online-check Available Now

Discussion in 'other anti-trojan software' started by hayc59, Jan 28, 2004.

Thread Status:
Not open for further replies.
  1. hayc59

    hayc59 Guest

    a² online check - any thoughts?
    Hi,

    we just finished the online check of a² today. I would like to invite everyone to try it:
    http://onlinecheck.emsisoft.com/en


    In fact the test does the following things:
    1. Portscans of the well known ports (application and trojan ports)
    2. Checks the browser for several hijackers and downloaders used by Dialers
    3. Checks the windows network if there are shares available to the internet.
    4. Tries to collect as much information about you as possible and displays them.
    5. Checks for enabled active scripting and other potential dangerous browser technologies.

    What do you think about? Any suggestions or thoughts? What do you like or dislike?

    Looking forward to your feedback,
    Forum--->
    http://forum.emsisoft.com/viewtopic.php?p=3547#3547
     
  2. hayc59

    hayc59 Guest

    sorry and thanks for the move ;)
    was not sure where to put it??
     
  3. controler

    controler Guest

    The first time I went to the site, I got in.
    I have not been able to reach it since.
    Either My system won't let me go there or the server is not able to handle the traffic :(

    controler
     
  4. Khaine

    Khaine Registered Member

    Joined:
    Oct 2, 2002
    Posts:
    127
    Looks good Andreas :)
     
  5. controler

    controler Guest

    I think my IP has been blocked from this site. I still can't reach it :mad:
     
  6. Andreas Haak

    Andreas Haak Guest

    Can you ping onlinecheck.emsisoft.com? :)
     
  7. Gary Gailey

    Gary Gailey Guest

    Hi,

    A question regarding the online scanner?
    What is the point of me dropping my firewall security to scan my computer because, if i do so it is bound to show open ports?
    Because the firewall is not there to stop the port scans!
    I am just working on the principle of the scan that is done on the GRC Gibson site.
    Where that tests my computer with the firewall in place, which in turn tests both the firewall and my computer security.
     
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    Well, while I rarely alter my security to test my security, there is a key point in such tests...

    Some people do not know what services (or even malware programs) are running and listening on their systems. Many of the online tests (a² is not unique in this), do ask for security software to be disabled just to inform the user about what is running on their systems.

    Yes, in some ways it is misleading, but, in other ways it tells the users about just what their system is doing.

    Whether a² is right in this or not, I can't say. But, I will say what I always say - "it is better to know than not know. If you don't want to test this way, that's fine too of course. But some people do want to try this type of scan.
     
  9. Andreas Haak

    Andreas Haak Guest

    And there is another important point. The online scan tries to be comprehensive. We always do a full connect portscan. That means:

    The a² scan server connects to your ports and even tests if the service is a real service or not. For example if it seems your port 21 is open the test would try to figure out if its a real FTP there and if its able to login anonymously.

    This "comprehensive" testing has a big disadvantage:
    If your firewall is in stealth mode (which means no RST packets are sent back if a port is closed) we have to wait for a timeout. This means:

    The port scan can take 20 or 30 minutes (instead of 0.5 or 1 minute).

    So everyone is advised to deactivate the firewall.

    By the way:
    LWM is exactly right. Especially cause packet filters can be easily fooled. There are some standard rules in nearly all firewall's standard rulesets that permit traffic from port 53/tcp and 53/udp (DNS) or other ports used by DHCP or BOOTP for example. That makes it easy to circumwent the packet filter. Just be sure you send the packets from port 53 ;).
     
  10. Gary Gailey

    Gary Gailey Guest

    Hi,

    I followed your advice and disabled the firewall, and the Portscan result is below:

    The following ports were identified as open on your PC:

    Port 1025

    These programs or services use this port by default:
    Windows RPC, Scheduled Tasks

    These Trojans or Malware files use this port by default:
    NetSpy; Maverick's Matrix; RemoteStorm

    Is this anything to worry about?

    Also the other test results are below:
    ------------------------------------------------------------------------------------------
    Security Check result:

    No public information about your PC resp. your network could be determined.

    ---------------------------------------------------------------------------------------------
    Exploit Test result:

    No harmful ActiveX components were detected.

    ---------------------------------------------------------------------------------------------
    Browser Check results:

    Browser-Check:
    Your browser configuration will be checked for risks now.

    Visual Basic Script (VBScript) Test: VBScript is activated!
    VBScript is not dangerous in general. But it is used by worm virus authors to embed harmful code in HTML emails. Ensure to have the latest security updates of your browser installed to stay protected against harmful VBScripts.

    Secure ActiveX Test: Invocation of secure ActiveX controls is activated.
    ActiveX controls are a kind of enhancement plugins for the browser (as e.g. the Flash plugin). The classification if an ActiveX control is secure or not is done by the developer of the control. So it is also possible that a secure control can contain insecure code. Please notice, that the online Windows-Update doesn't work without ActiveX controls.

    Insecure ActiveX Test: Invocation of insecure ActiveX controls is deactivated.
    Insecure ActiveX controls may contain harmful code and therefore they should be deactivated or set to prompt the user before running to block controls of Dialers, etc.

    Internet Explorer makes a difference between signed and unsigned ActiveX controls. Always check controls with invalid signatures before you accept them and let them install on your computer.

    ------------------------------------------------------------------------------------
    Can anyone explain please if these are good or bad results.
    Many thanks in advance.
     
  11. sig

    sig Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    716
    Looks OK, with the notes Andreas' site gives you.

    I'm guessing you're running W2K or XP (NT family) and have disabled a number of the native services that hold ports open. 1025 is a port one would expect to see open on such systems. (I'm guessing perhaps you couldn't close all ports without also cutting off your internet connection if your ISP uses DHCP? At least some people say they can't close all ports without losing internet connectivity also.)

    If you're running a W9X system, however, I'd check to see what was holding the port open. It would have to be some server or service or perhaps even malware.

    Browser results are as expected for a default install of IE. Safest settings are to disable scripting and ActiveX but you will find that a lot of sites won't work properly since they rely on such stuff. What some people do is disable them in the Internet Zone and only put the really trusted websites that require ActiveX and scripting to function in the trusted zone where the security settings are lower.

    Right now, perhaps the most common problems that hits the average user occur while they are surfing the net. (And not necessarily on "questionable" sites.) A lot of different kinds of spyware is installed via ActiveX while the user is just browsing the net. Enabling ActiveX esentially allows for programs to be installed by your brower without any prompt to the user. That could be good so you can see a flashy cool site the way it was intended. But it can be bad if you get some spyware that hijacks your browser to specific sites and craps up your system. (Check out the privacy section here where people are asking for help to get rid of spyware that installed itself to their machine without their knowledge.)

    Scripting is another thing that can be good for site functionality as long as you don't hit the wrong site where someone's put a bad script that your browser will download as long as scripting is enabled.

    Anyway, if you do continue to surf with ActiveX enabled, if you don't already you should use Spybot Search and Destroy and/or Adaware (both freeware) to check out your PC to see if there's anything that should be cleaned out. These programs do updates like AV's on occasion to add new spyware for detection and cleaning. Also, to help protect yourself against the installation of various kinds of spyware, etc you can install SpywareBlaster and SpywareGuard by Javacool. Free (donationware) programs that you only have to update occasionally as updates are issued. Check out Javacool's forum here at Wilders and there should be links to his site where you can download the programs.

    I'm assuming you also run an AV and some AV's are now including some spyware apps in their databases....that's how bad it's gotten. You already have a firewall. So you're in better shape than some. ;)

    Hope this helps.
     
  12. Gary Gailey

    Gary Gailey Guest

    Hi,

    I am using Windows XP Home (all updates installed), and also Ad-Aware, Spybot, SpywareBlaster, Spyware Guard, ID-Blaster and Mailwasher.
    My anti-virus is AVG Free.
    My firewall is Norton, and the Norton anti-virus is an on demand scanner for a second opinion.
    I also use the GRC site for checking every so often to make sure all my ports are blocked.
    And i have to use AOL for my internet connection.
     
  13. iceni60

    iceni60 ( ^o^)

    Joined:
    Jun 29, 2004
    Posts:
    5,116
    i just found a link to this from another site and was going to start a new thread, but it has already been done. thanks, Andreas - a² :)
     
  14. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I thought the results running various browsers was interesting. (I've shortened this as much as possible - example: closed ports not shown, open ports descriptions not included, etc.).

    This one for FireFox:

    Starting a² Online-Check for IP 206.74.106.226 on 1/25/2005 3:44:10 PM

    Portscan:
    You computer is scanned for open ports now.

    2140: open!
    20034: open!
    6667: open!
    12345: open!
    1243: open!
    80: open!
    27374: open!
    31337: open!
    23: open!
    Security-Test:
    Public available information about your PC resp. your network are collected.

    Your IP address: 206.74.106.226
    Your operating system: Windows XP
    Your browser: Gecko
    Full browser identification: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
    Browser languages: en-us, en;q=0.5

    You did run the Online-Check 0 times before.

    Public information about your IP address from the Whois Server:

    OrgName: Info Avenue Internet Services, LLC
    OrgID: IAVE
    Address: 3545 Centre Circle dr.
    Address: Suite A
    City: Fort Mill
    StateProv: SC
    PostalCode: 29716
    Country: US

    NetRange: 206.74.0.0 - 206.74.255.255
    CIDR: 206.74.0.0/16
    NetName: IAVE-4
    NetHandle: NET-206-74-0-0-1
    Parent: NET-206-0-0-0-0
    NetType: Direct Allocation
    NameServer: DNS4.INFOAVE.NET
    NameServer: DNS2.INFOAVE.NET
    Comment:
    RegDate: 1995-07-28
    Updated: 2002-04-14

    TechHandle: ZI64-ARIN
    TechName: IP Administrator
    TechPhone: +1-803-802-4600
    TechEmail: ipadmin@engdev.infoave.net

    OrgAbuseHandle: IAD2-ARIN
    OrgAbuseName: InfoAvenue Abuse Department
    OrgAbusePhone: +1-803-802-4600
    OrgAbuseEmail: abuse@infoave.net

    OrgNOCHandle: ZI64-ARIN
    OrgNOCName: IP Administrator
    OrgNOCPhone: +1-803-802-4600
    OrgNOCEmail: ipadmin@engdev.infoave.net

    OrgTechHandle: ZI64-ARIN
    OrgTechName: IP Administrator
    OrgTechPhone: +1-803-802-4600
    OrgTechEmail: ipadmin@engdev.infoave.net

    Your PC resp. your network is contacted now and public information will be collected.
    Note: This check may take up to a minute.

    No public information about your PC resp. your network could be determined.

    Exploit-Test:
    Your browser will be checked for installed ActiveX components of Dialers, etc. now.

    This test is only possible with Internet Explorer. So your computer seems to be secure against ActiveX components.

    Browser-Check:
    Your browser configuration will be checked for risks now.

    Visual Basic Script (VBScript) Test: The VBScript-Test is only possible with Internet Explorer. So your computer seems to be secure against ActiveX components.


    Secure ActiveX Test: The ActiveX Test is only possible with Internet Explorer. So your computer seems to be secure against ActiveX components.


    Insecure ActiveX Test: The ActiveX Test is only possible with Internet Explorer. So your computer seems to be secure against ActiveX components.

    a² Online-Check finished on 1/25/2005 3:45:07 PM
    _________________________________________________________________

    This one for IE running through Tor/Privoxy:

    Starting a² Online-Check for IP 82.94.251.206 on 1/25/2005 3:55:32 PM

    Portscan:
    You computer is scanned for open ports now.
    443: open!
    80: open!

    Security-Test:
    Public available information about your PC resp. your network are collected.

    Your IP address: 82.94.251.206
    Your operating system: Windows XP
    Your browser: MS Internet Explorer
    Full browser identification: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
    Browser languages: en-us

    You did run the Online-Check 0 times before.

    Public information about your IP address from the Whois Server:
    %
    inetnum: 82.94.251.192 - 82.94.251.207
    netname: colonah6
    descr: NAH6 BV
    country: NL
    admin-c: RG2248-RIPE
    tech-c: RG2248-RIPE
    tech-c: XS42-RIPE
    status: ASSIGNED PA
    notify: netmaster@xs4all.nl
    mnt-by: XS4ALL-MNT
    changed: oliver@xs4all.nl 20040923
    source: RIPE

    route: 82.92.0.0/14
    descr: XS4ALL networking
    origin: AS3265
    notify: as-guardian@xs4all.nl
    mnt-by: XS4ALL-MNT
    changed: erik@xs4all.net 20031125
    source: RIPE

    role: XS4ALL Internet NOC
    address: XS4ALL Internet BV
    address: Postbus 1848
    address: 1000BV Amsterdam
    address: The Netherlands
    phone: +31 20 3987654
    fax-no: +31 20 3987604
    e-mail: netmaster@xs4all.nl
    admin-c: CB127
    tech-c: CB127
    tech-c: OD45
    tech-c: EB76-RIPE
    tech-c: RZ2757-RIPE
    tech-c: KAI11-RIPE
    nic-hdl: XS42-RIPE
    notify: netmaster@xs4all.nl
    mnt-by: XS4ALL-MNT
    changed: cor@xs4all.nl 19980928
    changed: oliver@xs4all.nl 19990312
    changed: remcovz@xs4all.net 20020130
    changed: kai@xs4all.nl 20031218
    source: RIPE

    person: R Gonggrijp
    address: NAH6 BV
    address: Linnaeusparkweg 98
    address: 1098 EJ Amsterdam
    address: The Netherlands
    phone: +31 20 6638558
    fax-no: +31 20 6638511
    e-mail: rop@rop.nl
    nic-hdl: RG2248-RIPE
    notify: rop@rop.nl
    changed: oliver@xs4all.nl 20040923
    source: RIPE

    Your PC resp. your network is contacted now and public information will be collected.
    Note: This check may take up to a minute.

    No public information about your PC resp. your network could be determined.

    Exploit-Test:
    Your browser will be checked for installed ActiveX components of Dialers, etc. now.

    IEAccess2 not found.
    BCVoicePlugin not found.
    TSCPlugin not found.
    MoneyTreeDialer not found.
    D9Dialer not found.
    CABDialer not found.
    SunInfoConnect.snConnect not found.
    eConnect.eConn not found.
    VLoading not found.
    WebInstall not found.
    Uloader not found.
    ActiveInstall not found.
    ActiveXDownload not found.
    NTools.ActiveInstaller not found.
    MaConnect not found.
    xDiver not found.
    WebPlugin_Class not found.
    WebUpdate not found.
    WSD not found.
    IELoader not found.
    Acceler8or not found.

    No harmful ActiveX components were detected.

    Browser-Check:
    Your browser configuration will be checked for risks now.

    Visual Basic Script (VBScript) Test: VBScript is activated!

    Secure ActiveX Test: Invocation of secure ActiveX controls is deactivated.

    Insecure ActiveX Test: Invocation of insecure ActiveX controls is deactivated.
    a² Online-Check finished on 1/25/2005 3:56:14 PM
    _________________________________________________________________

    And then IE w/Tor/Privoxy/SocksCap:

    Starting a² Online-Check for IP 216.17.104.17 on 1/25/2005 4:22:58 PM

    Portscan:
    You computer is scanned for open ports now.

    443: open!
    6667: open!
    80: open!
    53: open!
    25: open!
    22: open!
    21: open!
    Security-Test:
    Public available information about your PC resp. your network are collected.

    Your IP address: 216.17.104.17
    Your operating system: Windows XP
    Your browser: MS Internet Explorer
    Full browser identification: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
    Browser languages: en-us

    You did run the Online-Check 1 times before.

    Public information about your IP address from the Whois Server:

    Phatservers.net PHATSERVERS-NET1 (NET-216-17-104-0-1)
    216.17.104.0 - 216.17.111.255
    A1COLO.COM A1COLO (NET-216-17-96-0-1)
    216.17.96.0 - 216.17.111.255

    Your PC resp. your network is contacted now and public information will be collected.
    Note: This check may take up to a minute.

    No public information about your PC resp. your network could be determined.

    Exploit-Test:
    Your browser will be checked for installed ActiveX components of Dialers, etc. now.

    IEAccess2 not found.
    BCVoicePlugin not found.
    TSCPlugin not found.
    MoneyTreeDialer not found.
    D9Dialer not found.
    CABDialer not found.
    SunInfoConnect.snConnect not found.
    eConnect.eConn not found.
    VLoading not found.
    WebInstall not found.
    Uloader not found.
    ActiveInstall not found.
    ActiveXDownload not found.
    NTools.ActiveInstaller not found.
    MaConnect not found.
    xDiver not found.
    WebPlugin_Class not found.
    WebUpdate not found.
    WSD not found.
    IELoader not found.
    Acceler8or not found.

    No harmful ActiveX components were detected.

    Browser-Check:
    Your browser configuration will be checked for risks now.

    Visual Basic Script (VBScript) Test: VBScript is activated!


    Secure ActiveX Test: Invocation of secure ActiveX controls is deactivated.
    Insecure ActiveX Test: Invocation of insecure ActiveX controls is deactivated.

    a² Online-Check finished on 1/25/2005 4:24:04 PM
    _________________________________________________________________

    Opera:

    Starting a˛ Online-Check for IP 206.74.106.226 on 1/25/2005 4:40:33 PM

    Portscan:
    You computer is scanned for open ports now.

    2140: open!
    20034: open!
    6667: open!
    1243: open!
    80: open!
    27374: open!
    31337: open!
    23: open!
    12345: open!

    Security-Test:
    Public available information about your PC resp. your network are collected.

    Your IP address: 206.74.106.226
    Your operating system: Windows XP
    Your browser: Opera
    Full browser identification: Opera/7.54u1 (Windows NT 5.1; U) [en]
    Browser languages: en

    You did run the Online-Check 0 times before.

    Public information about your IP address from the Whois Server:

    OrgName: Info Avenue Internet Services, LLC
    OrgID: IAVE
    Address: 3545 Centre Circle dr.
    Address: Suite A
    City: Fort Mill
    StateProv: SC
    PostalCode: 29716
    Country: US

    NetRange: 206.74.0.0 - 206.74.255.255
    CIDR: 206.74.0.0/16
    NetName: IAVE-4
    NetHandle: NET-206-74-0-0-1
    Parent: NET-206-0-0-0-0
    NetType: Direct Allocation
    NameServer: DNS4.INFOAVE.NET
    NameServer: DNS2.INFOAVE.NET
    Comment:
    RegDate: 1995-07-28
    Updated: 2002-04-14

    TechHandle: ZI64-ARIN
    TechName: IP Administrator
    TechPhone: +1-803-802-4600
    TechEmail: ipadmin@engdev.infoave.net

    OrgAbuseHandle: IAD2-ARIN
    OrgAbuseName: InfoAvenue Abuse Department
    OrgAbusePhone: +1-803-802-4600
    OrgAbuseEmail: abuse@infoave.net

    OrgNOCHandle: ZI64-ARIN
    OrgNOCName: IP Administrator
    OrgNOCPhone: +1-803-802-4600
    OrgNOCEmail: ipadmin@engdev.infoave.net

    OrgTechHandle: ZI64-ARIN
    OrgTechName: IP Administrator
    OrgTechPhone: +1-803-802-4600
    OrgTechEmail: ipadmin@engdev.infoave.net

    Your PC resp. your network is contacted now and public information will be collected.
    Note: This check may take up to a minute.

    No public information about your PC resp. your network could be determined.

    Exploit-Test:
    Your browser will be checked for installed ActiveX components of Dialers, etc. now.

    This test is only possible with Internet Explorer. So your computer seems to be secure against ActiveX components.

    Browser-Check:
    Your browser configuration will be checked for risks now.

    Visual Basic Script (VBScript) Test: The VBScript-Test is only possible with Internet Explorer. So your computer seems to be secure against ActiveX components.

    Secure ActiveX Test: The ActiveX Test is only possible with Internet Explorer. So your computer seems to be secure against ActiveX components.

    Insecure ActiveX Test: The ActiveX Test is only possible with Internet Explorer. So your computer seems to be secure against ActiveX components.

    a˛ Online-Check finished on 1/25/2005 4:41:35 PM
    _________________________________________________________________

    Port hits were affected by KillerWall (which I left running, by mistake, sorry) (1243,2140,6667,20034,12345,27374,31337) and SpyBlocker (port 80).

    I found it puzzling that port 1243 took a hit in Opera that it did NOT get in FireFox, and that port 6667 took a hit running IE Tor//Privoxy/SocksCap that it did NOT get running IE Tor/Privoxy alone.

    Just in case anyone's interested. Pete
     
  15. Ronin

    Ronin Guest

    Hi Spy1 thanks for posting your IP address and details about your computer.
     
  16. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Ronin - You're quite welcome.

    Since it's my IP address and my details, I guess I'll publish them if I want to.

    But thank you for your concern - feel free to use any of that info as you see fit - I get tired of all my defensive programs sitting here with nothing to do. :p Pete
     
  17. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    yes Spy1, I am gonna hack your ... :D
     
  18. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    <g> Hack away, INFINITY - but remember, you don't win unless you totally "own" my computer. Pete
     
  19. Primrose

    Primrose Registered Member

    Joined:
    Sep 21, 2002
    Posts:
    2,743
    And here is mine 67.240.79.173 also..I will leave the lights on for ya..you can have all the viagra email ads you can find on the system..just don't get stuck in the honey pot or drink all my beer. :D
     

    Attached Files:

Thread Status:
Not open for further replies.