Attacts on Port Explorer

I have had attacks on Port Explorer when I have have used Whois. By the time I can hit Print Screen for a pic to upload it is gone. It happens as fast as lighting. I would like to think that my firewall still protects me, found any nasties or TDS running in the background. I check my firewall logs but see nothing thats looks unusual. This has only happened just a few times. Can anyone give me anymore info that I should do or check for. Sure wish I had a pic to upload. Maybe if it happens again I will be quick enought to capture the pic.

regards,
hardyhar

 

Hi hardyhar, To capture the events, which sound rather strange to say the least, try "settings" - "Show new sockets for" 10 secs and "Show dead sockets for" 10 secs.
You should also be able to see the connection data in "File Logging" - "View file log" text

In the who is window highlight the text and it will be automatically copied to the clip board. Here is one I have just copied.

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum: 62.253.160.0 - 62.253.167.255
netname: NTL
descr: NTL Internet
descr: Winnersh Datacentre
country: GB
admin-c: NNMC1-RIPE
tech-c: NNMC1-RIPE
status: ASSIGNED PA
mnt-by: AS5089-MNT
changed: hostmaster@ntli.net 20010108
changed: hostmaster@ntli.net 20020815
source: RIPE

route: 62.253.128.0/17
descr: NTL-UK-IP-BLOCK
origin: AS5089
mnt-by: AS5089-MNT
changed: hostmaster@ntli.net 20040929
source: RIPE

role: NTLI Network Management Centre
address: NTL Internet
address: Crawley Court
address: Winchester
address: Hampshire
address: SO21 2QA
trouble: -------------------------------------------------------
trouble: For abuse notifications please -
trouble: file an online case @ http://www.ntlworld.com/netreport
trouble: +44 1633 710142 (Voicemail Only)
trouble: -------------------------------------------------------
trouble: For peering issues/requests please -
trouble: email : peering@ntli.net
trouble: -------------------------------------------------------
admin-c: MH22007-RIPE
admin-c: CF2297-RIPE
admin-c: CM1377-RIPE
tech-c: MH22007-RIPE
tech-c: CF2297-RIPE
tech-c: CM1377-RIPE
nic-hdl: NNMC1-RIPE
mnt-by: AS5089-MNT
notify: data.planning@ntl.com
e-mail: data.planning@ntl.com
changed: hostmaster@ntli.net 20030328
changed: hostmaster@ntli.net 20030401
changed: hostmaster@ntli.net 20030603
changed: hostmaster@ntli.net 20030707
changed: hostmaster@ntli.net 20040303
changed: hostmaster@ntli.net 20040312
changed: hostmaster@ntli.net 20040929
source: RIPE

 

Thanks Pilli,
I had setting set to capture every 1 second, so I changed it to 10 seconds. Looks like my pelog file was 221,767 KB in size and my capturebin is 96,574 KB in size and I have clipboard disabled. I have tried to open pelog with wordpad and notepad but it stops responding because the file is so big.

I take it that its ok to delete them both and capturebin and pelog and they will create new logs when restarted. Is this correct?

The only time I have seen the attack was when I was using Whois and I could see that the port said Last Attack and thats about all the time I had to read what it said. It was listed in red in the place where I have it painted in Black.


Yes, I see the one that you copied to clipboard. I usaully just copy and paste to notepad.

 

Hi hardyhar, I can see nothing unusual in your screenshot but the item that is encircled with black at the bottom of the screenshot is unreadable to me
There should be a text version in the file log though.

Pilli

 

hardyhar,

Look under Settings in the PE window. There are menu items to clear both the Window Logging and the File Logging.

 

Hi Pilli & siliconman01,

Yes Pilli there was a log file and I finally got it open with wordpad, it only took about 45 minutes to open I search for attack and couldn't find it anywhere. The file was set at no limit and thats why it was so big.

Pilli, I was just using the screen shot as an example on where the attack showed up. I wish I had more info to give you but sorry I don't. Like I said before this had only happened maybe 2 or 3 times when I was doing a search with Whois.

Thanks siliconman01 for clearing my mine on the setting.

I have one more question please? Now what about the capture bin being so big in size. Is this normal and what can I do to reduce the size in that too.

You guys probally think I'm an idiot but I wasn't aware of the file setting and that you could controll them. I really do believe that what ever attack took place that my firewall stopped it I hope. I have made the setting adjustments and maybe if this happens again I will be able to give the information that you need to help me with.

Thanks to the both of you for your help so far.

Regards,
hardyhar

 

Ah OK hardyhar,
Hopefully the next time this occurrs you can capture some more information.

To set the file log size limt:
Settings - File logging - And set it to the mnimum 1MB

Cheers. Pilli

 

Yepper thats what I had set it to.
What about the capturebin size being so big?
Any info on that.

Regards,
hardyhar

 

The capture bin can be deleted PE will create a new one when needed. BTW Using socket spy continuously causes many entries.

Pilli

 

Thanks Pilli

Yes I have used socket spy many times before.
That explains the size of the capturebin.

Thanks once again...

Regards,
hardyhar

 

Help

I didn't know where else to go, how do I post a new post? I can't find where it says 'post new thread', do I need new glasses or am I just a ditzi blond? Seriously, I can't find it...so I HAD to tag on the end of this post and HOPE someone sees it... Thanks for any help.

 

Hi Anya and welcome, When you open a sub forum where all the threads are listed look at the top of the list to the left and just above the first entry Click on "New Thread"

HTH Pilli

 

Hey Pilli,
I have an image for you now. Note that I'm running on a proxy and marked out the port and one address.

 

Hi hardyhar

Are you perhaps misinterpreting "LAST_ACK" as indicating an attack?
LAST_ACK is just indicating the state of a connection, in this case one in the process of closing. Had you just been to the Red Hat Enterprise Linux Test Page at the time of that entry?

Regards,

CrazyM

 

Hello CrazyM, Yes I was misinterpreting "LAST_ACK" as indicating an attack. At the time this happened I was using WMP listening to a radio station. I thought that this meant that I had been Attacked and that my firewall had blocked the attack. I did notice when I bootup this morning that The Cleaner Pro let me know that a change had been made to the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce which took me to "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait

I scanned with the Cleaner and nothing was found. TDS-3 didn't pickup this change since I did have it running at startup, however after I did my scan with the Cleaner I started TDS-3 up and it found nothing that was changed. I haven't done a full scan with TDS-3 in safe mode. I'm I just being a little parinoid?

BTW, I'm running behind a router too

 

One explanation of the states you will see in the status column of PE:

"A connection progresses through a series of states during its lifetime. The states are: LISTEN, SYN-SENT, SYN-RECEIVED, ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT, and the fictional state CLOSED. CLOSED is fictional because it represents the state when there is no TCB (Transmission Control Block), and therefore, no connection. Briefly the meanings of the states are:

LISTEN - represents waiting for a connection request from any remote TCP and port.

SYN-SENT - represents waiting for a matching connection request after having sent a connection request.

SYN-RECEIVED - represents waiting for a confirming connection request acknowledgment after having both received and sent a connection request.

ESTABLISHED - represents an open connection, data received can be delivered to the user. The normal state for the data transfer phase of the connection.

FIN-WAIT-1 - represents waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent.

FIN-WAIT-2 - represents waiting for a connection termination request from the remote TCP.

CLOSE-WAIT - represents waiting for a connection termination request from the local user.

CLOSING - represents waiting for a connection termination request acknowledgment from the remote TCP.

LAST-ACK - represents waiting for an acknowledgment of the connection termination request

previously sent to the remote TCP (which includes an acknowledgment of its connection termination request).

TIME-WAIT - represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.

CLOSED - represents no connection state at all."

RFC 793

Regards,

CrazyM

 

Thank you very much CrazyM. I understand what happened now, I have my proxy setup to run in IE and Mozilla and I had disabled my proxy in Mozilla and when I went to connect I had forgot about removing the proxy setting and that explains were I got the LAST-ACK - represents waiting for an acknowledgment of the connection termination request. Thats why I also got the alert from The Cleaner. I sometimes forget that google is my friend.

Regards,
hardyhar