I have had attacks on Port Explorer when I have used Whois. By the time I can hit Print Screen for a pic to upload, it is gone. It happens as fast as lightning. I would like to think that my firewall still protects me, not having found any nasties, or TDS running in the background. I check my firewall logs but see nothing that looks unusual. This has only happened just a few times. Can anyone give me any more info on what I should do or check for? Sure wish I had a pic to upload. Maybe if it happens again I will be quick enough to capture the pic. Regards, hardyhar
Hi hardyhar,

To capture the events, which sound rather strange to say the least, try "Settings" - "Show new sockets for" 10 secs and "Show dead sockets for" 10 secs. You should also be able to see the connection data in "File Logging" - "View file log" text. In the Whois window, highlight the text and it will be automatically copied to the clipboard. Here is one I have just copied.

% This is the RIPE Whois query server #1.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum:      62.253.160.0 - 62.253.167.255
netname:      NTL
descr:        NTL Internet
descr:        Winnersh Datacentre
country:      GB
admin-c:      NNMC1-RIPE
tech-c:       NNMC1-RIPE
status:       ASSIGNED PA
mnt-by:       AS5089-MNT
changed:      hostmaster@ntli.net 20010108
changed:      hostmaster@ntli.net 20020815
source:       RIPE

route:        62.253.128.0/17
descr:        NTL-UK-IP-BLOCK
origin:       AS5089
mnt-by:       AS5089-MNT
changed:      hostmaster@ntli.net 20040929
source:       RIPE

role:         NTLI Network Management Centre
address:      NTL Internet
address:      Crawley Court
address:      Winchester
address:      Hampshire
address:      SO21 2QA
trouble:      -------------------------------------------------------
trouble:      For abuse notifications please -
trouble:      file an online case @ http://www.ntlworld.com/netreport
trouble:      +44 1633 710142 (Voicemail Only)
trouble:      -------------------------------------------------------
trouble:      For peering issues/requests please -
trouble:      email : peering@ntli.net
trouble:      -------------------------------------------------------
admin-c:      MH22007-RIPE
admin-c:      CF2297-RIPE
admin-c:      CM1377-RIPE
tech-c:       MH22007-RIPE
tech-c:       CF2297-RIPE
tech-c:       CM1377-RIPE
nic-hdl:      NNMC1-RIPE
mnt-by:       AS5089-MNT
notify:       data.planning@ntl.com
e-mail:       data.planning@ntl.com
changed:      hostmaster@ntli.net 20030328
changed:      hostmaster@ntli.net 20030401
changed:      hostmaster@ntli.net 20030603
changed:      hostmaster@ntli.net 20030707
changed:      hostmaster@ntli.net 20040303
changed:      hostmaster@ntli.net 20040312
changed:      hostmaster@ntli.net 20040929
source:       RIPE
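As an added example (not part of the thread, and not Port Explorer or RIPE code), here is a small Python parser for RPSL whois output like the record above. It splits the text into objects, keeps repeated attributes such as descr: and trouble: as lists, pulls out the netname, address range, origin AS and abuse-report URL, and checks whether an address actually falls inside the inetnum range. The SAMPLE text is a constructed, abbreviated copy of the record in the post so the script runs offline.

```python
"""Parse RIPE-style RPSL whois output and summarise the allocation.

Added example for this thread; not Port Explorer or RIPE code. SAMPLE is
a constructed, abbreviated copy of the whois record pasted in the post.
"""
import ipaddress
import re

SAMPLE = """\
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.

inetnum:      62.253.160.0 - 62.253.167.255
netname:      NTL
descr:        NTL Internet
descr:        Winnersh Datacentre
country:      GB
admin-c:      NNMC1-RIPE
tech-c:       NNMC1-RIPE
status:       ASSIGNED PA
mnt-by:       AS5089-MNT
source:       RIPE

route:        62.253.128.0/17
descr:        NTL-UK-IP-BLOCK
origin:       AS5089
mnt-by:       AS5089-MNT
source:       RIPE

role:         NTLI Network Management Centre
address:      NTL Internet
trouble:      For abuse notifications please -
trouble:      file an online case @ http://www.ntlworld.com/netreport
trouble:      +44 1633 710142 (Voicemail Only)
nic-hdl:      NNMC1-RIPE
e-mail:       data.planning@ntl.com
source:       RIPE
"""

ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(.*)$")
URL_RE = re.compile(r"https?://\S+")


def parse_rpsl(text):
    """Return a list of objects; each is a dict attribute -> [values].

    Objects are separated by blank lines. Lines starting with '%' are
    server comments. An attribute may repeat (descr:, trouble:), so every
    attribute maps to a list. A line starting with whitespace continues
    the previous value. Insertion order is kept, so the first key of each
    dict is the object's class (inetnum, route, role, ...).
    """
    objects, current, last_key = [], None, None
    for raw in text.splitlines():
        if raw.startswith("%"):
            continue
        if not raw.strip():
            if current:
                objects.append(current)
            current, last_key = None, None
            continue
        if raw[0] in " \t" and current is not None and last_key:
            current[last_key][-1] += " " + raw.strip()
            continue
        m = ATTR_RE.match(raw)
        if not m:
            continue  # tolerate stray lines rather than abort
        key, value = m.group(1).lower(), m.group(2).strip()
        if current is None:
            current = {}
        current.setdefault(key, []).append(value)
        last_key = key
    if current:
        objects.append(current)
    return objects


def object_class(obj):
    return next(iter(obj))


def summarize(text):
    """Pick out what you actually want from a whois hit."""
    out = {"netname": None, "range": None, "origin": None, "abuse_url": None}
    for obj in parse_rpsl(text):
        cls = object_class(obj)
        if cls == "inetnum":
            out["netname"] = obj["netname"][0]
            out["range"] = obj["inetnum"][0]
        elif cls == "route":
            out["origin"] = obj["origin"][0]
        elif cls in ("role", "person"):
            for line in obj.get("trouble", []):
                m = URL_RE.search(line)
                if m and out["abuse_url"] is None:
                    out["abuse_url"] = m.group(0)
    return out


def ip_in_inetnum(ip, inetnum):
    """True if ip lies in an 'a.b.c.d - w.x.y.z' inetnum range."""
    lo, hi = (ipaddress.ip_address(p.strip()) for p in inetnum.split("-"))
    return lo <= ipaddress.ip_address(ip) <= hi


if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s)
    print(ip_in_inetnum("62.253.162.10", s["range"]))
```

The range check matters because a whois hit for an address is only meaningful if the address really sits inside the returned inetnum; the route object's origin AS tells you who announces the block, which is usually the better contact for abuse than the listed admin-c handles.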
Thanks Pilli, I had the setting set to capture every 1 second, so I changed it to 10 seconds. Looks like my pelog file was 221,767 KB in size and my capturebin is 96,574 KB in size, and I have clipboard disabled. I have tried to open pelog with WordPad and Notepad but it stops responding because the file is so big. I take it that it's OK to delete them both, capturebin and pelog, and they will create new logs when restarted. Is this correct? The only time I have seen the attack was when I was using Whois, and I could see that the port said Last Attack and that's about all the time I had to read what it said. It was listed in red in the place where I have it painted in black. Yes, I see the one that you copied to the clipboard. I usually just copy and paste to Notepad.
Hi hardyhar, I can see nothing unusual in your screenshot, but the item that is encircled with black at the bottom of the screenshot is unreadable to me. There should be a text version in the file log though. Pilli
hardyhar, Look under Settings in the PE window. There are menu items to clear both the Window Logging and the File Logging.
Hi Pilli & siliconman01, Yes Pilli, there was a log file and I finally got it open with WordPad; it only took about 45 minutes to open. I searched for "attack" and couldn't find it anywhere. The file was set at no limit and that's why it was so big. Pilli, I was just using the screenshot as an example of where the attack showed up. I wish I had more info to give you but sorry, I don't. Like I said before, this had only happened maybe 2 or 3 times when I was doing a search with Whois. Thanks siliconman01 for clearing my mind on the setting. I have one more question, please. Now what about the capture bin being so big in size? Is this normal, and what can I do to reduce the size of that too? You guys probably think I'm an idiot but I wasn't aware of the file setting and that you could control them. I really do believe that whatever attack took place, my firewall stopped it, I hope. I have made the setting adjustments and maybe if this happens again I will be able to give the information that you need to help me with it. Thanks to the both of you for your help so far. Regards, hardyhar
Ah OK hardyhar, Hopefully the next time this occurs you can capture some more information. To set the file log size limit: Settings - File logging - and set it to the minimum, 1MB. Cheers. Pilli
Yepper, that's what I had set it to. What about the capturebin size being so big? Any info on that? Regards, hardyhar
The capture bin can be deleted; PE will create a new one when needed. BTW, using Socket Spy continuously causes many entries. Pilli
Thanks Pilli. Yes, I have used Socket Spy many times before. That explains the size of the capturebin. Thanks once again... Regards, hardyhar
Help! I didn't know where else to go; how do I post a new post? I can't find where it says 'post new thread'. Do I need new glasses or am I just a ditzy blonde? Seriously, I can't find it... so I HAD to tag on the end of this post and HOPE someone sees it... Thanks for any help.
Hi Anya and welcome, When you open a sub-forum where all the threads are listed, look at the top of the list to the left, just above the first entry, and click on "New Thread". HTH, Pilli
Hey Pilli, I have an image for you now. Note that I'm running on a proxy and marked out the port and one address.
Hi hardyhar Are you perhaps misinterpreting "LAST_ACK" as indicating an attack? LAST_ACK is just indicating the state of a connection, in this case one in the process of closing. Had you just been to the Red Hat Enterprise Linux Test Page at the time of that entry? Regards, CrazyM
Hello CrazyM, Yes, I was misinterpreting "LAST_ACK" as indicating an attack. At the time this happened I was using WMP, listening to a radio station. I thought that this meant that I had been attacked and that my firewall had blocked the attack. I did notice when I booted up this morning that The Cleaner Pro let me know that a change had been made to the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce which took me to "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait. I scanned with The Cleaner and nothing was found. TDS-3 didn't pick up this change since I did have it running at startup; however, after I did my scan with The Cleaner I started TDS-3 up and it found nothing that was changed. I haven't done a full scan with TDS-3 in safe mode. Am I just being a little paranoid? BTW, I'm running behind a router too.
One explanation of the states you will see in the status column of PE:

"A connection progresses through a series of states during its lifetime. The states are: LISTEN, SYN-SENT, SYN-RECEIVED, ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT, and the fictional state CLOSED. CLOSED is fictional because it represents the state when there is no TCB (Transmission Control Block), and therefore, no connection. Briefly the meanings of the states are:

LISTEN - represents waiting for a connection request from any remote TCP and port.
SYN-SENT - represents waiting for a matching connection request after having sent a connection request.
SYN-RECEIVED - represents waiting for a confirming connection request acknowledgment after having both received and sent a connection request.
ESTABLISHED - represents an open connection, data received can be delivered to the user. The normal state for the data transfer phase of the connection.
FIN-WAIT-1 - represents waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent.
FIN-WAIT-2 - represents waiting for a connection termination request from the remote TCP.
CLOSE-WAIT - represents waiting for a connection termination request from the local user.
CLOSING - represents waiting for a connection termination request acknowledgment from the remote TCP.
LAST-ACK - represents waiting for an acknowledgment of the connection termination request previously sent to the remote TCP (which includes an acknowledgment of its connection termination request).
TIME-WAIT - represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.
CLOSED - represents no connection state at all."

RFC 793

Regards, CrazyM
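To make the RFC 793 list above concrete, here is an added Python example (not from the thread and not Port Explorer code) that encodes the state diagram as a transition table, walks the passive-close path that ends in LAST_ACK, and then runs a triage pass over netstat-style socket lines: everything in a closing-phase state is dropped as the tail end of a finished connection, while open or opening connections and listeners on unexpected ports are kept for review. The SAMPLE_NETSTAT text is constructed to resemble `netstat -an` output and uses documentation addresses; the expected listener set passed to worth_a_look() is an assumption for the example.

```python
"""RFC 793 TCP states: a transition table, a phase classifier and a
triage pass over netstat-style socket lines.

Added example for this thread; not Port Explorer code. TRANSITIONS follows
the RFC 793 state diagram. SAMPLE_NETSTAT is constructed to look like
`netstat -an` on Windows and uses RFC 5737 documentation addresses.
"""

# (state, event) -> next state, per the RFC 793 state diagram.
TRANSITIONS = {
    ("CLOSED", "passive_open"): "LISTEN",
    ("CLOSED", "active_open"): "SYN_SENT",
    ("LISTEN", "rcv_syn"): "SYN_RECEIVED",
    ("SYN_SENT", "rcv_syn_ack"): "ESTABLISHED",
    ("SYN_SENT", "rcv_syn"): "SYN_RECEIVED",
    ("SYN_SENT", "close"): "CLOSED",
    ("SYN_RECEIVED", "rcv_ack"): "ESTABLISHED",
    ("SYN_RECEIVED", "close"): "FIN_WAIT_1",
    ("ESTABLISHED", "close"): "FIN_WAIT_1",    # we close first (active close)
    ("ESTABLISHED", "rcv_fin"): "CLOSE_WAIT",  # peer closes first (passive close)
    ("FIN_WAIT_1", "rcv_ack"): "FIN_WAIT_2",
    ("FIN_WAIT_1", "rcv_fin"): "CLOSING",
    ("FIN_WAIT_2", "rcv_fin"): "TIME_WAIT",
    ("CLOSING", "rcv_ack"): "TIME_WAIT",
    ("CLOSE_WAIT", "close"): "LAST_ACK",       # our FIN is out, waiting for its ACK
    ("LAST_ACK", "rcv_ack"): "CLOSED",
    ("TIME_WAIT", "timeout"): "CLOSED",
}

PHASE = {
    "LISTEN": "listening",
    "SYN_SENT": "opening", "SYN_RECEIVED": "opening",
    "ESTABLISHED": "open",
    "FIN_WAIT_1": "closing", "FIN_WAIT_2": "closing", "CLOSE_WAIT": "closing",
    "CLOSING": "closing", "LAST_ACK": "closing", "TIME_WAIT": "closing",
    "CLOSED": "closed",
}


def next_state(state, event):
    try:
        return TRANSITIONS[(state, event)]
    except KeyError:
        raise ValueError(f"no RFC 793 transition from {state} on {event}") from None


def run(state, events):
    """Apply events in order and return the full state trace."""
    trace = [state]
    for event in events:
        state = next_state(state, event)
        trace.append(state)
    return trace


def normalize_state(s):
    """Map tool spellings (LISTENING, LAST-ACK, ...) to RFC 793 names."""
    s = s.upper().replace("-", "_")
    return "LISTEN" if s == "LISTENING" else s


# Constructed sample in the shape of `netstat -an` on Windows.
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    192.168.1.10:1247      203.0.113.25:80        LAST_ACK
TCP    192.168.1.10:1251      198.51.100.7:80        ESTABLISHED
TCP    192.168.1.10:1252      198.51.100.7:80        TIME_WAIT
TCP    192.168.1.10:1260      203.0.113.99:8080      SYN_SENT
TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
"""


def parse_netstat(text):
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0].upper() != "TCP":
            continue  # header, UDP, or blank line
        proto, local, remote, state = parts
        state = normalize_state(state)
        sockets.append({
            "proto": proto, "local": local, "remote": remote,
            "local_port": int(local.rsplit(":", 1)[1]),
            "state": state, "phase": PHASE.get(state, "unknown"),
        })
    return sockets


def worth_a_look(sockets, expected_listen_ports):
    """Sockets a reviewer should inspect: anything opening or open, plus
    listeners on ports not in expected_listen_ports. Closing-phase states
    (LAST_ACK included) are finished connections and are dropped."""
    picked = []
    for s in sockets:
        if s["phase"] in ("opening", "open"):
            picked.append(s)
        elif s["phase"] == "listening" and s["local_port"] not in expected_listen_ports:
            picked.append(s)
    return picked


if __name__ == "__main__":
    print(run("CLOSED", ["passive_open", "rcv_syn", "rcv_ack", "rcv_fin", "close", "rcv_ack"]))
    for s in worth_a_look(parse_netstat(SAMPLE_NETSTAT), {135}):
        print(s["local"], s["remote"], s["state"])
```

The first trace is the path a socket takes when the remote side closes first: ESTABLISHED, then CLOSE_WAIT when the peer's FIN arrives, LAST_ACK once the local application closes and sends its own FIN, and CLOSED when that FIN is acknowledged. A LAST_ACK entry therefore means the connection was already agreed closed by both ends; the thing to look at in a socket listing is what is open or listening, not what is on its way out.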
Thank you very much CrazyM. I understand what happened now. I have my proxy set up to run in IE and Mozilla, and I had disabled my proxy in Mozilla, and when I went to connect I had forgotten about removing the proxy setting, and that explains where I got the LAST-ACK (represents waiting for an acknowledgment of the connection termination request). That's why I also got the alert from The Cleaner. I sometimes forget that Google is my friend. Regards, hardyhar