Attacks on Port Explorer

Discussion in 'Port Explorer' started by hardhead, Jan 1, 2005.

Thread Status:
Not open for further replies.
  1. hardhead

    hardhead Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    292
    Location:
    Blue Ridge, Va
    I have had attacks on Port Explorer when I have used Whois. By the time I can hit Print Screen for a pic to upload, it is gone. It happens as fast as lightning. I would like to think that my firewall still protects me, as I haven't found any nasties with TDS running in the background. I check my firewall logs but see nothing that looks unusual. This has only happened just a few times. Can anyone give me any more info on what I should do or check for? Sure wish I had a pic to upload. Maybe if it happens again I will be quick enough to capture the pic.

    regards,
    hardyhar
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi hardyhar, to capture the events, which sound rather strange to say the least, try "Settings" - "Show new sockets for" 10 secs and "Show dead sockets for" 10 secs.
    You should also be able to see the connection data as text in "File Logging" - "View file log".

    In the whois window, highlight the text and it will be automatically copied to the clipboard. Here is one I have just copied.

    % This is the RIPE Whois query server #1.
    % The objects are in RPSL format.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/db/copyright.html

    inetnum: 62.253.160.0 - 62.253.167.255
    netname: NTL
    descr: NTL Internet
    descr: Winnersh Datacentre
    country: GB
    admin-c: NNMC1-RIPE
    tech-c: NNMC1-RIPE
    status: ASSIGNED PA
    mnt-by: AS5089-MNT
    changed: hostmaster@ntli.net 20010108
    changed: hostmaster@ntli.net 20020815
    source: RIPE

    route: 62.253.128.0/17
    descr: NTL-UK-IP-BLOCK
    origin: AS5089
    mnt-by: AS5089-MNT
    changed: hostmaster@ntli.net 20040929
    source: RIPE

    role: NTLI Network Management Centre
    address: NTL Internet
    address: Crawley Court
    address: Winchester
    address: Hampshire
    address: SO21 2QA
    trouble: -------------------------------------------------------
    trouble: For abuse notifications please -
    trouble: file an online case @ http://www.ntlworld.com/netreport
    trouble: +44 1633 710142 (Voicemail Only)
    trouble: -------------------------------------------------------
    trouble: For peering issues/requests please -
    trouble: email : peering@ntli.net
    trouble: -------------------------------------------------------
    admin-c: MH22007-RIPE
    admin-c: CF2297-RIPE
    admin-c: CM1377-RIPE
    tech-c: MH22007-RIPE
    tech-c: CF2297-RIPE
    tech-c: CM1377-RIPE
    nic-hdl: NNMC1-RIPE
    mnt-by: AS5089-MNT
    notify: data.planning@ntl.com
    e-mail: data.planning@ntl.com
    changed: hostmaster@ntli.net 20030328
    changed: hostmaster@ntli.net 20030401
    changed: hostmaster@ntli.net 20030603
    changed: hostmaster@ntli.net 20030707
    changed: hostmaster@ntli.net 20040303
    changed: hostmaster@ntli.net 20040312
    changed: hostmaster@ntli.net 20040929
    source: RIPE
     
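The RIPE output Pilli pasted is RPSL: one object per blank-line-separated block, `attribute: value` lines, with some attributes (descr:, trouble:, changed:) legitimately repeated. When you are triaging a suspicious remote address, the two things you actually want out of it are the abuse contact and a check that the address you queried really falls inside the inetnum the server returned (a referral or a typo can hand you a neighbouring block). The parser below is an added example written for this thread, not Port Explorer's own code; SAMPLE is a trimmed copy of the record quoted above, and the addresses passed to summarize() are assumptions.

```python
"""Parser for RPSL whois records like the RIPE output quoted above.

Added example for this thread, not code from Port Explorer. SAMPLE is a
trimmed copy of the record in the post; the queried addresses used in the
usage at the bottom are assumptions."""
import ipaddress
import re

SAMPLE = """\
% This is the RIPE Whois query server #1.
% The objects are in RPSL format.

inetnum:  62.253.160.0 - 62.253.167.255
netname:  NTL
descr:    NTL Internet
descr:    Winnersh Datacentre
country:  GB
admin-c:  NNMC1-RIPE
tech-c:   NNMC1-RIPE
mnt-by:   AS5089-MNT
source:   RIPE

route:    62.253.128.0/17
descr:    NTL-UK-IP-BLOCK
origin:   AS5089
source:   RIPE

role:     NTLI Network Management Centre
trouble:  For abuse notifications please -
trouble:  file an online case @ http://www.ntlworld.com/netreport
nic-hdl:  NNMC1-RIPE
e-mail:   data.planning@ntl.com
source:   RIPE
"""


def parse_rpsl(text):
    """Split whois output into RPSL objects.

    Each object is a dict mapping attribute -> list of values; repeated
    attributes are kept as separate entries, never joined. Objects are
    separated by blank lines, '%' lines are server comments, and a line
    beginning with whitespace or '+' continues the previous value."""
    objects, current, last_key = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("%"):
            continue
        if not raw.strip():
            if current:
                objects.append(current)
            current, last_key = {}, None
            continue
        if raw[0] in " \t+" and last_key is not None:
            cont = raw.lstrip(" \t+").strip()
            current[last_key][-1] = (current[last_key][-1] + " " + cont).strip()
            continue
        key, sep, value = raw.partition(":")   # first colon only: URLs keep theirs
        if not sep:
            continue                            # tolerate junk rather than crash
        key = key.strip().lower()
        current.setdefault(key, []).append(value.strip())
        last_key = key
    if current:
        objects.append(current)
    return objects


def inetnum_contains(inetnum, ip):
    """True if ip lies within an 'a.b.c.d - e.f.g.h' inetnum range."""
    lo, _, hi = inetnum.partition("-")
    addr = ipaddress.ip_address(ip)
    return ipaddress.ip_address(lo.strip()) <= addr <= ipaddress.ip_address(hi.strip())


def summarize(text, queried_ip):
    """Pull out what an abuse report needs and verify the range actually
    covers the address that was looked up."""
    out = {"netname": None, "range_matches": False, "origin_as": None,
           "abuse_urls": [], "contact_email": []}
    for obj in parse_rpsl(text):
        if "inetnum" in obj:
            out["netname"] = obj.get("netname", [None])[0]
            out["range_matches"] = inetnum_contains(obj["inetnum"][0], queried_ip)
        if "route" in obj:
            out["origin_as"] = obj.get("origin", [None])[0]
        for line in obj.get("trouble", []):
            out["abuse_urls"] += re.findall(r"https?://\S+", line)
        out["contact_email"] += obj.get("e-mail", [])
    return out


if __name__ == "__main__":
    # Assumed queried addresses: one inside the block, one just outside it.
    print(summarize(SAMPLE, "62.253.163.1"))
    print(summarize(SAMPLE, "62.253.170.1")["range_matches"])
```

The range check is the part worth keeping: a whois server answers for whatever block it finds, and it is easy to file a report against the wrong operator if the address you saw in Port Explorer is not inside the inetnum that came back.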
  3. hardhead

    hardhead Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    292
    Location:
    Blue Ridge, Va
    Thanks Pilli,
    I had the setting set to capture every 1 second, so I changed it to 10 seconds. Looks like my pelog file was 221,767 KB in size and my capturebin is 96,574 KB in size, and I have clipboard disabled. I have tried to open pelog with WordPad and Notepad but it stops responding because the file is so big.

    I take it that it's OK to delete them both, capturebin and pelog, and they will create new logs when restarted. Is this correct?

    The only time I have seen the attack was when I was using Whois and I could see that the port said Last Attack, and that's about all the time I had to read what it said. It was listed in red in the place where I have it painted in black.


    Yes, I see the one that you copied to the clipboard. I usually just copy and paste to Notepad.
     

    Attached Files: pe1.jpg (99.2 KB)
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi hardyhar, I can see nothing unusual in your screenshot, but the item that is encircled with black at the bottom of the screenshot is unreadable to me :(
    There should be a text version in the file log, though.

    Pilli
     
  5. siliconman01

    siliconman01 Registered Member

    Joined:
    Mar 6, 2003
    Posts:
    780
    Location:
    West Virginia (USA)
    hardyhar,

    Look under Settings in the PE window. There are menu items to clear both the Window Logging and the File Logging. :)
     
  6. hardhead

    hardhead Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    292
    Location:
    Blue Ridge, Va
    Hi Pilli & siliconman01,

    Yes Pilli, there was a log file and I finally got it open with WordPad; it only took about 45 minutes to open :rolleyes: I searched for "attack" and couldn't find it anywhere. The file was set at no limit and that's why it was so big.

    Pilli, I was just using the screenshot as an example of where the attack showed up. I wish I had more info to give you, but sorry, I don't. :doubt: Like I said before, this has only happened maybe 2 or 3 times when I was doing a search with Whois.

    Thanks siliconman01 for clearing my mind on the setting. :D

    I have one more question, please. Now what about the capture bin being so big in size? Is this normal, and what can I do to reduce the size of that too?

    You guys probably think I'm an idiot, but I wasn't aware of the file setting and that you could control them. I really do believe that whatever attack took place, my firewall stopped it, I hope. :eek: I have made the setting adjustments and maybe if this happens again I will be able to give you the information that you need to help me.

    Thanks to the both of you for your help so far. :D

    Regards,
    hardyhar
     
  7. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Ah OK hardyhar, :)
    Hopefully the next time this occurs you can capture some more information.

    To set the file log size limit:
    Settings - File logging - and set it to the minimum, 1MB

    Cheers. Pilli
     
  8. hardhead

    hardhead Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    292
    Location:
    Blue Ridge, Va
    Yepper, that's what I had set it to.
    What about the capturebin size being so big?
    Any info on that?

    Regards,
    hardyhar
     
  9. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    The capture bin can be deleted; PE will create a new one when needed. BTW, using Socket Spy continuously causes many entries.

    Pilli
     
  10. hardhead

    hardhead Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    292
    Location:
    Blue Ridge, Va
    Thanks Pilli :D

    Yes, I have used Socket Spy many times before.
    That explains the size of the capturebin. :rolleyes:

    Thanks once again...

    Regards,
    hardyhar
     
  11. Anya

    Anya Registered Member

    Joined:
    Jan 2, 2005
    Posts:
    1
    Help

    I didn't know where else to go. How do I post a new post? o_O I can't find where it says 'post new thread'. Do I need new glasses or am I just a ditzy blond? Seriously, I can't find it... so I HAD to tag on the end of this post and HOPE someone sees it... Thanks for any help.
     
  12. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Anya and welcome. When you open a sub-forum where all the threads are listed, look at the top of the list to the left, just above the first entry, and click on "New Thread" :)

    HTH Pilli
     
  13. hardhead

    hardhead Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    292
    Location:
    Blue Ridge, Va
    Hey Pilli,
    I have an image for you now. Note that I'm running on a proxy and marked out the port and one address.
     
  14. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi hardyhar

    Are you perhaps misinterpreting "LAST_ACK" as indicating an attack?
    LAST_ACK is just indicating the state of a connection, in this case one in the process of closing. Had you just been to the Red Hat Enterprise Linux Test Page at the time of that entry?

    Regards,

    CrazyM
     
  15. hardhead

    hardhead Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    292
    Location:
    Blue Ridge, Va
    Hello CrazyM, yes, I was misinterpreting "LAST_ACK" as indicating an attack. At the time this happened I was using WMP listening to a radio station. I thought that this meant that I had been attacked and that my firewall had blocked the attack. I did notice when I booted up this morning that The Cleaner Pro let me know that a change had been made to the registry at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce, which took me to "C:\Program Files\GhostSurf 2005\DeleteSatellite.exe" nowait

    I scanned with The Cleaner and nothing was found. TDS-3 didn't pick up this change since I did have it running at startup; however, after I did my scan with The Cleaner I started TDS-3 up and it found nothing that was changed. I haven't done a full scan with TDS-3 in safe mode. Am I just being a little paranoid? :eek:

    BTW, I'm running behind a router too.
     
  16. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    One explanation of the states you will see in the status column of PE:

    "A connection progresses through a series of states during its lifetime. The states are: LISTEN, SYN-SENT, SYN-RECEIVED, ESTABLISHED, FIN-WAIT-1, FIN-WAIT-2, CLOSE-WAIT, CLOSING, LAST-ACK, TIME-WAIT, and the fictional state CLOSED. CLOSED is fictional because it represents the state when there is no TCB (Transmission Control Block), and therefore, no connection. Briefly the meanings of the states are:

    LISTEN - represents waiting for a connection request from any remote TCP and port.

    SYN-SENT - represents waiting for a matching connection request after having sent a connection request.

    SYN-RECEIVED - represents waiting for a confirming connection request acknowledgment after having both received and sent a connection request.

    ESTABLISHED - represents an open connection, data received can be delivered to the user. The normal state for the data transfer phase of the connection.

    FIN-WAIT-1 - represents waiting for a connection termination request from the remote TCP, or an acknowledgment of the connection termination request previously sent.

    FIN-WAIT-2 - represents waiting for a connection termination request from the remote TCP.

    CLOSE-WAIT - represents waiting for a connection termination request from the local user.

    CLOSING - represents waiting for a connection termination request acknowledgment from the remote TCP.

    LAST-ACK - represents waiting for an acknowledgment of the connection termination request previously sent to the remote TCP (which includes an acknowledgment of its connection termination request).

    TIME-WAIT - represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request.

    CLOSED - represents no connection state at all."

    RFC 793

    Regards,

    CrazyM
     
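CrazyM's point in the two posts above is that LAST_ACK is a position in the TCP close handshake, not a verdict. The quickest way to see which event sequence lands a socket there is to drive the RFC 793 state diagram as a table: the local side reaches LAST-ACK only after the peer has sent its FIN first (passive close) and the local application has then closed too, which is exactly what a browser socket looks like after a web server has finished sending a page and closed. The code below is an added example written for this thread, not Port Explorer's own code; the transition table follows RFC 793, the socket rows are constructed to resemble a Port Explorer status column (documentation-range addresses, not anything from the screenshots), and the half-open threshold is a heuristic of this example, not a Port Explorer feature.

```python
"""RFC 793 TCP states driven as a state machine, plus a phase classifier
for status-column values such as LAST_ACK.

Added example for this thread, not Port Explorer code. ROWS is constructed
sample data using RFC 5737 documentation addresses; the scan heuristic in
half_open_by_remote() is an assumption of this example."""

# (state, event) -> next state, from the RFC 793 connection state diagram.
# Events are the segment received, the local user call, or a timer expiry.
TRANSITIONS = {
    ("CLOSED", "passive_open"):   "LISTEN",
    ("CLOSED", "active_open"):    "SYN-SENT",
    ("LISTEN", "rcv_syn"):        "SYN-RECEIVED",
    ("SYN-SENT", "rcv_syn_ack"):  "ESTABLISHED",
    ("SYN-SENT", "rcv_syn"):      "SYN-RECEIVED",   # simultaneous open
    ("SYN-RECEIVED", "rcv_ack"):  "ESTABLISHED",
    ("ESTABLISHED", "close"):     "FIN-WAIT-1",     # active close: we send FIN first
    ("ESTABLISHED", "rcv_fin"):   "CLOSE-WAIT",     # passive close: peer sent FIN first
    ("FIN-WAIT-1", "rcv_ack"):    "FIN-WAIT-2",
    ("FIN-WAIT-1", "rcv_fin"):    "CLOSING",        # simultaneous close
    ("FIN-WAIT-2", "rcv_fin"):    "TIME-WAIT",
    ("CLOSING", "rcv_ack"):       "TIME-WAIT",
    ("CLOSE-WAIT", "close"):      "LAST-ACK",       # we send our FIN, wait for its ACK
    ("LAST-ACK", "rcv_ack"):      "CLOSED",
    ("TIME-WAIT", "timeout"):     "CLOSED",
}

PHASE = {
    "LISTEN": "listening", "SYN-SENT": "opening", "SYN-RECEIVED": "opening",
    "ESTABLISHED": "established",
    "FIN-WAIT-1": "closing", "FIN-WAIT-2": "closing", "CLOSE-WAIT": "closing",
    "CLOSING": "closing", "LAST-ACK": "closing", "TIME-WAIT": "closing",
    "CLOSED": "closed",
}


def run(events, start="CLOSED"):
    """Apply events in order and return every state visited. An event with
    no transition from the current state raises, since a real stack would
    drop that segment or answer it with RST rather than change state."""
    state, trace = start, [start]
    for ev in events:
        if (state, ev) not in TRANSITIONS:
            raise ValueError(f"no transition from {state} on {ev}")
        state = TRANSITIONS[(state, ev)]
        trace.append(state)
    return trace


def norm(state):
    """Port Explorer and netstat spell states with underscores (LAST_ACK);
    RFC 793 uses hyphens. Normalise to the RFC spelling."""
    return state.strip().upper().replace("_", "-")


def phase(state):
    """Map a status-column value to the lifecycle phase it belongs to."""
    return PHASE[norm(state)]


# Constructed rows: (local socket, remote socket, status column).
ROWS = [
    ("192.168.0.5:3204", "203.0.113.7:80",      "LAST_ACK"),      # server closed first, we then closed
    ("192.168.0.5:3205", "203.0.113.7:80",      "TIME_WAIT"),     # we closed first, handshake finished
    ("192.168.0.5:1044", "198.51.100.20:8000",  "ESTABLISHED"),   # e.g. a streaming radio session
    ("192.168.0.5:135",  "198.51.100.99:40001", "SYN_RECEIVED"),
    ("192.168.0.5:139",  "198.51.100.99:40002", "SYN_RECEIVED"),
    ("192.168.0.5:445",  "198.51.100.99:40003", "SYN_RECEIVED"),
    ("192.168.0.5:1025", "198.51.100.99:40004", "SYN_RECEIVED"),
]


def phases(rows):
    """Count sockets per lifecycle phase."""
    counts = {}
    for _local, _remote, state in rows:
        counts[phase(state)] = counts.get(phase(state), 0) + 1
    return counts


def half_open_by_remote(rows, threshold=3):
    """Heuristic (this example's assumption): one remote host holding
    `threshold` or more local sockets in SYN-RECEIVED across different
    local ports is the shape of a port scan or SYN flood, and is worth a
    firewall-log check. Closing-phase states on their own are not."""
    per_remote = {}
    for _local, remote, state in rows:
        if norm(state) == "SYN-RECEIVED":
            host = remote.rsplit(":", 1)[0]
            per_remote[host] = per_remote.get(host, 0) + 1
    return {h: n for h, n in per_remote.items() if n >= threshold}


if __name__ == "__main__":
    # A browser socket whose server closed first ends in LAST-ACK before CLOSED.
    print(run(["active_open", "rcv_syn_ack", "rcv_fin", "close", "rcv_ack"]))
    print(phases(ROWS), half_open_by_remote(ROWS))
```

Run it and the first trace reads CLOSED, SYN-SENT, ESTABLISHED, CLOSE-WAIT, LAST-ACK, CLOSED: the only way to be in LAST-ACK is to have already had a normal open and to be one ACK away from a normal close. If you want to spot something that does merit a look in the firewall log, count half-open SYN-RECEIVED sockets per remote host, as the last function does, rather than reading the closing states.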
  17. hardhead

    hardhead Registered Member

    Joined:
    Mar 4, 2004
    Posts:
    292
    Location:
    Blue Ridge, Va
    Thank you very much CrazyM. :D I understand what happened now. I have my proxy set up to run in IE and Mozilla, and I had disabled my proxy in Mozilla, and when I went to connect I had forgotten about removing the proxy setting, and that explains where I got the LAST-ACK - represents waiting for an acknowledgment of the connection termination request. That's why I also got the alert from The Cleaner. I sometimes forget that Google is my friend. :rolleyes:

    Regards,
    hardyhar
     