Help!!! I'm under attack!!!

Discussion in 'other firewalls' started by DougRees, May 21, 2004.

Thread Status:
Not open for further replies.
  1. DougRees

    DougRees Registered Member

    Joined:
    Jun 2, 2003
    Posts:
    41
    My firewall (Sygate PFP) has recently been giving me lots of messages indicating that my system is under attack. The severity of the attacks has ranged from minor to critical, and they include such things as port scanning and active intrusions.

    In every instance, I performed a "backtrack" on the remote host, and notified the relevant ISPs of what was happening. In each case I included a verbatim transcript from my firewall intrusion log, giving the exact time and date, as well as the nature of the attack.

    I received replies from most of the ISPs that strongly implied they don't intend to do anything. I'm more or less at a loss to know what else to do. I know that the remote hosts I mentioned are probably not the actual hackers, but rather their victims. But still, this is all the information I have, and surely it would help the victims to know that their computers are being used in this way. I have run scans on my system with NOD32 (advanced heuristic) as well as TDS-3, and the results have been negative.
     
  2. snapdragin

    snapdragin Administrator

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    Hi DougRees, and welcome to Wilders.

    This may not be such a good idea to do. If Sygate is blocking the scans (red X over the arrow for incoming) then nothing is getting in from the probes. But if you do a backtrace on the IPs then it is like calling back and saying 'yes, I am here' and possibly giving away any stealth you may have had. You can look up the IP from Sygate's logs and then find the ISP for that IP range at a site like http://www.samspade.org/ which would be safer.

    Most of these scans/probes will be from victims' machines and they are likely not even aware they are infected, as you have said. Reporting the scans to their ISPs and hoping they will inform their customers that they are infected is about all you can do. :doubt:

    If you wanted to show them your firewall's logs, then you can obtain that through your firewall's various logs (for example the IPs, dates, times, level of scan, and even the remote MAC address) without having to do a backtrace within Sygate.

    But with the above said, it is always wise to do a system scan with an antivirus program if the 'attack' was severe and especially if your firewall crashed because of it.

    Our firewall experts may comment too with other options you might be able to take to ensure your computer is safe. :)

    Regards,

    snap
     
  3. DougRees

    DougRees Registered Member

    Joined:
    Jun 2, 2003
    Posts:
    41
    Your point is well-taken and I will follow the procedure you suggest in the future.

    I just wish there was some way to stop the bastards who do this kind of thing!!! As things stand, they seem to get away scot-free. One of my friends was running RAID level 0 with two hard drives. Yesterday he found he couldn't boot up. It turned out that one of the drives had been reformatted as FAT32 (obviously something that could only be done by an intruder). He's now running only one of the drives, and letting the other sit idle!

    The ISPs just don't seem very interested in correcting the problem. All of my emails to them were courteous, factual, and to the point. One of the responses I received informed me that the ISP in question would not pay any attention to reports that were obscene or abusive. It seems to me that if the ISP was really interested in helping its customers, it would pay attention to all reports, however badly written.

    There are several good free firewalls available (including Sygate's), but most people don't run any kind of firewall at all. Couldn't ISPs at least offer one of these programs to their customers for downloading, in addition to following a strict policy of informing customers when their computers were taken over?
     
    Last edited: May 22, 2004
  4. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Are you familiar with the DShield site www.dshield.org and the ability to submit your logs, so they can alert ISPs in combined reports if there are more complaints?
    There might be a log analyser for your firewall as well, like there is for ZoneAlarm (VisualZone for instance), which is connected to that site and forwards your log entries to the general database for that goal and for further statistics.

    I had to report a person who had been scanning several of my ports over 200 times in just a few hours' time, but seeing the scan pattern I thought of some infection there, so my complaint was polite, telling the ISP I guess their user is infected and if they please can be so kind as to help their user to get clean before he loses the whole system and to spare themselves lots of unnecessary bandwidth = money. To that kind of nice innocent email you might get a nice positive reaction, not always though.

    If you're on a dynamic IP address a good thing would be to disconnect for a quarter of an hour to get a new IP and see if it keeps quiet then.
    If you have a permanent IP address that trick won't work.
    Snap mentioned SamSpade; you might like to download the version to have on your desktop too to do lots of stuff (the email header parser is very handy for spam!), but to do whois and other such things via the SamSpade site might be safer indeed.

    If after a re-connect to the internet the scanners come back too, there might be a few things:
    either an infection not discovered yet (your scan found nothing, so the HijackThis log might unveil something);
    if you fire up Port Explorer from the DiamondCS site too you can see if there are real intrusions and to which application they might be connected, and you can either sniff the packets or block / kill those connections immediately; at least you know then what to look for.

    Are you using ICQ or such a popular messaging thing? With those they can monitor you being online and the current IP address you're using and the attacks can continue again, if it is something personal.

    Many years ago I reported real bad attacks to an ISP too, with the log file and all the proof inexperienced me could gather. That ISP was so kind as to forward my complaint with my email address and the whole lot to the attacker, who was identified positively.
    It was in the days before I knew of firewalls or TDS, so I was all innocent and unprotected.
    Maybe the ISP didn't care, or wanted to teach me a lesson, I don't know. Anyway, the result was I got some strange emails and messages in my ICQ, at opening a black screen infection (not sure which it was) and attacks started, so bad that my whole system was brought physically to its knees with combined attacks. I didn't know by then about ICQ being used as a monitor for me being online and my IP address and the whole lot. And it ended with me having to buy a new system.
    The ISP went further and said he was sorry and asked for my home address to be able to send me something for all the damage; I innocently gave my address and all that, which was really not a good idea. Nice ISP, but not really. And you don't think the police would do anything at all in such cases, do you, even though real hacks are criminal court cases? They don't help you with all the proof, just telling a girl she should switch off the internet and be a nice housewife (that was told in my case) --- it was in that time I fortunately found TDS and a new way of dealing with all that, as you can read in the "thankyou Jooske thread" in my signature.
    So of course, let those ISPs be; defend yourself with the best protection we can get, programs, education, posting in serious forums like this here, etc.
    Hope this story helps you a bit at least too!
     
  5. DougRees

    DougRees Registered Member

    Joined:
    Jun 2, 2003
    Posts:
    41
    Thank you, Jooske. I am running Trillian, since I have friends I chat with on both ICQ and Yahoo Messenger. I have really made a lot of friends all over the world, and would hate to give that up. In fact, I used to kid around that I have a girl in every port!!! I don't know anyone who has a personal grudge against me, but the hackers seem to be looking for anybody they can find and don't need a personal reason.

    I submitted a report to DShield, but received a reply to the effect that they didn't recognise the "format" my log entries were in. I simply sent excerpts from my log with the various components identified. So I guess they won't do much with the information I provided. Thanks anyway.
     
  6. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Ah, the few times I have time to chat I use the CryptoSuite chat (encrypted), so immediately PC to PC and not via some obscure unknown far away server, and I know who I'm talking with. If there were files to share which are too large for emails, only then would I probably temporarily use another messenger, but this function might be in the plans for a future build of CryptoSuite too. At the moment it's straight, without all the whistles and bells, and fast. You can host your chat and invite as many people as you like to come and talk with you.

    For DShield: on their pages are instructions about ways to configure your logs, some nice tools for it on their site, etc. ZoneAlarm users for instance could use VisualZone and send away their logs automatically every several hours, and there are more on their site. This way many thousands or millions of people help fill their stats.

    Are the attacks still going on or did it calm down now?
     
  7. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Doug

    One thing I have never cared for is firewall vendors using the terminology "attack" to describe events in their alerts and/or logs. A blocked inbound packet does not denote an attack or intrusion attempt; it could be any number of things. Most home users will never see or be the subject of a deliberate attack that is directed at them specifically.

    What they will see is lots of the usual events resulting from things like misconfigured systems, p2p apps, games, late packets that were part of an established connection, and port scans or worm traffic looking for vulnerable systems showing up in their firewall logs. For protected systems these events do not pose much of a threat. For those that run unprotected or unpatched systems, vulnerable services or applications, or have already been compromised by a virus/trojan, it's a different story. Unfortunately a lot of systems still fall into this latter category in spite of all the recent viruses and worms.

    The fact you are seeing all these events in your firewall logs does not mean that you are infected or compromised in any way. It is simply an indication that your firewall is doing what it is supposed to do.

    Some ISPs are taking steps to better protect their networks and customers. My ISP offers free firewall, anti-virus and spam filtering to broadband customers. Others are starting to offer routers or modem/router combos for basic firewalling. Unfortunately not all are taking these steps or being as proactive as they could be.

    Well, hopefully you don't think these events you are seeing in your logs will have an impact on that.

    Most of these scans are automated and there is nothing personal about it.

    As Jooske suggested, DShield is probably your best bet if you want to do something with your logs. Have you tried their utility which should be compatible with Sygate? It will automatically send your logs for you (http://www.dshield.org/windows_clients.php#universal).

    Regards,

    CrazyM
     
    Last edited: May 24, 2004
  8. DougRees

    DougRees Registered Member

    Joined:
    Jun 2, 2003
    Posts:
    41
    I am aware that many legitimate programs can set off a firewall. However, I feel that I am being attacked for several reasons:

    1) My firewall hasn't shown such activity in the past. In fact, all of the activity started within the past three days.

    2) My AV picked up two instances of the IRC/SdBot.ALE trojan today (I deleted it in both cases).

    3) In running Port Explorer, I have noticed several instances of suspicious listening activity (including, most recently, someone in Korea).

    I follow a strict policy of not opening attachments to emails unless I know (and trust) the person sending them, and also know specifically that the attachment is going to be sent. So I'm certain that I did not pick up the infection by that route.

    Thanks for your help.
     
  9. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    It is not unusual to see spikes in firewall events come and go with the latest exploits, worms and viruses etc. If you see a pattern (i.e. destination port/service) you could research this and see if it coincides with trends others are seeing. It is also common to see such spikes when these things hit users in your subnet (same ISP). The source IP is an easy way to determine this. What users see in logs will also vary between networks/ISPs. While I like to monitor and follow trends, I may not always see all of these showing up in my logs.

    Were those e-mail related? If so, they are probably unrelated to your firewall event logs.

    If you could provide a little more detail on these listening connections we might be able to determine what you are seeing and what is going on. Protocol, source/destination IPs, source/destination ports, application (just xxx out your public IP where applicable).

    Regards,

    CrazyM
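    One way to do the pattern check CrazyM describes (group blocked inbound events by destination port and by source /24, to see whether a spike is one service being swept worm-style or mostly your own ISP's neighbours) is this added example; it is not from the thread or from any Sygate or DShield tool, and the log column layout and sample lines are constructed for the example.

```python
from collections import Counter
from ipaddress import ip_network

# Constructed sample of a firewall's blocked-inbound log (not real Sygate
# output; the column layout is an assumption made for this example):
# time,direction,proto,src_ip,src_port,dst_ip,dst_port
SAMPLE_LOG = """\
2004-05-21 10:01:02,in,TCP,203.0.113.5,1045,192.168.1.10,135
2004-05-21 10:01:07,in,TCP,203.0.113.9,3322,192.168.1.10,135
2004-05-21 10:02:15,in,TCP,203.0.113.77,4011,192.168.1.10,135
2004-05-21 10:03:40,in,TCP,198.51.100.20,2233,192.168.1.10,445
2004-05-21 10:04:01,in,UDP,198.51.100.21,1026,192.168.1.10,1434
2004-05-21 10:05:33,in,TCP,203.0.113.140,2048,192.168.1.10,135
2004-05-21 10:06:10,in,TCP,192.0.2.8,3333,192.168.1.10,80
2004-05-21 10:06:12,out,TCP,192.168.1.10,1100,192.0.2.8,80
"""

def parse_log(text):
    """Turn comma-separated log lines into dicts; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, direction, proto, src, sport, dst, dport = line.split(",")
        events.append({"time": ts, "dir": direction, "proto": proto,
                       "src": src, "sport": int(sport),
                       "dst": dst, "dport": int(dport)})
    return events

def summarize(events):
    """Count inbound events by (proto, dst port) and by source /24."""
    by_port, by_subnet = Counter(), Counter()
    for e in events:
        if e["dir"] != "in":      # outbound traffic is not a probe
            continue
        by_port[(e["proto"], e["dport"])] += 1
        by_subnet[str(ip_network(e["src"] + "/24", strict=False))] += 1
    return by_port, by_subnet

def classify(events, my_subnet=None, dominance=0.5):
    """Label a spike: one-port sweep, same-subnet noise, or mixed noise."""
    by_port, by_subnet = summarize(events)
    total = sum(by_port.values())
    if total == 0:
        return "no inbound events"
    (proto, port), n_port = by_port.most_common(1)[0]
    net, n_net = by_subnet.most_common(1)[0]
    if n_port / total >= dominance:
        return f"sweep: {n_port}/{total} events target {proto}/{port}"
    mine = my_subnet and str(ip_network(my_subnet, strict=False))
    if mine == net and n_net / total >= dominance:
        return f"neighbourhood noise: {n_net}/{total} events from {net}"
    return "mixed background noise"
```

    A "sweep" result is the kind of pattern worth comparing against the port trends DShield publishes; "neighbourhood noise" means the sources share your own /24 and are most likely infected neighbours on the same ISP.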
     
  10. DougRees

    DougRees Registered Member

    Joined:
    Jun 2, 2003
    Posts:
    41
    The trojans were not email-related. I rarely open attachments, and have not opened one for nearly a month. I am certain the last one I opened was not infected for two reasons: 1) It was a Newsletter from a group I serve as webmaster; and 2) it has been scanned several times by both NOD and TDS with negative results. As I indicated earlier, I follow an extremely cautious policy about opening attachments, and never open them if they don't come from someone I know and trust. It may be a coincidence that NOD picked up the trojans just as my firewall started to go bananas--but I'm inclined to think there was a connection.
     
  11. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Doug

    Well the NOD alert and logs should give you a place to start as to where the flagged file was and/or came from.

    As for any other connection, we will need some of the more detailed information asked for above to help determine if there are in fact any Internet connections of concern. Sygate itself, Port Explorer or netstat could all be used to monitor your network traffic.

    Regards,

    CrazyM
     
  12. Jooske

    Jooske Registered Member

    Joined:
    Feb 12, 2002
    Posts:
    9,713
    Location:
    Netherlands, EU near the sea
    Hi again!
    You might be aware not all nasties come only by attachments: there can be code included in emails, or scripts in them, which download them and update them on your system. For instance using the object data exploit on unpatched systems.
    I've seen them forwarding to a URL which is only a download for a file which at execution gets another file and installs all kinds of stuff etc etc etc, and can even turn your system into a proxy zombie or use it in a big DDoS attack, etc. So this is why it's interesting knowing which applications and connections there are on your system, so we know what to look for.
    It's some code in the email body (or website!) like
    <object data= "#104; #116; #116; #112; #58; #47; #47; ..... etc ..... ">
    or a VBS script trying to do such a thing etc.
    (A lot in those software and online medicines spam mails for instance.)

    For Port Explorer, at a specific moment freeze the console a moment so you can save that table and post it here (like CrazyM said, xxx out your own IP).
     
  13. DougRees

    DougRees Registered Member

    Joined:
    Jun 2, 2003
    Posts:
    41
    Thanks Jooske!

    I'm reasonably certain the following are dumb questions, but I'll ask them anyway: 1) I have Mozilla Firefox set as my default browser and Eudora (paid version) as my email client. So if an email opens a web page, it appears in Firefox (which I'm told is safer than IE). Do I still have to worry about nasty executables getting automatically downloaded by websites called by my email? 2) I have Process Guard and WormGuard installed on my system. Wouldn't one of those programs notify me if a nasty executable was about to be run?

    As I said, these are probably dumb questions--so be gentle.

    P.S. The attacks seem to have diminished quite considerably in the last day. None of my scanners has picked anything up, so I hope I'm more or less "out of the woods".
     