Free Republic

General FR Alert.
Free Republic | 10-18-2002 | VANNROX

Posted on 10/18/2002 8:38:06 PM PDT by vannrox

I have been monitoring my PC system, and I have noted a pattern that might be of interest to Freepers. Whenever I visit FR I generally get hit with an unauthorized Internet attack. These attacks are low-level, and it appears that someone or something is attempting to probe my PC whenever I log into FR.


I strongly urge other Freepers to make sure that they have some kind of FIREWALL to protect themselves.


I have noticed this before, but I haven't raised this issue, because I thought that it was just random attacks that occurred simply because I was on the Internet. But then I started to monitor it and noticed a correlation between my FR visits and various attacks.


Intruder "Y9K0E0" is most active and engages in the most aggressive attempts. But others are involved. Has anyone else noticed this activity?


TOPICS: Constitution/Conservatism; Free Republic; Miscellaneous
KEYWORDS: alert; caution; fr; port; probe; techindex; warning
Internet Security Systems advICE: Intrusions: 2003103

Netbus probe

Summary

Somebody has tried to access your machine with the "NetBus Trojan Horse" and failed.

Details

This is a common intrusion detected on the Internet, resulting from hackers looking for systems who might have been compromised with this program. It appears that you haven't been compromised, and that the hacker has gone away.

A Trojan program is one that has some subversive purpose other than what it looks like. One of the favorite hacker techniques is to send these programs to people in the hopes they will be fooled into running them. Typical Trojans are those that steal passwords, install a virus, reformat your hard-disk, and so forth.

A particularly popular class of Trojans are the Remote Access Trojans. These are programs that provide the hacker complete remote control over your machine. The problem for that hacker is that while they can often send you such Trojans via e-mail, chat, or news programs, they often don't know where on the Internet you are located. For example, they can tell from your e-mail that you use a certain ISP, but they don't know your current IP address. Therefore, if they think they've fooled you into running their program, they must then scan the entire ISP's range for you.

The flip-side to this means that if the hacker isn't after you, you will still see their scans as they search for their other victims. Likewise, the hacker may hope that some other hacker has hoodwinked you into running this Trojan. This means the hacker may be looking for anybody who might be compromised.

Trojan Horse probes are therefore very common. They aren't a cause for concern.

The page on TCP port probe has more information on probing machines for open ports like this. Please see that page for more details.

 more information
advICE: Netbus  
More advice on the Netbus trojan and how to defend yourself against it.  

 parametric information
port: This indicates the TCP port that was probed.
reason: The reason for the port probe.
  Firewalled: the incoming TCP SYN or UDP frame was stopped by the firewall.
  RSTsent: the incoming TCP SYN frame was rejected by the computer.
  ICMPsent: the incoming UDP frame was rejected by the computer.
  NOanswer: there was no response to the incoming SYN frame.
 
Version appeared:  


1 posted on 10/18/2002 8:38:06 PM PDT by vannrox
[ Post Reply | Private Reply | View Replies]

To: vannrox
Bump...
2 posted on 10/18/2002 8:43:16 PM PDT by tubebender
[ Post Reply | Private Reply | To 1 | View Replies]

To: tubebender
My latest attack was a TCP probe..


Internet Security Systems advICE: Intrusions: 2003102

TCP port probe
Summary

Somebody has tried to access your machine and failed.

Details

This is the most common intrusion detected on the Internet. This is so common because hackers do frequent wide-spread scans looking for one specific exploit they can use to break into systems. The typical hacker scans thousands or millions of machines in a typical scan. In other words, the hacker isn't targeting you personally. In particular, this event is generated upon failed attempts, so there is no reason to worry.

Probes like this result from "script-kiddies", hackers just above the skill level of trained monkeys. They download attack programs (called "scripts") from various sites on the net, then run them against millions of machines. There are thousands of script-kiddies out there, so if you have an always-on connection (cable-modem, DSL), then you can expect about one of these scans per day.

About 10% of these scans are from forged (spoofed) addresses. This means the indicated IP address in the attack is probably from the real attack, but a small percentage of the time the indicated person is completely innocent.

About 20% of these scans are from machines already compromised by a hacker. In other words, if you report this scan back to the originator, they may thank you, because you've discovered a hacked system on their network they didn't know about.

Information on reporting the hacker can be found in our support Knowledge Base article q000016.

Ports

A port is a point of entry into a system. Each program running on a system is reached through its own ports. You rarely see this detail because most port assignments are automatic. For example, most websites run at port 80 on a machine, so you never have to specify it yourself.

This means that if you see a TCP port probe for port 80, then a hacker is most likely testing your system to see if you've installed your own web server. The exact port the intruder probed for is listed on your system in the file "attack-list.csv".

False Positives

The system errs on the side of caution. When your machine attempts to connect to a remote site and fails, sometimes this alert will trigger. Carefully watch the source of the attack in case it is your own machine.

The system triggers on any failed connection. Some web-sites will attempt to contact your machine. For example, chat servers, FTP servers, and multimedia servers (video, audio) often open connections directed at your machine. If the firewall settings block this, then these will be reported as port probes.

 more information
advICE: ports  
A list of some common ports hackers might scan for.  
advICE: port scan  
Explains port scanning in depth, and describes the various types of port scans.  

 parametric information
port: This indicates the TCP port that was probed.
reason: The reason for the port probe.
  Firewalled: the incoming TCP SYN or UDP frame was stopped by the firewall.
  RSTsent: the incoming TCP SYN frame was rejected by the computer.
  ICMPsent: the incoming UDP frame was rejected by the computer.
  NOanswer: there was no response to the incoming SYN frame.
 
Version appeared: 1.8.5.5 

3 posted on 10/18/2002 8:45:43 PM PDT by vannrox
[ Post Reply | Private Reply | To 2 | View Replies]

To: vannrox
I doubt this has anything to do with FR. Are you active on IRC or some file sharing systems that reveal your IP address?

Just reading (or even logging into FR) doesn't reveal your IP address to anyone. I find it difficult to believe that someone with access to the FR machine(s) would be probing users, so you must be doing something else at the same time.

4 posted on 10/18/2002 8:48:24 PM PDT by libertynews
[ Post Reply | Private Reply | To 1 | View Replies]

To: vannrox
Looks like a scan of TCP ports to try to contact a trojan on your PC.

Should be no problem if it's not already there. However, you may wish to run a virus scan to see what results you get on your PC.

All IMO, naturally.

5 posted on 10/18/2002 8:48:41 PM PDT by d101302
[ Post Reply | Private Reply | To 1 | View Replies]

To: vannrox
Why don't you ping the Robinsons?
6 posted on 10/18/2002 8:50:18 PM PDT by tubebender
[ Post Reply | Private Reply | To 3 | View Replies]

To: libertynews
Yea. These probes all seem to be very generalized. Maybe it's just my own crazy fears...
7 posted on 10/18/2002 8:51:09 PM PDT by vannrox
[ Post Reply | Private Reply | To 4 | View Replies]

To: tubebender
Why don't you ping the Robinsons?

Best idea I've heard.

8 posted on 10/18/2002 8:52:04 PM PDT by Just another Joe
[ Post Reply | Private Reply | To 6 | View Replies]

To: vannrox
My Zone Alarm used to be active when I was using IRC.
9 posted on 10/18/2002 8:54:12 PM PDT by Snowy
[ Post Reply | Private Reply | To 3 | View Replies]

To: vannrox
I have occasionally heard Freepers say that they seem to get pinged while visiting FR. I'm not sure if it's special to the site. I have a LinkSys router hub with a mechanical firewall, as well as ZoneAlarm, and I never see any outside probes any more.

I certainly agree with you that it's a good idea to have a firewall, because hackers seem to send out random probes all the time, and going on-line without a firewall is increasingly risky.

The feds used to monitor FreeRepublic during the Clinton years, as demonstrated when the Secret Service came down on people who foolishly threatened violence against public officials as a joke (not funny!), and I assume they still probably do. But monitoring and hacking are two different things.
10 posted on 10/18/2002 8:56:12 PM PDT by Cicero
[ Post Reply | Private Reply | To 3 | View Replies]

To: vannrox
I don't know if this is related, but last night when I first went to FreeRepublic the browser window opened up all grey and music (prince-little red corvette) started playing through my speakers. It was really weird. I also had a bunch of popups. As soon as I killed the popups I ctr-alt-del'd and had no problems after I got back online and went back to FR. In the instant before the screen went black on the reboot I noticed a little JAVA icon in my sys tray. I thought my computer had a brainfart, but I couldn't figure out why it was playing a song that is not on my hard drive. Was I 'hit' or what?
11 posted on 10/18/2002 8:56:16 PM PDT by thatdewd
[ Post Reply | Private Reply | To 1 | View Replies]

To: vannrox
General FR Mills Alert.......


12 posted on 10/18/2002 8:57:06 PM PDT by hole_n_one
[ Post Reply | Private Reply | To 1 | View Replies]

To: thatdewd
You might have spyware on your pc. Download AdAware from Lavasoft and scan your drive.
13 posted on 10/18/2002 8:58:44 PM PDT by Sir Gawain
[ Post Reply | Private Reply | To 11 | View Replies]

To: thatdewd
Do you remember what song it played? A friend was telling me the same story today, along with her dial-up modem going berserk, and I thought she had lost it...
14 posted on 10/18/2002 9:01:02 PM PDT by browardchad
[ Post Reply | Private Reply | To 11 | View Replies]

To: browardchad
It sounded like a (bad) Live recording of 'Prince' doing
'Little Red Corvette'.
15 posted on 10/18/2002 9:07:12 PM PDT by thatdewd
[ Post Reply | Private Reply | To 14 | View Replies]

To: Sir Gawain
Downloading software now. Thanks.
16 posted on 10/18/2002 9:08:26 PM PDT by thatdewd
[ Post Reply | Private Reply | To 13 | View Replies]

To: vannrox
I had something weird happen for two days running. I would log onto FR everything would seem fine, but every time I clicked on the "My Comments" icon I would get a pop up security warning screen.

It said something on the order of, "You are attempting to view a page that has not been issued a security certificate"

When I clicked on "details", it said, ISNX5L7 is not a valid agent, certificate issued to F.E.M.A., there was a thumb print algorithm, signature algorithm, etc.

I have no idea what that was about, other than some agent or agency punched in the wrong id in issuing a certificate to F.E.M.A. and it wasn't valid. Eventually it stopped. I was advised that I had most likely gone to some place on the web and picked it up, but I had not surfed the web that I remember, or it could be some random packet that my computer picked up. Of course seeing the F.E.M.A. thing freaked me out a little.

17 posted on 10/18/2002 9:13:20 PM PDT by MissAmericanPie
[ Post Reply | Private Reply | To 1 | View Replies]

To: Sir Gawain
Excellent advice.  I read about AdAlarm in this week's
Time magazine and loaded it up for a scan.  I had some
crap in my registry of unknown function plus a lot of
temp porn files.  The porn files, I could care less.
The registry entry had to do with 'Alexsa' and may
have been a dialup.  It's outta there now.

AdAlarm is free and available through
http://www.lavasoftusa.com.

18 posted on 10/18/2002 9:21:56 PM PDT by gcruse
[ Post Reply | Private Reply | To 13 | View Replies]

To: vannrox
I have Zone Alarm. For the last two weeks I have been getting warnings about every 15 minutes while online.
The very second that I connect to the Net I get a warning.
Methinks some one is watching.
tbird1
19 posted on 10/18/2002 9:27:28 PM PDT by tbird1
[ Post Reply | Private Reply | To 1 | View Replies]

To: Sir Gawain
...you might have spyware on your pc...

I had 54 suspicious items, about half of them stupid things from the Osama game and other 'twisted humor' junk I had played. The other half could not be identified from the file names, could have been ANYTHING. I wiped them ALL. Thanks, I never would have known all that crap was in there.

20 posted on 10/18/2002 9:27:34 PM PDT by thatdewd
[ Post Reply | Private Reply | To 13 | View Replies]

To: vannrox
I get pinged, so to speak, or probed on a regular basis. Could be from anywhere in the world. Zone Alarm keeps a log of them for me. The most unusual locations IMHO is from Fairfax, VA, and Universal Blvd in Denver, CO. I may see those the most often. When NATO was having their meeting in Italy earlier this year, I was probed by Tarranto Shipping in Italy (only time).

Personally, I believe the DNC still looks at my stuff. Also, probably keylogged by our friendly gov't snoops. Deny. Deny. Deny.
21 posted on 10/18/2002 9:57:27 PM PDT by truth defector
[ Post Reply | Private Reply | To 1 | View Replies]

To: thatdewd; browardchad
What you described sounds exactly like an experience my husband had yesterday. It turned out to be a GMC pop up ad asking him to vote on his favorite song ("Little Red Corvette" was playing). He emailed them a big "NO" vote on the ad, and let them know that, as a very satisfied GMC owner, if the ad continued he would seriously reconsider buying a GMC the next time he's in the market for a vehicle.
22 posted on 10/18/2002 10:13:21 PM PDT by dixiechick2000
[ Post Reply | Private Reply | To 11 | View Replies]

To: vannrox
A little over a year ago, when I was replying a lot to the TWA-800 SHOOTDOWN Cover-Up posts, (I thought it was terrorism, due to the 25-Knot speedboat that fled the scene, and James Kallstrom morphing the boat into a nebulous helicopter). Well I checked some of my BlackICE pings just for the heck of it through ARIN WHOIS at www.arin.net/whois. One number=164.190.200.3 came back as NCC.NCTS.NAVY.MIL
number 138.147.10.10 came back to GATE.NCTS.NAVY.MIL
all came under the umbrella as =DOD Network Information Center (JMCIS-BLOCK) Space and Navy Warfare Systems, Washington DC, 20363-5100.

I printed out a copy of it at the time and will gladly E-mail, or Fax it to any doubting Thomas who asks for a copy!!
I guess they found out I was a harmless poor ole soul from Ohio, and that was the end of them snooping.
23 posted on 10/18/2002 10:13:33 PM PDT by timestax
[ Post Reply | Private Reply | To 1 | View Replies]

To: vannrox
I looked at Zone Alarm and I got this at 12 AM CST:

ZoneAlarm has blocked access to port 1433 on your computer

ZoneAlarm has successfully stopped local network or Internet traffic from reaching your computer. No breach in your security has occurred. Your computer is safe. What happened?

ZoneAlarm blocked traffic to port 1433 on your machine from port 2447 on a remote computer whose IP address is 202.29.21.4. This communication attempt may have been a port scan, or simply one of the millions of unsolicited commercial or network control messages that are routinely sent out over the Internet. Such unsolicited messages are often called Internet background noise.

Should I be concerned?

This alert should not be a cause for concern. ZoneAlarm has protected your machine according to the firewall settings you have selected.

Might be a ping from msn, my ISP, or something FR server is doing--or a probe, as others have suggested.

24 posted on 10/18/2002 10:15:50 PM PDT by Forgiven_Sinner
[ Post Reply | Private Reply | To 1 | View Replies]

To: gcruse
There is no "authentication certificate" for the Adware I tried downloading - sooooo - I'm hesitating using it...any advice, anyone?
25 posted on 10/18/2002 10:28:19 PM PDT by goodnesswins
[ Post Reply | Private Reply | To 18 | View Replies]

To: vannrox
bump
26 posted on 10/18/2002 10:49:38 PM PDT by timestax
[ Post Reply | Private Reply | To 1 | View Replies]

To: libertynews
Just reading (or even logging into FR) doesn't reveal your IP address to anyone.

Somebody "sniffing" FR's line can collect IP addresses and anything else they want...

And yes, I've noticed the same correlation between visits to FR and an increase in the frequency of port scans.

27 posted on 10/18/2002 11:02:27 PM PDT by FormerLurker
[ Post Reply | Private Reply | To 4 | View Replies]

To: truth defector
Deny,deny deny
28 posted on 10/18/2002 11:11:37 PM PDT by timestax
[ Post Reply | Private Reply | To 21 | View Replies]

To: vannrox
I've got 46 attacks since yesterday morning when I cleared my alerts. I get probed all the time and I usually ignore them, though I do check out who it is every now and then. I do keep my logs though.
29 posted on 10/19/2002 3:41:48 AM PDT by philman_36
[ Post Reply | Private Reply | To 1 | View Replies]

To: vannrox
47
30 posted on 10/19/2002 3:54:01 AM PDT by philman_36
[ Post Reply | Private Reply | To 29 | View Replies]

To: vannrox
And my...aren't there some very interesting and queer attempts.
31 posted on 10/19/2002 6:08:48 AM PDT by philman_36
[ Post Reply | Private Reply | To 30 | View Replies]

To: thatdewd
I just had the little red corvette song play, no pop ups. i was looking at FR and Yahoo news...Hmmmm.
32 posted on 10/19/2002 6:20:10 AM PDT by finnman69
[ Post Reply | Private Reply | To 11 | View Replies]

To: finnman69
bttt
33 posted on 10/19/2002 8:32:02 AM PDT by timestax
[ Post Reply | Private Reply | To 32 | View Replies]

To: vannrox; Jim Robinson; John Robinson
Jim and John,

You may want to take a look at this thread.
34 posted on 10/19/2002 10:39:45 AM PDT by Ms. AntiFeminazi
[ Post Reply | Private Reply | To 1 | View Replies]

To: vannrox
Thanks for posting this.
35 posted on 10/19/2002 11:59:08 AM PDT by Fiddlstix
[ Post Reply | Private Reply | To 1 | View Replies]

bumping to check back later
36 posted on 10/19/2002 12:11:50 PM PDT by Lion's Cub
[ Post Reply | Private Reply | To 35 | View Replies]

To: vannrox
Yes, I also had those occurrences. The most recent occurred after following a link to Jpost.com. Immediately after hitting the jerusalem post weblink, I was hit with close to 20 attempts to penetrate our desktop system, port scanned multiple times, and then probed.

These scans and probes were clearly linked to my hitting the jpost.com website. Using rDNS lookup based on our firewall log led to us identifying the origins of the pings, fingers, probing, and scanning... it was jpost.com!

If you can post the IP address of the individual attacking your ports, I can do some rDNS work.
37 posted on 10/19/2002 1:50:16 PM PDT by bonesmccoy
[ Post Reply | Private Reply | To 1 | View Replies]

To: vannrox; Ernest_at_the_Beach; *tech_index
Thread indexed - FR Bump List (Scroll down to tech index and click.)
38 posted on 10/19/2002 4:23:44 PM PDT by American Preservative
[ Post Reply | Private Reply | To 1 | View Replies]

To: timestax
bumpity uppity
39 posted on 10/19/2002 4:34:06 PM PDT by timestax
[ Post Reply | Private Reply | To 33 | View Replies]

To: Forgiven_Sinner
ZoneAlarm has blocked access to port 1433 on your computer...

1433 is the default Microsoft SQL Server port. Someone is trying to probe your machine for the presence of this software package. If your machine were listening on port 1433 then the remote computer would most likely begin a sequence of well known probes to attempt to hijack your database engine.

You can verify that port 1433 is not active on your machine by loading a command line and typing:

On a Windows machine:
C:\>netstat -an

Look for port 1433. On a linux / UNIX machine:

#netstat -an | grep 1433

Bottom line... I wouldn't worry about it. Get a firewall if you don't already have one. Take care.

40 posted on 10/19/2002 4:58:27 PM PDT by gcraig
[ Post Reply | Private Reply | To 24 | View Replies]

To: gcraig
bump
41 posted on 10/19/2002 5:11:41 PM PDT by timestax
[ Post Reply | Private Reply | To 40 | View Replies]

To: vannrox
Got what proved to be a false Virus attack while trying to reply to shermy last night.

I suspect his pal Bert is involved somehow.
42 posted on 10/19/2002 5:15:31 PM PDT by PoorMuttly
[ Post Reply | Private Reply | To 1 | View Replies]

To: gcraig; Jim Robinson
Thanks for the info gcraig. I knew 1433 was a well-known port and I wondered what it was used for. A hacker would naturally probe it and look for default passwords to gain Admin access.

I'm safe, thanks to ZoneAlarm, the world's greatest freeware program.

Here's what my ports look like under netstat -an



C:\WINDOWS\Desktop>netstat -an

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    63.155.104.7:9322      0.0.0.0:0              LISTENING
  TCP    63.155.104.7:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  UDP    63.155.104.7:15483     *:*
  UDP    63.155.104.7:137       *:*
  UDP    63.155.104.7:138       *:*
  UDP    127.0.0.1:1616         *:*
  UDP    127.0.0.1:2132         *:*
  UDP    127.0.0.1:1900         *:*

Just now I got another probe. Does FR send to its clients? Jim Robinson?


The firewall has blocked Internet access to your computer (TCP Port 1433) from 203.248.195.112 (TCP Port 4132).

Time: 10/19/2002 8:24:00

43 posted on 10/19/2002 5:28:12 PM PDT by Forgiven_Sinner
[ Post Reply | Private Reply | To 40 | View Replies]
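
Editor's added example (not written by any poster in this thread): a Python reading of the `netstat -an` check from posts 40 and 43. It takes the Windows output pasted in post 43, reports whether port 1433 is bound, and goes a step beyond the posts by separating sockets bound to loopback only from those bound to a network-facing address. The function names are illustrative, and the IPv6 bracket handling is an addition for newer Windows output.

```python
import ipaddress

# `netstat -an` output copied from post 43 of this thread.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:1030           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    63.155.104.7:9322      0.0.0.0:0              LISTENING
  TCP    63.155.104.7:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING
  UDP    63.155.104.7:15483     *:*
  UDP    63.155.104.7:137       *:*
  UDP    63.155.104.7:138       *:*
  UDP    127.0.0.1:1616         *:*
  UDP    127.0.0.1:2132         *:*
  UDP    127.0.0.1:1900         *:*
"""


def parse_netstat(text):
    """Return (proto, local_host, local_port, state) for each socket line."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header, blank lines
        host, _, port = fields[1].rpartition(":")
        if not port.isdigit():
            continue
        state = fields[3] if len(fields) > 3 else ""  # UDP has no State column
        rows.append((fields[0], host.strip("[]"), int(port), state))
    return rows


def scope(host):
    """Classify the local bind address of a socket."""
    try:
        ip = ipaddress.ip_address(host.split("%")[0])  # drop IPv6 zone id
    except ValueError:
        return "unknown"
    if ip.is_unspecified:      # 0.0.0.0 or :: means every interface
        return "all-interfaces"
    if ip.is_loopback:         # reachable only from the machine itself
        return "loopback-only"
    return "single-address"


def bound_sockets(text):
    """Sockets that accept traffic: TCP in LISTENING state and every UDP socket."""
    return [(p, h, n) for p, h, n, s in parse_netstat(text)
            if p == "UDP" or s == "LISTENING"]


def is_bound(text, port, proto="TCP"):
    """True if something on this machine is bound to proto/port."""
    return any(p == proto and n == port for p, _, n in bound_sockets(text))


def exposed(text):
    """Bound sockets that are not loopback-only, as sorted (proto, port) pairs.

    A firewall may still drop traffic to these; this only shows what the
    operating system itself would answer on.
    """
    return sorted({(p, n) for p, h, n in bound_sockets(text)
                   if scope(h) != "loopback-only"})


if __name__ == "__main__":
    print("1433/tcp bound:", is_bound(SAMPLE, 1433))
    for proto, port in exposed(SAMPLE):
        print("network-facing:", proto, port)
```
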

To: finnman69
"I just had the little red corvette song play, no pop ups. i was looking at FR and Yahoo news...Hmmmm."

Yahoo has been running a GM ad with this song (among others). It is not a pop-up, plays on some of their pages occasionally, but not every time.

Yahoo is ahead of the curve when it comes to advertising mediums. They were one of the first to use pop-ups, but thankfully, no longer use pop ups, but they do use "interactive" ads with various forms of media.

Most of the ones I've seen with audio have been movie ads when looking at the Yahoo movie section, but I did get this ad yesterday on Yahoo's main page, and again later on a Yahoo news page.

So, the song is not spyware, but that doesn't mean you shouldn't look for spyware on your machine. If you're not using a program like adaware, you'll never know, and you'll be subjected with popups and other intrusive advertising on a random basis.

Unless you want to receive these ads, I highly recommend using adaware on your computer.

T2s
44 posted on 10/19/2002 5:36:25 PM PDT by Texas2step
[ Post Reply | Private Reply | To 32 | View Replies]

To: Forgiven_Sinner
Here's some info on the owner of the IP address that you provided:

inetnum: 202.29.20.0 - 202.29.21.255
netname: RIUBON-TH
descr: Rajabhat Institute Ubonratchathani
country: TH
admin-c: PT3-AP
tech-c: PT3-AP
mnt-by: MAINT-TH-UNINET
changed: noc@uni.net.th 20020703
status: ALLOCATED PORTABLE
source: APNIC

person: Prayong Thitithananon
address: Rajabhat Institute Ubonratchathani
address: Jangsanit Rd., Ubonratchathani 34000
country: TH
phone: +66-45-262423-32
fax-no: +66-45-311472
nic-hdl: PT3-AP
mnt-by: MAINT-THAISARN-AP
changed: phong@inet.co.th 970218
source: APNIC

45 posted on 10/19/2002 5:48:51 PM PDT by Ol' Sox
[ Post Reply | Private Reply | To 24 | View Replies]

To: libertynews
Just reading (or even logging into FR) doesn't reveal your IP address to anyone.

As somebody else pointed out, the request for a page does pass through a number of machines, and can be "sniffed" while it is on its way. Also, the act of requesting a page from a website MUST reveal your IP address to at least the site - that's how the site knows where to send the page. Most web-page servers keep a log of web-page requests, including date, time, and IP addy of requestor. Just FYI.

46 posted on 10/19/2002 6:00:11 PM PDT by Cboldt
[ Post Reply | Private Reply | To 4 | View Replies]

To: Cboldt
bump
47 posted on 10/19/2002 9:21:10 PM PDT by timestax
[ Post Reply | Private Reply | To 46 | View Replies]

To: muggs
bump
48 posted on 10/20/2002 11:22:35 AM PDT by timestax
[ Post Reply | Private Reply | To 47 | View Replies]

To: All; American Preservative; bonesmccoy; browardchad; Cboldt; Cicero; d101302; dixiechick2000; ...
My personal theory is, these Windows firewall companies tune their software to a pointless level of sensitivity, and then flash pretty windows with technobabble during each "attack" in order to "show" their customers how many boogeymen are being denied access to their system because their software was installed. This is a marketing gimmick to make the customer feel "protected." I've been running a Linux firewall for years, and not once has it ever popped up a flashy window warning me about an ICMP ping, or UDP packet to port Kalamazoo. In truth, none of these "attacks" would have any effect, as they're all just random probes and other Internet noise.

Personal firewalls are more important in keeping traffic from going out of your computer than from coming in. When up pops a flashy window telling you Keylogger is trying to make a connection to the Internet, and you don't recognize Keylogger as being an authorized program on your computer, then you have something to worry about.

As for attacks occurring when you're on FR-- that is probably just a coincidence. How much of your time is spent on FR vs other sites when you're connected to the Internet?

Also, a number of these warnings can be attributed to a failed www connection. See "False Positives". On some image-laden threads, your web browser may make dozens of www connections (one for each image on the thread.) Most of those connections go to other machines, some of which may be under stress and failing connections.

And, btw, your IP address will be leaked to other websites if you download images off those websites. It is easy enough for that to happen on FR, all one has to do is visit a thread with an image hosted on another website. Most images aren't downloaded from FR, and anybody can post a link to an image. This is not unique to FR, it is a fact of HTML life. If you are truly concerned, you can surf the Internet with images disabled, but really, there isn't much anybody will do with any random IP address they find downloading an image (especially when thousands of hits are recorded each day.) [BTW--people--don't link in images that are hosted on other people's servers unless you have permission.]

We have no software hosted on our machines (IP range 209.157.64.193-209.157.64.254) that will probe your machine when you contact FR. The absolute most that will probably never happen is an ICMP ping or traceroute from me if I'm tracing a network problem (I would likely pull a random address from FR's server, something I know is alive.) ICMP pings are very similar to sonar pings (measures roundtrip time of the "ping") and traceroute lists the network routers between two locations.

We keep our machines clean, there are no third parties messing around, no trojans on our site. We employ several mechanisms to verify the integrity of the system to ensure nobody is fooling around. We keep the software up-to-date with the latest patches as soon as they are made available. I keep an eye on the security portals that note "zero-day exploits." The number of network services we do run is minimal, there isn't much to exploit.

Man-in-the-middle attacks, where a hacker compromises a machine between you and the server, are incredibly rare and difficult. Almost all machines between you and the server are dedicated routers with little or no services to compromise. These are dedicated pieces of hardware with no other function than to move packets around, compromising one would be a difficult act, and the person that has the resources to do that is probably not going to be scanning personal computers.

Having said that, please do let me know if there is any suspicious activity, something that can be reproduced and that can be attributed to FR or any of my servers. Random occurrences are most likely meaningless, either coincidence or noise.

49 posted on 10/20/2002 1:01:39 PM PDT by John Robinson
[ Post Reply | Private Reply | To 1 | View Replies]
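
Editor's added example (not part of post 49 or any other post): one way to test the "probably just a coincidence" question raised above, by comparing the share of firewall alerts seen while reading FR with the share of online time spent on FR. The session times and alert timestamps are constructed for illustration, and the test assumes probes arrive independently of which site is being read.

```python
from collections import Counter
from datetime import datetime
from math import comb

FMT = "%m/%d/%Y %H:%M:%S"

# Constructed browsing sessions: (start, end, site being read).
SESSIONS = [
    ("10/19/2002 08:00:00", "10/19/2002 10:00:00", "FR"),
    ("10/19/2002 10:00:00", "10/19/2002 10:30:00", "other"),
    ("10/19/2002 19:00:00", "10/19/2002 21:00:00", "FR"),
    ("10/19/2002 21:00:00", "10/19/2002 21:30:00", "other"),
]

# Constructed firewall alert timestamps (one per blocked probe).
ALERTS = [
    "10/19/2002 03:15:00", "10/19/2002 08:24:00", "10/19/2002 08:51:10",
    "10/19/2002 09:05:42", "10/19/2002 09:40:03", "10/19/2002 10:10:00",
    "10/19/2002 14:02:00", "10/19/2002 19:12:30", "10/19/2002 19:58:00",
    "10/19/2002 20:15:15", "10/19/2002 20:47:09", "10/19/2002 21:20:45",
]


def _t(stamp):
    return datetime.strptime(stamp, FMT)


def hours_by_site(sessions):
    """Total hours spent on each site."""
    hours = Counter()
    for start, end, site in sessions:
        hours[site] += (_t(end) - _t(start)).total_seconds() / 3600
    return dict(hours)


def hits_by_site(sessions, alerts):
    """Attribute each alert to the session it falls in (start <= t < end)."""
    hits = Counter()
    for when in map(_t, alerts):
        site = next((s for b, e, s in sessions if _t(b) <= when < _t(e)),
                    "unattended")  # nobody was at the screen to see it
        hits[site] += 1
    return dict(hits)


def binom_tail(k, n, p):
    """P(X >= k) for X ~ Binomial(n, p)."""
    return sum(comb(n, i) * p**i * (1 - p)**(n - i) for i in range(k, n + 1))


def site_vs_background(sessions, alerts, site="FR"):
    """Compare alerts seen on `site` with what background noise alone predicts.

    If probes are unrelated to browsing, each alert seen while online lands
    in a `site` session with probability equal to that site's time share.
    """
    hours = hours_by_site(sessions)
    hits = hits_by_site(sessions, alerts)
    online = sum(n for s, n in hits.items() if s != "unattended")
    share = hours[site] / sum(hours.values())
    seen = hits.get(site, 0)
    return {
        "hits": seen,
        "online_hits": online,
        "time_share": share,
        "expected": online * share,
        # Small p_value: more alerts on `site` than time share explains.
        "p_value": binom_tail(seen, online, share),
    }


if __name__ == "__main__":
    for key, value in site_vs_background(SESSIONS, ALERTS).items():
        print(key, value)
```

With this constructed data, 8 of the 10 alerts seen while online fall in FR sessions, but FR also accounts for 80% of online time, so the count matches background noise.
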

To: John Robinson
(I should have run that through a spellchecker. Eek!)
50 posted on 10/20/2002 2:24:18 PM PDT by John Robinson
[ Post Reply | Private Reply | To 49 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.


FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson