Skip to comments.General FR Alert.
Posted on 10/18/2002 8:38:06 PM PDT by vannrox
I have been monitoring my PC system, and I have noted a pattern that might be of interest to Freepers. When ever I visit FR I generally get hit with an unauthorized Internet attack. These attacks are low-level, and it appears that someone or something is attempting to probe my PC when ever I log into FR.
I strongly urge other Freepers to make sure that they have somekind of FIREWALL to protect themselves.
I have noticed this before, but I haven't raised this issue, because I thought that it was just random attacks that occurred simply because I was on the Internet. But then I started to monitor it and noticed a correlation between my FR visits and various attacks.
Intruder "Y9K0E0" is most active and engages in the most agressive attempts. But others are involved. Has anyone else noticed this activity?
Somebody has tried to access your machine with the "NetBus Trojan Horse" and failed.
This is a common intrusion detected on the Internet, resulting from hackers looking for systems who might have been compromised with this program. It appears that you haven't been compromised, and that the hacker has gone away.
A Trojan program is one that has some subversive purpose other than what it looks like One of the favorite hacker techniques is to send these programs to people in the hopes they will be fooled into running them. Typical Trojans are those that steal passwords, install a virus, reformat your hard-disk, and so forth.
A particular popular class of Trojans are the Remote Access Trojans. These are programs that provide the hacker complete remote control over your machine. The problem for that hacker is that while they can often send you such Trojans via e-mail, chat, or news programs, they often don't know where on the Internet you are located. For example, they can tell from your e-mail that you use a certain ISP, but they don't know your current IP address. Therefore, if they think they've fooled you into running their program, they must then scan the entire ISP's range for you.
The flip-side to this means that if the hacker isn't after you, you will still see their scans as they search for their other victims. Likewise, the hacker may hope that some other hacker has hoodwinked you into running this Trojan. This means the hacker may be looking for anybody who might be compromised.
Trojan Horse probes are therefore very common. They aren't a cause for concern.
The page on TCP port probe has more information on probing machines for open ports like this. Please see that page for more details.
TCP port probe
Somebody has tried to access your machine and failed.
This is the most common intrusion detected on the Internet. This is so common because hackers do frequent wide-spread scans looking for one specific exploit they can use to break into systems. The typical hacker scans thousands or millions of machines in a typical scan. In other words, the hacker isn't targeting you personally. In particular, this event is generated upon failed attempts, so there is no reason to worry.
Probes like this result from "script-kiddies", hackers just above the skill level of trained monkeys. They download attack programs (called "scripts") from various sites on the net, then run them against millions of machines. There are thousands of script-kiddies out there, so if you have a always-on connection (cable-modem, DSL), then you can expect about one of these scans per day.
About 10% of these scans are from forged (spoofed) addresses. This means the indicated IP address in the attack is probably from the real attack, but a small percentage of the time the indicated person is completely innocent.
About 20% of these scans are from machines already compromised by a hacker. In other words, if you report this scan back to the originator, they may thank you, because you've discovered a hacked system on their network they didn't know about.
Information on reporting the hacker can be found in our support Knowledge Base article q000016.
A port is a point of entry into a system. Each program running on a system is reached through its own ports. You rarely see this detail because most port assignments are automatic. For example, most websites run at port 80 on a machine, so you never have to specify it yourself.
This means that if you see a TCP port probe for port 80, then a hacker is most likely testing your system to see if you've installed your own web server. The exact port the intruder probed for is listed on your system in the file "attack-list.csv".
The system errs on the side of caution. When your machine attempts to connect to a remote site and fails, sometimes this alert will trigger. Carefully watch the source of the attack in case it is your own machine.
The system triggers on any failed connection. Some web-sites will attempt to contact your machine. For example, chat servers, FTP servers, and multimedia servers (video, audio) often open connections directed at your machine. If the firewall settings block this, then these will be reported as port probes.
Version appeared: 220.127.116.11
Should be no problem if it's not already there. However, you may wish to run a virus scan to see what results you get on your PC.
All IMO, naturally.
Best idea I've heard.
It said something on the order of, "You are attempting to view a page that has not been issued a security certificate"
When I clicked on "details", it said, ISNX5L7 is not a valid agent, certificate issued to F.E.M.A., there was a thumb print algorithem, signature algorithem, etc.
I have no idea what that was about, other than some agent or agency punched in the wrong id in issuing a certificate to F.E.M.A. and it wasn't valid. Eventually it stopped. I was advised that I had most likely gone to some place on the web and picked it up, but I had not surfed the web that I remember, or it could be some random packet that my computer picked up. Of course seeing the F.E.M.A. thing freaked me out a little.
AdAlarm is free and available through
I had 54 suspicicous items, about half of them stupid things from the Osama game and other 'twisted humor' junk I had played. The other half could not be identified from the file names, could have been ANYTHING. I Wiped them ALL. Thanks, I never would have known all that crap was in there.
ZoneAlarm has blocked access to port 1433 on your computer
ZoneAlarm has successfully stopped local network or Internet traffic from reaching your computer. No breach in your security has occurred. Your computer is safe. What happened?
ZoneAlarm blocked traffic to port 1433 on your machine from port 2447 on a remote computer whose IP address is 18.104.22.168. This communication attempt may have been a port scan, or simply one of the millions of unsolicited commercial or network control messages that are routinely sent out over the Internet. Such unsolicited messages are often called Internet background noise.
Should I be concerned?
This alert should not be a cause for concern. ZoneAlarm has protected your machine according to the firewall settings you have selected.
Might be a ping from msn, my ISP, or something FR server is doing--or a probe, as others have suggested.
Somebody "sniffing" FR's line can collect IP addresses and anything else they want...
And yes, I've noticed the same correlation between visits to FR and an increase in the frequency of port scans.
1433 is the default Microsoft SQL Server port. Someone is trying to probe your machine for the presence of this software package. If your machine were listening on port 1433 then the remote computer would most likely begin a sequence of well known probes to attempt to hijack your database engine.
You can verify that port 1433 is not active on your machine by loading a command line and typing:
On a windows machine
Look for port 1433. On a linux / UNIX machine:
#netstat -an | grep 1433
Bottom line... I wouldn't worry about it. Get a firewall if you don't already have one. Take care.
I'm safe, thanks to ZoneAlarm, the world's greatest freeware program.
Here's what my ports look like under netstat -an
C:\WINDOWS\Desktop>netstat -an Active Connections Proto Local Address Foreign Address State TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING TCP 0.0.0.0:135 0.0.0.0:0 LISTENING TCP 0.0.0.0:5000 0.0.0.0:0 LISTENING TCP 22.214.171.124:9322 0.0.0.0:0 LISTENING TCP 126.96.36.199:139 0.0.0.0:0 LISTENING TCP 127.0.0.1:1026 0.0.0.0:0 LISTENING TCP 127.0.0.1:1029 0.0.0.0:0 LISTENING UDP 188.8.131.52:15483 *:* UDP 184.108.40.206:137 *:* UDP 220.127.116.11:138 *:* UDP 127.0.0.1:1616 *:* UDP 127.0.0.1:2132 *:* UDP 127.0.0.1:1900 *:*
Just now I got another probe. Does FR send to its clients? Jim Robinson?
The firewall has blocked Internet access to your computer (TCP Port 1433) from 18.104.22.168 (TCP Port 4132). Time: 10/19/2002 8:24:00
inetnum: 22.214.171.124 - 126.96.36.199
descr: Rajabhat Institute Ubonratchathani
changed: firstname.lastname@example.org 20020703
status: ALLOCATED PORTABLE
person: Prayong Thitithananon
address: Rajabhat Institute Ubonratchathani
address: Jangsanit Rd., Ubonratchathani 34000
changed: email@example.com 970218
As somebody else pointed out, the request for a page does pass through a number of machines, and can be "sniffed" while it is on its way. Also, the act of requesting a page from a website MUST reveal your IP address to at least the site - that's how the site knows where to send the page. Most web-page servers keep a log of web-page requests, including date, time, and IP addy of requestor. Just FYI.
Personal firewalls are more important in keeping traffic from going out of your computer than from coming in. When up pops a flashy window telling you Keylogger is trying to make a connection to the Internet, and you don't recognize Keylogger as being an authorized program on your computer, then you have something to worry about.
As for attacks occurring when you're on FR-- that is probably just a coincidence. How much of your time is spent on FR vs other sites when you're connected to the Internet?
Also, a number of these warnings can be attributed to a failed www connection. See "False Positives". On some image-laden threads, your web browser may make dozens of www connections (one for each image on the thread.) Most of those connections go to other machines, some of which may be under stress and failing connections.
And, btw, your IP address will be leaked to other websites if you download images off those websites. It is easy enough for that to happen on FR, all one has to do is visit a thread with an image hosted on another website. Most images aren't downloaded from FR, and anybody can post a link to an image. This is not unique to FR, it is a fact of HTML life. If you are truely concerned, you can surf the Internet with images disabled, but really, there isn't much anybody will do with any random IP address they find downloading an image (especially when thousands of hits are recorded each day.) [BTW--people--don't link in images that are hosted on other people's servers unless you have permission.]
We have no software hosted on our machines (IP range 188.8.131.52-184.108.40.206) that will probe your machine when you contact FR. The absolute most that will probably never happen is an ICMP ping or traceroute from me if I'm tracing a network problem (I would likely pull a random address from FR's server, something I know is alive.) ICMP pings are very similar to sonar pings (measures roundtrip time of the "ping") and traceroute lists the network routers between two locations.
We keep our machines clean, there are no third parties messing around, no trojans on our site. We employ several mechanisms to verify the integrity of the system to ensure nobody is fooling around. We keep the software up-to-date with the latest patches as soon as they are made available. I keep an eye on the security portals that note "zero-day exploits." The number of network services we do run is minimal, there isn't much to exploit.
Man-in-the-middle attacks, where a hacker compromises a machine between you and the server, are incredibly rare and difficult. Almost all machines between you and the server are dedicated routers with little or no services to compromise. These are dedicated pieces of hardware with no other function than to move packets around, compromising one would be a difficult act, and the person that has the resources to do that is probably not going to be scanning personal computers.
Having said that, please do let me know if there is any suspicious activity, something that can be reproduced and that can be attributed to FR or any of my servers. Random occurances are most likely meaningless, either coincidence or noise.