The Steel Guitar Forum Store 

Topic: Fire Wall Report
Bill Rowlett, Russellville, AR, USA. Posted 19 Apr 2000 6:10 am

I installed the ZoneAlarm firewall software. It seems to work fine with Win98. It actually seemed to cure one of my shutdown bugs. The program is very easy to install and configure. However, since I installed it I am getting an average of one to two attempts to enter my computer through high FTP ports a day. Many times I get a hit right after I log on to the ISP. Sometimes I will get three or four attempts in a 4-hour session. I need to learn more about these hacker (NSA/FBI?) tactics and programs. Anyone care to report on what they are seeing?

Bill

[This message was edited by Bill Rowlett on 19 April 2000 at 07:11 AM.]


Rich Paton, Santa Maria, CA. Posted 19 Apr 2000 8:16 am

Bill, just because we're paranoid, it doesn't mean someone isn't spying on us! :>)

I don't know if this log file will be of much help in your spy vs. spy attempts... but I think it could be, if you check out the source addresses in it and can find out whose websites they belong to.

I was snooping around in my own system, which is running W98SE (Ver. 4.10.2222A), with a dialup modem connection and Netscape Communicator V4.7, and found this ZoneAlarm log file:

C:\Windows\InternetLogs\ZALog.txt

The ZoneAlarm FAQ states that there is no provision for logging "attempts" to penetrate your system, but when I view this file in NotePad, it seems to have logged the source and destination addresses (DNS?) of all port connections made throughout an internet session, and each connection's "transport type" (these entries are all tagged as TCP).

Also logged are numerous launchings of the "ZoneAlarm Security Utility". It seems to me that if you write down the times when ZoneAlarm gives you the pop-up alert notification window, you could correlate the time with a logged popup event, and if this is true you've got the offending party's address logged here, in the same time frame.

I think this is the same data as you see on the ZoneAlert web page which loads in your browser, if you select the details option when you get the ZA popup. More convenient and storable, however.

BTW, if you are concerned with these kinds of issues, take some time to look through all the directories on your hard drive and see what sort of stuff has been installed. I can say this about that: it is quite obvious to me that my W98SE has installed, or has attempted to install, a logging utility associated with just about every software application installed on the hard drive.

The application, execution time, and more has been logged in these files.

I don't think Microsoft would need that sort of info to troubleshoot problems with their software, as is the standard explanation thrown out by them & others when queried about such logs. Since when did they start caring if the stuff they sell works or not, once it has been removed from its "YOU JUST BOUGHT IT, T.S. ON YOU" sealed, disclaimer-emblazoned envelopes?

If all of a sudden they've started to care about it, that would be big news to me!

Let us know what you can or cannot do with this log. Good luck!

Bill Rowlett, Russellville, AR, USA. Posted 19 Apr 2000 12:04 pm

Hi Rich,

Thanks for the info. I've been manually logging the DNS numbers that alert, but I don't know how to attempt to trace them yet. Since most DNS numbers are assigned for the session only by the I.S.P., it may be of little use.

I'm just sort of shook up by the frequency that these alerts are happening. You have to wonder about being on a 24 hour cable modem.

It is interesting that the log is there even though the program has the disclaimer in the alert message.

Bill

Bob Martin, Madison, TN. Posted 19 Apr 2000 6:25 pm

Hi guys, I think you will find that most of the warnings that you are getting are about cookies trying to be sent to your computer from the web page you are trying to access. I think you can turn off those warnings in Zone Alarm's option settings; of course I could be wrong, I am just guessing.

Bob

------------------
biggbob@home.com
http://members.tripod.com/biggbobmartin


Rich Paton, Santa Maria, CA. Posted 19 Apr 2000 6:55 pm

I'm sure Big Bob is correct. You should have some cookies on your drive that you can compare DNS numbers (or whatever's in use) to the logged entries to confirm that. ZA can't be blocking all cookie packets, or wouldn't we get a bunch of nuisance messages from sites attempting to place them? I get a bunch of them at sites all over the web if I disable cookies in the browser.

There is a reference to the Traceroute and Whois? utilities in the ZA help file. There are a lot of internet security websites that must have instruction on using a tracer, and on dealing with the dynamic DNS server issue.

The best answer would be an "Internet Aegis" software system, to blast the hackers with photon torpedo packets or something that's equally nasty, in a counterforce weapon... With selectable Automatic Fire-On-Warning or Manual modes, to blow it right in their faces!

I just installed ZA last week and have little experience with any web security software. I hope we will get the most out of it through these discussions.

Bill Rowlett, Russellville, AR, USA. Posted 20 Apr 2000 5:41 am

Thanks Bob,

Actually, I am getting these alerts while on Usenet and sometimes before I have started either the newsreader or browser. I have my IE browser set to accept cookies but review and clean them out periodically. I don't notice an alert when I access sites that I know use cookies. I do not enable Java in the browser.

The only downside to ZoneAlarm that I can see so far is that it seems to take a lot of RAM. I only have 32 Meg and am continually swapping from the disk when ZoneAlarm is active.

Rich,

Thanks for the tracer info. I'll have to read more on this subject. It would be interesting to have two systems running and try to connect with one of the two and see what ZoneAlarm does.

There is only so much time and I know so little. . .

Bill

Bob Martin, Madison, TN. Posted 20 Apr 2000 2:50 pm

Hi guys, one more guess. You probably have several programs that access the internet without your knowledge, such as your browser, email, possibly MS Word and many unknown apps; the list could be large. They usually are not malicious and they do have legitimate reasons for connecting to different sites, and the warnings that you are getting could be the server trying to respond back to these apps. Again I am just guessing and I hope this helps you at least have some direction to go in.

Bob

------------------
biggbob@home.com
http://members.tripod.com/biggbobmartin


Jeff Agnew, Dallas, TX. Posted 20 Apr 2000 2:53 pm

Bill,

Be sure you are using ZA 2.1.10 instead of 2.1.7. It's labeled beta but is vastly more stable, uses fewer system resources, and does include a logging checkbox.

Also, the probes you are seeing are just that; ZA does not log nor respond to cookies, which are simply HTTP requests sent over port 80.

Occasional probes are not a concern unless you have open ports. If you're using Windoze on a cable connection, in particular, there are several glaring security holes you should close. But occasional probes are a fact of life. I've turned off the alarm option on ZA and just check the log occasionally for intruders.

Some of the alarms ZA reports are simple responses to ICMP (ping) requests and may even come from your ISP. These errant probes are part of what's called Internet background radiation. Static, if you will.

A determined probe from a cracker will cause ZA to generate a log of sequential port entry attempts in rapid succession. This is where the log comes in handy. Such a series of probes signifies an intruder knocking on your door, so to speak, and hoping something (program or process) will answer. The trick is not, as you might expect, to not answer. Rather, the trick is to stealth your ports so a scan of your IP number doesn't even reveal your computer's presence.

If you have a cable modem or DSL connection, you will be probed. Crackers use automated programs to scan IP blocks. It just becomes a matter of probability when you'll be seriously probed. Always-on connections (particularly if you have a static IP) are inviting targets.

Another source of ZA alarms is errant programs on your hard drive sending out information of which you're not aware. They may be sending out information to an ad-tracking service or responding to an intruder. Some shareware programs such as CuteFTP, for example, leave stealth mechanisms behind (even after you delete the program) that communicate personal information back to an ad service such as Radiate or Conducent. And it's not just shareware programs. ICQ and AOL Instant Messenger are notoriously vulnerable, for example. And you'd be shocked to see the list of commercial software that does similar tracking.

Concerned? Sorry if I've alarmed you but my purpose is to get you thinking about some vulnerabilities you may have. A broadband connection like a cable modem entails an entirely different set of networking complications that dial-up users never have had to consider. You are now, in essence, part of a giant LAN.

ZA is a great tool, though. I use it on my Windoze boxes and it works well. If you're interested, there's a news group devoted to ZA that can bring you a wealth of information.

I apologize for the length of this response but it's a complex subject. Instead of boring everyone I'll just say that if you have any specific questions I'd be happy to try and answer them.

Regards,
Jeff
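As an added example (not from this thread and not ZoneLabs code), here is a small Python script that picks out the "sequential port entry attempts in rapid succession" pattern Jeff describes from a firewall log, separating it from isolated hits and ICMP background noise. The log layout, the FWIN tag and the addresses are constructed assumptions, since the thread never shows the real ZALog.txt format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a simplified, hypothetical ZoneAlarm-style layout:
# kind,date,time,source_ip:port,destination_ip:port,protocol
SAMPLE_LOG = """\
FWIN,2000/04/22,08:21:03,192.0.2.10:4321,203.0.113.5:21,TCP
FWIN,2000/04/22,08:21:04,192.0.2.10:4322,203.0.113.5:22,TCP
FWIN,2000/04/22,08:21:04,192.0.2.10:4323,203.0.113.5:23,TCP
FWIN,2000/04/22,08:21:05,192.0.2.10:4324,203.0.113.5:25,TCP
FWIN,2000/04/22,08:21:06,192.0.2.10:4325,203.0.113.5:80,TCP
FWIN,2000/04/22,08:35:40,198.51.100.7:0,203.0.113.5:0,ICMP
FWIN,2000/04/22,09:02:11,198.51.100.9:1045,203.0.113.5:113,TCP
"""

LINE_RE = re.compile(r"^(\w+),([^,]+),([^,]+),([\d.]+):(\d+),([\d.]+):(\d+),(\w+)$")

def parse_log(text):
    """Turn log lines into dicts; lines that do not match the assumed layout are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _kind, date, time, src, _sport, _dst, dport, proto = m.groups()
        ts = datetime.strptime(f"{date} {time}", "%Y/%m/%d %H:%M:%S")
        events.append({"ts": ts, "src": src, "dport": int(dport), "proto": proto})
    return events

def find_scans(events, window=timedelta(seconds=60), min_ports=4):
    """Sources that hit at least `min_ports` distinct TCP ports within `window`
    (the rapid sequential probing a scanner produces); a lone hit or an ICMP
    echo is treated as background noise and ignored."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP":
            by_src[e["src"]].append(e)
    scans = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            ports = {e["dport"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(ports) >= min_ports:
                scans[src] = sorted(ports)
                break
    return scans
```

Running `find_scans(parse_log(SAMPLE_LOG))` flags only 192.0.2.10, which touched five ports in three seconds; the single ICMP and identd hits are left as noise.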

Rich Paton, Santa Maria, CA. Posted 21 Apr 2000 7:05 pm

Lots of excellent info showing up here!
After reading the responses I went back to the "Shields Up" page where I first heard about ZoneAlarm and re-tested. This time no intrusions, including ports were allowed.
I hope this means I am "safe" now.
The log file has lots of attempts shown, but I am still not sure what they all represent.

Rich Paton, Santa Maria, CA. Posted 21 Apr 2000 7:07 pm

Y'all try this webpage...

http://grc.com/su-reading.htm

[This message was edited by Rich Paton on 22 April 2000 at 12:35 AM.]


Jeff Agnew, Dallas, TX. Posted 22 Apr 2000 8:21 am

Quote:
I went back to the "Shields Up" page where I first heard about ZoneAlarm and re-tested. This time no intrusions, including ports were allowed.

Rich,

Be sure Steve's probe test reports your ports as "Stealth", not "Closed". Having them closed simply tells a cracker your computer exists. Having them stealthed means they don't even know you're there.

To use my earlier analogy, a closed port is like someone knocking on your front door and getting no answer. A stealthed port is like someone not seeing your front door (or house, actually) at all. The second scenario is safer.

Regards,
Jeff

Rich Paton, Santa Maria, CA. Posted 22 Apr 2000 8:51 am

Jeff, it was "Stealth". I guess that means ZA is working as advertised?

Here's some food for thought:

http://www.geocities.com/~budallen/backdoor.html

Jeff Agnew, Dallas, TX. Posted 24 Apr 2000 5:10 pm

Quote:
I guess that means ZA is working as advertised?

Yep, that sounds great. Now for the bad news: over the weekend someone discovered a hole in ZA via port 67. According to ZoneLabs' president, this was because they had to add a patch for NT4 compatibility. The good news is that there's already an update that plugs the hole:

Download ZoneAlarm 2.1.18

[This message was edited by Jeff Agnew on 24 April 2000 at 06:12 PM.]


Bill Rowlett, Russellville, AR, USA. Posted 25 Apr 2000 10:09 am

Thanks for all the info Jeff,

Over the weekend I got 17 alerts from two different D.N.S. numbers about two minutes apart. This continued until I closed my I.S.P. connection and reconnected. I think I will try and trace them.

Bill

Rich Paton, Santa Maria, CA. Posted 28 Apr 2000 4:01 pm

Thanks for the upgrade info, Jeff!
All times are GMT - 8 Hours