Gawain 0 #1 June 25, 2003

...have you noticed an increase in blocked/inbound activity? I use BlackICE and not only has it been blocking all sorts of TCP probes and SQL probes, but the severity of the events has increased quite a bit. Anyone....anyone...? Bueller?

...So I try and I scream and I beg and I sigh Just to prove I'm alive, and it's alright 'Cause tonight there's a way I'll make light of my treacherous life Make light!
wlie 0 #2 June 25, 2003

I just unplug it

My other ride is the relative wind.
juanesky 0 #3 June 25, 2003

You will need some time to address the following:

1. If you use Windows XP, make sure your NIC device in the system is not using the built-in firewall...
2. Take the time to set up your firewall with the websites you are using all the time...

"According to some of the conservatives here, it sounds like it's fine to beat your wife - as long as she had it coming." -Billvon
oldnewbie 0 #4 June 25, 2003

Mine is blocking all kinds of stuff right now!! I keep getting something called a *sub seven trojan horse*. It has blocked a dozen every day for two weeks. And I don't have a clue what they are, except I know the trojan horse thing is something bad, like a virus or worm!! I'm using Norton Internet Security.
juanesky 0 #5 June 25, 2003

Well, it could be that you would actually need to run a virus scan, for you could have it already in your system.... Never open anything without scanning it, it is my best advice, yet this does not mean that it will give you security 100% of the time, yet, it really decreases the chances.... On the other hand, if you just open all the attachments from friends, family, etc., my friend, you probably need to defrag your hard drive again, format it, and install everything one more time...

"According to some of the conservatives here, it sounds like it's fine to beat your wife - as long as she had it coming." -Billvon
skymut 0 #6 June 25, 2003

Well, I actually use a firewall device, which has no type of logging, I'm afraid. So, not sure what has been trying to get inbound.

Matt

A well-informed person is somebody who has the same views and opinions as yours.
TitaniumLegs 8 #7 June 25, 2003

The SQL probes (port 1434, mostly, right?) are probably caused by a virus on a SQL server somewhere trying to infect you. This virus has been around for a few months, and there is a fix for it. It's not your problem, though, it's the DBAs on the machines sending the stuff.

(>o|-< If you don't believe me, ask me.
TitaniumLegs 8 #8 June 25, 2003

> Well, I actually use a firewall device, which has no type of logging, I'm afraid. So, not sure what has been trying to get inbound.

Most of them do, actually. You need to configure it through its web GUI to send reports to an email address. You will probably have to have an SMTP and/or POP server (and probably an account) to point it at.

(>o|-< If you don't believe me, ask me.
falxori 0 #9 June 25, 2003

> *sub seven trojan horse*.

subseven is a known, pretty old trojan. it allows someone to browse your hard drive, capture screenshots and do funny stuff like opening and closing your CD drive.

a. update and run an AV program
b. run spybot search and destroy
c. run lavasoft adaware
d. keep using a firewall
e. stop with the porn sites you sick bastard O

"Carpe diem, quam minimum credula postero."
PhillyKev 0 #10 June 25, 2003

> June 19, 2003
>
> Security Researchers Uncover Mystery Malware
>
> By Dennis Fisher
>
> Security experts finally have a handle on mystery malware that was generating loads of suspicious IP traffic over the last few weeks. Researchers at Internet Security Systems Inc. say the culprit, which was first thought to be a new breed of Trojan, is actually a distributed network mapping tool that also acts as a listening agent.
>
> Dubbed Stumbler, the agent is not considered malicious right now because it contains no payload, but it has the potential to generate enough IP traffic to hamper network performance. What has experts most concerned is the ease with which Stumbler could be reprogrammed to make it more damaging.
>
> "We're really more interested in the next version because it could easily become a worm," said Dan Ingevaldson, team lead on ISS' X-Force research and development team in Atlanta, which tracked down the Stumbler agent. "You should definitely remove it if you find it. And you should be concerned about how it got there because someone had to put it there intentionally.
>
> "It's not very advanced," Ingevaldson added. "The complexity and the elegance of the network is what makes it good."
>
> ISS officials said it's impossible to say how many machines have been infected with Stumbler, though the amount of traffic being generated by the agent, which scans random IP addresses and looks for other versions of itself, indicates at least several hundred infections. The agent captured by ISS is in Linux binary, but researchers say it could easily be ported to other platforms and likely will be.
>
> News of the code capture comes as a relief to investigators from several agencies, including the FBI and the Department of Homeland Security, which were also tracking the rogue IP activity.
>
> Stumbler first appeared around May 16 and began randomly scanning Internet-connected machines. The scanning was slow at first but began to pick up speed in recent days as more machines have become infected. ISS researchers were seeing nearly 3,000 scans an hour earlier this week across the entire address space that the company monitors.
>
> Stumbler scans random ports on random machines, each time sending an initial SYN packet. One of the few identifiable characteristics of the program is a window size of 55808 on each of the packets it transmits. It also spoofs the originating IP address on all of the packets, making them look as if they're coming from machines in unallocated name space.
>
> The window size led some to speculate that the malware was related to the Randex IRC bot, but experts now say the TCP window size is coincidental.
>
> ISS said it was alerted to the existence of the mystery agent by an employee at a defense contractor and later notified both the FBI and the CERT Coordination Center.
>
> http://www.eweek.com/article2/0,3959,1132253,00.asp
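Added example, not part of the post or the quoted article: a small filter that picks out the one signature the article gives for Stumbler, a bare SYN with a TCP window size of 55808, from packet-capture text. It assumes `tcpdump -n` style output; the sample lines are constructed and use documentation address ranges, and the function names are this example's own.

```python
import re
from collections import Counter

STUMBLER_WINDOW = 55808  # TCP window size reported in the quoted article

# Matches tcpdump -n text output for IPv4 TCP packets (assumed log format).
LINE_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]+)\].*?\bwin (?P<win>\d+)"
)

# Constructed sample capture; addresses come from documentation ranges.
SAMPLE = """\
12:00:01.100000 IP 198.51.100.7.4431 > 192.0.2.10.8123: Flags [S], seq 1001, win 55808, length 0
12:00:01.200000 IP 203.0.113.9.51512 > 192.0.2.10.80: Flags [S], seq 2002, win 64240, length 0
12:00:02.300000 IP 198.51.100.88.1029 > 192.0.2.11.31337: Flags [S], seq 3003, win 55808, length 0
12:00:02.400000 IP 192.0.2.10.80 > 203.0.113.9.51512: Flags [S.], seq 4004, ack 2003, win 55808, length 0
12:00:03.500000 IP 203.0.113.9.51512 > 192.0.2.10.80: Flags [P.], seq 1:20, ack 1, win 55808, length 19
12:00:04.600000 IP 198.51.100.200.2200 > 192.0.2.12.445: Flags [S], seq 5005, win 55808, length 0
not a packet line
"""

def find_stumbler_syns(text):
    """Return (src, dst, dport) for each bare SYN carrying the 55808 window."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip non-TCP or malformed lines
        # A bare SYN prints as exactly "S"; "S." is SYN-ACK, "P." is data.
        if m["flags"] == "S" and int(m["win"]) == STUMBLER_WINDOW:
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits

def summarize(hits):
    """Tally hits per destination host and list the ports probed."""
    per_dst = Counter(dst for _, dst, _ in hits)
    ports = sorted({dport for _, _, dport in hits})
    return {"total": len(hits), "per_dst": dict(per_dst), "ports": ports}

if __name__ == "__main__":
    print(summarize(find_stumbler_syns(SAMPLE)))
```

Because the article notes the same window size was also associated with the Randex IRC bot, a match is an indicator to investigate rather than proof of Stumbler, and the spoofed source addresses in the hits say nothing about where the scanner actually runs.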