does this make sense? (security)


seti
12-01-1999, 05:51 PM
I recently put up a firewall and have taken up the hobby of reporting scanners to their ISPs (just for fun). I recently got this e-mail apologizing... does this make any sense? (It's beyond me.)

Hello,

Sorry about the port scanning on the SMTP port. My cable modem was given a new IP when I rebooted my Linux box from work and I was trying to find it so I could update my DNS server to point to my web site. I had to drive home anyway, too many people running servers. I was not attempting any sort of malicious act. Sorry for the inconvenience.

Regards,

steve

It should be noted that two What's Up scans were made 10 hours apart from his IP.

smokin1
12-01-1999, 10:43 PM
Hehehee... You have to give that person an A for inventiveness... must have sat up all night trying to figure out how not to get bounced off their cable connection... if it looks like it... and smells like it... there's a good chance that it is...

Dave_H
12-01-1999, 10:58 PM
I think the huge majority of these things are done by people who are not malicious.

Some people probably don't know what they're doing, some don't realize they are affecting others, and of course the stupid kids that play around.

You only have to watch out for the ones that you can't trace! If I thought that someone was targeting my specific computer, and not the whole net, I would not do anything back to that IP address. (don't try to echo storm a hacker or something stupid like that).

I also think most ISPs do their best and take this matter very seriously. They probably give someone the benefit of the doubt the first time, but hopefully take care of it after a few complaints about the same person.

seti
12-02-1999, 12:56 AM
Well, I would have no idea how to "get back" at anyone, nor would I want to... but it ticks me off. In the last 90 hours I've logged 24 attacks (on my computer), 4 in the last 12 hours from one person (well, one ISP, four different IPs). And all this has totally drained my trust in my fellow humans.

Isos
12-02-1999, 03:44 AM
You think that's bad, I have logged 37 attempts in 48 hours.

seti
12-02-1999, 04:32 AM
Ouch. But these creeps, they can't do anything, right? Right? Everything's nice and safe, right? All my ports are stealth... I'm safe, right? Please say right.

OuTpaTienT
12-02-1999, 04:39 AM
uh, right. (if that makes you feel better.)

But there's no way this guy would know to send you an e-mail unless he was given a warning by his ISP. And they probably gave him the warning because you reported him. So I'd suggest that you CONTINUE to report him (and others) because it appears to be working.

Groo
12-02-1999, 05:22 AM
For those of you who are concerned about unauthorized access, there's another tool I discovered to prevent it.

It's called PortBlocker and can be picked up @ http://www.analogx.com. It has standard port blockings, PLUS you can add your own, like Ports 135 and 139 (UDP and RPC).

socalgal
12-02-1999, 08:12 AM
The whole premise of the firewall is to protect your system from remote access, like putting locks on the doors (ports). What your firewall is reporting are "knocks on the doors", and not opening these doors is the purpose of the firewall.

Before my firewall (BlackICE Defender) I used NukeNabber, which covers the default ports and allows you to assign other TCP, UDP and ICMP.

Groo, I'll have to look at that one.

seti
12-02-1999, 09:20 AM
Ok, so I'm protected... rock'n. Ha, still... every time I see that BID icon flash red in the systray, I feel dirty and violated. Alas, what a world...

reddog4629
12-02-1999, 09:34 AM
Wonder how many other folks have received that SAME letter of apology?


seti
12-02-1999, 01:10 PM
In fact the e-mail was from him directly. Guess I have another e-mail to write to that ISP. I don't have any friends here like that, however if I really wanted to pursue this, BID (firewall) keeps evidence logs. Off to write an angry e-mail.

Dave_H
12-02-1999, 09:05 PM
Seti

You complain about a possible hacker and that ISP gives that person your e-mail address? That is absolutely wrong!!!

Be careful with the detailed evidence log that Black-Ice can record. It records everything including any passwords that you type or send. Their website gives more info on this. I think it would be O.K. unless you check your mail or log on to a forum like this, or cruise nasty sites LOL.

The problem with the evidence log is that I can't find anything that will allow me to view or read it yet (something free). I downloaded 2 programs that supposedly kind of work but haven't tried either yet. (I will Fri or Sat.)

Dave

seti
12-02-1999, 09:34 PM
Well, there's two different types of logs BID records... the "evidence log" and the "packet log". The packet log is the one that records all the traffic, and by default is turned off. They recommend turning it on if you're getting a lot of attacks by the same person.

I did send an e-mail to that ISP (Telus) expressing my shock. I imagine they simply forwarded the complaint to the person... and he got it that way. What's more... I haven't even heard from Telus themselves. It makes you wonder how seriously ISPs take this. Though I suppose they might get a lot of that.

seti
12-02-1999, 09:44 PM
AND THE PLOT THICKENS. Just got this gem. Perhaps I am in error?

Hello,

I guess that my 1st e-mail back to you was misunderstood. You have e-mailed helpdesk@telusvelocity.net. I am the webadmin for this domain. I am also in direct contact with the helpdesk all the time as they are only about 20 feet away from me. I do sometimes check this mailbox if need be and reply to customer questions. I am not a customer. I am an administrator, so your e-mail message will be and has been kept secure from the general public. The type of message that you sent was sent to the incorrect account and then forwarded to me, the correct mailbox (as per your words "Hi, I'm not really sure if this is the right place to write or what."). All future messages should be directed to me, webmaster@telusvelocity.net, a.k.a. Stephen Borsellino. I assure you that the port scan was only in desperation of finding my machine on Shaw's network after rebooting the machine (I hate that DHCP server). The type of scan that was performed should have been (http on port 80) and (smtp) as this is all I configured Ipswitch's Ping Pro to scan (if it scanned more than that it did not tell me that it was doing it). My machine is averaging about 34 port scans a day and I just drop route on them. Makes for less paranoia and might be a good idea if you are worried about hackers. I hope that this resolves the mystery of how I got this message. Please also note that webmaster@telusvelocity.net and stephen.borsellino@telus.com both drop to the same mailbox. I will respond to any messages that you send. I hope that this clears up some confusion. If you would like to talk to me, you can contact me by calling 1-888-832-8222 and asking to speak to the webmaster (Steve). They will transfer you to my phone. If I am not around you can leave me a message and I will call you back a.s.a.p. I am normally around till about 6:00pm Monday to Friday.

Sincerely,

Stephen Borsellino
TELUS Multimedia Webmaster / Applications Developer

smokin1
12-02-1999, 09:59 PM
How interesting... web admin for a phone company with a cable modem... there's an irony here that escapes me... maybe you/I were hasty... heheh... being a Canuck, Telus is obviously an Alberta phone Co... did you call him?

socalgal
12-02-1999, 10:53 PM
The file 'attack-list.csv' is opened in Excel and can be read. It is also a log.

Thanks to the questions on this thread, I am also in the process of downloading NetXRay to (hopefully) read those *.enc files.

NetXray is a popular product to read tracefiles, like those generated for evidence by BlackICE. A demo version of this product can be obtained at: http://www.networkice.com/advice/support/kb/q000057/default.htm

Seti, I await the next addition to your saga
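The posters above do their triage by hand, opening attack-list.csv in Excel and eyeballing who is hitting them repeatedly. As an added example (not code from the thread, from Network ICE, or from BlackICE's real log format), the script below does the same two things mechanically over a constructed log: it finds sources that came back hours later (the "two scans 10 hours apart from his IP" observation) and collapses several addresses from one ISP into one netblock ("one ISP, four different IPs"). The CSV columns, event names and addresses are all constructed for illustration.

```python
"""Triage a per-event firewall log. Added example, not from the thread or BlackICE.
The CSV columns are constructed for illustration; they are not the real
attack-list.csv layout."""
import csv
import io
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample log (RFC 5737 test addresses): time, source IP, event, target port.
SAMPLE_LOG = """\
time,source,event,port
1999-12-01 07:12:00,192.0.2.10,SMTP port probe,25
1999-12-01 17:05:00,192.0.2.10,HTTP port probe,80
1999-12-01 18:40:00,198.51.100.7,NetBIOS port probe,139
1999-12-01 19:02:00,198.51.100.9,NetBIOS port probe,139
1999-12-01 21:30:00,198.51.100.23,Back Orifice probe,31337
1999-12-02 01:15:00,198.51.100.44,NetBus probe,12345
1999-12-02 03:00:00,203.0.113.5,TCP port scan,0
"""

def parse_log(text):
    """Read the CSV into dicts with a real datetime and an int port."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({"time": datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S"),
                     "source": row["source"], "event": row["event"],
                     "port": int(row["port"])})
    return rows

def repeat_scanners(rows, min_hours=1.0):
    """Sources seen more than once, mapped to hours between their first and last hit."""
    times = defaultdict(list)
    for r in rows:
        times[r["source"]].append(r["time"])
    result = {}
    for src, ts in times.items():
        span = (max(ts) - min(ts)).total_seconds() / 3600
        if len(ts) > 1 and span >= min_hours:
            result[src] = round(span, 1)
    return result

def by_netblock(rows, prefix=24):
    """Count distinct source IPs per /prefix so one ISP using several addresses is one entry."""
    blocks = defaultdict(set)
    for r in rows:
        blocks[str(ip_network(f'{r["source"]}/{prefix}', strict=False))].add(r["source"])
    return {net: len(ips) for net, ips in sorted(blocks.items())}
```

Feeding a real export through `parse_log` only requires matching the column names to whatever the log actually contains; the grouping functions are format-agnostic.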

Dave_H
12-03-1999, 12:28 AM
Seti
Just a thought here.

Do you have any friends in your area using the same ISP and Black-Ice?

Maybe if you both were to report these people it would make a better case to the hackers' ISP.

I'm no real expert, but the ones that concern me are:

Back Orifice scans
NetBIOS port probes
TCP port scans
Socks port probe
NetBus probe

I hope that the e-mail you received was forwarded from "Steve's" ISP. I would hate to think that they gave him your e-mail address.

Keep it up
Dave

Dave_H
12-03-1999, 02:04 AM
Seti
That guy sounds like a politician!
Can't figure out what he's trying to say

Socalgal
Let us know about reading the .enc files. I tried the program I downloaded (B-I Reader BinText.zip) and either it didn't work very well, or the .enc files are full of mostly numbers with not much info that would do me any good.

Seti,
Let us know how it goes with this guy, maybe his boss can speak English. LOL
Dave

seti
12-03-1999, 03:32 AM
Well, I think that I'm at the end of the road on this one. I mean, I think I believe him. He's either telling the truth or putting himself in a very dangerous position. He told me to call and ask for the webmaster... And no harm was done. Ha, I guess I'm getting immune to the constant attacks. Ha, and I can imagine the convo if I called him... "um, what was that? what's that?... the what" Haha, so on to the next creep. I generally just report the ones that have their name (or parents' name) as the node or group. And if the trend continues another fish will swim into the net in the next few hours. Now if only the ISPs responded to my e-mails. (I'm about 3 for 9)

Sidenote... anyone have insomnia out there? I've been up for 48 hours straight and I'm wired. Ha, and that's even coffee free (yuck). Guess the Cinnamon Toast Crunch has a lot of sugar in it or something.

socalgal
12-03-1999, 07:32 AM
After installing NetXRay, I had some problems with Netscape and 'resource' error prompts (with no details). Since NX hooks up to my NIC adapter, I removed it from my system/registry until I can study this program in more depth.

Seti, I couldn't do it without coffee. You have noticed, as I have for a while now, that to respond to every ISP from whom the attempted intrusions come would be a full-time project.

reddog4629
12-03-1999, 09:13 AM
I got BlackIce Defender 1.8.6.8. When I go to http://grc.com/x/ne.htm?rh0diylu=j4y350w3 it says my port 139 is still open! I'm on RR cable. Any suggestions?

U-96
12-03-1999, 09:30 AM
Have you thoroughly examined the instructions for unbinding the protocols on that website? It appears that you need to do that and install NetBEUI through the Network properties dialog.
I was quite surprised how complex this procedure was just to disable a simple little port, and it took me a couple of shots to get it right (after completely disabling ALL protocols... that was funny!)

U-96

reddog4629
12-03-1999, 10:17 AM
I read through all that and was scared away. I guess I'll print it all out and try to do it. Will let you know - thanks

socalgal
12-04-1999, 12:01 AM
Also, if you're not running a home network, you can go to C:\Windows\System and rename 'vnbt.386' to 'vnbt.closed'. This will close port 139. Setting up a network will recreate 'vnbt.386'.

reddog4629
12-04-1999, 02:32 AM
I just installed BlackIce to use on my cable modem. I've had 20+ "hits" in 1 day! Going to "unbind" a lot of stuff to improve my security. Go HERE (http://grc.com/su-bondage.htm) for details on how to improve it.

reddog4629
12-04-1999, 10:43 AM
Renaming vnbt.386 to vnbt.closed didn't close my port 139.

socalgal
12-04-1999, 10:50 AM
reddog - do you have a network set up? It won't work on a network - the network will recreate vnbt.386 and will open port 139 again.

reddog4629
12-05-1999, 01:36 AM
I found the problem. I went all the way back to the test site's home page and started from scratch. Must have had an old cookie or something. It reported that ALL my ports are now in STEALTH status! I only have BlackIce set for "cautious" protection. Go HERE (http://grc.com/default.htm) to test your security. And yes socalgal, I am on a cable modem.

socalgal
12-07-1999, 05:27 AM
seti, and other security enthusiasts

I just found a review, thought you might be interested in reading it.
http://www.nwfusion.com/reviews/1004rev.html

But for shops that don't have, and can't afford, resident security experts, we recommend Network ICE's BlackICE and ICEcap. They're as close to a security consultant in a box as we've seen.

reddog - glad you solved the problem!