
BLACK ICE TROJAN HORSE?


jad1097
12-15-1999, 08:48 PM
I just got probed by a UDP trojan horse probe! What do I do? I got the person's IP address 24.112.16.114 thanks to Black Ice. I am glad I took everyone's advice and got it. Now what do I do????? Also their DNS is cr398072-b.on.wave.home.com. Should I send this info to my ISP? They are @home.com; I guess this person is also on @home because of the DNS.

socalgal
12-15-1999, 09:03 PM
This is a fairly common hit you will get (I get a lot of the UDP Trojan Horse probes). It's pretty exciting (scary?) at first, but you'll get used to it.

If you want to report the attempt to the "hacker's" ISP, follow these instructions. http://www.networkice.com/Advice/Support/KB/q000016/default.htm

When I started submitting, I just sent in the 'attack-list.csv' (this file lists the time and date of the attack, and contains parameters about the attack).

You may want to also read:
http://www.networkice.com/Advice/Support/KB/q000040/default.htm

Actually it's a good idea to take the time to read thru the KB - there's a lot of info there.

Also, you can download the BlackICE Defender user manual from
http://www.networkice.com/support/docs.htm

dang! keyboard


jad1097
12-15-1999, 09:11 PM
Thanks socalgal. I went to their site, just clicked on the advice link in Black Ice. I am going to report this person. And I will read the KB. You're right, it is scary. I will also download the manual.
Thanks again

seti
12-16-1999, 03:41 AM
Tattle on his ****!!!!!! @home has a special e-mail address for reporting breaches in their acceptable use policy. I found mine at my @home provider's (shaw@home) website (www). As for whether it does any good...I really don't know. I have reported twice to @home, and realized they have an automated reply to these e-mails. So, what really happens is unknown to me. I imagine they work on some sort of x amount of strikes and then they start investigating things. So my advice would be to report repeat scanners. My first few days with BlackICE were like watching Saving Private Ryan, just jaw-dropped disbelief. Wondering what was going on before I put the firewall up. I only get a few hits a day now...it's weird.
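The "report repeat scanners" advice above, as an added example (not code from the thread or from Network ICE): it aggregates a constructed attack list by source address and suggests the ISP domain from the reverse DNS name. The column layout is assumed; the thread never shows the real attack-list.csv format.

```python
"""Find repeat scanners in a BlackICE-style attack list (added example).

The CSV columns below are an assumption for this demo, not the real
attack-list.csv layout. Sample rows are constructed; only 24.112.16.114
and its DNS name come from the thread.
"""
import csv
import io
from collections import defaultdict

# Constructed sample: timestamp, source IP, reverse DNS (may be empty), attack name.
SAMPLE_ATTACK_LIST = """\
time,src_ip,src_dns,attack
1999-12-15 20:40:11,24.112.16.114,cr398072-b.on.wave.home.com,UDP trojan horse probe
1999-12-15 21:02:37,24.112.16.114,cr398072-b.on.wave.home.com,UDP trojan horse probe
1999-12-16 03:15:09,203.0.113.7,,NetBIOS port probe
1999-12-16 09:48:50,24.112.16.114,cr398072-b.on.wave.home.com,UDP trojan horse probe
1999-12-16 10:05:42,198.51.100.23,host23.example.net,NetBIOS port probe
"""


def load_events(csv_text):
    """Parse the CSV text into a list of row dicts keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def repeat_scanners(events, min_hits=2):
    """Return {src_ip: {"hits", "dns", "attacks"}} for sources seen min_hits or more times."""
    by_ip = defaultdict(lambda: {"hits": 0, "dns": "", "attacks": set()})
    for ev in events:
        rec = by_ip[ev["src_ip"]]
        rec["hits"] += 1
        rec["dns"] = ev["src_dns"] or rec["dns"]   # keep a name if any row had one
        rec["attacks"].add(ev["attack"])
    return {ip: rec for ip, rec in by_ip.items() if rec["hits"] >= min_hits}


def abuse_contact_hint(src_dns):
    """Guess the ISP domain from the last two DNS labels (e.g. home.com); '' if unknown.

    This is only a hint for where to look; a real report should confirm the
    abuse contact through WHOIS rather than trust reverse DNS alone.
    """
    labels = [p for p in src_dns.strip(".").split(".") if p]
    return ".".join(labels[-2:]) if len(labels) >= 2 else ""


if __name__ == "__main__":
    for ip, rec in repeat_scanners(load_events(SAMPLE_ATTACK_LIST)).items():
        print(ip, rec["hits"], "hits", "report to:", abuse_contact_hint(rec["dns"]))
```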

pickel
12-16-1999, 06:59 AM
Socalgal: Do I need the 'Black Ice'? If I do I'll get it. I connect thru Bellsouth.net; does this kind of connection, since it goes thru a server and not a direct hook up, shield you from the hackers, etc...? I keep our virus protection up to date and try to avoid sites I feel might be 'contagious'. Thanks
Felix Avidad and Bon Ani

The pickel

seti
12-16-1999, 07:09 AM
What kind of connection is it? Do you have a dynamic or static IP address? If you have the former...then just making sure all your ports are closed should suffice. But if you have the latter, a firewall is peace of mind.

socalgal
12-16-1999, 07:30 AM
To be sure BID is doing its job, go to ShieldsUp http://www.grc.com/x/ne.htm?bh0bkyd2 Once there, request that the site "Test My Shields" and "Probe My Ports".

You could also request a scan by Secure-Me.net at http://www.secure-me.net/r3/dsl/secureme_go

pickel - Go to the same sites linked above and check out your system. If you have a DSL/cable connection w/static IP, you'll want a firewall, whether it's BID or another. I have DSL on a dynamic IP and even so I find myself more protected using BID.

Another good read is http://www.networkice.com/Advice/default.htm

The latest release 1.8.6.11 includes the recent filter failure patch.


alpha
12-16-1999, 10:57 AM
Um, what the hell is black ICE?

U-96
12-16-1999, 02:30 PM
It's a personal firewall, and one which has gained popularity on this board thanks to the efforts of Steve Gibson at www.grc.com (http://www.grc.com), whose website probes your PC and lets you, the paranoid user, know how vulnerable you are.
www.networkice.com (http://www.networkice.com) for more info on this product. I think it's $40 for the download, but by all accounts, it's worth it.

Which is why I'm posting.

I'm on a dialup modem connection in the UK, with a dynamically assigned IP through my ISP. Is BlackICE going to be of any benefit to me? I'm online for 25+ hours per week, and I'm sure I'd take great satisfaction in sending those logs to other ISPs...

U-96

richamies
12-16-1999, 02:33 PM
I have a copy of SubSeven kicking around somewhere if you want to get your own back on him....control his machine and kill his files

Not advising you to do that, but the program is here if you want to "experiment"

lol

smokin1
12-16-1999, 07:30 PM
Hi U-96...I personally feel you could save yourself the $40 if you have a dynamic IP and the usage you describe...a firewall is most useful for an always-on, static IP...you are basically a sitting duck in that scenario...there are programs out there like Nukenabber for while you are on-line..or maybe Jammer... look for puppets place
to avoid problems from potentially malicious web sites you may want to use a proxy while on line...this will show an IP different from your own as you surf www.dynamsol.com (http://www.dynamsol.com) http://jammer.comset.net
2c
dang brain!

Swarozyc
12-17-1999, 04:37 AM
Reporting is pretty useless because if there was no damage to your files they may give him (her?) a warning, but that's all.
I don't suggest 'getting back on him'. If you want to experiment with 'cracking' try to attack your friend's computer (with his permission of course:~)
Toolwise, I have to say that SubSeven is a pretty useless prog; you are much better off using S.A.T.A.N. (UNIX & LINUX)

Pat Kennedy
12-17-1999, 11:00 PM
I did the scan @ http://www.grc.com/x/ne.htm?bh0bkyd2 and I got the two following messages.

- Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
- Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.


Not bad, eh? I guess I don't need BID. If anyone has thoughts / replies to this I would appreciate it if you were to e-mail me with a copy of your post. I'm going to be in New Jersey and Norway until Christmas.

Pat
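The ShieldsUp wording above (a refusal vs. no answer at all) maps directly onto what a TCP connect() returns. This added example, not code from the thread or from grc.com, classifies a port as open, closed or stealth by that rule and demonstrates it against a throwaway listener on the loopback interface.

```python
"""Classify how a TCP port answers, the way the ShieldsUp text describes it.

Added example. Plain connect() semantics: success = open (SYN/ACK),
refusal = closed (RST: the host exists, nothing listens), no answer before
the timeout = stealth/filtered, any other socket error = unreachable.
"""
import socket


def classify_tcp_port(host, port, timeout=2.0):
    """Return 'open', 'closed', 'stealth' or 'unreachable' for host:port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"              # SYN answered with SYN/ACK
    except ConnectionRefusedError:
        return "closed"            # SYN answered with RST
    except socket.timeout:
        return "stealth"           # no reply of either kind: ShieldsUp's "full stealth"
    except OSError:
        return "unreachable"       # e.g. no route to host, not a port state
    finally:
        s.close()


def demo_local():
    """Show 'open' then 'closed' against a listener the demo creates and tears down."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))   # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = classify_tcp_port("127.0.0.1", port)
    listener.close()                  # nothing listens now, so the kernel sends RST
    after_close = classify_tcp_port("127.0.0.1", port)
    return while_open, after_close


if __name__ == "__main__":
    print(demo_local())
    # From outside your network, your own NetBIOS port should come back
    # 'stealth' (firewalled) or at worst 'closed'; the address is a placeholder:
    # print(classify_tcp_port("<your public IP>", 139))
```

A loopback test can never show 'stealth', since the local kernel always answers; that result only appears when a firewall in the path drops the SYN, which is what the ShieldsUp report on port 139 is describing.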

daveleau
12-17-1999, 11:25 PM
I have BlackIce and have not been hacked yet but am glad for the peace of mind. I just wonder what BI will do when I do get attacked. Is there some sort of alarm or what? I tried connecting to netice but the server has been down...
dave

daveleau
12-17-1999, 11:33 PM
BTW- that probe above showed me openings before I got BlackIce and now I am in total stealth mode. And BlackIce gave me detailed info on the probe address of the hacker (shields up probe) and stopped the probe in its tracks. I like this program a lot!!!

alpha
12-18-1999, 11:36 AM
I'm with a dynamic IP, so I'm not so bad. I might have a shot at cracking though

bulb
12-19-1999, 01:45 AM
anyone know of a site offering either shareware or trial versions of decent firewalls?

-m@

smokin1
12-19-1999, 06:57 AM
Sybergen has a trial version of their product called Syshield here www.sybergen.com (http://www.sybergen.com)

daveleau
12-22-1999, 10:21 AM
Do not download M$ Windoze 98 updates b/c they will corrupt your BID program and render it useless.
Dave

seti
12-22-1999, 10:55 AM
Dave, that issue is covered in the BI update. If for some reason that doesn't work, you can add the ip 0.0.0.0 into the trusted list to get rid of BI reporting those.

socalgal
12-22-1999, 11:07 AM
seti is correct, BID has released the 'filter failure' patch and the updated build number is 1.8.6.11.

daveleau
12-23-1999, 02:29 AM
Yep- I had an evaluation copy that I have been using for the past week and could not get the patch with the key it used. I bought the program, downloaded the patch and all is well. I was hacked 6 times WITH MY DYNAMIC IP address and all. I don't know how effective that reasoning is. I had one false hack, one guy from Europe, a guy from Georgia and several others from other locales that were not false. Very surprising and a bit scary. This seems to be an essential program that few know about.

seti
12-23-1999, 07:29 AM
Well, if you keep in mind that these scanners generally are scanning a very broad range of IPs....they generally just look for the 10% of Windows systems that have port 139 open and easier targets like that. So if you set your bindings right, and close all your ports, it's unlikely a scanner will pursue getting into your system. But once again...there's the whole peace of mind thing. I've gone from being scared every time BI flashes to interested to see where the person is from and what he's trying to accomplish. Lately I really haven't had too many attacks at all....maybe all the kids are too busy playing UT or Q3 now-a-days.

commodsquad
12-23-1999, 01:48 PM
got this in the FAQs at secure-me.net about NukeNabber..... http://www.secure-me.net/r3/dsl/securefaq/1/11
"NukeNabber (A windows anti-hack utility) is almost certainly not enough, indeed I regard it as counterproductive. What NukeNabber does is listen on a set of ports you define, and report on attempted access to them. What it does not do, however, is catch the packets before they are processed by your operating system. It also makes a rather boring PC look suddenly interesting, since common 'hackable' services suddenly _seem_ to be open on that PC. This is akin to taunting a hacker, and unless you are very sure of your security, is risky, as it is inviting denial of service type attacks from the annoyed bad-guy, attacks that NukeNabber will not deal with well."

daveleau
12-24-1999, 12:51 AM
That might make NN a good program to use in tandem with BID. Is that a fair assumption?