
Thread: Remote grab trojan detected...

  1. #16
    Member
    Join Date
    Aug 2001
    Location
    Cornwall,UK
    Posts
    408
    OK guys, I know I'm going a bit off subject now (so mods feel free to move as required).

    How do I get all my ports to show as stealthed? A few are but most are closed.

    I am running my PC behind a software internet security package (Norton) and have a 4 port router/modem. The router is very basic and didn't have much in the way of documentation...trial and error setting it up...I'm sure I enabled the router's firewall...

    The grc tests all came through as ok but some of the PCflank tests said I was at risk. The PCflank test said about installing Outpost Pro....

    Have I missed something in NIS?
    Last edited by jotto; 03-06-2005 at 12:07 PM.

  2. #17
    Ultimate Member Rocketmech's Avatar
    Join Date
    May 2001
    Location
    Corpus Christi, Texas
    Posts
    5,739
    I just ran all the tests on an XP/SP2 PC behind a Linksys router w/ NAT and SPI firewall, and with only XP's Firewall as added protection. Using Mozilla's Firefox as the browser, the system passed all but the browser test because I don't have cookies disabled or tracking deterred. Which is no big deal if you're not spastic about your privacy.
    NIS behind a NAT router should be very tight. What did you not pass?

  3. #18
    Member
    Join Date
    Aug 2001
    Location
    Cornwall,UK
    Posts
    408
    From PCFlank site, QUICK TEST shows:-

    Warning!
    The test found visible port(s) on your system: 1080, 3128

    Warning!
    The test found visible ports on your system: 27374, 12345, 1243, 31337, 12348.
    The following Trojans use these ports: SubSeven, NetBus, SubSeven, Back Orifice, BioNet
    Although these ports are visible, they are not open, so your system is not infected. However, having visible ports on your system means your computer can be "seen" over the Internet. This makes it very easy for skillful intruders to explore your system.

    Danger!
    While visiting web sites your browser reveals private information about you and your computer. It sends information about previous sites you have visited. It may also save special cookies on your hard drive that have the purpose of directing advertising or finding out your habits while web surfing

    STEALTH TEST shows all TCP ping packet, TCP NULL packet, TCP FIN packet, TCP XMAS packet, UDP packet as being non stealthed...."Non-stealthed" - Means that your system (firewall) responded to the packet we have sent to it. What is more important, is that it also means that your computer is visible to others on the Internet that can be potentially dangerous.

    BROWSER TEST, Results of the test:
    Cookies check, Your computer may save special cookies on your hard drive that have the purpose of directing advertising or finding out your habits while web surfing. Referrer check, While visiting web sites your browser reveals private information (called 'referrer') about previous sites you have visited.

    TROJAN TEST shows all ports as closed but not stealthed.

    ADVANCED PORT SCANNER shows first 7 ports as stealthed, next 7 closed.

    EXPLOITS TEST, Exploits test, Your system successfully defended itself from this attack! (HOORAY!)

    So no major gaping holes or ports open. Is it possible to run with all ports stealthed or is that just being too picky? I use AOL and IE as my browsers..I know things like Mozilla's Firefox might help.

  4. #19
    Ultimate Member Rocketmech's Avatar
    Join Date
    May 2001
    Location
    Corpus Christi, Texas
    Posts
    5,739
    Yes, something is amiss with NIS then. Since I don't use NIS I can't advise. There's a few experienced Sysopt users that can help. I'll see if I can't solicit their help. Meantime pick up the manual and read it. Setting it to stealth mode should be relatively easy.

  5. #20
    Ultimate Member Rocketmech's Avatar
    Join Date
    May 2001
    Location
    Corpus Christi, Texas
    Posts
    5,739
    What version of NIS are you using, and is the subscription renewed?

    What brand, model and version of router do you have?

    Try resetting NIS to default settings. Also, try running the Security Check to see if it will be helpful.

  6. #21
    Hail to the Victors dajogejr's Avatar
    Join Date
    May 2003
    Location
    Metro-Detroit
    Posts
    5,224
    First off....
    as RM said. Make sure you're up to date.
    Are your services within NIS all turned on?
    Have you created any exceptions or rules?

    And...have you tried another site, like DSL Reports?

    Never heard of PC Flank.

    Not saying they're not correct...but, DSL Reports is the benchmark as far as I'm concerned.

    Also...when you ran this test...did Symantec give you any warning pop ups?

    I'd remove all allowed access from Symantec's NIS, and start over. Yes, it's going to be a pain to re-train NIS...but, better safe than sorry.

    Also...how many PCs/devices hooked to your router?

    Sorry...I don't have time to rescan the whole post if this is already answered...

  7. #22
    Member
    Join Date
    Aug 2001
    Location
    Cornwall,UK
    Posts
    408
    Using NIS 2005 fully up to date behind a SAMR 4114 router. Tried the Norton security check and each time it starts the test and after a few mins tells me the site isn't responding (Norton site tells me this, not the blank white MS IE web site not responding page). All NIS is set to defaults, only allows are for a few games HL2, BF1942, Trillian, messenger, IE, Outlook, Symantec.....

    Dslreports...tests run but then when I hit results button, nothing happens.
    No pop ups from NIS warning of any probing...quite worrying...
    Not much to remove from allowed list so can do...
    From router's internal home page,
    BootCode Version: BC_CX82xxx_4.1.0.21
    Firmware Version: CX82xxx_4.1.0.21
    Customer Software Version: ARTCX-CSC.080304.00FA

    My PC, son's PC sometimes and wife's laptop sometimes connected to router.

    Have had a quick look at THIS LINK but am a little confused.
    Last edited by jotto; 03-07-2005 at 05:45 PM.

  8. #23
    Hail to the Victors dajogejr's Avatar
    Join Date
    May 2003
    Location
    Metro-Detroit
    Posts
    5,224
    Anything funny in your host file, per chance?

  9. #24
    Member
    Join Date
    Aug 2001
    Location
    Cornwall,UK
    Posts
    408
    no, just the initial MS garb and then the only entry of 127.0.0.1 localhost

  10. #25
    Hail to the Victors dajogejr's Avatar
    Join Date
    May 2003
    Location
    Metro-Detroit
    Posts
    5,224
    Hmmm...I would check within Symantec's site for help with NIS...

    Not sure from there...sorry, Jotto.

  11. #26
    Member
    Join Date
    Aug 2001
    Location
    Cornwall,UK
    Posts
    408
    I tried disabling/turning off the Norton firewall, then installed Kerio (v2.15 I think) and then Outpost Pro....All give same results. Few ports stealthed, remainder closed.

    On each occasion, all I allowed was IE and AOL as far as I could see.

    Will try the router, resetting to default and starting again....

  12. #27
    Member Prushka's Avatar
    Join Date
    Apr 2004
    Location
    Within the Order of Chaos
    Posts
    411
    I use Sygate, but I would think you'd have applications and a setting choice of allow-ask-block.

    I have only 'allowed' antivir-guard and IE,
    most stuff on 'ask',
    and several 'blocked'.

    Did you get any help from the MS services sites?
    I have a number disabled, but you'll have to feel it out for yourself.

    May want to take a screen shot before making any changes or pen and paper...wait I'm getting a cramp already.

    Hope ya find answer.

  13. #28
    Junior Member
    Join Date
    Jan 2001
    Location
    Lewisville, TX 75057
    Posts
    28

    What device is being scanned?

    Is it possible that the open ports that the scans are seeing are on the router? I use a Linux system for NAT routing, firewall, etc., on my home network, and there is a similar system where I work.
    When I do a port scan from my home network, the ports that are being scanned are on the single IP address that is exposed to the internet - the Linux system, which is the default gateway for all the other systems. It works the same at my office.
    Maybe you should try connecting your computer directly to your broadband connection and re-running a couple of those scans to see if they come up with different results.
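
The closed/stealthed distinction that the PCFlank results in this thread turn on, as an added example that is not part of any post: a TCP port is "closed" when something answers the connection attempt with a refusal, and "stealthed" when nothing answers at all. The function names and the injectable `connect` parameter are assumptions of this example; the "stealthed" case is simulated because a loopback address never drops packets silently. As post #28 points out, run from outside against a NAT connection, the answer describes whichever device holds the public address.

```python
import socket


def classify_port(host, port, timeout=2.0, connect=socket.create_connection):
    """Classify one TCP port on a host you administer.

    open      - the handshake completed, a service is listening
    closed    - the attempt was refused (a reset came back), so the host is visible
    stealthed - no reply before the timeout, the packet was dropped silently
    """
    try:
        conn = connect((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealthed"
    conn.close()
    return "open"


def loopback_demo():
    """Produce all three states on 127.0.0.1 without touching the network."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))      # port 0: let the OS pick a free port
    listener.listen(1)
    open_port = listener.getsockname()[1]

    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                        # nothing listens on this port now

    def dropped(address, timeout):
        # Constructed stand-in for a firewall that discards the SYN unanswered.
        raise socket.timeout("no reply")

    try:
        return {
            "listening service": classify_port("127.0.0.1", open_port),
            "no service, host replies": classify_port("127.0.0.1", closed_port),
            "packet dropped": classify_port("127.0.0.1", closed_port, connect=dropped),
        }
    finally:
        listener.close()


if __name__ == "__main__":
    for case, state in loopback_demo().items():
        print(f"{case}: {state}")
```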
