  1.    #1  
    Hi

    I hope somebody can help me with this. I've firewall installed on my PC, (Norton Personal Firewall) and usually when I leave the computer on through the night, in the morning I would get a Security Alert telling me that firewall had blocked a Trojan.

    I've sent a screenshot of the firewall log.

    I've scanned the computer with 2 of the most recently updated popular virus scanners already, but I'm still getting this about a few times a week. I suspect some sort of calling card is on my computer, but like I said the virus scans don't find anything.

    What do you recommend I do to stop this? Or do I have to live with this?

    Thank you very much.
    I'm just a dreamer..
  2. #2  
    Have you looked into spyware?

    What are you running anyway, dial-up, cable, DSL?

    Do you have a fixed IP address?

    And no you don't have to live with it, you just have to figure out what's up. If there is a program on your computer there are several "spyware spotters" out there. Most that I've seen are free too.

    Try asking over at cybertech.com, I've seen some very tough problems solved over there. They have specific forums for each Windows OS and very knowledgeable moderators.

    Good luck. Wish I could be more helpful.

    Michael
    "I am a debtor both to Greeks and to Barbarians, both to the wise and to the foolish."
  3.    #3  
    Thanks BobbyMike, I really appreciate it, I'm using ADSL, and I don't think my IP is fixed. I'll check out cybertech.

    I forgot to mention that I did a spyware search as well, nothing.

    To be more detailed, occasionally I get an alert from the firewall telling me a program is trying to access the internet. The list of such software includes very random apps, among them:

    rnapp.exe (dial up connection, but as I'm using DSL, this isn't even qualified!)
    explorer.exe
    netscape.exe (when I'm not using it, not even in the memory)
    mplayer2.exe (media player)
    nmain.exe (norton file. I won't allow it at all)

    now, why would rnapp.exe or explorer.exe want to access the internet?? I'm doing fine with them NOT accessing the internet. And the scary part is, Netscape also wants a bit of action even if I don't have it open.

    I may have to rebuild my system, but at the moment I just can't afford the downtime. I would have to rely on firewall at the moment.

    ------------------


    Originally posted by BobbyMike
    Have you looked into spyware?
    What are you running anyway, dial-up, cable, DSL?
    Do you have a fixed IP address?
    And no you don't have to live with it, you just have to figure out what's up. If there is a program on your computer there are several "spyware spotters" out there. Most that I've seen are free too.
    Try asking over at cybertech.com, I've seen some very tough problems solved over there. They have specific forums for each Windows OS and very knowledgeable moderators.
    Good luck. Wish I could be more helpful.
    Michael
    I'm just a dreamer..
  4. #4  
    even if your ISP is not using fixed IP's, for one connection "session" your IP will be "fixed." It's better to disconnect from the 'net when not actually using it, even if you have a high-speed connection and a flat monthly fee. Typically your IP will be different the next time you connect.
    The light at the end of your tunnel has been disconnected due to non-payment. Please remit funds immediately for restoration of hope.
  5.    #5  
    Originally posted by Yorick
    even if your ISP is not using fixed IP's, for one connection "session" your IP will be "fixed." It's better to disconnect from the 'net when not actually using it, even if you have a high-speed connection and a flat monthly fee. Typically your IP will be different the next time you connect.
    I typically do restarts when the computer gets sluggish or I crash it trying to do too many things at once. restarts on average about every 2 days or less..
    I'm just a dreamer..
  6. #6  
    What I've found is that often you will get port scans by someone looking for a trojan horse installed on your computer. For instance if you write a TH called "Fred" that listens to port 7, you will broadcast from your computer to port 7 at random IPs to see if Fred responds. Then you can do your dirty work. However, a firewall will block this and log it as a problem even though there is nothing malicious on your computer, and that even if the signal had gotten through, nothing would have happened because Fred isn't there. At least that's my interpretation.
  7. #7  
    You've got me.... I'll suggest going to that site again. There are a couple of programs that will blab about all programs running on your machine. With the list in hand of said programs, some of the very knowledgeable people can help you. The people who volunteer aren't amateurs like me, they're techs that volunteer on their off time. Smart gals and guys.
    "I am a debtor both to Greeks and to Barbarians, both to the wise and to the foolish."
  8. #8  
    I run Norton Personal Firewall as well. The report indicates that someone was probing one of your ports (whichever one that particular Trojan uses) to see if the Trojan was present. It does not mean that the Trojan is present, someone is simply looking to see if it is. If the Trojan were present and you were not running a Firewall, then they could do dastardly deeds to your computer. Basically, you are fine and need to do nothing else. If the probes continually come from the same IP address, Norton's does allow you to block that computer permanently. Looking in the instructions.

    I agree that if you are not using the computer you shouldn't leave it connected to the net, even if you are paying a flat monthly fee and have a firewall. It is sort of like this. If you had a very rare sports car with an alarm system wouldn't it be safer to park it in the garage with the door closed at night than on the street? After all, someone still might steal the car or damage it despite the alarm.

    A good site with info on firewalls and security is here. Go to the ShieldsUp!! section.
    Donate Blood!!!
    Visit here to see how: America's Blood Centers
  9.    #9  
    First of all I'd like to thank Pathdoc, BobbyMike, KRamsauer and Yorick for helping me out.

    Originally posted by Pathdoc
    I run Norton Personal Firewall as well. The report indicates that someone was probing one of your ports (whichever one that particular Trojan uses) to see if the Trojan was present. It does not mean that the Trojan is present, someone is simply looking to see if it is. If the Trojan were present and you were not running a Firewall, then they could do dastardly deeds to your computer. Basically, you are fine and need to do nothing else. If the probes continually come from the same IP address, Norton's does allow you to block that computer permanently. Looking in the instructions.
    And if you look at the log, it's blocked by default, that means that this is already a built-in security to prevent trojan horses, I have no idea what might be probing the port. The log also indicates a certain pattern... note that WinCrash was used multiple times as if repeatedly trying to crash me. It did get to me once, or maybe it was a coincidence, I came back to see a blue screen.

    I was infected by T-Horses once back when I was still using dial-up but I'm not sure if the T-Horse is smart enough to know that I've completely changed ISPs considering that they (apparently) don't exist on my computer. So how can somebody just come up with a random IP address and get it correct multiple times??

    Also, nobody I know of can explain the behaviour of all the other program files that I mentioned. I'm guessing it's sort of like some super trojan horse is using these programs to disguise itself to access the internet. I can't block out some of the programs permanently because that would stop them from working (i.e., Netscape).

    Originally posted by KRamsauer
    What I've found is that often you will get port scans by someone looking for a trojan horse installed on your computer. For instance if you write a TH called "Fred" that listens to port 7, you will broadcast from your computer to port 7 at random IPs to see if Fred responds. Then you can do your dirty work. However, a firewall will block this and log it as a problem even though there is nothing malicious on your computer, and that even if the signal had gotten through, nothing would have happened because Fred isn't there. At least that's my interpretation.
    Let's hope that is true.

    I'm checking out all your suggested sites now. Thanks again.
    I'm just a dreamer..
  10.    #10  
    Well just tested the Norton Firewall on the LeakTest in the GRC site. ( http://www.grc.com./lt/leaktest.htm )

    IT LEAKS! And it does so almost immediately.
    I'm just a dreamer..
  11. #11  
    The best firewall is still ZoneAlarm.
  12. #12  
    With regards to your original LOG... notice that what happened was a packet was blocked on an incoming TCP connection, also notice that the attempt was blocked.

    So 1 of 2 things here. Either some little script kiddie was scanning a block of computers for a vulnerability (which you DON'T have - obviously the firewall blocked the attempt). Or someone else's computer, unbeknownst to them, has been infected and is automatically looking for others to infect.

    However, as people have already said - your firewall did what it was supposed to do.

    If it makes you feel any better, my webserver usually gets maliciously constructed packets on the order of a few an hour... sometimes a few a minute. However, since I'm not running IIS (a microsoft webserver) they are all simply entries in a log capturing all errors. Basically the same thing as you've got.

    <shameless linux plug> heh... With regards to firewall... got to disagree... ipchains/iptables work JUST fine.. </end shameless linux plug>
    Last edited by dannoz; 01/15/2003 at 01:16 AM.
  13.    #13  
    Originally posted by dannoz
    If it makes you feel any better, my webserver usually gets maliciously constructed packets on the order of a few an hour... sometimes a few a minute. However, since I'm not running IIS (a microsoft webserver) they are all simply entries in a log capturing all errors. Basically the same thing as you've got.
    It DOES make me feel better, thanks.

    But I don't think that explains why some of my apps are behaving weirdly? The list also includes Eudora trying to access the internet even if I don't have it open..


    <shameless linux plug> heh... With regards to firewall... got to disagree... ipchains/iptables work JUST fine.. </end shameless linux plug>
    Eh
    I'm just a dreamer..
  14. #14  
    Originally posted by Digisane
    The list also includes Eudora trying to access the internet even if I don't have it open..
    this is a wild shot in the dark. I think Eudora might be configured to check for messages every so often; it's probably a background task separate from the actual email program. Then it can alert you that you have new mail and you'll go open your email software.
    Again, theory only, because I have a Mac and my email only checks for mail while it's open, and every time I have a Windows-based computer at a job the email soft is always open and the network connection always on, so this has never happened to me. (But they say it happens to lots of guys. )
    The light at the end of your tunnel has been disconnected due to non-payment. Please remit funds immediately for restoration of hope.
  15. #15  
    Originally posted by cywong
    The best firewall is still ZoneAlarm.
    The best firewall is still, and always will be, a separate box.

    Despite what these software vendors claim, as long as you maintain open ports, you're open to attack, and if you need to share resources (like printers), you have to maintain open ports.

    Given that a separate firewall box can be purchased for as little as $99 now (some of which will include direct cable/DSL hookups and multiple RJ45 connections), there's really no reason today not to have a separate firewall box.
    It's gotta be weather balloons. It's always weather balloons. Big, fiery, exploding weather balloons.
    -- ComaVN (from Slashdot)
  16. #16  
    Based on your attached log, the probe in question is inbound, and it is blocked - so what is the problem?
    It appears that you are just being scanned for that particular trojan, which is not present on your system.
    I leave my PCs up most of the time, and I see hundreds, if not thousands of scans, it is just a fact of life on the Internet...
    Keep your anti-virus defs up to date, and run tests on your firewall, and that is about all you can do.
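An added example, not written by anyone in this thread: a small Python triage script that reads a personal-firewall log and separates the blocked inbound probes (which Pathdoc, dannoz and larryk above describe as harmless background noise) from outbound connection attempts by local programs (the part Digisane actually wants to review), and flags any source address that probes repeatedly, since Pathdoc notes NPF can permanently block a persistent source. The log lines, their layout, the addresses, ports and rule names are all constructed for this example; it is a simplified format, not Norton Personal Firewall's real log layout, so the regex would need adjusting for a real export.

```python
"""Triage a personal-firewall log: count blocked inbound probes per source and
per rule, list outbound attempts per program, flag repeat probers."""
import re
from collections import Counter

# Constructed sample log in a made-up, simplified format (NOT Norton's real
# layout). Addresses are from documentation ranges; ports are arbitrary.
SAMPLE_LOG = """\
2003-01-14 02:11:05 Blocked Inbound TCP 203.0.113.7:4521 -> 192.0.2.10:5001 rule="Default Block WinCrash"
2003-01-14 02:11:06 Blocked Inbound TCP 203.0.113.7:4522 -> 192.0.2.10:5001 rule="Default Block WinCrash"
2003-01-14 02:11:07 Blocked Inbound TCP 203.0.113.7:4523 -> 192.0.2.10:5001 rule="Default Block WinCrash"
2003-01-14 03:40:12 Blocked Inbound TCP 198.51.100.44:1025 -> 192.0.2.10:5002 rule="Default Block Trojan Probe"
2003-01-14 08:02:30 Allowed Outbound TCP 192.0.2.10:1042 -> 198.51.100.9:80 program="netscape.exe"
2003-01-14 08:02:31 Prompt Outbound TCP 192.0.2.10:1043 -> 198.51.100.9:80 program="explorer.exe"
2003-01-14 08:05:00 Prompt Outbound UDP 192.0.2.10:1044 -> 198.51.100.9:53 program="rnapp.exe"
2003-01-14 08:06:15 Prompt Outbound TCP 192.0.2.10:1045 -> 198.51.100.20:110 program="eudora.exe"
this line is deliberately malformed and must be skipped, not crash the parser
"""

# One regex for the constructed format: timestamp, action, direction, protocol,
# src:port -> dst:port, then an optional rule="..." and/or program="..." field.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<action>Blocked|Allowed|Prompt) (?P<dir>Inbound|Outbound) '
    r'(?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)'
    r'(?: rule="(?P<rule>[^"]*)")?(?: program="(?P<program>[^"]*)")?\s*$'
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def summarize(log_text, repeat_threshold=3):
    """Aggregate a whole log. Blocked inbound traffic is counted by source IP and
    by rule name; outbound traffic is counted by the program that initiated it.
    Any source with >= repeat_threshold blocked probes is reported separately."""
    blocked_by_src = Counter()
    blocked_by_rule = Counter()
    outbound_by_program = Counter()
    skipped = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue  # blank lines are not an error
        rec = parse_line(raw)
        if rec is None:
            skipped += 1  # malformed line: count it so the reader knows data was dropped
            continue
        if rec["dir"] == "Inbound" and rec["action"] == "Blocked":
            # Inbound and blocked: the firewall did its job; only the pattern matters.
            blocked_by_src[rec["src"]] += 1
            blocked_by_rule[rec["rule"] or "(no rule)"] += 1
        elif rec["dir"] == "Outbound":
            # Outbound: this is the list of local programs that wanted the network.
            outbound_by_program[rec["program"] or "(unknown)"] += 1
    repeat_sources = sorted(ip for ip, n in blocked_by_src.items() if n >= repeat_threshold)
    return {
        "blocked_inbound_total": sum(blocked_by_src.values()),
        "blocked_inbound_by_src": dict(blocked_by_src),
        "blocked_inbound_by_rule": dict(blocked_by_rule),
        "outbound_by_program": dict(outbound_by_program),
        "repeat_sources": repeat_sources,
        "skipped_lines": skipped,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print(f"Blocked inbound probes: {s['blocked_inbound_total']} (already stopped by the firewall)")
    for rule, n in s["blocked_inbound_by_rule"].items():
        print(f"  rule {rule!r}: {n}")
    print(f"Sources probing repeatedly (candidates for a permanent block): {s['repeat_sources']}")
    print("Programs that tried to reach the network (review each one):")
    for prog, n in s["outbound_by_program"].items():
        print(f"  {prog}: {n}")
    print(f"Malformed lines skipped: {s['skipped_lines']}")
```

The split by direction is the whole point: everything in the inbound-and-blocked bucket is the scanning noise the later posts describe, and only the outbound bucket contains the per-program question (does netscape.exe or rnapp.exe have any business talking to the network right now?) that the scanners cannot answer for you.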
  17.    #17  
    Originally posted by larryk
    Based on your attached log, the probe in question is inbound, and it is blocked - so what is the problem?
    It appears that you are just being scanned for that particular trojan, which is not present on your system.
    I leave my PCs up most of the time, and I see hundreds, if not thousands of scans, it is just a fact of life on the Internet...
    Keep your anti-virus defs up to date, and run tests on your firewall, and that is about all you can do.
    The other 2 things that worry me are the fact that my programs at random behave strangely, wanting to access the internet at random times (read previous posts),


    And Norton firewall has 2 weeks ago stopped asking me whether to allow cookies, even though I have set it this way deliberately (my security setting has been on the highest ever since). I just checked, it still is.

    It used to be that I get lots of prompts asking me whether to allow a cookie or not. Now, even when entering an unknown site which I believe should have some cookies some way or another, it didn't bother to prompt me.

    Either I have already block filtered all the bad cookies in the whole of Internet (impossible) or NPF (Norton Personal Firewall) just got lazy and fell asleep on its job.

    Now it felt like a complete waste of money on NPF. Where do I get Zonealarm.

    I'm sorry for sounding so paranoid but I'm somewhat new to firewall systems. Especially when things don't go as expected (didn't ask what to do with cookies when it should, and Solitaire trying to access the internet)
    I'm just a dreamer..
  18. #18  
    Originally posted by Digisane
    I'm sorry for sounding so paranoid but I'm somewhat new to firewall systems. Especially when things don't go as expected (didn't ask what to do with cookies when it should, and Solitaire trying to access the internet)
    A bit of big picture advice: backup your data and don't worry too much. Take prudent measures (which you've done) but don't let it bug you.
