You've got a target on your back

by Preston Gralla

As I noted in my last weblog, to use the Internet is to be a potential victim.

But until I installed a logging program called LinkLogger that builds reports from the router logs of my home network, I had no idea of just how constantly we're all under attack.

I've been running the software for just about a week, and the results are startling. On just one PC on my network, there have been an average of about 80 to 90 attempted attacks or probes a day. Here's what else the software shows me:

  • The most common probe is one that looks via port 901 for the NetDevil Trojan on my system, so the prober can try to control my PC.

  • Second most prevalent is a probe of port 4899, looking for remote administration software for controlling my PC.

  • Tied for third place are the infamous MyDoom, called by some the fastest-spreading email worm of all time, scanning on port 3127, and the SQL Slammer worm on port 1434, looking for vulnerable Microsoft SQL Server or MSDE systems.

  • Most of the probes are single attempts, or two or three attempts by the same person. But some people stay around a long time, or make repeated tries, with one person trying 66 times to break in.
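The tallies above are what a log reporter produces from a router's firewall records: group dropped connections by destination port, attach a name to the ports known to belong to backdoors and worms, and count how many times each source comes back. The script below is an added example, not LinkLogger's code or its real log format; it parses a few constructed syslog-style firewall lines (the format, the hosts and the port-to-name table are assumptions for the example, using the ports named in the post), builds the same kind of summary, and also keeps inbound and outbound records apart, because a blocked outbound attempt from your own PC toward a backdoor port is the case that suggests an infection rather than a passing probe.

```python
import re
from collections import Counter

# Assumed port-to-name table, built from the ports named in the post.
PORT_LABELS = {
    901: "NetDevil trojan probe",
    4899: "remote administration (Radmin) probe",
    3127: "MyDoom backdoor probe",
    1434: "SQL Slammer / MSDE probe",
}

# Constructed sample log lines in a simplified router/firewall syslog style
# (not LinkLogger's real output). Addresses are documentation ranges.
SAMPLE_LOG = """\
Oct  6 21:14:03 router kernel: DROP IN  SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3421 DPT=901
Oct  6 21:14:09 router kernel: DROP IN  SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3422 DPT=901
Oct  6 21:20:45 router kernel: DROP IN  SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=1055 DPT=4899
Oct  6 21:31:12 router kernel: DROP IN  SRC=198.51.100.23 DST=192.0.2.10 PROTO=TCP SPT=2200 DPT=3127
Oct  6 21:31:13 router kernel: DROP IN  SRC=198.51.100.23 DST=192.0.2.10 PROTO=UDP SPT=2201 DPT=1434
Oct  6 21:40:00 router kernel: DROP IN  SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=3423 DPT=901
Oct  6 21:41:30 router kernel: ACCEPT OUT SRC=192.0.2.10 DST=198.51.100.99 PROTO=TCP SPT=6346 DPT=6346
Oct  6 21:42:02 router kernel: DROP OUT SRC=192.0.2.10 DST=203.0.113.77 PROTO=TCP SPT=4100 DPT=3127
"""

# One firewall record: action, direction, endpoints, protocol and ports.
LOG_RE = re.compile(
    r"(?P<action>DROP|ACCEPT)\s+(?P<dir>IN|OUT)\s+"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)\s+"
    r"SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Turn raw log text into a list of event dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["spt"] = int(ev["spt"])
        ev["dpt"] = int(ev["dpt"])
        events.append(ev)
    return events


def label_for(port):
    """Name a destination port if it is in the table, else fall back to the number."""
    return PORT_LABELS.get(port, f"port {port} (unlabelled)")


def summarize(events, repeat_threshold=3):
    """Count probes by label and direction, track repeat sources, flag outbound hits."""
    inbound = Counter()
    outbound = Counter()
    per_source = Counter()
    outbound_alerts = []
    for ev in events:
        label = label_for(ev["dpt"])
        if ev["dir"] == "IN":
            inbound[label] += 1
            per_source[ev["src"]] += 1
        else:
            outbound[label] += 1
            # Our own host trying to reach a known backdoor/worm port is the
            # pattern worth investigating, whether or not the router dropped it.
            if ev["dpt"] in PORT_LABELS:
                outbound_alerts.append((ev["dst"], ev["dpt"], label))
    # Sources that keep coming back, like the "66 tries" case in the post.
    persistent = {src: n for src, n in per_source.items() if n >= repeat_threshold}
    return {
        "inbound_by_label": inbound,
        "outbound_by_label": outbound,
        "repeat_sources": dict(per_source),
        "persistent_sources": persistent,
        "outbound_alerts": outbound_alerts,
    }


if __name__ == "__main__":
    report = summarize(parse_log(SAMPLE_LOG))
    for label, n in report["inbound_by_label"].most_common():
        print(f"inbound  {n:3d}  {label}")
    for src, n in report["persistent_sources"].items():
        print(f"repeat source {src}: {n} attempts")
    for dst, port, label in report["outbound_alerts"]:
        print(f"OUTBOUND to {dst}:{port} ({label}) - check this host")
```

Run against a real router export, only the `LOG_RE` pattern and the port table would need adjusting; the grouping and the inbound/outbound split stay the same. Inbound counts tell you how noisy the Internet is; the `outbound_alerts` list is the one that should normally be empty on a clean machine.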

I use NAT on my network, the ZoneAlarm firewall, and anti-virus and anti-spyware software, so I haven't been victimized. And most of the probes are most likely sent by script kiddies running automated scans against many thousands of PCs, not targeting my system in particular.

Still, it's sobering to see. Intrusion attempts have become the background radiation of the Internet, and so these days, you'd better wear a lead suit when you log on.

Have you been targeted or broken into? Let me know.


2004-10-07 09:03:04
how do you know you're not compromised?
Even with all those nice defenses in place, Windows users are not safe. The main points of entry for malware are Outlook/Outlook Express and Internet Explorer. I'm curious what sort of monitoring or intrusion detection you might be using.

I appreciate your calling attention to the problem. If I were an ace programmer I would write an app that displays attacks in animated technicolor, with scary sound effects, just to drive the point home. :)

2004-10-07 09:10:19
Monitoring / IDS
At my previous job, we were responsible for rolling out a VPN for our local engineering staff. As a result we became very interested in intrusion detection for Windows, and we ended up also rolling out the BlackICE product (I think this is owned by ISS now, but it used to be Network Ice).

Just running the BlackICE agent on a Windows system connected to AT&T cable for 24 hours generated something like 14000 different intrusion attempts. Everything from port scans to SYN attacks to specific scans for remote control software. And this was almost 3 years ago, prior to Slammer and several other nasty worms.

Bottom line is, if you're a Windows user, the net has not been a friendly place for years. Which is not to say there are not exploits for Linux, Mac OS X or BSD. There are lots of them. But the sheer number of Windows systems combined with the ease of exploitation means that the script kiddies don't waste time trying to compromise these systems. Why do something hard when something so easy is available?

2004-10-07 12:28:12
Ok so I'm infected, now what?
I am fairly savvy and I usually spend two hours whenever I come across a virgin Windows machine trying to lock it down as best I can.
I typically install the Windows updates, install ZoneAlarm because it's free, install Spybot because it's free and good, and install AntiVir Guard because it's free.

So I consider myself to be doing most things a user should be expected to do. But when I ran and configured Link Logger I am informed I am doing a large number of bad port scans.

So of course I immediately update all my protection software and scan absolutely everything hoping to fix it. Everything is fine.

But Link Logger says I am doing the following:
34 Gnutella
3 Blubster
2 Remote Administrator
1 Bagle.V backdoor scan
1 Terminal Server Scan
1 myDoom Backdoor scan
1 soulseek p2p
1 sql server scan
1 kazaa
1 ftp scan

I run azureus and emule, free and open source, on occasion so it's possible that these ports are being confused with other P2P clients but the others are clearly malicious.

What's more likely: this software is reporting inaccurately, or I am really infected and none of the common tools available are able to stop these worms?

Could I have inadvertently allowed my firewall to serve up worms?

Help would be appreciated.

2004-10-07 12:38:39
Ok so I'm infected, now what?
Are those incoming or outgoing? If they're incoming, I don't think you're doing anything wrong --- that's what I mean when I say that constant probes are inevitable on the Internet. If you have ZoneAlarm installed, you'd be notified if there were outgoing traffic of the type you mention, which would be a sign of infection. So when using LinkLogger, make sure to differentiate between incoming and outgoing.

2004-10-08 14:55:45
Ok so I'm infected, now what?
Those are outgoing.

The incoming ones were obvious.

2004-10-08 14:56:56
Ok so I'm infected, now what?
I should mention I uninstalled Outlook and I only use IE if I am forcing a Windows update.