Watch out!! @tech boys will nuke your modem

04-14-00, 09:25 AM
I was fed up with the constant scanning of my ports by the @home tech freaks, so I decided to scan back, then I sat back to watch some TV and my modem lights started blinking wildly (flashing RED too!) and since then my modem is less than half as fast. I thought to complain, but we all know how far I will get with that, so it's DSL time for me.

04-14-00, 09:38 AM
From the @home AUP:

"The Services may not be used to breach the security of another user" ... "Use or distribution of tools designed for compromising security, such as password guessing programs, cracking tools, packet sniffers or network probing tools, is prohibited."

MmmHmm...so, you're saying *you* deliberately violated your AUP, and this is somehow @home's fault.

Ooooookay. Let me ask, if you go speeding through stoplights, and dealing crack, is it the police's fault for arresting you too?

I mean, at what point are YOU going to accept responsibility for YOUR actions?

I would suspect that they have put you behind a firewall and are monitoring your traffic in order to protect other customers, and see if there's a case for booting you off @home for running a BO server or other nasties. I'm sure other customers appreciate their doing so in order to keep you from probing their system ports on the @home network.

Enjoy your xDSL. See you in 3 weeks to two months when they finally get it installed.


"Yeah Baby, YEAH!!!"

[This message has been edited by Bouncer (edited 04-14-2000).]

04-14-00, 09:49 AM
The day before this nonsense started, my firewall was constantly going BEEP every time I did anything, browse the web, check my mail, the firewall said it was the proxy site ICMP nuking me over and over, this never happened before, and all of a sudden I have to listen to this BONG alert over and over again. So I started watching the firewall, and I saw my ports were being scanned, so I scanned back. I fail to see how that is wrong. I have never tried port scanners or any such thing in my life, it is not in my nature, but when my firewall says I'm being attacked by my own ISP, for no reason, what should I do, call tech support? I tried, nobody answers the phone. I don't run an ftp, I don't play net war, why pick on me? There are so many others causing so many problems, why me? Honestly I don't understand.

All I did was scan back, so @home can scan me day after day for no reason, but I get punished for scanning ONCE.

I don't get it.

04-14-00, 10:34 AM
I agree with Nikola, it's way too harsh to cut him off after one scan. That seems to be a bit obsessed if you ask me.

[This message has been edited by Zulan (edited 04-14-2000).]

04-14-00, 02:20 PM
You had also better consider the fact you should watch out who you go pissing off... there are some lunatics out there that might spend all of their time scanning you for the rest of their lives.


Forums up.

www.SpeedCorp.net (http://www.SpeedCorp.net)

04-14-00, 02:30 PM
Point taken. For me that certainly was a moment of weakness on my part.

04-14-00, 02:51 PM
Lucky they didn't just whack you. Someone's running a probe on this node. Kill node for 5 minutes, kill user until they call tech support.

Figure out who is "scanning" you.

1) is it another "local" user's computer? Could it be unintentional, e.g. does your neighbor run pcanywhere, windows, mac, napster?

2) is it your isp? or the dhcp server making sure you are alive?

3) is it a misconfiguration on your part? are you routing the entire campus through your computer (don't laugh, it happened).

Can't answer those questions? Don't get mad. Don't get even.

Here's where to look up address blocks. http://www.arin.net/whois/arinwhois.html

Also, don't get ticked until you are sure it is an attempt to break in, and you are sure it's not your computer. I tripped my own damn wall. Windows is nice enough when it sees another windows site to probe on its own.
On port 137, my log has one ISP scan, one unknown probe (which I assume is the same as above in the opposite of above) and one to two per day of my computer doing the request on 137.

04-14-00, 02:58 PM
Another point to consider:
If someone scans your ports for a trojan or simply pings for pcanywhere or just plain is pinging a series of IP's cause they can (kids w/ toys), then you really have nothing to worry about UNLESS you have a trojan installed. If you don't have file & print sharing installed or the Client for MS Networks installed (network neighborhood) then the guys scanning & pinging won't even know you exist! Responding to their probes, one way or the other TELLS them that YOU ARE THERE! You have now made yourself a target!

There are network engineers that can do just about anything w/ the right tools to compromise your system. But those guys don't go around sniffin your box. (no pun intended!) They have good jobs & have some ethics. Besides, they're busy pingin & probin the networks they manage.

I have RR & they periodically run scans for FTP ports, some trojans, etc. And some firewalls will mis-interpret the modem refresh as a port scan by the ISP!

As for the scans, heck, I ignore most of em. Why let em know I'm here & a potential target for a DoS or some other nuke job. They're just LOOKING for something. They can look all they want. When they SEE something then I will worry! And if they FIND something then I'll find out who they are & then get their email & sign em up for free porn subscriptions! Then I'll tell their mommy.

04-14-00, 03:44 PM
Wow, lots of help here, OK so here it is more clearly, from my perspective

Everything was fine, then one day (yesterday) my Firewall went bong (here is the relevant bit) every time I hit a web page or checked my mail or anything. It said the IP in question was ICMP'ing me, no big deal like Bouncer said, but this had never happened before, ever. At first I assumed that my isp had made some sort of change as the IP resolved to a proxy server. But then it kept happening, every single click I made to the net would result in this ICMP (ICPM?) hit, and the firewall went BONG!, so I started watching the FW log, and I noticed that 'hidden' in it was what looked like a port scan coming synchronously from a set of other IP's, right in sync with my page hits and other activity, as if to say 'we are scanning your ports, but we're gonna do it right in sync with your actions so you don't notice your modem blinking for no reason'. I could not resolve the port scanners' IP's without dropping the firewall, anyways I didn't care. Scan my ports all you want, there is nothing to find, but don't try to hide that fact, just do it, quickly, (I am pretty sure it was a coordinated port scan because several IP's were involved, each one stealthily checking one port, then the next, and so on, it looked automated) but what bothered me was the ICMP hit and the resultant BONG alert, which is fine, I could make a rule to accept it from that proxy ip, but why all of a sudden? and why never before? and why relentlessly? so then I searched for a war tool, and of course easily found some pinger, so I pinged the hell out of those ip's, this seemed to accelerate the port scan, so then I searched for a port scanner, ran it 6 instances parallel, and scanned the hell out of those IP's, all the while my firewall going BONG BONG BONG...

After 10min or so of that, the BONGing stopped cold. I waited a moment and then killed the port scanning, then I started to watch some tv, about 30min later my modem went offline and blinked wildly... I kept watching tv, about 30min after that it did it again (both times acting as if I had unplugged it) red lights and green lights flashing wildly...

So I don't know anything about TCP and even less about attacks and such, I was being hammered and it 'seemed' to be coming from @home, but I don't know.

There was nothing I did that could have prompted the attack 'if that's what it was' I don't mess with that bologna.

Anyways, thanks all for your thoughts, all is quiet again ;)

04-14-00, 04:08 PM

I was having the SAME Problem with @Home... So I actually called them, here is the conversation:

"Are you scanning my machine TCP ports?"
"Yes, we do this on all customers"
"Please refrain from this, if you continue to do this I will give you plenty good reasons not to."
"Yes Sir, we will remove you from the list"

There you go, all these people who suck-up to the cable companies saying 'it's your fault' are just wussies... you PAY for the service, and therefore you are the MOST important link in the chain.


04-14-00, 04:18 PM
I asked for the same thing, only to have them say "no". I tried 7 times to no avail.


04-14-00, 11:30 PM
(screeching sound)
Wait a second...you're saying you were getting ICMP messages from your proxy server?

Sigh...ICMP is ping.

Do you have your firewall set on paranoid?

What's most likely happening is someone using gamespy or some other ping tool is simply trying to see if you are playing a game online like Half-Life/Quake/Unreal etc.
They are outside the firewall doing a ping sweep, and the firewall simply passes that ping to you. You are gonna hear this all day, everyday, forever, unless you do something about it. It's probably not @home at all.

Does your firewall not have the ability to turn the audio alarm off, or the ability to not alarm on ping messages?

I'm also a little confused here. I'm not being picky, but how did you "scan back" if you've never tried scanners before in your life?

The statements seem contradictory to me, unless what you're saying is that you went out, found some sort of port scanner, used it, and then your cable modem went nuts.

You are still responsible. Period. I'm not even sure @home is doing anything to you at all since from what you've said, you responded to an outside ping source.

Even if they are, you may have an option though. Effectively, you'll need to turn off your modem (unplug it) for about four hours, and then reinitialize. You'll then have to basically NOT scan ANYTHING for about a month. They're probably simply logging you because you set off an intrusion alarm. If there's no repeat of the activity, they'll stop logging in a few days or weeks.

Turning off the modem lets it clear any cache, and hopefully will clear any collision issues that may be occurring because of a sudden routing switch (to put you behind a firewall).

As for @home, I wonder if you'd be as upset, if someone were trying to run a BO scan on your system, and @home swooped down and made the bad man disappear. I doubt there'd be any complaints about privacy then. It's a relative issue. Users want more security, they give up some privacy. Nature of the beast. It's not personal, you know.


"Yeah Baby, YEAH!!!"

[This message has been edited by Bouncer (edited 04-14-2000).]

04-14-00, 11:42 PM
Yes, exactly, I searched the net (reluctantly for the first time ever) for war tools and found a port scanner, ran it 6 times side by side and scanned the 'attacker' like a mad man (I was mad ;) ). I knew it was wrong, but as I said earlier, I was 'defending' myself.

Thank-you for your suggestion regarding the modem cache. I hope it works for 'my' Terayon. And I have no intention to do port scanning, of course I have better things to do with all this bandwidth...

And thank-you for your attention, up until this incident, I can honestly say I have NO complaints with @home (I'm not sure why so many other people complain about their speed etc. my speed has been outstanding without exception, 99% uptime) except for the SPAM problem...

04-16-00, 12:42 AM
That is right Bouncer. I used to run Blackice and also was told by Blackice that my proxy was trying to get me. Ridiculous.
I had mine set to nervous. It also said that ICQ was trying to get me as well. Stupid.
The only port that is open (unless you are running a server or network) is Netbios port 139. And, your computer cannot be accessed, the only thing that can be gotten is your computer name and ip address. And, they can get that anyway. I got tired of the blue screens of death when I would shut down and the constant warnings that someone was trying to get me. Pcanywhere pings, proxy, ICQ...etc. Ridiculous.

04-16-00, 01:45 AM
Why is it that people pick one single thing out of a body of text and focus on it, ignoring the actual relevant part???

I said the ICMP pinging NEVER HAD HAPPENED BEFORE, in 6 months, then one day it happens relentlessly.

And now it IS NOT happening at all.

04-16-00, 04:39 AM
Actually I have had a similar experience with @home and continue to do so... Every day actually about 4 times a day or more my black ice and/or jammer goes off saying that authorize-scan.security.home.com is doing a TCP port scan. It wouldn't bother me so much but it happens like I said about 4-12 times a day. I have the logs to prove it. A warning to anyone that uses Black Ice though. It is good but it does its job too good. You will get many false reports, it is way too sensitive, even to have it set at the lowest trusting setting you will have false reports. Just be knowledgeable about the different types of attacks and know what Black Ice and other programs like Jammer do and report back to you. Knowledge is key. But I agree it gets a bit annoying and childish when they Port Scan, whether it is TCP, NNTP, or whatever, you to death. Granted NNTP is just Network News. Knock it off @home LOL.

Setting in my corner feeling crappy for myself.

04-16-00, 09:36 AM
NIKOLA, I run BlackICE and have had the same problems. On & off again UDP port probes - some days I get a few - some days none.

BUT GET THIS....I have DSL with GTE....not cable.

From BlackICE:

Attack - UDP Port Probe
Intruder - IP:
Severity - 39

I went to home.net; found out it's @home; got pissed at the "bastards" (more because of all neg. press they get here on this board than the probes) and called them in Calif. (I live in DFW, TX) area.

Anyway, I did NOT ask to talk to tech support, I asked for someone in their internet security fraud dept. The @home "bastard" was not one & was quite helpful. He worked with me, over the phone and assured me it wasn't @home.

Take a look at an earlier post, to you, from VALENTINEDWV concerning www.arin.net (http://www.arin.net) because... the @home guy walked me through what he was doing (my @home security buddy and I- can't call him a bastard anymore- were on the net at the same time) and we wound up at the above site. Found the IP is some outfit in AZ, not @home. They have the above IP which is one of an entire block of IP's registered in their name.

So that's my input. Just some additional info for you. Maybe it's not all what it appears to be...I don't know.

[This message has been edited by chacmool (edited 04-16-2000).]


04-16-00, 04:05 PM
I hope that you people are starting to understand that you do not need Blackice!
There are only a select few of you that actually need a port watching/firewall program. I believe that these programs are almost completely useless. The ports that are being probed are NOT opened anyway. All you are doing is stressing yourself out. Do what I did, remove Blackice from your computer! That is the sure fire way of never seeing those irritating flashing red Blackice attack icons in the system tray again! If you want to continue to be obsessive/compulsive about this, then go ahead, feel free to run your port watching/firewall program. But, I for one know that the only port open (unless you are running a server or network at your house with file and print sharing turned on) is port 139. Also, remember that it is to the advantage of software companies to tell you that you are in danger on a cable modem so that they can sell you useless software. I fell for it for 2 months, then I finally got tired of the bsod's and false attacks.

04-16-00, 04:27 PM
Or better yet, use ZoneAlarm! which is entirely free and lets you set permission to certain programs like ICQ. That means when someone messages you on ICQ, ZA doesn't freak out and think it's an attacker.

04-16-00, 04:40 PM
Cox@Home around here (Phx area) performs NNTP port probes. I had 2 techs try to tell me that they were necessary to verify connectivity. Bull. They need only run a ping to verify that. Bunch of crap.

04-16-00, 06:00 PM
I take it you are not using BlackIce & are using some other firewall cause I use Black Ice & to my knowledge it doesn't have an audio alert.

There is another possibility here as to what was happening. There may be users on your network, the @home network that is, that have compromised machines. Trojans in em. And some arseholes are using the machines to cover their tracks. They could be scanning from a dialup connection somewhere THROUGH the affected hosts & it will look as though the attacks & probes are coming from the machine w/ the trojan. Your firewall will do its job & trace back to the point of the LAUNCH of the probe on your computer. An IP from some compromised @home user!

04-16-00, 08:29 PM
First off, to the person who is using "ZoneAlarm", you may want to go to grc.com and grab 'optout'. It will scan your HD for some 'spyware' that was installed when you installed ZA. This spyware collects information on your internet use and such, and sends it back to Aureate so they can sell it to advertisers. Your actions are being recorded...

I use Conseal (I have heard that BlackIce contains several back doors, I cannot verify this) as it allows rule creating on the fly, very nice program. To the person who said a firewall is not needed, that's just silly. If you spend any time in a 'public' place like the IRC, your IP is available to all, and should you happen to offend someone in that public place, you may get attacked. There are several nasty attacks out there, like simply crashing/rebooting your machine or perhaps worse. I once offended someone by speaking my mind, and I was booted from the channel, when I returned to that channel, I was attacked by 6 different IP's my firewall was able to identify the attack and ask me what to do, I blocked them, and entered the channel, and these guys were grumbling things like, 'damn I wanted him, you're lucky boy' and other such fluff. I'll never know what would have happened if I didn't have the firewall, but I do know that without it, those attacks would have made it through to my computer.

You can link to GRC and CONSEAL via the following link:

GRC 'optout' is free, and CONSEAL offers a demo of their amazing firewall.

04-16-00, 11:43 PM
For myself the scans are coming up..
(which an @home Tekkie confirmed is theirs and their main one) the reason he gave me was they do a general scan on their system to make sure nobody is doing anything they shouldn't.. Ok that's fine with me. However they are coming into my home and scanning for something I don't do and they have absolutely no evidence that I am doing any of the things they are scanning for. It's like a cop searching your house without a warrant. Granted it's electronic but isn't that invasion of privacy or an illegal search since there is no evidence to my partaking in any illegal or unlawful actions. I haven't done anything!! Yet all my personal protection bells and whistles are going off because @home is doing a general sweep..??? Granted they are going off so it means they are being blocked but still..

04-16-00, 11:47 PM
i get those daily pings too and i too run blackice and i too am pissed. mm i wish blackice allowed you to set rules (not just the trust attacker thing) sos icq and irc would work. i have mine on cautious..and i've done three security scans.. all turned out GREAT.. only one port was not in stealth and it was closed. awesome huh?..cept blackice does go off a lot hehe

"If a man could have half his wishes, he would double his troubles."
-Benjamin Franklin

04-17-00, 01:32 AM
For all @home users...if you had read your user agreement form you would've found that by accepting and using the service you were agreeing to let @home use whatever means necessary to keep the @home system free from attackers and violators in general of the user agreement. Sorry but you really have no reason to complain as you agreed to let them do it. Also a hint, most if not all isp's have that clause in their user agreement as well.

04-17-00, 01:41 AM
Nice site Nikola. Do not take this personal. But, I still disagree with you on the firewall business. I agree with you that they would read and steal your ip. But, they can get that anyway because your ip is out there no matter what. Port 139 will not let anyone access your computer. Now, as far as IRC, I agree that you might be in jeopardy there. That is a Crackz/Warez hackers paradise. However, what are they really going to do? They can't force your computer to open a port. Maybe they could gain access while you are transferring a file? Not sure because I do not hang out there. I also suppose that they could flood your computer with large pings and slow you down. Best advice? Be nice to everyone on IRC.

04-17-00, 03:01 AM
First off, to the person who is using "ZoneAlarm", you may want to go to grc.com and grab 'optout'. It will scan your HD for some 'spyware' that was installed when you installed ZA. This spyware collects information on your internet use and such, and sends it back to Aureate so they can sell it to advertisers. Your actions are being recorded...

ZoneAlarm only allows programs you give permission to access the internet or act as a server. Since I gave Go!zilla permission then yes, I have to have those "spyware" .dll files. It would be the same with any program that installed those .dll files so I don't see where you're trying to go there.

And if you read the optout site clearly, you can see all the hoopla is nothing more than fanatical paranoia. Which, after reading your first post, is what got you into trouble in the first place.


04-17-00, 06:41 AM

Better to be safe, than sorry.

After you read the big disclaimer, you come to the meat of the GRC discussion on the 'spyware' in question...
>>>"The Aureate Network brings an enormous amount of demographic targeting capability to advertisers."

>>>I don't know about you, but I'm really not sure that I want to have anyone's "enormous demographic targeting capability" aimed squarely at me.

>>>Apparently, foreign advertiser servers are sourcing their ads directly to the user's machine through the advertising server that's created by the Aureate DLL's. This is a concern for two reasons: First, suddenly there's a HOLE through our firewalls which anyone can see, and which may have known vulnerabilities. Second, any foreign advertising server contacted is establishing a connection to our machines and, unless we're behind a caching proxy or NAT router, knows our IP.

>>>I have not yet performed close monitoring of Aureate's technology and communications -- including traffic monitoring and sniffing -- but that's next.

>>>More soon.

>>>Steve Gibson,
>>>Gibson Research Corporation
>>>< http://grc.com >

I don't think 'fanatical' is a fair description for any debate which concerns OS invasions of this type.

04-17-00, 08:29 AM
Que pasa?

I run ZoneAlarm (as well as BlackIce) and found no SPY dll's, or whatever, when I ran OptOut.

What's the drill here?

04-18-00, 03:24 AM
"Better to be safe, than sorry."

True but I think there is a point when you're safe and a point when you take unnecessary precautions. I just use my connection to browse the internet and do some occasional gaming. I don't work for NASA, CIA, or any other high security agency so I don't see the need to monitor and log every port. All I need is a program that will stealth me (which ZoneAlarm does) and I'm happy.

I lock my door when I go out but I don't rig a shotgun trap and plant roses underneath each window. I do enough to feel safe but not so much that I compromise my own house/system.


04-18-00, 03:31 AM
chacmool, this is good news, perhaps spyware was removed in later Zonealarm version! as with Cuteftp and others...

Dream97, good point, and firewalls do need maintenance.

Zero 2 Dash
04-18-00, 04:39 AM
I also have ZoneAlarm...I just dl it from C/Net last week. I thank you, Nikola, for that information and that site...there is some pretty interesting stuff there. (I think the guy is far from paranoid...he's educated, not paranoid) I downloaded a few things off that site, from OptOut to IP Agent...and both ran with flying colors and no problems or findings with ZoneAlarm.

I also have dl BlackIce Defender and ConSeal PC Firewall, but I currently only have ZoneAlarm installed, because BlackIce gives alerts for nearly anything, and ConSeal is annoying to tell to allow ICQ every time (ZoneAlarm is nice 'cause you can just check off to have it always allow). I also have The Cleaner (Trojan searcher) installed, as well as a small .exe AntiNuker that a friend sent me.

I just wanted to say that in most regards, a firewall is protection that anyone with "always on" access should have. I got ADSL installed through a special with Southwestern Bell and I've been nothing but completely pleased with the service so far. Great deal...$39 per month, free installation + free NIC + free DSL modem...128k up 384k-1.5m down (guaranteed 384k though)...and after getting a registry tweak from SpeedGuide, I now get double what I was (was getting 650k, now I get 1.25 megs/sec EASY...sometimes as high as 2 megs/sec).

Just a couple thoughts. ;)

"He is the one."

Come join The Irregulars (http://pub9.ezboard.com/btheirregulars)

04-18-00, 08:01 AM
Nikola, back to your original post.

Do you still think @home is out to get YOU?

I have uninstalled (for a while) BlackIce because of all the above feedback you got, as well as my own doubts (remember, I got suspect pings from @home yet have DSL).

Will stay with ZoneAlarm & Norton Internet Security 2000 (forgot to mention it earlier).

(If we stay on the firewall issue, the moderators will probably move this over to the Security Forum).

Actually, that's not such a bad idea...wish I had the authorization...I'd copy this to that forum (leave it here as well?)

Got to go feed my Yellow Tang.

04-18-00, 08:16 AM
Great discussion folks, but it's time to go ahead and move it on up to the security forum...(hitches up pants Barney Fife style)


04-21-00, 02:29 PM
Well, this is very good info. I just found this site today.

I would like to mention an ICSA certified Firewall that I have found to be REALLY cool. It's the SonicWall product line. I don't know if any of you have ever heard of it, but it is quite an impressive little box and perfect for cable modem/DSL applications.

It automatically detects and blocks attacks and portscans and sends out an email notification. It uses a web-browser interface for configuration, so it's real easy and no strange software to learn.

In addition, it can perform content filtering, blocking objectionable websites, and also has an optional VPN capability.

The Sonicwall 10 will allow up to 10 computers to have full access to the internet through NAT. There are upgrades that allow more machines to access the net if needed.

The reason I know so much about them is because my company sells them and I'm the engineer who gets calls when there is a problem. The most common problem I have is people just not understanding Network Address Translation.

Anyway, take a look at sonicwall's website at http://www.sonicwall.com/ and judge for yourself.

04-23-00, 02:35 PM
I have noticed one interesting thing, over the last month or so. All the UDP Port scans & PcAnywhere scans only happen (to me) during the weekdays and during typical office hours.
I never get any attacks on weekends or non-business hrs. I'm wondering if a lot of these "intrusion alarms" we all get with our firewalls are false...echos...internet clatter....internet noise (maybe Seti@home has found ET)...internet garbage...etc???

[This message has been edited by chacmool (edited 04-24-2000).]

04-27-00, 03:48 AM
Well, people, there is not much I can add to this discussion, except one thing.

I use blackICE, and I usually get 0-5 "attacks" a day. Usually just scans, which I ignore, unless 5 different scans come from one source, then I block the IP for a day, if someone scans for a Trojan, I block them forever.

And the most stupid thing to do is trying to hack/attack/mess with your ISP. Sorry Nikola, but that's just something you DON'T DO! Never hack back, always block, that's the way to be safe. That way they can't see you're actually there, and even if they found out you're actually there, blocking helps soooooo much. Then they can't do anything to you.


"I have lost all my beliefs to a world of hypocrisy"
(Hypocrisy - Paradox)
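
The blocking policy described in the post above (ignore isolated scans, block a source for a day once it has produced 5 different scans, block permanently on a Trojan probe), sketched as an added example that is not part of the original thread. The log line format, the reading of "different scans" as distinct protocol/port pairs seen within one day, and the short Trojan port list are assumptions; the log lines are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address
from typing import Optional

# Assumption: default ports of a few trojans of that era (illustrative, not exhaustive).
TROJAN_PORTS = {("udp", 31337): "Back Orifice", ("tcp", 12345): "NetBus",
                ("tcp", 27374): "SubSeven"}
SCAN_THRESHOLD = 5               # "5 different scans come from one source"
TEMP_BLOCK = timedelta(days=1)   # "block the IP for a day"
FOREVER = datetime.max           # "block them forever"

@dataclass
class SourceState:
    probes: dict = field(default_factory=dict)   # (proto, port) -> time last seen
    blocked_until: Optional[datetime] = None

def parse_line(line):
    """Parse 'DATE TIME DROP proto src -> port' (hypothetical format); None if malformed."""
    parts = line.split()
    if len(parts) != 7 or parts[2] != "DROP" or parts[5] != "->":
        return None
    try:
        ts = datetime.strptime(parts[0] + " " + parts[1], "%Y-%m-%d %H:%M:%S")
        src = str(ip_address(parts[4]))
        port = int(parts[6])
    except ValueError:
        return None
    if parts[3] not in ("tcp", "udp") or not 0 < port < 65536:
        return None
    return ts, parts[3], src, port

class BlockPolicy:
    def __init__(self):
        self.sources = {}

    def observe(self, ts, proto, src, port):
        """Return 'ignore', 'already-blocked', 'block-1d' or 'block-forever'."""
        st = self.sources.setdefault(src, SourceState())
        # A Trojan probe is checked first so it upgrades an existing one-day block.
        if (proto, port) in TROJAN_PORTS:
            already = st.blocked_until == FOREVER
            st.blocked_until = FOREVER
            return "already-blocked" if already else "block-forever"
        if st.blocked_until and ts < st.blocked_until:
            return "already-blocked"
        # Forget probes older than a day so slow background noise never adds up.
        st.probes = {k: t for k, t in st.probes.items() if ts - t < TEMP_BLOCK}
        st.probes[(proto, port)] = ts      # a repeat of the same port is not a new scan
        if len(st.probes) >= SCAN_THRESHOLD:
            st.blocked_until = ts + TEMP_BLOCK
            st.probes.clear()
            return "block-1d"
        return "ignore"

def run(lines):
    """Feed log lines through the policy; return the new block decisions and the policy."""
    policy, decisions = BlockPolicy(), []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue                       # skip lines that do not parse
        action = policy.observe(*event)
        if action.startswith("block"):
            decisions.append((event[2], action))
    return decisions, policy

# Constructed sample log; addresses are from the documentation ranges.
SAMPLE_LOG = [
    "2000-04-27 09:00:01 DROP udp 192.0.2.10 -> 137",      # lone NetBIOS probe
    "2000-04-27 09:05:00 DROP tcp 198.51.100.5 -> 21",
    "2000-04-27 09:05:01 DROP tcp 198.51.100.5 -> 23",
    "2000-04-27 09:05:01 DROP tcp 198.51.100.5 -> 23",     # repeat, not counted twice
    "2000-04-27 09:05:02 DROP tcp 198.51.100.5 -> 80",
    "2000-04-27 09:05:03 DROP tcp 198.51.100.5 -> 119",
    "2000-04-27 09:05:04 DROP tcp 198.51.100.5 -> 139",    # fifth distinct port
    "2000-04-27 09:05:05 DROP tcp 198.51.100.5 -> 5631",   # already blocked
    "2000-04-27 11:30:00 DROP udp 203.0.113.7 -> 31337",   # Trojan port
    "garbage line",
    "2000-04-28 12:00:00 DROP tcp 198.51.100.5 -> 12345",  # Trojan port after block expired
]

if __name__ == "__main__":
    for src, action in run(SAMPLE_LOG)[0]:
        print(src, action)
```
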

04-28-00, 05:50 PM
HERE (http://www.intel.com)