zone alarm alerts

kgsuth
Member
Posts: 84
Joined: Fri Jan 26, 2001 12:00 am
Location: Coquitlam,BC,Canada

zone alarm alerts

Post by kgsuth »

Help

When I left for work this am at 6:00 am I zeroed out some 150 plus hits.

When I get home 12 hours later, my ZA says I have had 238 more hits.

I have never been hit like this. Even while working on this little message I have been hit 3 times.

What is going on? Have I got a trojan that is sending out my IP
or what?

any ideas.

Thanks in Advance for any help.
Noevo
Posts: 14191
Joined: Mon Feb 28, 2000 12:00 am
Location: Floating in FL Red Tide

Post by Noevo »

Do you use a file sharing program?
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

It could be a number of things.
Noevo's suggestion is one major reason you get people contacting your IP. Once you've shared files, your IP will be called to share again. Some people will log your IP, then try to hack you when it's convenient.

Every time you click a link on a page, you give out your IP.
ICQ, AIM, MSN Messenger etc. all give out your IP to anyone you contact.
There are worms loose on the net searching for servers to infect.
There are people scanning IPs at random for security leaks.
etc etc

If ZA blocked them, you're safe.
kgsuth
Member
Posts: 84
Joined: Fri Jan 26, 2001 12:00 am
Location: Coquitlam,BC,Canada

Post by kgsuth »

Thanks for the interest and the suggestions.
But no, Noevo, I do not use a file sharing program.
I do appreciate that Zone Alarm blocks them, it is just the sheer numbers I'm getting that makes me wonder. I have never had that great a volume hit me.
Noevo
Posts: 14191
Joined: Mon Feb 28, 2000 12:00 am
Location: Floating in FL Red Tide

Post by Noevo »

I would run Adaware and see what ya get.

http://www.lavasoftusa.com/
Norm
SG VIP
Posts: 14195
Joined: Tue Mar 27, 2001 12:00 pm

Post by Norm »

Have you had a look in ZA's log file ?

How about a program that sorts the ZA log file?
ZoneLog Analyzer. If you don't have it you can Get it here

Features
Imports the ZoneAlarm log into its own database for speed of operation.
Colour coded listing to show severity of known attacks.
Get full, clear details about each log entry.
Create reports on specific addresses, ports, time periods, etc.
Resolve host names for all known IP addresses.
Link to WHOIS websites or external applications for more detailed info on a particular address.
Create an email message with details of an attack for reporting attackers to their ISP.
Tag specific addresses as friend or foe.
Threat Analysis - picks out the attacks from the noise.

I think you'll like this; I did, and used it while I had ZA installed for a year or more.
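The sorting and "threat analysis" that Norm describes for ZoneLog Analyzer can be done by hand over the log file. The script below is an added example written for this thread, not ZoneLog Analyzer's code and not anything kgsuth or Norm posted: it parses a ZoneAlarm-style log, counts inbound hits by source and by destination port, separates background NetBIOS chatter from the rest, and flags hits on the ports the thread associates with NetSpy and Sockets des Troie. The comma-separated line layout (type, date, time, source ip:port, destination ip:port, protocol) is an assumption modelled on what ZoneAlarm 2.x/3.x wrote; the sample log and its addresses are constructed.

```python
"""Sort and triage a ZoneAlarm-style firewall log (added example, assumed log layout)."""
from collections import Counter

# Destination ports the thread ties to trojans (anti-trojan report and Croc's listing).
KNOWN_TROJAN_PORTS = {
    1033: "NetSpy",
    5000: "Sockets des Troie", 5001: "Sockets des Troie", 30303: "Sockets des Troie",
    50505: "Sockets des Troie", 60000: "Sockets des Troie", 65000: "Sockets des Troie",
}
# NetBIOS name/datagram/session ports: treated as background noise here (design assumption).
BACKGROUND_PORTS = {137, 138, 139}

# Constructed sample log: RFC 5737 documentation addresses, not real hosts.  The PE line
# stands in for a non-firewall (program) event and is skipped by the parser.
SAMPLE_LOG = """\
FWIN,2002/08/20,18:02:11 -7:00 GMT,203.0.113.9:2135,192.0.2.10:5000,TCP (flags:S)
FWIN,2002/08/20,18:02:14 -7:00 GMT,203.0.113.9:2136,192.0.2.10:5001,TCP (flags:S)
FWIN,2002/08/20,18:03:40 -7:00 GMT,198.51.100.77:1045,192.0.2.10:137,UDP
FWIN,2002/08/20,18:05:02 -7:00 GMT,203.0.113.9:2140,192.0.2.10:1033,TCP (flags:S)
FWIN,2002/08/20,18:09:55 -7:00 GMT,198.51.100.23:3412,192.0.2.10:27374,TCP (flags:S)
FWOUT,2002/08/20,18:10:03 -7:00 GMT,192.0.2.10:1048,198.51.100.5:80,TCP (flags:S)
PE,2002/08/20,18:10:05 -7:00 GMT,Some Browser,198.51.100.5:80,N/A
FWIN,2002/08/20,18:12:30 -7:00 GMT,198.51.100.77:1046,192.0.2.10:137,UDP
"""


def parse_log(text):
    """Return one dict per well-formed FWIN/FWOUT line; other lines are skipped, not fatal."""
    entries = []
    for raw in text.splitlines():
        fields = raw.strip().split(",")
        if len(fields) < 6 or fields[0] not in ("FWIN", "FWOUT"):
            continue
        kind, date, time, src, dst, proto = fields[:6]
        try:
            src_ip, src_port = src.rsplit(":", 1)
            dst_ip, dst_port = dst.rsplit(":", 1)
            entries.append({
                "direction": "in" if kind == "FWIN" else "out",
                "when": f"{date} {time.split(' ')[0]}",   # drop the zone suffix
                "src_ip": src_ip, "src_port": int(src_port),
                "dst_ip": dst_ip, "dst_port": int(dst_port),
                "proto": proto.split(" ")[0],             # "TCP (flags:S)" -> "TCP"
            })
        except ValueError:
            continue  # a line with a malformed ip:port pair
    return entries


def triage(entries):
    """Summarise inbound hits: who, which ports, what is noise, what looks like a trojan probe."""
    inbound = [e for e in entries if e["direction"] == "in"]
    sources = Counter(e["src_ip"] for e in inbound)
    ports = Counter(e["dst_port"] for e in inbound)
    trojan_probes = [
        {"when": e["when"], "src_ip": e["src_ip"], "dst_port": e["dst_port"],
         "name": KNOWN_TROJAN_PORTS[e["dst_port"]]}
        for e in inbound if e["dst_port"] in KNOWN_TROJAN_PORTS
    ]
    background = sum(1 for e in inbound if e["dst_port"] in BACKGROUND_PORTS)
    # A source that touches several different ports is enumerating, not arriving by accident.
    multi_port = {
        ip for ip in sources
        if len({e["dst_port"] for e in inbound if e["src_ip"] == ip}) > 1
    }
    return {
        "inbound": len(inbound),
        "top_sources": sources.most_common(3),
        "top_ports": ports.most_common(3),
        "trojan_probes": trojan_probes,
        "background": background,
        "multi_port_sources": sorted(multi_port),
    }


def print_report(text):
    """Human-readable view of triage() for the command line."""
    summary = triage(parse_log(text))
    print(f"inbound hits: {summary['inbound']} (background NetBIOS: {summary['background']})")
    print("top sources:", summary["top_sources"])
    print("top ports:  ", summary["top_ports"])
    print("multi-port sources:", summary["multi_port_sources"])
    for probe in summary["trojan_probes"]:
        print(f"  {probe['when']} {probe['src_ip']} -> port {probe['dst_port']} ({probe['name']})")


if __name__ == "__main__":
    print_report(SAMPLE_LOG)
```

Run against the sample, the report shows six inbound hits, two of them NetBIOS noise, and one source that walks three trojan ports in turn; that is the pattern worth a WHOIS lookup and an abuse report, while the scattered single hits are the random scanning Norm and Noevo describe. Point `print_report` at the contents of a real log file to use it on your own data.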
kgsuth
Member
Posts: 84
Joined: Fri Jan 26, 2001 12:00 am
Location: Coquitlam,BC,Canada

Post by kgsuth »

Thanks again fellows
I do have adaware and have run it, got rid of some spy ware.
The attacks still continue though.
I will get that program Norm and try to track them. Time with me is a premium.
One other thing I did was d/l anti-trojan 5.5. It found no trojans in files but did tell me that I have 14 open ports, 2 of these listed as follows:
Port 1033 Net Spy
Port 5000 Sockets de troi, Blazer 5

What the heck is that about? It does not say they are trojans, nor does the program make it clear how to get rid of them.
Noevo
Posts: 14191
Joined: Mon Feb 28, 2000 12:00 am
Location: Floating in FL Red Tide

Post by Noevo »

If you had some spyware on there you will continue to receive hits for quite a while in Zone Alarm. More than likely that's where a lot of them originated. Remember, you will always see hits just from random scans. I would guess over the next couple of weeks (depending on when you pruned the spyware) things will slow down.

Sorry, can't help with the ports question.
Scott
Senior Member
Posts: 3846
Joined: Thu Feb 14, 2002 12:00 pm

Post by Scott »

NetSpy:


With NetSpy you can see what web sites others are accessing from a PC. NetSpy runs
invisibly so the user surfing the internet has no idea that big brother is watching them!
Parents, use NetSpy to see what web sites your children are visiting and how much time they
are spending on the internet. NetSpy will also record every key that a user types...even
passwords! You can even read their private email messages after they've been deleted! With
the NetSpy Configuration Program (which is password protected) you can set several options
such as:

1) The amount of seconds to wait before NetSpy saves to the log files.
2) Whether or not you want new log files created each time NetSpy loads.
3) Whether or not you want duplicate URLs to appear in the URL log file.
4) The directory location and file name of the log files.
5) Whether or not you want NetSpy to log keystrokes.
6) Whether or not you want NetSpy to capture screens.

NetSpy currently supports the following browsers: Netscape Navigator, Microsoft Internet
Explorer, AOL and Prodigy.


Sockets de troi, Blazer 5 :

It's a backdoor trojan of some sort.

You might want to try Tiny Personal Firewall from tinysoftware.com

I think it works much better than ZA.
kgsuth
Member
Posts: 84
Joined: Fri Jan 26, 2001 12:00 am
Location: Coquitlam,BC,Canada

Post by kgsuth »

Thanks Snuf, I appreciate the Info. What I have to figure out is how to get rid of Sockets de troi, Blazer 5, close the port I guess.
Thanks for the help.

I just got in from work and had 260 hits in the last 12 hours.

Even typing this I've had 4 alerts!!!!!

Bugs the life out of me.

Thanks again.
Croc
Posts: 7818
Joined: Sat Jan 20, 2001 12:00 pm
Location: Up top East side Downunder

Post by Croc »

Originally posted by kgsuth
Thanks again fellows
I do have adaware and have run it, got rid of some spy ware.
The attacks still continue though.
I will get that program Norm and try to track them. Time with me is a premium.
One other thing I did was d/l anti-trojan 5.5. It found no trojans in files but did tell me that I have 14 open ports, 2 of these listed as follows:
Port 1033 Net Spy
Port 5000 Sockets de troi, Blazer 5

What the heck is that about? It does not say they are trojans, nor does the program make it clear how to get rid of them.
Here you go:

Here's some info on Sockets de Troi and how to rid yourself of it. For more info go to http://www.thepublicworks.com security section and link to Simovits Consulting.

Name: Sockets des Troie
Aliases: Sockets23, Lame, BACKDOOR.KAMIKAZE, IRC_TROJAN, TROJ_BACKDOOR, W32/Cheval.gen, Backdoor.Sockets23
Ports: 1 (UDP), 5000, 5001, 30303, 50505, 60000, 65000
Files:
Sdt2.3.zip - 855,872 bytes
Sockets23.zip - 849,499 bytes
Sockets23.exe - 1,082,880 bytes
Genvirus.exe - 779,797 bytes
Mschv32.exe
Mgadeskdll.exe - 339,456 bytes
Rsrcload.exe - 339,456 bytes
Csmctrl32.exe - 339,456 bytes
DrvCtrl95.exe - 322,560 bytes
Lcv_sys.exe
Discv.dll
Tcv.exe
Dcv.exe
Winstart.bat
Created: June 1998
Requires:
Actions: Remote Access / ICQ trojan
Sockets des Troie is French for Trojan Sockets and was one of the very first Remote Access trojans being published.
Versions: 1.0, 1.1, 2.1, 2.2, 2.3, 2.5
Registers:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
HKEY_CLASSES_ROOT\DirectSocketsDrv\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunLoad\



AND>>>>>>>>


Troj/Netspy
Type
Trojan

Detection
Detected by Sophos Anti-Virus.

Resident
Yes.

Description
Troj/Netspy allows a remote user to have unauthorised access to a PC. Several versions of this Trojan exist.

The Trojan adds a registry value containing the name of the Trojan file to
HKLM\Software\Microsoft\Windows\CurrentVersion\Run.

This Trojan was first reported in April 1999.



hope this helps,

Croc.
kgsuth
Member
Posts: 84
Joined: Fri Jan 26, 2001 12:00 am
Location: Coquitlam,BC,Canada

Post by kgsuth »

Croc, thanks for the information. I will have to digest this!!!!
Tell you what I did do, but I'm not sure if this is the answer.
With Port 5000 - Sockets, etc
I learned how to close the port. And this I did.
But my question is: "Does this eliminate the problem or not? Are there files on my machine that should be removed?"

I use XP Home version, so when I go looking for some of these places in the registry, the tree doesn't seem to be the same.

I have not tackled Port 1033, and Netspy.

Thanks for your help. I greatly appreciate it.
Croc
Posts: 7818
Joined: Sat Jan 20, 2001 12:00 pm
Location: Up top East side Downunder

Post by Croc »

No, it doesn't IMHO.
All closing the port does is stop the outgoing while leaving the TH there to continue trying to get out.
Use a Trojan Scanner such as Trojan Defence Suite 3 from http://www.diamondcs.com.au or BOClean from a link in http://www.jmu.edu/computing/info-secur ... ml#Cleanup

Important.. Read the info thoroughly. In my previous post there is a list of files that are associated with "Sockets de Troi".
Both these should be easily removed with BOClean because both have been around for some time.

How are the eyes? There's a lot of reading in those links but worth the effort for the experience you are getting. :D

Croc..
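Croc's point is that blocking port 5000 leaves the trojan's files and its autostart entries in place, and kgsuth notes that the XP Home registry tree does not look like the listing. One version-independent way to check is to export the Run keys with regedit (File > Export) and inspect the text. The script below is an added example, not a tool from the thread or from any of the scanners Croc names: it parses a standard `Windows Registry Editor Version 5.00` export, looks under the autostart keys from Croc's listing and the Troj/Netspy description, and reports any value that launches one of the executables the "Files:" line names, plus the `HKEY_CLASSES_ROOT\DirectSocketsDrv` key the listing says the trojan registers. The sample export is constructed; the value name `DirectSocketsDrv` and path used in it are assumptions for illustration, not known indicators.

```python
"""Audit an exported .reg file for the autostart entries in Croc's Sockets des Troie listing
(added example; assumes a regedit 'Windows Registry Editor Version 5.00' export)."""

# Autostart keys from the thread's listing and the Troj/Netspy description (lower-cased).
RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\runload",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
# Key the listing says the trojan creates for itself.
MARKER_KEYS = {r"hkey_classes_root\directsocketsdrv"}
# Executables/scripts from the "Files:" line of the listing.
SUSPECT_FILES = {
    "sockets23.exe", "genvirus.exe", "mschv32.exe", "mgadeskdll.exe", "rsrcload.exe",
    "csmctrl32.exe", "drvctrl95.exe", "lcv_sys.exe", "tcv.exe", "dcv.exe", "winstart.bat",
}

# Constructed sample export.  The "DirectSocketsDrv" value name and the path are assumptions.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"DirectSocketsDrv"="C:\\WINDOWS\\SYSTEM\\Rsrcload.exe"

[HKEY_CLASSES_ROOT\DirectSocketsDrv]
@=""

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"""


def parse_reg(text):
    """Return (key, value_name, data) tuples; a key line yields (key, None, None)."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries.append((key, None, None))
        elif key and "=" in line and not line.startswith(";"):
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            # Undo the export's escaping: \\ -> \ and \" -> "
            data = data.strip('"').replace("\\\\", "\\").replace('\\"', '"')
            entries.append((key, name, data))
    return entries


def image_name(command):
    """Lower-cased file name of the program a Run value would launch."""
    command = command.strip()
    if command.startswith('"'):                 # quoted path, possibly followed by arguments
        end = command.find('"', 1)
        path = command[1:end] if end > 0 else command[1:]
    else:
        path = command.split(" ")[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def audit(entries):
    """List autostart values that launch a listed file, and marker keys that are present."""
    findings = []
    for key, name, data in entries:
        if name is None:
            if key.lower() in MARKER_KEYS:
                findings.append({"key": key, "value": None, "reason": "trojan marker key present"})
            continue
        if key.lower() in RUN_KEYS and image_name(data) in SUSPECT_FILES:
            findings.append({"key": key, "value": name,
                             "reason": f"autostart launches {image_name(data)}"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_reg(SAMPLE_REG)):
        print(f"{f['key']}  {f['value'] or ''}  -> {f['reason']}")
```

On the sample this reports the Run value that launches Rsrcload.exe and the DirectSocketsDrv marker key, while the ordinary entries pass. A match tells you what to hand to a trojan scanner or remove; the file named by the value is what closing the port never touched.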
kgsuth
Member
Posts: 84
Joined: Fri Jan 26, 2001 12:00 am
Location: Coquitlam,BC,Canada

Post by kgsuth »

Thanks Croc

Appreciate the help

Will look up your threads.
Cypher
Posts: 2717
Joined: Tue Jul 02, 2002 12:00 pm
Location: Returning video tapes

Post by Cypher »

This is how Zone Alarm makes itself seem essential. A firewall only needs to listen to ports and prevent attacks, not go on and on. Disable the logs and go here: https://grc.com/x/ne.dll?bh0bkyd2. This will tell you how "safe" you are. I would also recommend Sygate 5.0. It's free and works great. :D :D
Don't let Zone worry you too much.
Cypher
Posts: 2717
Joined: Tue Jul 02, 2002 12:00 pm
Location: Returning video tapes

Post by Cypher »

P.S. Adaware is awesome. Get Refupdater also; it keeps it current.
kgsuth
Member
Posts: 84
Joined: Fri Jan 26, 2001 12:00 am
Location: Coquitlam,BC,Canada

Post by kgsuth »

Thanks Cypher, your input is appreciated.

I did use Shields Up and got a stealth rating.

Great stuff.
downhill
Posts: 34799
Joined: Sat Jan 15, 2000 12:00 pm
Location: My Own Private Idaho

Post by downhill »

A lot are scans looking for open ports. Kids looking for fun... to the more sinister side, looking to find credit card numbers etc etc...

Most of mine are SubSeven or kids looking for servers.
Cypher
Posts: 2717
Joined: Tue Jul 02, 2002 12:00 pm
Location: Returning video tapes

Post by Cypher »

Not a problem. When my little brother had Zone, he always called about all these "attacks". ;) anyway I'm glad I could help. I get so much help here after all :D :D