View Full Version : Do I need a router?


deadman_uk
30-12-2004, 22:58
I've been having a lot of attacks that my Sygate firewall has blocked (at least I think it has), but I've been running some online port scan tests and many of the tests said I am not well protected and a hacker could gain access to my PC easily.

Here is one of the tests I did:

http://homepage.ntlworld.com/stephanie.mirza/Ports/portscanlog.htm

I am with NTL Broadband on the 750k package. I have an NTL Home external cable modem 200. My friends, who are all in the States (one is from Holland), all have routers, which they say are basically hardware firewalls.

I have some security issues and I need to know: do I need a router to fix these issues? Can NTL help me at all?

Mal
30-12-2004, 23:09
It won't hurt having a router as a firewall. I've got one for that purpose after my PC had an allergic reaction last year to any software firewall. :shrug:

Double the protection, if you can afford it.

I suppose, though, that it depends on what your issues are.

EDIT: Sorry, :welcome: to the site by the way. :)

iron25
30-12-2004, 23:24
As long as you have got Sygate set up correctly, it will be very difficult for anyone or anything to get into your PC without you knowing about it. I have been running Sygate for several years now and I always leave it on prompt, so I know exactly what is coming in and going out, and I have never been hacked. I now have a router, as I share my connection with several computers, and the router runs NAT, so I don't have to use Sygate, but I still leave Sygate running so I know exactly what is communicating with my internet connection. Spending £30-40 on a router will give you better protection, but I can't see the point in spending the money unless you also want to share your connection with other computers.

Mal
30-12-2004, 23:33
The reason I got a router was that after I upgraded from Windows ME to XP, there were problems.

I found out that programs I had blocked from outgoing access were in fact still going out. ZoneAlarm refused to work full stop. So I didn't trust them entirely, even when I eventually fixed the problem.

If they're having problems with the firewall, getting a router might be a solution, as if you're paranoid you may never get the trust back. :)

It's all down to cost.

Deadman_uk, have you tried Sygate to see if they can help?

deadman_uk
30-12-2004, 23:47
For the last few days I keep getting an alert from Sygate firewall saying something like "port scanned" or "port scan attack found".

Take a look at this...

http://homepage.ntlworld.com/stephanie.mirza/attack.JPG

When I run this test http://www.securitymetrics.com/portscan.adp (first test), none of them come up as stealth: all of them are closed, and 4 are open and at serious risk. All my friends have theirs saying stealth. Take a look at mine:

http://homepage.ntlworld.com/stephanie.mirza/Ports/portscanlog.htm

I'm not loaded with cash, I have no desire to hook up 2 PCs, I just want to be protected. I have Norton AntiVirus 2005 and Sygate firewall, and I just installed ZoneAlarm, which has made no difference whatsoever, but that's staying on. I also scanned for spyware and got the latest Windows updates.

Mal
30-12-2004, 23:52
Two firewalls may cause problems.

Try Gibson's (https://www.grc.com/x/ne.dll?bh0bkyd2) site. That also gives advice. :shrug:

iron25
31-12-2004, 00:01
The fact that the direction is outgoing makes it look like some sort of spyware or trojan has hijacked a file and is trying to connect to something. A lot of spyware and trojan programs rename system files and then create their own versions with the same name, so it looks like a normal Windows file is trying to communicate. Do a search in Google with the file name, the IP/host address and the port to see if there is any sort of spyware or trojan that does what your PC is doing.

I had a similar problem some time ago with a friend's PC where some spyware had hijacked some system files. I ran a virus checker and a spyware checker on the machine and nothing was picked up. To fix the problem I had to boot into safe mode, use the DOS attrib command to find the file, remove it and also delete the registry entries. It was a bugger to fix, but I cleaned it eventually.

Your problem could be that you are already infected with something. Look at Task Manager to see what is running; it's usually pretty obvious if anything dodgy is running.

If you're not sure, post a screen print of your Task Manager so we can see what is running.
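The post above describes the trick of replacing a system file with an impostor of the same name, and the later question in the thread is how you would ever notice. The usual answer is a file-integrity baseline: hash every file while the machine is known clean, then re-hash and diff. The script below is an added example, not code from anyone in this thread; it builds a throwaway directory with two constructed "system files", takes a baseline, simulates the rename-and-replace hijack, and reports what changed. The directory layout, file names and contents are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 so large binaries do not need to fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def compare(baseline: dict, current: dict) -> dict:
    """Diff two snapshots. A hijacked file shows up as 'modified' (same name,
    different bytes); the renamed-aside original shows up as 'added'."""
    report = {"modified": [], "added": [], "missing": []}
    for name, digest in current.items():
        if name not in baseline:
            report["added"].append(name)
        elif baseline[name] != digest:
            report["modified"].append(name)
    for name in baseline:
        if name not in current:
            report["missing"].append(name)
    for key in report:
        report[key].sort()
    return report


def demo() -> dict:
    """Constructed scenario: baseline taken clean, then svchost.exe is renamed
    aside and an impostor with the same name is dropped in its place."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        sys32 = root / "system32"
        sys32.mkdir()
        (sys32 / "svchost.exe").write_bytes(b"constructed legit svchost bytes")
        (sys32 / "winlogon.exe").write_bytes(b"constructed legit winlogon bytes")
        baseline = snapshot(root)          # must be taken from a known-clean state

        # the hijack the post describes: original moved aside, impostor takes its name
        (sys32 / "svchost.exe").rename(sys32 / "svchost.bak")
        (sys32 / "svchost.exe").write_bytes(b"constructed trojan bytes")

        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner would add: a baseline is only as trustworthy as the state it was taken from, so on a machine you already suspect, compare against hashes from vendor install media or a clean reference build rather than against the machine's own earlier snapshot. Hidden or system attributes (the reason the post needed attrib in safe mode) do not hide a file from a hash walk like this one.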

deadman_uk
31-12-2004, 00:01
For the file sharing test...

Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.
For the other tests, all passed. It seems ZoneAlarm is doing nothing, so I'll take that off.

Mal
31-12-2004, 00:05
Well, one of the application hijackings is for lavasoftusa.com, which is the Ad-Aware SE site :shrug:

Oops, sorry if I'm confusing people.

deadman_uk
31-12-2004, 00:09
I know I have nothing bad in Task Manager, but I'll show you anyway:
http://homepage.ntlworld.com/stephanie.mirza/taskmanager.JPG

How do I know if my system files have been hijacked?

deadman_uk
31-12-2004, 00:13
Do a search in Google with the file name, the IP/host address and the port to see if there is any sort of spyware or trojan that does what your PC is doing.

I traced one IP ( 213.118.92.167 ) and it said this....
% This is the RIPE Whois query server #2.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/db/copyright.html

inetnum: 213.118.64.0 - 213.118.159.255
netname: TELENET
descr: Telenet Operaties N.V.
country: BE
admin-c: PS396-RIPE
tech-c: PS396-RIPE
status: ASSIGNED PA
mnt-by: TELENET-DBM
mnt-lower: TELENET-DBM
changed: tech@telenet-ops.be 20020418
source: RIPE

route: 213.118.0.0/15
descr: TELENET
origin: AS6848
mnt-by: TELENET-OPS-MNT
changed: tech@telenet-ops.be 20010523
source: RIPE

role: Technical Internet
address: Telenet Operaties N.V.
address: Liersesteenweg 4
address: B-2800 Mechelen
address: Belgium
e-mail: tech@telenet-ops.be
trouble: IMPORTANT: To report intrusion attempts, hacking,
trouble: IMPORTANT: spamming, or other unaccepted behavior
trouble: IMPORTANT: by a Telenet/Pandora customer, please
trouble: IMPORTANT: send a message to abuse@pandora.be
trouble: IMPORTANT: Voor het rapporteren van inbraakpogingen,
trouble: IMPORTANT: hacking, spamming, of ander onaanvaardbaar
trouble: IMPORTANT: gedrag van een Telenet/Pandora klant, gelieve
trouble: IMPORTANT: een bericht te zenden naar abuse@pandora.be
admin-c: TI346-ORG
tech-c: TI346-ORG
nic-hdl: PS396-RIPE
mnt-by: TELENET-DBM
changed: tech@telenet-ops.be 20000630
source: RIPE

iron25
31-12-2004, 00:29
There does not appear to be anything dodgy running on your system, and that trace could be anyone.

What I would do is go into the application list in Sygate and either remove all of them or set the access for every single application to "ask". That way it will always pop up when anything is trying to communicate, and you can see exactly where the program is and what data it is trying to send.

deadman_uk
31-12-2004, 00:47
Thanks Iron, I'll do that.

deadman_uk
31-12-2004, 04:52
I'm still failing this test!!!

I still really need help. Why am I getting 4 bad things on this test (http://www.securitymetrics.com/portscan.adp), and why are none of them stealth... all my friends have stealth!

http://homepage.ntlworld.com/stephanie.mirza/Ports/portscanlog.htm

Here are the 4 things that are open:

SSH - Secure Shell (SSH) uses encryption to secure information sent over a network. While it typically improves security there are numerous problems with older versions of SSH which may allow brute force attacks.

DNS - Domain Name Services are used to tell other computers what your IP address is. There are several exploits associated with this service.

HTTP - World Wide Web services allow you to publish web pages to the Internet. There are hundreds of severe security vulnerabilities associated with this service. Keep your WWW server software updated.

HTTP Proxy - HTTP Proxy provides a way for a hacker to pretend to be your computer. Others who may have been hacked may see your computer address and want you to justify why you hacked them.

It listed possible fixes, and for the SSH port 22 it said to update to the latest SSH, which I did: I downloaded SSH Secure Shell Client and installed it, but it still comes up as danger.

For the DNS port 53, it said: right-click the network icon & select Properties \ right-click the Local Area Network icon & select Properties \ select TCP/IP for your NIC & click Properties \ click the Advanced button \ click the DNS tab \ remove the check next to "Register this connection's address with DNS", then disable the DNS Client service.

I did that, but it still comes up as danger and the port is still open!

Any idea how to fix these error things? I'm really worried, I don't want to get hacked (if I am).

melevittfl
31-12-2004, 10:59
I still really need help. Why am I getting 4 bad things on this test (http://www.securitymetrics.com/portscan.adp), and why are none of them stealth... all my friends have stealth!

OK, first, calm down. :)

All web traffic on NTL goes through an NTL proxy server. The securitymetrics.com portscan is incorrectly testing the NTL proxy server, not your PC. Try a different scanner like https://grc.com/x/ne.dll?bh0bkyd2

Now, that being said, I wouldn't worry too much about "stealth" vs. "closed". In both cases, your computer is not accepting connections on that port, and there is nothing anyone can do to your computer if it's not listening.

Some people will say "stealth" is better because people won't be able to tell that a PC is even there, but they're wrong. So, don't worry too much about it either way.
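The "stealth" versus "closed" distinction in the post above comes down to what a scanner gets back from a TCP connect: a completed handshake (open), a RST (closed, nothing listening) or silence until the timeout (the packet was dropped, which is all "stealth" means). The scanner below is an added example, not something posted in this thread or taken from any of the scan sites mentioned; it classifies a port the same way those sites do and, as an offline demonstration, scans one loopback port while a constructed listener holds it and again after the listener is gone. The host and port values in demo() are chosen here and are not from the original post.

```python
import errno
import socket


def classify_port(host: str, port: int, timeout: float = 1.0) -> str:
    """Classify one TCP port the way an online port scanner reports it.

    open        - the three-way handshake completed: something is listening
    closed      - the host replied with a RST (connection refused): nothing is
                  listening, so there is nothing to attack on that port
    stealth     - no reply before the timeout: a firewall silently dropped the
                  packet (the scanners' "stealth"); equally unattackable
    unreachable - the local stack could not route to the host at all
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.timeout:
        return "stealth"
    except ConnectionRefusedError:
        return "closed"
    except OSError as exc:
        if exc.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "unreachable"
        raise
    finally:
        s.close()


def demo() -> dict:
    """Constructed, offline demonstration on the loopback interface:
    the same port is classified while a listener holds it and after it closes."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", 0))        # port 0: the OS picks a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    results = {"port": port, "while_listening": classify_port("127.0.0.1", port)}
    listener.close()
    results["after_close"] = classify_port("127.0.0.1", port)
    return results


if __name__ == "__main__":
    print(demo())
```

Two caveats follow from the post. A web-based scanner classifies whatever address the HTTP request arrived from, so behind a transparent proxy (the NTL case described) it is the proxy's ports being classified, not yours. And a "stealth" result only tells you the packet was dropped; it says nothing about outbound connections, which is where a trojan does its work.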

iron25
31-12-2004, 14:09

I'm sitting behind a router and I have Sygate installed. I clicked on the link and I got the same danger status as you did, and I don't see it being a problem. I don't even have SSH running on my PC!

iron25
31-12-2004, 14:17
Go here http://scan.sygate.com/probe.html and scan using the Sygate website.

Here is the result I got:

This is the public IP address that is visible to the internet.
Note: this may not be your IP address if you are connecting through a router, proxy or firewall.

Trying to gather information from your web browser...

Operating System = Windows NT 5.2
Browser = Microsoft Internet Explorer 6.0

Trying to find out your computer name...

Unable to determine your computer name!

Trying to find out what services you are running...

Unable to detect any running services!


I also clicked the stealth scan and the results showed that all were blocked apart from WEB PROXY, but that is my router.

deadman_uk
31-12-2004, 18:45
I ran the file sharing test and got 2 - signs on it...

Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.
On the common ports scan I failed... one port is open:
PORT 1025
One or more unspecified Distributed COM (DCOM) services are opened by Windows. The exact port(s) opened can change, since queries to port 135 are used to determine which services are operating where. As is the rule for all exposed Internet services, you should arrange to close this port to external access so that potential current and future security or privacy exploits can not succeed against your system.

For the all service ports test, I failed again... same thing... port 1025 open.

deadman_uk
31-12-2004, 18:55
Iron, I tried the Sygate scan; I always pass that, but other scans say I fail.

In the post I just wrote I had port 1025 open. I just found out how to close it, and now I pass the test on all of Shields Up. I blocked port 1025 for incoming traffic.

I still fail the 4 tests on the other site. How do I make all my ports stealth?

iadom
31-12-2004, 20:03
Have you tried running HijackThis? Post your results on here and someone will be able to tell you if there is anything on your PC that is attempting unauthorised outgoing activity.


http://www.spychecker.com/program/hijackthis.html

deadman_uk
31-12-2004, 20:59
Logfile of HijackThis v1.99.0
Scan saved at 20:59:07, on 31/12/2004
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Messenger Plus! 3\MsgPlus.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Deadman\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Pro\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Pro - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - C:\Program Files\Panicware\Pop-Up Stopper Pro\popuppro.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Toolbars\Restrictions present
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab30149.cab
O23 - Service: Adobe LM Service - Unknown - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Symantec Event Manager - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Sandra Data Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcDataSrv.exe
O23 - Service: Sandra Service - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005\RpcSandraSrv.exe
O23 - Service: ScriptBlocking Service - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Sygate Personal Firewall - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: StyleXPService - Unknown - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: SymWMI Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

daxx
31-12-2004, 22:50
Results from Sygate:

We have determined that your IP address is xxx.xxx.xxx.xxx
This is the public IP address that is visible to the internet.
Note: this may not be your IP address if you are connecting through a router, proxy or firewall.



Trying to gather information from your web browser...

Operating System = Windows 2000
Browser = Firefox 1.0

Trying to find out your computer name...

Unable to determine your computer name!


Trying to find out what services you are running...

Unable to detect any running services!


Using a router and ZoneAlarm, which has yet to fail me on any 'reputable' security check. I know for a fact that several services are running, but they are currently operating in stealth mode :)

The GRC site as usual shows full stealth mode on a full scan, just what I like to hear.

deadman_uk
01-01-2005, 18:27
Can someone look at my HijackThis log please?

goldchip
02-01-2005, 09:44
Just some things to consider:
1. A router/firewall combo will only stop inbound connections; it won't stop anything on your PC connecting to the internet. (At home I use NIS and a router combo.)
2. Stealth is a whole other argument. The RFC (Request For Comments) dealing with this issue says that ALL network-connected devices (your PC) MUST answer certain calls, such as a ping. Personally I prefer my firewalls to disregard ALL traffic not initiated from within. (That's my personal opinion, and goes against the RFC; as long as I can enable it again to troubleshoot, then I'm happy.)
3. Unless you have a service (such as DNS, HTTP, etc.) on your box, then even if the port is open there is nothing to connect to.
4. Some sites that test your connection (Sygate?) will say that you should install their software *just in case*. Sounds like someone trying to scare people into buying to me; again, my personal opinion.

iadom
02-01-2005, 22:51
Can someone look at my HijackThis log please?
Here is the response I promised you via PM; I thought I would post it in case it may be of some help to others.

From a known HijackThis expert, re your logfile:


The log looks clean except for this:

If you want to keep MessengerPlus (http://www.msgplus.net/download.php) but didn't choose the option to refuse the advertising, then please uninstall the copy you have, download it again, and when you get to the Sponsor Agreement select the option which reads "I Refuse, do not install the sponsor program".

HTH
Jim.