I have just been scanned
slacker361
08-26-02, 06:44 PM
I feel a little violated... and I liked it.
I just got a major scan from 66.186.38.11. It didn't show up on my router report; does this mean this person made it past the router??
I just happened to do a netstat at the time I was getting scanned.
Are you running a firewall too?
slacker361
08-27-02, 08:17 AM
Yep, it is a NAT firewall.
Are you running a firewall program, not just a router?
slacker361
08-27-02, 10:20 AM
Nope, a D-Link router.......................
You should be running a firewall program also. With a firewall program you can block out IPs that scan you and get a log of all scans. It will tell you if they get through.
slacker361
08-27-02, 11:18 AM
Well, the router gives the log and usually tells me when they are scanning. I just happened to use netstat at the same time I was looking at the log, and the log (even after a refresh) didn't show this activity but netstat did. Does this mean they got through...... does anyone know of a successful hack on a NAT?
cyberskye
08-27-02, 11:33 AM
What did you see in netstat?
slacker361
08-27-02, 11:37 AM
This person, 66.186.38.11, scanning my ports.
slacker361
08-27-02, 11:38 AM
OrgName: Cable & Wireless
OrgID: EXCW
NetRange: 66.186.32.0 - 66.186.47.255
CIDR: 66.186.32.0/20
NetName: NY1-5
NetHandle: NET-66-186-32-0-1
Parent: NET-66-0-0-0-0
NetType: Direct Allocation
NameServer: DNS01.EXODUS.NET
NameServer: DNS02.EXODUS.NET
NameServer: DNS03.EXODUS.NET
NameServer: DNS04.EXODUS.NET
Comment: * Rwhois reassignment information for this block is available at:
* rwhois.exodus.net 4321
* For abuse please contact abuse@exodus.net
RegDate:
Updated: 2002-08-21
TechHandle: ZC221-ARIN
TechName: Cable & Wireless
TechPhone: +1-919-465-4023
TechEmail: ip@gnoc.cw.net
OrgAbuseHandle: ABUSE11-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-877-393-7878
OrgAbuseEmail: abuse@exodus.net
OrgNOCHandle: NOC99-ARIN
OrgNOCName: Network Operations Center
OrgNOCPhone: +1-800-977-4662
OrgNOCEmail: trouble@cw.net
OrgTechHandle: EIAA-ARIN
OrgTechName: Exodus IP Address Administration
OrgTechPhone: +1-888-239-6387
OrgTechEmail: ipaddressadmin@exodus.net
OrgTechHandle: GIAA-ARIN
OrgTechName: Global IP Address Administration
OrgTechPhone: +1-919-465-4096
OrgTechEmail: ip@gnoc.cw.net
# ARIN Whois database, last updated 2002-08-26 19:15
# Enter ? for additional hints on searching ARIN's Whois database.
This is what I get from the IP.
I get scanned about 10 times a day. What kind of a scan was it? Some scans look for whether particular ports are open for remote access: the attacker attempts to see if this well-known service is available. An intruder is sending an invalid Quake3 packet which may allow a break-in.
There are all kinds of scans; you need a firewall program also to be safe.
slacker361
08-27-02, 11:55 AM
OK, I think maybe I am getting off track here:
1. Since the scan didn't hit the router log, did the scan get through?
2. Has there been a successful hack of a NAT?
3. Every time I have someone do a scan on my system they can't find it; is this still true........
1. Since the scan didn't hit the router log, did the scan get through? No way to tell without a firewall program to tell you if it did or not.
2. Has there been a successful hack of a NAT?
Yes. A hacker will use a program that will scan 1000's of IPs looking for an open port; if you have one open he can get in.
3. Every time I have someone do a scan on my system they can't find it; is this still true........
Yes. What kind of a scan are they doing? Are they looking for open ports?
Go to this web page:
http://grc.com/default.htm
Click on ShieldsUP!, do a port scan and Test My Shields.
That will tell you a lot.
slacker361
08-27-02, 12:42 PM
Results:
Port   Service   Status     Security Implications
21     FTP       Stealth!   There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
23     Telnet    Stealth!   There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
25     SMTP      Stealth!   There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
79     Finger    Stealth!   There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
110    POP3      Stealth!   There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
113    IDENT     Closed     Your computer has responded that this port exists but is currently closed to connections.
135    RPC       Stealth!   There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
139    NetBIOS   Stealth!   There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
143    IMAP      Stealth!   There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
443    HTTPS     Stealth!   There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
445    MSFT DS   Stealth!   There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
5000   UPnP      Stealth!   There is NO EVIDENCE WHATSOEVER that a port (or even any computer) exists at this IP address!
Attempting connection to your computer. . .
Shields UP! is now attempting to contact the Hidden Internet Server within your PC. It is likely that no one has told you that your own personal computer may now be functioning as an Internet Server with neither your knowledge nor your permission. And that it may be serving up all or many of your personal files for reading, writing, modification and even deletion by anyone, anywhere, on the Internet!
Your Internet port 139 does not appear to exist!
One or more ports on this system are operating in FULL STEALTH MODE! Standard Internet behavior requires port connection attempts to be answered with a success or refusal response. Therefore, only an attempt to connect to a nonexistent computer results in no response of either kind. But YOUR computer has DELIBERATELY CHOSEN NOT TO RESPOND (that's very cool!) which represents advanced computer and port stealthing capabilities. A machine configured in this fashion is well hardened to Internet NetBIOS attack and intrusion.
Unable to connect with NetBIOS to your computer.
All attempts to get any information from your computer have FAILED. (This is very uncommon for a Windows networking-based PC.) Relative to vulnerabilities from Windows networking, this computer appears to be VERY SECURE since it is NOT exposing ANY of its internal NetBIOS networking protocol over the Internet.
From that I would think you're safe.
slacker361
08-27-02, 12:55 PM
OK, that is what I thought too, but I just didn't understand why the other thing happened. Guess I'll chalk it up to Microsoft.
No: you get scanned all the time, you just don't know it.
cyberskye
08-27-02, 01:33 PM
I'm still very curious - what exactly did you see in netstat? What options did you run with netstat? What ports were involved?
Nothing is 100% secure, so it is possible to bypass NAT
slacker361
08-27-02, 01:36 PM
Sorry, I really didn't take a snapshot of the netstat.
I just ran netstat, no other options.
If it happens again I will capture it.......
It would be cool to see if someone could hack my system, but I'm not sure who I could trust to just get in and not do any damage.
Time, Event, Intruder, Count
08/25/2002 08:28:02 AM, UDP port probe, 208.254.16.71, 14
08/25/2002 07:18:51 PM, TCP port probe, 184dyn103.com21.casema.net, 6
08/24/2002 10:43:32 PM, TCP port probe, 18.54.35.65.cfl.rr.com, 1
08/24/2002 10:43:58 PM, TCP port probe, 12-230-189-40.client.attbi.com, 3
08/18/2002 06:09:49 PM, Quake Exploit, 12-222-89-32.client.insightBB.com, 1
08/25/2002 07:47:55 PM, TCP port probe, 12-221-211-41.client.insightBB.com, 3
08/25/2002 07:47:59 PM, UDP port probe, 12-221-211-41.client.insightBB.com, 3
08/16/2002 11:45:04 PM, Quake Exploit, 00508BAE2237, 1
08/17/2002 01:38:19 PM, Quake Exploit, 00508BAE2237, 1
A good firewall program will tell you a lot; this is just one 24 hr time frame.
cyberskye
08-27-02, 05:08 PM
I just want to be sure that someone was able to scan through your NAT device when GRC.COM's scanner could not. Do you remember what the state was reported as in netstat?
Kriptek
08-27-02, 05:40 PM
From what I have heard, the GRC scanner isn't very good. I have tested it with a Win 98 box that was wide open. Shields Up still gave my setup an OK. Try the one over at www.hackerwhacker.com
cyberskye
08-28-02, 10:44 AM
There are hardening techniques that could pass most scanner tests - as long as you aren't running servers. Things like unbinding TCP/IP from all services... A port probe is a really simple generic procedure: a port is either open or closed.
I come from a Unix networking background and was just curious how one might use netstat to determine that they are being probed - my states are LISTENING, TIME_WAIT, ESTABLISHED, and SYN_SENT. I don't know what the state would be for a port probe from a foreign address....
§I€MFKR™
08-28-02, 10:59 AM
Originally posted by slacker361
Results:
Port   Service   Status     Security Implications
113    IDENT     Closed     Your computer has responded that this port exists but is currently closed to connections.
I don't like that. Why? Closed or not, would that port show at all? Doesn't seem right.
cyberskye
08-28-02, 11:19 AM
I have the option in my Nexland and SonicWall to expose the ident port (shows closed) or stealth it. If he is scanning the router, netstat shouldn't pick up anything.
I would think that it would show the probe or scan even if it is closed or stealthed; the port just doesn't respond to the probe, and then it shows it was probed in your log.
§I€MFKR™
08-28-02, 12:10 PM
Yeah, could be. It just seems weird; I just like the fact that there is no evidence of me at all. :D
slacker361
08-29-02, 04:34 PM
OK, this time I caught it on tape. Here is a netstat of it happening:
Active Connections
Proto Local Address Foreign Address State
TCP t:2350 63.217.30.71:80 TIME_WAIT
TCP t:2351 63.217.30.71:80 TIME_WAIT
TCP t:2352 63.217.30.71:80 TIME_WAIT
TCP t:2353 63.217.30.71:80 TIME_WAIT
TCP t:2354 63.217.30.71:80 TIME_WAIT
TCP t:2355 63.217.30.71:80 TIME_WAIT
TCP t:2356 63.217.30.71:80 TIME_WAIT
TCP t:2357 63.217.30.71:80 TIME_WAIT
TCP t:2358 63.217.30.71:80 TIME_WAIT
TCP t:2359 63.217.30.71:80 TIME_WAIT
TCP t:2360 63.217.30.71:80 TIME_WAIT
Any ideas on this?
That is you connecting to speedguide.net
You more than likely connected to speedguide.net, closed explorer and ran netstat.
Everything looks normal.
The TIME_WAIT state is a state that all the TCP connections enter into when the connection has been closed.
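As an added example, not from anyone in this thread: a small Python script that parses netstat output in the layout shown above and labels each row from the local machine's point of view. The sample rows are constructed to mirror the post, with two extra rows for contrast; treating local ports from 1024 up as client-side ephemeral ports is an assumption.

```python
import re
from collections import Counter

# Constructed sample mirroring the post's netstat burst, plus two rows added for contrast.
SAMPLE_NETSTAT = """Active Connections
  Proto  Local Address          Foreign Address        State
  TCP    t:2350                 63.217.30.71:80        TIME_WAIT
  TCP    t:2351                 63.217.30.71:80        TIME_WAIT
  TCP    t:2352                 63.217.30.71:80        TIME_WAIT
  TCP    t:139                  0.0.0.0:0              LISTENING
  TCP    t:445                  192.168.0.9:4021       ESTABLISHED
"""

ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S*)\s*$")
EPHEMERAL_START = 1024   # assumption: client-side ports start at 1024 on that era's Windows

def parse_netstat(text):
    """Return (proto, local_port, foreign_host, foreign_port, state) per row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            proto, _lhost, lport, fhost, fport, state = m.groups()
            rows.append((proto, int(lport), fhost, fport, state))
    return rows

def classify(row):
    """Describe a row from the local machine's point of view."""
    proto, lport, fhost, fport, state = row
    if state == "LISTENING":
        return "local service listening on %d (exposed only if the NAT forwards it)" % lport
    if state == "TIME_WAIT":
        # TIME_WAIT is the normal tail of a closed TCP session; a high local port
        # paired with a remote service port is a session this machine opened.
        if lport >= EPHEMERAL_START:
            return "outbound connection to %s:%s, already closed" % (fhost, fport)
        return "closed inbound connection to local port %d from %s" % (lport, fhost)
    if state == "ESTABLISHED" and lport < EPHEMERAL_START:
        return "inbound session to local service %d from %s" % (lport, fhost)
    return "%s connection to %s:%s" % (state.lower(), fhost, fport)

def summarize(text):
    """Count rows per description; the post's eleven TIME_WAIT rows collapse to one line."""
    return Counter(classify(r) for r in parse_netstat(text))

if __name__ == "__main__":
    for desc, n in summarize(SAMPLE_NETSTAT).items():
        print("%3d x %s" % (n, desc))
```

A probe aimed at the router's public address never reaches the PC's TCP stack, so it leaves no netstat row at all; the router log or a host firewall log is where it would show.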
slacker361
08-29-02, 07:21 PM
I see, that is why you are a senior member and I'm just a newbie. Thanks, maybe I won't worry so much about that.
You da man
slacker361
08-29-02, 08:03 PM
OK, this is getting ridiculous. I actually had to restart my router for a major UDP scan from 64.12.52.241 demand2-sm2-VIP.stream.aol.com
Are you running AIM from AOL?
slacker361
08-29-02, 10:29 PM
Nope, I uninstalled that long ago.
A personal firewall on your PC would not hurt. http://www.zonelabs.com. I use it on every computer that I touch.
slacker361
09-02-02, 08:30 PM
I have a NAT firewall; from what I understand, they are better than any software firewall, at least that is what I understand.
cyberskye
09-04-02, 02:33 PM
NAT will only inspect inbound packets, not outbound. Therefore, if you have a trojan, NAT does ABSOLUTELY nothing for you. The best is to use both. A software firewall (ZoneAlarm, Outpost, Tiny - to name a few) will monitor traffic in both directions.
NAT is a means of sharing a single IP address, thus saving the limited pool of addresses available on the internet. A nice side-effect is that no machine that is NAT'd is truly connected to the internet. I think of firewalls as being slightly more intelligent - able to inspect the nature of the packet and apply rules to it - versus NAT which can only look at source and destination ipaddress@port#.
Get a software firewall, keep your AV software up-to-date, run a trojan scanner every once in a while, and ease up on the caffeine - you'll live a lot longer.
Skye
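As an added illustration of that distinction (a toy model written for this page, not code from anyone in the thread): a NAT mapping table beside a per-program outbound rule. Addresses, ports and program names are constructed, the public address is a placeholder, and the first translated port is taken from the netstat posted above.

```python
from dataclasses import dataclass

# Constructed toy packets: a NAT sees only addresses and ports; the sending program is visible only on the host.
@dataclass(frozen=True)
class Packet:
    src: str       # "ip:port"
    dst: str       # "ip:port"
    app: str = ""  # originating program, known on the host only

class Nat:
    """Shares one public IP; forwards inbound packets only for known mappings."""
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.table = {}          # translated public port -> private "ip:port"
        self.next_port = 2350    # first translated port, as in the netstat above

    def outbound(self, pkt):
        # Every outbound packet is translated and passed; NAT has no rule for it.
        self.table[self.next_port] = pkt.src
        out = Packet("%s:%d" % (self.public_ip, self.next_port), pkt.dst)
        self.next_port += 1
        return out

    def inbound(self, pkt):
        # No mapping for the destination port means an unsolicited packet: dropped.
        private = self.table.get(int(pkt.dst.split(":")[1]))
        return Packet(pkt.src, private) if private else None

class EgressFirewall:
    """Host firewall: the per-program outbound check that NAT cannot do."""
    def __init__(self, allowed_apps):
        self.allowed = set(allowed_apps)

    def outbound(self, pkt):
        return pkt.app in self.allowed

def simulate():
    nat = Nat("198.51.100.7")                 # placeholder public address
    fw = EgressFirewall({"iexplore.exe"})     # only the browser may go out
    browser = Packet("192.168.0.2:1025", "63.217.30.71:80", app="iexplore.exe")
    trojan = Packet("192.168.0.2:1026", "203.0.113.9:6667", app="backdoor.exe")  # constructed name
    probe = Packet("66.186.38.11:4444", "198.51.100.7:139")   # unsolicited scan
    reply = Packet("63.217.30.71:80", "198.51.100.7:2350")    # answer to the browser
    return {
        "browser_out_nat": nat.outbound(browser) is not None,
        "trojan_out_nat": nat.outbound(trojan) is not None,   # NAT lets it out
        "trojan_out_hostfw": fw.outbound(trojan),             # host firewall blocks it
        "probe_in_nat": nat.inbound(probe) is not None,       # dropped: the "stealth" result
        "reply_in_nat": nat.inbound(reply) is not None,       # allowed: matches a mapping
    }
```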
slacker361
09-04-02, 05:11 PM
Well, I did ease up on the caffeine a while ago; what a freaking headache I had. A trojan scanner, where can I get one of those? AV scans for those? Norton 2001 with the most up-to-date definitions????
cyberskye
09-04-02, 06:44 PM
:D
http://www.anti-trojan.net - there are other games in town. You can search google for "anti-trojan software" or the like.
Norton is fine. That's what I use - some prefer McAfee. The key is to keep it up to date. I have update set to run 4 times a day. Paranoid? Maybe. I've also been infected before and am in no hurry to repeat the experience.
I used to run ZoneAlarm behind a Linksys NAT router. The SW firewall will affect performance somewhat, but that little pop-up window telling me every time an app tried to connect to the net gave me peace of mind. I now run a "true" hardware firewall - stateful packet inspection - so I dropped ZoneAlarm. As I said, NAT does not provide any outbound protection at all.
slacker361
09-04-02, 06:50 PM
Yeah, I can see that it would provide outbound, and I guess as long as I am up to date with AV definitions there still is a chance of a trojan being in here, but hmmmmmmmm
cyberskye
09-05-02, 01:39 AM
Yeah, I can see that it would provide outbound, and I guess as long as I am up to date with AV definitions there still is a chance of a trojan being in here, but hmmmmmmmm
No offense at all - but you seem more than a little concerned about your internet connections. I pay close attention to those things as well. I would recommend that you get yourself a SW firewall (all the ones I mentioned are 100% free). You can read through the logs and find out what all the connections are about.
cheers,
skye