
Internet Security Basics


paulsreef
12-15-2003, 04:40 PM
Apparently one of the users of this site discovered that they had been port scanned and it caused them quite a bit of concern. Being a network security person, I thought I would write a few lines to help newbies understand what's going on and what some of the jargon means.

First let me say that if you're not running a personal firewall, you need to be. No excuses, you're crazy if you don't. Luckily the individual in this case was (they were running Zone Alarm... an excellent FREE personal firewall). If that person had not been using that FW, many bad things could have happened.

So, let's just talk about port scans for a moment. In and of themselves, they aren't bad things. I use them all the time to check security on our networks and on customers' networks. They're simply a System Administration tool that tells you what ports on a system are open to outside connections and what services are running on those ports. Services could be anything like http (web) or FTP. Many services have standard ports. For example, http usually runs on port 80. Port scanners can take many different forms. Many are built right into the operating systems that you use everyday. In windows, you can see what ports are open on your own system by using the command line utility netstat.exe. There are many tools out there, however, that are designed with malicious intent. One of the great Windows security holes is port 139, the infamous NetBIOS port. If you leave this port open to the internet I can literally have full access to your C drive. That's bad. There are many less obvious security holes in Windows, but I won't go into them now (don't want to give anyone any ideas) ;-)

If you're wondering how vulnerable you are, do a simple test. Go to www.grc.com and do the Shields Up test. Gibson has a ton of Windows security material written for lay people there that will give you a basic understanding of the dangers. Shields Up will also tell you where you may be exposed and how to fix it. If you're running a personal FW, do the test anyway to see if you're not covering something you should be.

If you're running something like Zone Alarm, it will tell you when an attack has been thwarted and it will give you the IP address of the machine that originated the "attack." The best thing you can do with that info is go to www.samspade.org and do an IP Whois lookup. It's near the bottom of the page, so scroll down (4th from the bottom to be exact). That will do a query against the ARIN (American Registry of Internet Numbers) and give you all kinds of information about who owns the IP and where to complain about abuses. Ultimately it depends on what the network's Acceptable Use Policy says about things like port scans, so you'll have to ask. Port Scanning isn't in itself breaking in... it's more like knocking on the door to see if anyone's home. It's what someone does with the info afterwards that can be construed as a crime. The bottom line is cover your butt and run a FW. Also check for adware, spyware, Trojans, etc. It amazes me everyday how many people are trying to get into my systems in many, many ways (with new ways popping up all the time). Just as a personal note... I get port scanned at least once a week. At work we have what security experts call a "honey pot." It's a machine with absolutely no security, but with all kinds of tracking tools. We use it to catch people... bad people. :-)

Hope that little primer helped some. If you have questions, please let me know.

Paul

paulsreef
12-15-2003, 05:16 PM
Oh, as a follow-up to this... the individual who had been scanned captured two IP addresses. One turned out to be from University of Michigan and the other was a Comcast (cable modem) address. Two very common places that things like this originate from (i.e. schools and cable modems).

jman785
12-19-2003, 11:01 AM
paul, do you remember when GRC got hit with that DoS :-x That was crazy!

:eek2:

paulsreef
12-19-2003, 12:08 PM
Yeah, that was really wild huh? He's got a good write-up on that experience somewhere on the site. Just goes to show you that none of us are immune to attacks. :-)

H3R0
12-19-2003, 07:27 PM
thanx to all those lame ppl who think ther "1337 |-|@><0|2$"


one of my friends was like wow i can hack aim accounts.... i was like why? dood you need to get out more :roll:

jman785
12-19-2003, 07:39 PM
Well...it also helped him increase security, and also helped us understand more about how the whole DoS virus system was working...it was a very smart system, indeed. I actually downloaded a few versions, and toyed with them myself...they are easily setup and done...of course I had to manually remove all of them from all the networks I put them on...but it was a nice test...I was able to hold AOL modems offline, and even cable modems offline. I had 3 TC's, 1 OC48, and about 20 cable modems...I held my site offline for 2 hours, before I could get a nice filter on the router/firewall. My site is hosted on an OC48 backbone. So you can imagine, what you can do, with one cable modem...when you 'attack', you didn't do it very often by the way, unless they were all on cable, or OC48's or higher connections, but anyway, when you 'attack', it will eventually make them "die" in a way, until the computer or system is restarted, so you have to watch out...the person that held GRC offline, had THOUSANDS, of victims computers at his fingertips...and used them quite well...he had two separate systems...if one would die, he'd use the other one until the others restarted. They basically just ping-out and crash I guess you could say. They lose their connection until they can reset, or restart the computer...then they "magically" pop back on the net. I controlled my test version, thru IRC (Internet Relay Chat). So its easy to do, with absolutely no knowledge of DoS, until I experimented, I was able to pin down a site, in a matter of a few hours worth of installing the bug. I had to disable the antivirus to do this might I add...so if you test, make sure you disable, or it won't work. Also make sure you update your virus protection, it helps, trust me.
Anyway, one more thing, if you know IRC, then you know that they limit how many connections you can have per IP...well you can clone these bots...at least 2 times...making it more harmful than originally thought...meaning, 5 bots, would make 10 bots...but I figure that it wouldn't do anymore than it would if it wasn't cloned, you can only send so much information out of a computer...anyway...just thought I'd share that story. :banana:

paulsreef
12-20-2003, 02:38 AM
one of my friends was like wow i can hack aim accounts.... i was like why? dood you need to get out more :roll:

You raise an interesting point here... the difference between a hacker (in the true/original sense of the term) and a menace. Let me make the caveat that I am admittedly an old school geek from way back in the 300 baud modem days. When I was growing up (and definitely under 18) and was hacking, it didn't have the negative connotation it does now. We were interested in how things worked and seeing if something could be done. We weren't out to vandalize, destroy or steal anything. Folks like that exist today, but their benign quests for knowledge are sometimes overshadowed by the ignorant and malicious rompings of idiots with programs they download off the net and no real desire other than to cause problems. Very l33t indeed. ;-) Trust me, I can respect someone who wants to figure out how AIM works and hack it apart to see what can be done with it. What I don't have any respect for is someone with a script they don't understand who thinks it's funny to launch DOS attacks. Ok, I'm off my soapbox. :-D

jman785
12-20-2003, 02:46 AM
one of my friends was like wow i can hack aim accounts.... i was like why? dood you need to get out more

Your friend, is most definitely, what me and Paul and Nick would call a "Script Kiddie"...which is someone, that knows nothing, just thinks they are a hacker, by using someone else's exploits, code, and/or programs. :) It's ok...there are more than just him out there doing this...they are following real code, and trying to make it their own and stuff too, that's retarded...most of them end up getting 'menaced' I guess you could say, by people pissed off at them stealing their stuff...

H3R0
12-20-2003, 04:24 AM
i never said he used a script... so get off the horse. its not a big deal to learn how to do this stuff... its only a few 700 page ftp html books and a few operating system books away... but i do agree that using this knowledge in a malicious manner is bad and lame... that was the point i was getting at... and i also feel the ppl who write scripts like sub7 are just as bad as the 14 year old sitting in his room playing a joke on his friend...


its all relative

paulsreef
12-20-2003, 09:56 AM
No one said he used a script, it's just a general term that people use to describe people that download (normally) Win32 apps that are designed to do specific things. For the most part though, most of the compiled Win32 apps find their origins in UNIX scripts and things like that. If your friend is writing apps like this, then that I can have some respect for. I definitely have respect for the knowledge it takes to write an app like sub7, just not the intent to use it for malicious purposes. We study all those apps, you can learn a lot about security from them. You're right, it's not a big deal to learn to maliciously use an app to attack systems... it's quite another thing to understand the TCP/IP stack at a level that will allow you to find flaws and write applications or scripts to compromise it. That's part of the evolution process though. Without the blackhats finding the holes and trying to exploit them, the whitehats would never know they're there. It's the eternal game of cat and mouse... it's fun (in a very geeky sort of way) ;-)

jman785
12-20-2003, 03:11 PM
H3R0,

No need for the attitude homie :) All friends here dude. Paul got to the point in the post above at what I meant.

:banana: