Re: Is someone watching my computer?



greyteabox@xxxxxxxxx wrote in
news:1168667967.088345.174880@11g2000cwr.googlegroups.com:

> Hello,
>
> I am quite new to firewalls, therefore I am hoping for some general
> advice on what I can do to learn about all this.
>
> I am using Windows XP. I have installed Norton Internet Security 2006
> and Ad-Aware SE, but still wonder how others can infiltrate my
> computer. I assume there are VNC type applications and keyboard
> loggers that have ways of getting around both Norton and Ad-Aware.

There are so many ways for your computer to be compromised. The vnc service
and keyloggers don't even make a drop in the bucket. winvnc is a service.
You can monitor that through your services in administrative tools. Set it
to disabled, not manual and definitely not auto. Most readily available vnc
remote viewers use a standard default port setting, 5800 (webGUI) and 5900,
so check for activity on these ports if you are concerned. Keyloggers are a
different animal altogether. There is no sure-fire way to tell, though. If
you are really concerned, I don't know if I would leave my fate in the
hands of anything Symantec.. that is just personal experience. PFW's are
easily circumvented from the inside out, so the application control is
merely there as a "hope you feel better now" function. It does work on a
basic level, but I wouldn't trust it with anything critical. An example of
this would be a trojan that made its rounds a while back (name slips my
mind- sorry) that would rename itself as notepad.exe, wmplayer.exe, or
something like that and rename the original file as <app>.exe.bak in the
hopes of slipping past. A lot don't work, but just as many do I suspect.

> Are there ways to detect the use of programs like VNC and key loggers
> sending data out by looking at firewall logs? Is Norton a good tool
> for doing this with? Other suggestions for analyzing my network
> traffic?

Any odd outbound traffic could be an indication of infection of some sort,
but it is hard to tell you exactly what to look for. For the most part, if
the vnc service is being compromised, you will likely know in short order,
or you can monitor its status as mentioned above, or likely see it running
in the process list. VNC attacks are not very common though, as the
attacker has to physically sit there and concentrate on an individual
machine. Keyloggers are harder. There are lots of ways to catch these
unless they are hardware based. Do you have reason to believe that someone
has planted a keylogger, or is it just paranoia from the media frenzy as of
late?


> As an experiment I made a copy of winvnc and renamed it as
> systemfile.exe. After launching it, Norton came up with the regular
> message asking if it was ok to give this application to the Internet.
> It certainly didn't say that this looked like WinVNC given a different
> name... Couldn't one of these monitor programs be given an official
> looking name and launched along with everything else?

In short, yes. Good experiment. You now see that whatever you name it, the
function still stays the same unless you change the extension so Windows
does not know what to do with it, although it is just harder to find by
would-be bad guys who are expecting the default filename.

> Therefore...I have been wondering about reviewing network traffic...Any
> advice?

Advice- hmm.. kind of. If you are that worried, then I would suggest
running an actual external firewall with logging functions that is not at
the mercy of the system it resides on. Since Norton is resident on your
system, it also makes sense that it is going to be susceptible to any
compromises or flaws in that system. An external device running under its
own steam would not be influenced by any gremlins that may reside on your
system.
What kind of firewall, or NAT device, or whatever you want to run depends
entirely on your experience and budget. The simple NAT routers include the
SNMP function that, when combined with an SNMP logging agent such as Kiwi
Syslog or wallwatcher can capture a fair amount of traffic stats. You will
see a huge amount of information there though, so don't be alarmed by every
address that does not appear the same as yours. I would watch for a certain
port (or port range) communicating out to a specified address at fairly
regular intervals. Then google the port it is using to see if it comes up
as a fairly commonly used trojan port. Then determine if this is a known
application to you (such as a P2P or whatever). This will give you an idea.
Keep in mind that some legitimate services will use the same ports as
trojans, so you may need to dig deeper.
The best defense that you can apply is to know what you are doing, and what
the consequences are, and if you don't- just ask, like you have done. Run a
good AV app (opinions are as varied as the programs- use your judgement)
and Spyware removal tools. No promises you will catch it all, but do what
you can with what you've got, because it often is more than most do. While
PFW's are at least *some* measure of protection, they are not perfect, as I
am sure nothing really is. They are better than the alternative- being
nothing.
Lastly, if you have reason to wonder if someone has installed a keylogger,
I guess I would ask myself "Did they have reason to?"


> Thanks!


Welcome, hope this helps.



--

Back to your bridge Troll! You have no powers here!
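
Added example, not part of the original post: one way to do the log review the reply describes, flagging any destination address and port contacted at fairly regular intervals and any outbound use of the default VNC ports 5800/5900. The log format, the sample lines and the thresholds are assumptions made for illustration; adapt the regular expression to whatever your external firewall or syslog collector actually writes.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample lines (not from the original post);
# "epoch-seconds OUT src:sport -> dst:dport" is an assumed log format.
SAMPLE_LOG = """\
1000 OUT 192.168.1.10:1045 -> 203.0.113.7:6667
1013 OUT 192.168.1.10:1046 -> 198.51.100.20:80
1300 OUT 192.168.1.10:1047 -> 203.0.113.7:6667
1342 OUT 192.168.1.10:1048 -> 198.51.100.20:80
1601 OUT 192.168.1.10:1049 -> 203.0.113.7:6667
1655 OUT 192.168.1.10:1050 -> 192.0.2.55:5900
1899 OUT 192.168.1.10:1051 -> 203.0.113.7:6667
2200 OUT 192.168.1.10:1052 -> 203.0.113.7:6667
"""
LINE = re.compile(r"^(\d+) OUT \S+ -> ([\d.]+):(\d+)$")
VNC_PORTS = {5800, 5900}  # default ports named in the post

def parse(log):
    """Return {(dst_ip, dst_port): [timestamps]} for outbound lines."""
    flows = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            flows[(m.group(2), int(m.group(3)))].append(int(m.group(1)))
    return flows

def regular_talkers(flows, min_events=4, max_jitter=0.1):
    """Flag destinations contacted at near-constant intervals.
    Jitter = stddev of gaps / mean gap; thresholds are illustrative."""
    hits = []
    for dest, times in flows.items():
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_events and mean(gaps) > 0:
            jitter = pstdev(gaps) / mean(gaps)
            if jitter <= max_jitter:
                hits.append((dest, round(mean(gaps)), round(jitter, 3)))
    return hits

def vnc_destinations(flows):
    """Destinations reached on the default VNC ports."""
    return sorted(d for d in flows if d[1] in VNC_PORTS)

if __name__ == "__main__":
    flows = parse(SAMPLE_LOG)
    print("regular:", regular_talkers(flows))
    print("vnc ports:", vnc_destinations(flows))
```

A hit only means the traffic is periodic; as the reply says, legitimate software (mail polling, update checks, P2P) produces the same pattern, so identify the owning application before drawing conclusions.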