Re: Sokets De Trois v1
From: Bill Sanderson (Bill_Sanderson_at_msn.com.plugh.org)
Date: Thu, 20 May 2004 11:34:24 -0400
There's no such thing as a stupid question, although you may sometimes find
folks in newsgroups who behave that way.
If there were an actual human attacker, stealth mode doesn't really cut much
ice, I suspect. Your IP address is in the headers of smtp email, including
newsgroup messages. You really can't conceal your presence on the Internet,
but you can be sure that your machine listens only on ports that you
control, and you can work at ensuring that the services listening on those
ports are patched and secure.
It sounds like you are doing all the right things. It is definitely
possible to be infected by a worm or virus via a dialup connection--it has
happened to me in the past.
Newsgroups are an incredible resource--and the kind words you write are a
big part of what helps motivate the volunteers who keep them going--thanks!
"Leslie" <leslieunderscorekatz@agddotnswdotgovdotau> wrote in message
>I was right. I did betray my ignorance!
> The sources of the packets are different, according to my firewall event
> I believed that if a port was in stealth mode, an attacker would not even
> aware of your existence. From that, I somehow inferred that nothing would
> sent to you on that port, but merely typing it out makes me think that
> couldn't be right. My next guess, based on what you say, is that the
> of the port's being in stealth mode (as opposed to being merely closed) is
> that the attacker simply won't know why the attack failed. Maybe it's
> because the port of an existing computer is closed or maybe it's because
> there is no such computer at all.
> As to the SANS document, I did read it and the two documents referred to
> it, with partial understanding.
> As to being patched, I am as best I can be, I think. I use a dial-up
> connection and the first thing I do each time I dial up is go to Symantec
> and check for any updates to my antivirus and firewall software. I also
> download immediately any Windows or Office security updates I'm offered.
> I've also got something from Microsoft called the Baseline Security
> and I use that regularly. Still, with all of that, I worry about security,
> which was what made me break into the conversation earlier.
> Although I've been using computers since 1988, I've only really discovered
> newsgroups very recently and I am impressed beyond words at the
> of people in them to try to help others. Many thanks.
> "Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message
>> It does not know you are there--it is picking IP addresses--perhaps
>> Can you see whether the sources of these packets on port 5000 are the
>> or different?
>> The SANS URL I referenced in the last message has links to detailed
>> descriptions of the two worms in question, one from LHURQ, and the other
>> from Symantec. These worms are simply trying, as programmed, to
>> as best they can. They are testing to find folks with that port open,
>> from there, whether they are patched.
>> You've closed the port--so you are safe (from that external attack,
>> even were you unpatched. I hope very much that you are, in fact,
>> as well, though!
>> The language of the alert from the firewall really is misleading. It is
>> rather unlikely that you are being "attacked." These kinds of packets
>> part of background noise--monitored by folks like SANS, but the rest of
>> need not concern ourselves with them--like the sprays of virus-laden
>> that we all just delete by reflex these days.
>> So, in short, it doesn't know you are there. It does know that an IP
>> address that you happen to be using may well exist, and that, much like
>> generating random email addresses (but more efficient!) is what the worm
>> "Leslie" <firstname.lastname@example.org> wrote in message
>> > Thank you for the additional information.
>> > May I betray my ignorance of these matters (including, probably,
>> > correct
>> > terminology)?
>> > 1. I had disabled my UPnP service long before this current rash of
>> > intrusion attempts, which started, I note for what it's worth, just
>> > I installed some update for my Norton Personal Firewall.
>> > 2. When the current rash began, I found a (French language) Web page
>> > the various versions of Socket de Troie and their relevant ports.
>> > 3. I used Shields Up to check all those ports, including 5000. I was
>> > they were all in stealth mode.
>> > 4. How, then, does the program even know I'm there?