Re: Is secedit.exe left by a hacker?

From: Jim Matthews (jim_matt@swbell.net)
Date: 11/02/02 

From: "Jim Matthews" <jim_matt@swbell.net>
Date: Sat, 2 Nov 2002 08:51:27 -0800

The Linksys I am using is a BEFSR11.
The Firmware revision is 1.38.5 from April 12, 2001.

I am also looking into the other programs you mentioned
to scan my computer.

I will post my findings here for anyone who is interested
and following this.

>-----Original Message-----
>
>"Jim Matthews" <jim_matt@swbell.net> wrote in message
>news:0c9601c281d1$737a7b70$39ef2ecf@TKMSFTNGXA08...
>> Recently I noticed a lot of net activity on my LAN from
>> my W2K system. When I looked to see what was going
on, I
>> found a program called secedit.exe running out of
>> WINNT\System32. When I looked further, I saw a file
>> called secedit.sdb. I also found a file called 445.txt
>> which seems to contain a list of IP addresses that were
>> tested on port 445.
>>
>> There are times when I have restarted my computer, I
>> have noticed a command window with a title of secedit.
>>
>> I have a Linksys router that I use as a firewall to my
>> DSL connection so I thought I was pretty safe.
>>
>> Can anyone tell me if this is legitimate or has a
hacker
>> gotten in? Also, is there anything I need to set on
the
>> Linskys that is not a default setting?
>
>You don't mention which Linksys you are using. Some of
them don't do much
>to block outbound traffic, so that if you are infected
by a virus or worm or
>irc worm or trojan, a hacker can remotely control your
computer despite your
>firewall.
>
>You may want to download a free syslog client to capture
the logs from your
>firewall. By default, Linksys logs disappear after
about 10 minutes, which
>isn't very good if you've been hacked.
>
>Secedit.exe is the name of a legitimate Windows file,
but it should not be
>running continuously without your knowledge. 445.txt
sounds very
>suspicious. However, it's much better for you to use
scanning tools to
>investigate the files on your computer - antivirus with
the latest updates
>for the day, a trojan scanner such as
www.pestpatrol.com, vision from
>www.foundstone.com/knowledge, a file change checker such
as the free
>Languard file integrity checker from www.gfi.com [hidden
under the Languard
>"white papers" section], etc. Vision should tell you
what port if any
>secedit is using to communicate on the internet
[something the real secedit
>would never do] and look for other ports being held open
by suspicious
>software.
>
>If you have been hacked, you should consider formatting
and reinstalling
>windows and everything else. The reason for this is
that you will never be
>sure that you've removed all the back doors that the
hacker installed on
>your system without formatting.
>
>Before you format, you may want to do
>some more investigating using the instructions below to
see how this
>happened, to confirm that you really were hacked. Check
your IIS logs first
>[if IIS is running] for lines that contain .EXE or % and
that also have a
>200 or 502 code in the entry.
>
>If you want to secure your system, I would say you
should install all
>service packs
>and patches from www.windowsupdate.com and
>www.microsoft.com/technet/security, configure the system
using the various
>hardening checklists for XP / 2000 and IIS at
>www.microsoft.com/technet/security and www.nsa.gov and
http://rr.sans.org
>etc., enable auditing, use a firewall and consider using
antivirus and a
>file change checker.
>
>More information on how to tell if you've been hacked,
how to secure your
>machine, where to get a firewall and antivirus program
are all below:
>
>==============
>
>How can I tell if I've been hacked?
>
>Keep in mind during the investigation that this might
NOT be a hacker
>intrusion and might instead be regular network activity
or a worm. Books
>such as Incident Response, Hacker's Challenge and/or
Hacking Exposed 3rd
>Edition may offer you more information on how to
investigate intrusions.
>
>You may consider performing the actions below:
>
>1. Unplugging the network cable is one possible way to
try to prevent
>further damage.
>
>2. Use Fport or Vision from www.foundstone.com/knowledge
or pslist / pstools
>from www.sysinternals.com to look at the open ports on
your computer and the
>program or executable using that port. Some firewall
software such as
>www.sygate.com will also tell you this information.
>
>You can also use the NETSTAT -A command that comes with
Windows to look at
>open ports; however, this will not identify which
program is using the port.
>
>If you're unsure about the purpose of a particular port
or program, try
>searching an Internet search engine such as
www.google.com for the name of
>the port or program, or try right-clicking on the file
in question to see
>the properties. Or, you could even try to telnet to that
port e.g. by typing
>TELNET LOCALHOST PORTNUMBER or TELNET COMPUTERNAME
PORTNUMBER [example,
>TELNET LOCALHOST 82 ] and press the Enter key a few
times to see if any
>informative messages appear.
>
>3. Consider using a file change checker, such as the
unsupported free tool
>Languard File Integrity Checker at
www.gfi.com/languard/lantools-fic.htm.
>Recently changed files on your system can sometimes
indicate an intrusion.
>You could also find and list the files on your hard
drives that have been
>modified in the past 3 days by clicking on Start, Search
[or Find], Files or
>Folders, and setting the appropriate date [though note
that this may change
>the "Last Accessed" date stamp on some of these
files]. "The Forensic
>Toolkit" from www.foundstone.com/knowledge includes
command-line tools to
>list files without modifying the date.
>
>4. Inspect the programs that launch when Windows starts
on your computer, by
>using MSCONFIG or Startup Cop. Suspicious programs
starting when Windows
>starts can indicate a successful intrusion. [These can
also indicate less
>serious events such as a virus or worm infection or even
the installation of
>a freeware or ad-ware program such as an MP3 music file-
sharing program.]
>See the section in this FAQ entitled "I think there may
be a suspicious
>program, Trojan, ad-ware, "porn dialer," etc. starting
up on my computer
>when Windows starts" for more information on how to do
this.
>
>5. Check the logs on your computer, especially your
Internet router or
>firewall logs, the IIS web and ftp server logs and
Windows security event
>log. [This is probably the first thing to do if IIS web
services are running
>on the computer.] Some of these logs may not exist if
you have not already
>enabled them.
>
>Many common hacks are first seen in the IIS web server
logs. Any line in
>your web server log that contains % or .EXE and which
also contains a 200 or
>502 error code is cause for further investigation. If
you are familiar with
>DOS commands, you may be able to see exactly what
commands the intruder
>tried to execute. Keep in mind that every web server on
the Internet will
>have suspicious looking entries from worms like Nimda,
though these are not
>necessarily signs of a successful intrusion.
>
>For more information on deciphering web server logs, see
the section in this
>FAQ entitled "I keep seeing strange things in my IIS web
server logs, like
>'NNNNNNNNN' or 'GET /scripts/root.exe' Have I been
hacked?"
>
>6. Consider using a Trojan scanner. Antivirus programs
generally detect some
>but not all of the most common Trojans and hacker tools.
Some people choose
>to use a Trojan scanner in addition to antivirus.
>
>For more information on where and how to locate and use
free and not-free
>Trojan scanner software, see the section in this FAQ
entitled "Which
>antivirus should I choose? Which antivirus is the best?"
>
>7. Consider installing an antivirus program that is
configured to
>automatically download updates daily.
>
>For more information on where and how to locate and use
free and not-free
>antivirus software, see the sections in this FAQ
entitled "Which antivirus
>should I choose? Which antivirus is the best?" and the
section entitled "I
>think I might have a virus / worm / Trojan."
>
>8. Consider running a port scanner [and/or a
vulnerability scanner] to look
>for security flaws and configuration errors on your
computers. For example,
>you might also run a port scanner against your computers
to look for open
>ports. A particular open port might indicate the way a
hack occurred and/or
>might give you a way to identify other infected
computers. Begin with
>Vision, Fport and/or SuperScan from
www.foundstone.com/knowledge, MBSA from
>www.microsoft.com/download and/or Languard Network
Scanner from www.gfi.com
>
>See the section in this FAQ entitled "How can I scan my
computer or firewall
>to look for open ports or confirm that my machine is
secure?" for more
>information.
>
>9. Consider enabling or installing a firewall and/or a
sniffer [either
>software or hardware based] to monitor and look for
unusual network traffic.
>There are a number of free firewalls available on the
Internet which can
>show network transmissions to and from your computer,
such as
>www.sygate.com, or you could use the Network Monitor
which comes with
>Windows 2000 / XP / NT / .NET, or Ethereal at
www.ethereal.com, or Windump
>at http://windump.polito.it
>
>For more information on how and where to locate free and
not-free firewall
>software and hardware, see the section in this FAQ
entitled "Which firewall
>should I choose? Which firewall is the best?"
>
>10. The third party web sites and tools below may also
be helpful:
>
>www.sysinternals.com
>
>For example, some of the helpful free tools on this site
include Filemon,
>Regmon and Process Explorer which all display activity
on your computer you
>might not otherwise be able to see. These tools show
which files, registry
>keys, .DLLs and other objects are currently being
accessed and by which
>process.
>
>Pstools is a group of tools including pslist, which
lists detailed
>information about processes, and psloggedon, which
displays who is logged
>onto your computer currently.
>
>www.foundstone.com/knowledge
>
>In addition to the Vision / Fport tools, one of the free
tools on this site
>is NTLast, a security event log analysis tool that helps
identify who has
>gained access to the system, using the NT security event
logs [assuming
>auditing has previously been turned on].
>
>Also, the Forensic Toolkit is a collection of tools
including:
>* Afind, which lists recently accessed files without
changing the date stamp
>on the file;
>* Hfind, which scans the disk for hidden files;
>* Sfind, which scans the disk for files hidden in data
streams.
>
>www.incident-response.org/IRCR.htm
>
>Incident Response Collection Report (IRCR) is a
collection of forensic tools
>that automates many of the tasks a forensics expert
might perform.
>
>If you have trouble understanding the results of any of
these tools, you can
>post your results along with your question to an
appropriate Usenet
>newsgroup. Note that the Microsoft newsgroups may not be
the place to get
>the best answers to your questions, though you can try
and see what happens.
>
>[Thanks to Susan Bradley, Rob Lee and others]
>
>=====================
>
>How can I harden my computer or server to secure it from
hackers?
>
>A: [Note that if you have already been hacked, this
section will not help
>you re-secure your computer. In this case, you should
first read the section
>in this FAQ entitled "How can I re-secure my computer or
server after being
>hacked?"]
>
>Here is the short answer:
>
>1. Do not put the computer onto the network or the
Internet until after the
>computer has been hardened using the instructions below
[or at least not
>before a firewall and antivirus have been installed].
>2. Use firewall software and hardware and antivirus
software that is
>configured to download updates every day;
>3. Follow the instructions for hardening Windows and IIS
at
>www.microsoft.com/technet/security ;
>4. Install all service packs and security fixes from
Microsoft and otherwise
>for all Microsoft software on your computer [Windows,
IIS, Office, Internet
>Explorer, Windows Media Player, etc.] from
>www.microsoft.com/technet/security ;
>5. [Ongoing] Download MBSA from
www.microsoft.com/download and run it now
>and also at regular intervals to look for
vulnerabilities in your settings,
>new patches that are missing, etc. Also, check your
antivirus to confirm
>that the last successful update was less than 14 days
ago.
>
>These steps will make your computer fairly secure, but
may still leave some
>holes. Keep reading below for additional information you
should be aware of:
>
>A successful hacker, virus or worm intrusion into one of
your computers can
>drain your free disk space, slow down your Internet
connection, compromise
>your credit card numbers, damage your personal
documents, allow intruders to
>access other machines on your network that DO contain
important files,
>and/or leave you legally liable for other government or
business computers
>on the Internet that are hacked by an intruder using
your computer. This is
>why you should consider securing ALL the computer
systems in your home or
>network, even if you think there is nothing important on
the computer or it
>is "just a test computer."
>
>All Windows users should seriously consider all of the
procedures below to
>help prevent intrusions on their computers:
>
>1. Do not put the computer onto the network or the
Internet until after the
>computer has been hardened using the instructions below.
[Un-secured
>computers can be hacked in just 15 minutes or less after
being put onto the
>Internet.] Depending on your environment, it may be
acceptable to put your
>computer on the Internet after installing a firewall and
antivirus software
>with the latest updates.
>
>2. Seriously consider enabling or installing firewall
software and/or
>firewall hardware. There are a number of free firewalls
available, including
>the ICF feature that comes with Windows XP [unless XP is
joined to a Windows
>domain], and/or other third-party firewalls available on
the Internet.
>
>For more information on how and where to locate free and
not-free firewall
>software and hardware, see the section in this FAQ
entitled "Which firewall
>should I choose? Which firewall is the best?"
>
>3. Seriously consider installing an antivirus program
and configure it to
>automatically download updates daily.
>
>For more information on where and how to locate and use
free and not-free
>antivirus software, see the sections in this FAQ
entitled "Which antivirus
>should I choose? Which antivirus is the best?" and the
section entitled "I
>think I might have a virus / worm / Trojan."
>
>4. Follow the instructions for hardening Windows 2000
and also IIS [if IIS
>is installed] at www.microsoft.com/technet/security [For
Windows 2000 / NT,
>hardening IIS usually includes installing IISlockdown
including URLScan. For
>computers with FTP service installed, it usually
includes removing the Posix
>subsystem and removing write permission from the
anonymous user account,
>among other things.]
>
>5. Download and install all the service packs and
security patches from
>www.microsoft.com/technet/security for all the Microsoft
and non-Microsoft
>software installed on your computer, especially
Microsoft Windows, Office,
>Internet Explorer, Outlook Express, Windows Media Player
and IIS [if IIS is
>installed].
>
>Note that Windows 2000, XP, .NET and NT users should
also download patches
>for Indexing Services a.k.a. Index Server. Do not assume
that Index Server
>patches are included with any IIS comprehensive service
pack rollup you may
>already have installed, because they are not.
>
>[If you want a shortcut to do this faster, you could try
this:
>* Download and install the latest Windows service pack
from
>www.microsoft.com/technet/security;
>* Reboot and visit http://windowsupdate.microsoft.com to
receive additional
>patches;
>* Reboot, download and run MBSA [Microsoft Baseline
Security Analyzer] or
>HFNETCHK from www.microsoft.com/download to discover
other missing patches;
>* Manually download from
www.microsoft.com/technet/security and install any
>patches that were found to be missing, as well as
patches for any server
>products that may not be included in Windows Update and
MBSA/HFNETCHK, such
>as possibly SQL Server, ISA Server, etc.
>* NOTE however that Windows Update, MBSA and HFNETCHK do
NOT necessarily
>list all Microsoft patches or search all Microsoft
products, so you could be
>missing some patches if you rely just on these tools.]
>
>6. [ONGOING] Re-run the MBSA tool from
www.microsoft.com/download every 60
>days or sooner to look for missing patches, and confirm
that your antivirus
>program received an update in the past 10 days or less.
>
>
>If you want or need even more security [or are
particularly paranoid or at
>risk], you can consider some of the additional steps
below. Some of the
>tools below may be more security than you need, unless
you are running a
>server such as IIS web or FTP services.
>
>* Download and install MyNetWatchman or Dshield. These
are free programs
>that work with your firewall software or hardware to
automatically report
>hacking attempts to the hacker's ISP. You get to see
information about
>whether that IP address has been used to scan or hack
other computers, or
>whether it might be targeting just your computer. You
also get to see
>whether the ISP has responded or taken action against
the offending user.
>This is highly recommended. You can get this software at
one of the links
>below:
>
>www.mynetwatchman.com
>www.dshield.org
>
>* Sign up for the Microsoft security mailing list at
>www.microsoft.com/technet/security to receive emails
with a link to new
>critical security patches as they are released, and
install them ASAP.
>
>* Use Fport or Vision from www.foundstone.com/knowledge
or pslist / pstools
>from www.sysinternals.com to look at the open ports on
your computer and the
>program or executable using that port. Some firewall
software such as
>www.sygate.com will also tell you this information.
>
>You can also use the NETSTAT -A command that comes with
Windows to look at
>open ports; however, this will not identify which
program is using the port.
>
>[You may want to run a command such as FPORT >>
C:\OPENPORTS.TXT or
>PSLIST >> C:\OPENPORTS.TXT or NETSTAT -A >>
C:\OPENPORTS.TXT
>This command will create a "baseline" text file named
c:\openports.txt that
>can be compared later with the results of the command to
tell you whether
>additional ports are now open, a possible sign of
intrusion.]
>
>* Consider running one or more vulnerability scanners to
look for security
>flaws and configuration errors on your computers.
Vulnerability scanners
>should be run after you have installed and hardened a
new computer or
>server, and also run at regular intervals to confirm
that your computers are
>still secure. You might also run a port scanner against
your computers as
>well to look for open ports.
>
>See the section in this FAQ entitled "How can I scan my
computer or firewall
>to look for open ports or confirm that my machine is
secure?" for more
>information.
>
>* Consider searching for and following additional
checklists for hardening
>Windows 2000 by searching an Internet search engine such
as www.google.com
>for words such as "harden OR hardening windows-2000"
[e.g.
>www.google.com/search?q=harden+OR+hardening+windows-
2000 ]. Several such
>checklists are available at
http://nsa1.www.conxion.com/win2k/download.htm
>a.k.a. http://www.nsa.gov, as well as
www.labmice.net/security,
>http://rr.sans.org, etc.
>
>* Uninstall any unnecessary Windows components [e.g.
click on Start,
>Settings, Control Panel, Add/Remove Programs, Add/Remove
Windows
>Components]. Pay particular attention to Indexing
Service, Internet
>Information Services (IIS), Management and Monitoring
Tools, Message Queuing
>Services, Networking Services, Other Networking File and
Print Services,
>Outlook Express, and Windows Media Player. If you are
not sure whether
>something is unnecessary, try searching www.google.com
or posting a question
>to the appropriate Microsoft security newsgroup.
>
>* Disable any unnecessary Windows services [e.g. click
on Start, Settings,
>Control Panel, Administrative Tools, Services]. If you
are not sure whether
>something is unnecessary, try searching www.google.com
or posting a question
>to the appropriate Microsoft security newsgroup.
>
>* Consider using a Trojan scanner. Antivirus programs
generally detect some
>but not all of the most common Trojans and hacker tools.
Some people choose
>to use a Trojan scanner in addition to antivirus.
>
>For more information on where and how to locate and use
free and not-free
>Trojan scanner software, see the section in this FAQ
entitled "Which
>antivirus should I choose? Which antivirus is the best?"
>
>* Enable logging. Most logging is disabled by default,
and usually this is
>not discovered until after an intrusion, when the logs
are needed.
>
>Enable logging of your IIS web server, FTP server, etc.
For sites with a
>small number of hits, consider changing logs to rotate
monthly instead of
>daily to allow easier searching of logs.
>
>Enable logging on your Internet router, switch or
firewall. [Because these
>devices usually do not have much storage space for
saving logs, doing this
>may involve installing free syslog software onto your
computer to be able to
>capture the logs.]
>
>Enable auditing of security events on your Windows
system, including logon
>successes and/or failures and NTFS auditing of files and
registry keys. For
>more information, see the section in this FAQ
entitled "How can I enable
>auditing / logging on my computer / server?"
>
>Change the Windows event log settings to be appropriate
for your
>environment. Consider increasing the maximum log size to
retain more
>information. Be careful not to log too much, or you
might find that your
>logs contain only a few minutes or hours worth of data.
>
>Check the logs to be sure logs are really being captured.
>
>* Consider using a file change checker, such as the
unsupported free tool
>Languard File Integrity Checker at
www.gfi.com/languard/lantools-fic.htm
>Files changing on your system can sometimes indicate a
hacker intrusion.
>
>* Consider using a Windows event log monitor. Some types
of intrusions leave
>entries in one of the logs on your computer. [On an
especially vulnerable or
>secure system, you should be sure that you've configured
logging to detect
>events such as intrusions.] Some network monitors such
as www.ipsentry.com
>can send a message to your email/screen/pager if a
server or service stops
>responding, an event or error appears in a Windows log,
etc. Windows log
>monitors can be found by searching an Internet search
engine or your
>favorite software web site, or by using the links below:
>
>www.ipsentry.com [around $100 US]
>www.sunbelt-software.com
>www.webattack.com
>www.wilders.org
>www.download.com
>www.tucows.com
>www.google.com/search?q=windows+event+log-monitor
>
>* Consider using EFS file encryption [under Windows
2000 / XP / .NET] or
>third-party utilities to encrypt the files on your
computer may be something
>to consider. Some of these utilities can encrypt your
entire hard drive
>including Windows, whereas other tools just encrypt some
of your data files
>and are not suitable for encrypting or preventing access
to Windows.
>
>Note that using any form of encryption can slow down
your computer's
>performance. Also, you must be extremely careful to back
up and protect your
>encryption key and any passwords. If the encryption keys
are not backed up,
>users can lose their encrypted files forever when
Windows is reinstalled,
>Windows encounters a problem so that Windows no longer
starts up, etc.
>
>For more information on EFS file encryption on Windows
2000 / XP / .NET, see
>the section in this FAQ entitled "I used Windows 2000 /
XP EFS file
>encryption to encrypt some files. Now, I can't read the
files. How can I
>unencrypt them or recover the key?"
>
>Third party encryption software can be found at the
following locations:
>
>www.pgp.com
>www.scramdisk.clara.net
>www.e4m.net
>www.jetico.com ["BestCrypt"]
>www.download.com
>www.tucows.com
>www.google.com
>________________________________________________________
>
>Which antivirus should I choose?
>
>The best way to deal with any virus on any computer or
server is ALWAYS to
>install and use an antivirus program that is updated
with the latest updates
>for that week [or day].
>
>Some antivirus manufacturers may release mini-tools that
will remove a
>particular virus or worm, such as a Nimda virus removal
tool. However, these
>single-virus removal tools generally do nothing to
protect you from becoming
>re-infected when you receive another infected email or
file five minutes
>after you ran the tool. Antivirus software is necessary
to prevent against
>re-infection and damage to your computer files.
>
>Just running an antivirus program is not enough. You
should make sure that
>your antivirus program can be configured to download
updates every day [or
>every week] automatically via the Internet, and open the
program from time
>to time to ensure that it is still receiving updates.
>
>NOTE however that if an antivirus scanner or Trojan
scanner finds a Trojan
>installed and running on your computer, it could be a
sign of a hacker
>intrusion, in which case you will want to consider
taking additional steps
>before removing the Trojan. For more information, see
the section in this
>FAQ entitled "How can I tell if I've been hacked?"
>
>If you have a particular file name and wish to find out
whether or not it is
>a virus [or a worm, a Trojan, a hoax, etc.], you can try
searching an
>Internet search engine such as www.google.com for that
file name. However,
>it is still best to install and use an antivirus
scanner. Looking up a
>particular file name is NOT a reliable way to determine
whether or not the
>file is a virus.
>
>Deleting a file from your system is never the first way
or the best way to
>try to remove a virus from your computer.
>
>Which antivirus software is best for you will vary
depending on your
>computer systems, your security requirements and your
personal preferences.
>
>Antivirus programs may be purchased from Internet web
sites, from your local
>computer store, and even from stores like Target and Wal-
Mart. Antivirus
>software can be found using the links below:
>
>www.symantec.com [Norton Antivirus]
>www.grisoft.com [AVG Antivirus [including a free version]
>www.f-prot.com/products [free DOS version]
>www.f-secure.com [F-Secure]
>www.trendmicro.com [Trend Micro]
>www.wilders.org
>www.download.com
>www.tucows.com
>
>[Most of the antivirus products will also work on
Windows Server products or
>have a version for Windows Server.]
>
>There are also a number of web sites that will scan your
computer for
>viruses for free. However, using these web sites will do
nothing to protect
>you against future re-infection and damage to your
computer files. Some of
>these web sites include:
>
>http://security2.norton.com [Norton free one-time web-
based scanner]
>http://housecall.antivirus.com [Trend Micro free one-
time web-based scanner]
>
>Just running an antivirus program is not enough. You
should make sure that
>your antivirus program can be configured to download
updates every day [or
>every week] automatically via the Internet, and open the
program from time
>to time to ensure that it is still receiving updates.
>
>Antivirus software is like prescription drugs or
psychologists; the first
>one you get might not work right for you. If one
antivirus program fails to
>install or causes your computer to perform slowly, you
could contact the
>manufacturer, or you could uninstall it and try another
antivirus program.
>
>Note that you may need to set your antivirus program to
ignore certain
>folders, such as the folder containing your firewall
software. Failing to do
>so can cause speed problems or false alarms on your
computer.
>
>You generally only want to install and run no more than
one antivirus
>program on your computer at a time. Running two memory-
resident, on-access
>antivirus programs simultaneously can cause false alarms
or cause other
>problems.
>
>If you are running antivirus with the latest updates and
are STILL having
>problems removing the virus, you should:
>
>* Note the name of the virus being reported by your
antivirus program;
>* Visit the web site for your antivirus manufacturer and
click on "Support,"
>so that you can:
>+ Look up the virus name in the virus information
database for info and
>follow any instructions found there;
>+ Search the support web page for your antivirus; and/or
>+ Post a question in the support group for your
antivirus.
>
>For example, if you are using Norton Antivirus, you
should visit the
>following web sites:
>
>www.sarc.com - NAV virus database
>www.sarc.com/techsupp - free NAV support discussion
groups
>
>Be wary of any email ever that:
>
>* Tells you to delete a file from your computer as the
first or only way to
>remove a particular virus;
>* Tells you to forward the email to everyone you know;
>* Tells you that a particular virus cannot be stopped by
antivirus.
>* Tells you that a particular virus has been confirmed
by a large company or
>government entity, such as Microsoft, IBM, the
Department of Defense, etc.
>
>Emails such as the ones described above are usually
hoaxes [even if the
>warning email is from a friend that you trust]. Stop and
confirm or have
>someone confirm the authenticity of any warning email
before forwarding it
>to anyone. You can often confirm or deny the existence
of a particular virus
>by searching for the virus name at an Internet search
engine or virus
>manufacturer's web page, such as:
>
>www.google.com
>www.sarc.com - Norton Antivirus
>www.f-secure.com/virus-info - F-Secure
>
>TROJAN SCANNERS:
>
>It is also a good idea to consider using a Trojan
scanner *in addition to*
>antivirus software. Trojans and hacker tools can cause
many of the same
>symptoms that viruses and worms do, but antivirus
programs generally do not
>detect all of the most common Trojans and hacker tools.
Some Trojan scanners
>can be found by searching an Internet search engine or
your favorite
>software web site, or by using the links below:
>
>www.pestpatrol.com [includes a free mini-scanner]
>www.lockdowncorp.com
>www.wilders.org
>www.download.com
>www.tucows.com
>www.sunbelt-software.com
>www.google.com/search?q=trojan-scanner
>
>When looking for Trojans, you should also consider using
a tool to look for
>open ports, such as Vision or Fport from
www.foundstone.com/knowledge or
>Pstools / Pslist from www.sysinternals.com
>
>For more extensive information about looking for
Trojans, backdoors and
>other hacker tools, see the section in this FAQ
entitled "How can I tell if
>I've been hacked?"
>
>====================
>
>Which firewall should I choose? Which firewall is the
best?
>
>A: The answer to this question varies depending on your
computer systems,
>your security requirements and your personal
preferences. Below are some
>firewalls and other forms of firewall-like packet
filtering:
>
>NO MATTER WHICH FIREWALL YOU CHOOSE...
>No matter which firewall you choose, you should
seriously consider
>downloading and installing MyNetWatchman or Dshield.
These are free programs
>that work with your firewall software or hardware to
automatically report
>hacking attempts to the hacker's ISP. You get to see
information about
>whether that IP address has been used to scan or hack
other computers, or
>whether it might be targeting just your computer. You
also get to see
>whether the ISP has responded or taken action against
the offending user.
>You can get this software at one of the links below:
>
>www.mynetwatchman.com
>www.dshield.org
>
>Also, no matter which firewall you choose, the lists
below of port numbers
>for common software services may be helpful when
configuring your firewall
>or when trying to monitor the firewall logs for signs of
intrusion:
>
>www.iana.org/assignments/port-numbers
>www.iisfaq.com/default.asp?View=P106
>
>
>FIREWALL SOFTWARE:
>www.sygate.com [free for non-commercial use, also works
like a sniffer]
>www.kerio.com [free for non-commercial use]
>www.agnitum.com [free for non-commercial use]
>www.zonealarm.com [free for non-commercial use, also
blocks pop-ups]
>www.iss.net [Black Ice]
>www.symantec.com [Norton]
>www.webattack.com
>www.download.com
>www.tucows.com
>[Windows XP users can also consider using the ICF
firewall that comes with
>XP, more info below]
>
>FIREWALL DEVICES [HOME / SOHO]:
>www.linksys.com [starts around $70 US]
>www.netgear.com [starts around $70 US]
>http://search.ebay.com/search/search.dll?query=firewall
[prices on new and
>used firewalls]
>
>
>
>
>
>
>.
>