
Have I been attacked?


blacksea


I was looking at my Avast Firewall log and I noticed a log of only 2 days, 21-06 and 22-06. And notice in the attachment that the times of the logs are VERY VERY close. ALL the actions were blocked, and in those 2 days there were definitely more than 700+ attempts. I don't know what it actually is, but only those 2 log dates were shown. Normally I prefer to use Comodo Firewall and so I don't run the Avast Firewall, but I think I forgot to stop the process. But when I was looking at the log of the Comodo Firewall, it had nothing that day similar to the Avast Firewall. So is it possible that I was attacked? And that Avast noticed it and Comodo did not? If so, then I think I'll use Avast Firewall.

Note: I removed my IP. I don't think it is safe to just put my IP on the internet, and I also removed the port. Just to be secure. Don't want to do something stupid.

Link to comment
Share on other sites

It's just Google -

The king of snoops! Just use "ip lookup" for the details. I can't link you because it gives your own IP when you open the page. Then from there, you will find a box to type in the IP in question and get address, owner, domain, etc. Cheers!

Link to comment
Share on other sites

Hi detailer,

 

Thanks, I was a bit scared because I didn't see something like that on Comodo Firewall.

I know that having 2 firewalls is not recommended because they could clash, but if I have Avast Firewall and Comodo Firewall on, nothing happens and my computer runs just as smoothly as normal. Sometimes I forget to close the Avast Firewall, but nothing happens after all. Even if they don't clash, will it give better protection? Every firewall has its own way to protect. Just want advice.

 

Cheers

Link to comment
Share on other sites

Well...

Not a "softwall" user myself. My carefully configured hardwall in my router has done an excellent job for me to date. If I did run one, I'd probably go Comodo, Outpost, or PC Tools. Avast firewall is not the sharpest tool in Alwil's shed, but the AV is top notch. One wall is probably enough. Is Windows firewall enabled as well?

Link to comment
Share on other sites

700+ attempts... certainly an attack! And you have very good firewall(s).

Hi blacksea, yes, they are attacks, but more of a scanning, spider type, looking for open ports. Even in the short attachment I can tell you it's not Google based.

It's likely a probe on your system. Also the different locations (IPs) where they are coming from: my guess is a netted infected system. Hackers use zombie systems and try to get your system to join the netted zombie works.

Unknown victims... Why do I state this? They attempted to get data on port 443, and entry to the modem using port 193.168.--.-- UDP, but wisely blocked.

And the repetitive attempts one after another tell me this.

Checking the IPs, you will be shown false IPs, or, as I bet, they are innocent victims who also know nothing about being used. Finding a hitter is 1 in a billion, and you would be lucky!

 

 

Safer??? To use more than 1 firewall... depends upon how you set them and what you block.

Some would say it could help, others say no, it may conflict. Others just depend on their router or Win firewall, and are happy.

I am guessing, and as I suggested, it's a probe on your system for open holes.

Now this is a good move: 193.168.1.??? UDP blocked.

Been saying this a long time; it stops scanners.

 

 

Now as for using the 2 firewalls: if there are no conflicts, stay with it if you are happy. I use 3 plus IP blockers.

Avast firewall, OK, I can't tell you much about this but may try it. Is it a free or a trial-based firewall?

Anyhow, it seems you made a very good move testing this out.

I tend now to lean to the IP blocking type; they are very ruthless in their blocking, independent of firewalls, and nothing gets past them.

If you set them to block ports, they certainly do it, 100%.

itsmejjj

 

detailer, I have been reading that you do not use any firewall.

What sort of router do you use?

Is a firewall included? (configured hardwall in my router)

Link to comment
Share on other sites
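As an added example (not part of the original posts and not any firewall vendor's tool), this Python script groups blocked firewall events by source address and separates a sweep across many ports from repeated hits on a single port, the distinction discussed in the posts above. The CSV log layout, the sample lines and the thresholds are assumptions made for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample in a hypothetical CSV layout (time, action, protocol,
# source IP, destination port). Not Avast's or Comodo's real log format.
SAMPLE_LOG = """\
2000-06-21T14:02:01,BLOCK,TCP,203.0.113.7,135
2000-06-21T14:02:01,BLOCK,TCP,203.0.113.7,139
2000-06-21T14:02:02,BLOCK,TCP,203.0.113.7,445
2000-06-21T14:02:02,BLOCK,TCP,203.0.113.7,1433
2000-06-21T14:02:03,BLOCK,TCP,203.0.113.7,3389
2000-06-21T14:05:10,BLOCK,UDP,198.51.100.20,1900
2000-06-21T14:05:11,BLOCK,UDP,198.51.100.20,1900
2000-06-21T14:05:12,BLOCK,UDP,198.51.100.20,1900
2000-06-21T14:05:13,BLOCK,UDP,198.51.100.20,1900
2000-06-22T09:30:00,BLOCK,UDP,192.0.2.55,1026
2000-06-22T09:31:00,ALLOW,TCP,192.0.2.80,443
"""

def summarize(log_text, min_events=4, window_s=60):
    """Group blocked events by source and label the traffic pattern."""
    events = defaultdict(list)
    for ts, action, _proto, src, port in csv.reader(io.StringIO(log_text)):
        if action == "BLOCK":
            events[src].append((datetime.fromisoformat(ts), int(port)))
    report = {}
    for src, hits in events.items():
        times = sorted(t for t, _ in hits)
        ports = {p for _, p in hits}
        span = (times[-1] - times[0]).total_seconds()
        # Illustrative thresholds: several blocked packets within one minute
        burst = len(hits) >= min_events and span <= window_s
        if burst and len(ports) >= min_events:
            label = "port sweep"       # one source walking many ports
        elif burst:
            label = "repeated probe"   # same port(s) hit over and over
        else:
            label = "background"       # isolated blocked packet
        report[src] = {"hits": len(hits), "ports": sorted(ports),
                       "span_s": span, "label": label}
    return report

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```
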

Hi detailer,

 

No, Windows firewall is disabled. I think that the Windows Firewall is not very effective at keeping hackers away, because it is so old and hackers always find new ways to get through a firewall.

 

Hi itsmejjj,

 

Thanks for the information. I was hoping that you would comment on my thread, because I know that you have lots of knowledge about this! And the Avast firewall is not trial or free, it's from Avast Internet Security. So you have to buy a license.

But do you have a tip for me? Something useful for me to know to be more secure? Thanks in advance!

 

Cheers

Blacksea

Link to comment
Share on other sites

Dear blacksea,

I have been carefully thinking this over, and it's for your consideration.

I feel it's most important to add the following to UDP exclusively.

Be aware they may stop certain services you may want to use.

Please be aware of this.

* Block outbound evil ports. Evil ports I consider to be the ports primarily used for worm/virus and other bad behavior,

as follows: TCP and UDP ports 53, 135, 136, 137, 138, 139, 445, 1028.9,10 add, 1900, 5000

Block ICMP traffic inbound (ICMP Echo-Replies); Echo-Request to be blocked.

* Block DHCP

***** Or block all other inbound traffic at UDP permanently??? *****

* As shown below:

* ssh (22)

* smtp (25) mail port; if email is used, leave it unblocked.

* ipsec (50, 51, 500)

* dns (53) the most vulnerable.

* http, and your port. Let's assume port 80, it's the default; then at UDP it will be blocked... allow TCP only.

Note: if you run into problems, unblock it.

* https (443), and this is a must... at UDP.

Possible?? I do, but you may not want to...

 

* kerberos (88)

* ntp (123)

* imap (143)

* imaps (993)

* ldap (389, 636)

* dhcp (546, 547)

* rtsp (554)

* nntp (563)

* l2tp (1701)

* pptp (1723)

* rdp (3389)

This is a possibility for you to consider:

Disable IP-directed broadcasts on routers or systems.

To keep your system healthy: letting traceroute, ping, or any of the other ICMP messages into and through your system from the Internet is an invitation for hackers, singing out "here I am!", that could lead to an attack.

You can protect your system from attack by implementing three simple rules:

* Block ping: ICMP Echo-Request outbound and Echo-Reply messages inbound.

* Block traceroute; never use this.

* Block packet fragmentation inbound and outbound.

 

 

configuration

 

Hacker probing and attacks that are easily blocked. Applying these rules of mine and blocking other types of ICMP traffic can provide a lot of network security with minimal effort.

Possible things to consider blocking:

UDP foremost and TCP lesser.

SWAT, Real Secure, port 901: Samba Web Administration Tool. Also the port that Real Secure IDS listens on for console communications. IANA registered for SMP NAME RES (Simple Messaging Protocol name resolution?). Also used by a Trojan.

Possible Messenger Service or others, 1026-1029: this low range in the ephemeral ports is a usual place for services to be communicating; used by MS Messenger 1026 as well.

MS SQL Server: 1433, 1434 tcp; 1433, 1434 udp. * CERT Advisories. *

MS Universal Plug and Play (UPnP): 1900, 5000, 2869? Port 1900 is IANA registered by Microsoft for SSDP (Simple Service Discovery Protocol). Port 5000 is also a possible danger... Remote Access Trojan, port 5000.

Remote Desktop Protocol, 3389, 3389: potential for unauthorized use of a Remote Desktop or Remote Assistance.

radmin, 4899, 4899: remote administration of your computer, essentially remote control. Has vulnerabilities.

DameWare, 6129, 6129: CERT Vulnerability, Remote Control vulnerable to buffer overflow via specially crafted packets.

Windows Messenger Popup Spam on UDP port 1026.

The W32 Blaster Worm: it uses a vulnerability in MS RPC port 135 to compromise a Windows system.

 

OK, read this carefully; it's for your added security at firewall blocking, which you may want to add.

It's less extreme than I have it myself, and it's classed by me as a milder form, but very effective.

PLEASE TAKE NOTE of this before you or any member starts to monkey around:

Back up your system first.

Make sure you copy the backup file to a safe drive, and do not use the MS restore service, but a proper backup program.

If you do not understand what I post, forget it's here.

Reread all of it several times so you are aware of what you block, as it may lead to stopping access to certain services and/or accessibility to the net, if not properly done.

Advice: do 1 port at a time, UDP only. Let all in and outbound at TCP ports.

Do this over several days, not all at one time. This can take weeks to get correct and working properly.

Thank you for reading this long post.

 

 

 

itsmejjj

Link to comment
Share on other sites

TCP/IP Client (Ephemeral) Ports and Client/Server Application Port Use

(Page 1 of 3)

 

The significance of the asymmetry between clients and servers in TCP/IP becomes evident when we examine in detail how port numbers are used. Since clients initiate application data transfers using TCP and UDP, it is they that need to know the port number of the server process. Consequently, it is servers that are required to use universally-known port numbers. Thus, well-known and registered port numbers identify server processes. They are used as the destination port number in requests sent by clients.

Read here: http://www.tcpipguide.com/free/t_TCPIPClientEphemeralPortsandClientServerApplicatio.htm

http://en.wikipedia.org/wiki/Ephemeral_port

Refer here for all ports:

http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers

Very handy to keep.

itsmejjj

Link to comment
Share on other sites

I do hope this is not boring?

A proper firewall or IP blocker will enhance your security, as you want it to be.

Everyone will differ in opinion as to what is best, and what to allow or block.

Some do not care one way or the other. Others leave it to a firewall default and are happy with that. Some want to be made aware of more.

Some think they know it all (and trust this, I still learn every day), as there are ways, which the wrong side of the net proves by compromising systems.

They find ways to get in or skim info for evil purposes, and scam, snoop, attack and so on.

All we can do is try where possible to stop this and learn how, and pass on what we know, in the hope it will help, even if it's a little bit.

It did not take long: 6 seconds, and boom, it was on.

Attacked with lesser settings.

Then my apps and filters kicked in, to show a typical hit tried and blocked.

I posted a very tiny part, but you can see what I am saying, and if you look at the last capture, it's very similar to the first post capture made by blacksea.

Thank you.

itsmejjj

Link to comment
Share on other sites

As most attacks appear to come from certain ports, would it not be a good idea for 360 to add a SUSPECT port facility warning?

Perhaps.

As most attacks appear to come from certain ports: yes, as they are needed by services, which is the reason they are used.

What I suggested, you may not want to block, as some are needed for certain services that I myself don't want. Plus, if say viewing a video or Flash (YouTube), you can't block certain ports and so on, and must allow UDP, which I don't allow 100%.

All ports are and can be seen as suspect, with all sorts of goodies waiting to enter, or do whatever.

That is why it would be hard for them to be added to 360, and think of the complaining about why this or that will not run.

 

itsmejjj

Link to comment
Share on other sites

JJJ's advice is sound but goes too far in assumptions. Depending on many variables it may or may not apply to your situation. JJJ admits that this is not applicable to all and advises only the original poster in this way. JJJ also admits that the configurations of his various machines are not conventional. He also professes to push the limits of hardware and software.

 

I appreciate JJJ.

 

Steps easily made by a master are stumbling blocks to the junior. Careful, lest a stumble and fall.

 

Only an observation... certainly not a truth!!

 

 

 

-Mel

Link to comment
Share on other sites

Archived

This topic is now archived and is closed to further replies.
