Guest daves0

To Elrond -------- Urgent!! Pls help.


Hi Elrond,

after reading your post and having read all this virus attack stuff on flightsimmers I decided to download Outpost like you suggested. I installed it and started to look into it a bit. I am totally naive when it comes to those things. I have Norton Antivirus on my machine just in case and most of the time it is running when I am on the internet.

After installing the program I clicked through the options. When I clicked attack detection a window opened and actually logged an intrusion every 30 seconds showing an IP and a portscan TCP 3021 and 3024. What the heck does this mean? Am I attacked or is this maybe just something that has to do with online updating programs or something. I ticked block intruder's IP and hope that saves my ##### now.

I am very concerned. Can you explain that stuff to me?

BTW I am using AOL 7.0.

Alex


Hi Alex,

Port scans aren't anything to worry about. Basically, someone somewhere is scanning your system to see if any ports are responding - usually looking for Trojans that are activated on your system with specific ports and the like.

While port scanning is annoying, it doesn't mean you're under attack. It simply means someone is looking for a system they *can* attack. In an average day (since I'm on cable), I must get port scanned a couple hundred times.

The good thing about Outpost and similar Firewalls is: they block any response to those scans. In effect, to the person scanning, it looks like the IP your system is currently assigned isn't actually being used. In other words, it looks like your system is completely turned off. They don't get a response, so they move on. If you weren't running a firewall, they'd get a response from all open ports they scan on your system. While that doesn't mean they'd start attacking any of them, it'd leave the possibility open. With Outpost running, it doesn't (but ports where you are running any servers will respond of course - like web servers, Instant Messengers, etc. This is what allows them to be servers).

Basically the only thing you'll ever need to worry about is if Outpost pops up a dialog for some weird executable that's asking to connect to the outside. Be aware, however, Outpost will ask your permission to allow ANY application to contact the outside - such as Internet Explorer, FTP programs, Instant Messengers, etc. All of these are absolutely fine (and you'll have the option to "trust" them - or at least trust a part of them - in the future so Outpost doesn't bother you about them again). It's when weird exe's and the like that you don't recognize ask to call out that you should investigate. Again, this is pretty rare and usually doesn't mean something nefarious, but if you ever get a Trojan - this is what will happen.

Likewise, when someone tries to connect to your system on a port that is unusual, you'll get a warning box as well. Like before, most of these occasions are completely normal (such as someone sending you a file through an instant messenger on a high port such as 12555, etc)... It's when it is a strange port and you're not running a server of any kind that you should pay attention.

So, in this case, port scanning is nothing to worry about. Most ISPs frown on their users doing this. Now that you have Outpost, and if you're feeling saucy, you can grab their IP and report them to their ISP. Just be aware you'll get mighty tired of doing this after the umpteenth thousandth time... :-)

Good luck,

Elrond

"A musician without the RIAA, is like a fish without a bicycle."


One last thing Elrond. Should I run the firewall all the time, or only when I am connected to the internet, and most importantly, what will it do to my FS2002 framerates then?

Alex


I personally run it all the time... Even when I use dial-up for one reason or another. That way I don't forget to run it - could save that one instance when you just might have needed it.

As for resources, it takes very, very little CPU. If you're running WinXP, you can hit CTRL-ALT-DEL and scroll down the list on the Process tab until you find Outpost.exe. As you'll see, it almost always uses 0% CPU cycles. Only when a connection is made or the like will it kick in for a few seconds.

No app or game should be robbed of any performance with a firewall installed. Even when using multi-player functions. As usual, however (and my standard disclaimer :-)), Your Mileage May Vary.

Elrond


BTW, you should ALWAYS run Outpost in Block Most mode. Right-click on the Outpost icon, select "Policy" then select "Block Most" mode.

By default, Outpost uses "Rules mode" so it can learn which of your applications need access to the Internet but the preset.lst file already contains the rules for most applications.

If you encounter a specific application that cannot access the Internet, you can always temporarily switch to Rules mode to give the application access.


Whatever it means I just had an Rst attack. After that I had to shut down aol.exe as everything was degrading.

This is all a totally new experience for me. Who knows what strange things I sometimes wondered about, do not have a system background.

Alex


Thx Joseph,

also very interesting. At least I know now that the firewall is actually working.

Guess I have been way too naive, the like "this will not happen to me I am not at those file sharing or cracking or porn sites".

Seems I was wrong.

Alex


I didn't see the original thread so apologies if this has already been covered but I saw a site recently which gives info on IP addresses. You simply put the IP into their search engine and see what comes up. Link to the site is http://www.ripe.net/perl/whois

>Hi Elrond,
>
>after reading your post and having read all this virus attack stuff on flightsimmers I decided to download Outpost like you suggested. I installed it and started to look into it a bit. I am totally naive when it comes to those things. I have Norton Antivirus on my machine just in case and most of the time it is running when I am on the internet.
>
>After installing the program I clicked through the options. When I clicked attack detection a window opened and actually logged an intrusion every 30 seconds showing an IP and a portscan TCP 3021 and 3024. What the heck does this mean? Am I attacked or is this maybe just something that has to do with online updating programs or something. I ticked block intruder's IP and hope that saves my ##### now.
>
>I am very concerned. Can you explain that stuff to me?
>
>BTW I am using AOL 7.0.
>
>Alex


This site is nothing more than fear mongering, backed by some extremely questionable (read: BS) technology.

I can back that statement up offline. This isn't the place for it. There is no peer review of GRC products as any real security admin would take about 10 seconds reading about Steve Gibson's "nanoprobes" and close the site in fits of laughter. On top of that, there is an army of dittoheads on the site that feel attacks on Steve Gibson are because of him, and not the utter baloney he so sensationally posts on his site.

For those of you who want real facts about protecting your PC - STAY AWAY FROM GRC.COM. Some of the stuff on there might be true, but then again the National Enquirer is true too, some of the time..

Unfortunately I can't think of any good sites for security beginners.. Maybe this is why Gibson does so well... maybe have a look at http://online.securityfocus.com for some stuff... even they have been bought by Symantec, so who knows how long we can trust them.. If I find anything better for home users, I will post.

Cheers


"such as Internet Explorer, FTP programs, Instant Messengers, etc. All of these are absolutely fine"

Most of these are absolutely exploitable and NOT fine.

If you'd like I can get a list of all the holes in IE, MSN Messenger, various ftp programs, some of which still exist right now.

Cheers


"Most of these are absolutely exploitable and NOT fine."

Let's pick the right topics here. We're talking about programs to let communicate with the outside world here, not the exploits and security flaws they may contain.

You are of course right: almost all internet software has security issues - Microsoft internet software more than any. Keeping yourself updated with the latest security fixes is of course par for the course and should be preached far and wide. But none of that has to do with Outpost firewall and the dialog boxes it'll show you as you run it.

Take care,

Elrond


I haven't heard of this Outpost program, but I did use a firewall called BlackIce for a while. For some reason, it interfered with my ability to actually establish a dial-up connection on the internet, even if I didn't have it running and excluded it from my startup programs. Once I uninstalled it, things were fine again. Does using Outpost have any such side effects?


I agree that Steve is so full of himself it's not funny. But, Shields Up is still a good way to verify your firewall is working properly - it's nothing more than an average, everyday automated port scanner. I highly recommend it for firewall testing.

Another good site for those just getting in the waters is Practically Networking. Some of their guides are indispensable, such as their port listings pages:

http://www.practicallynetworked.com/sharin...p_port_list.htm

Good to know what apps use what ports when you're looking at a firewall port listing.

Take care,

Elrond


The only side-effects are if you disallow a specific program from contacting the outside world, but really wanted to grant it permission. Easily fixed, of course, by hitting the configuration and removing that app from the "protected" list (I get this support call quite frequently).

Otherwise, there are no problems I've had with Outpost on the hundreds of systems I've installed it on. BlackIce was/is notorious for its poor handling of a variety of systems (I haven't used it in ages however) - sometimes the BlackIce would stop working as well, with nary a dialog to let you know it was down. Not very good to say the least.

While I prefer Outpost, both it and ZoneAlarm have proven to be pretty solid and effective (and free).

http://www.agnitum.com/products/outpost/index.html

Take care,

Elrond


Thanks Elrond. If you recommend it, I'm getting it! I don't know anyone else who is so ready to explode with such a galaxy of computer knowledge whilst being so humble about knowing so much :-lol

I actually had the BlackIce problem when I put it on Mum's machine as well. So that makes two dial-up machines without firewalls at the moment.


Sorry I missed this one Alex...

You shouldn't have needed to reboot after that scan. An "Rst attack" is nothing more than another way a person can scan your system - there is more than one way. It sounds like you had someone doing what's called a SYN scan, or half-open scan. Basically, it's an attempted stealthier way to port scan by sending a request to open a port on your system and expecting a reply saying that port is open, then quickly sending a reset packet (RST) requesting to close the port again. Since you are running Outpost, it caught it and told you about it - but did not reply to the scanning software. As such, they basically failed.

Stealthy SYN scans are the most common these days. I really can't guess why it would have degraded your connection as it does nothing untoward on your system... The entire process of the scan only takes a few seconds at most then it's done. With or without a firewall, you are scanned all the time. It's just that now you have a firewall, your system "sounds" dead to those scans.

Next time your system feels like it's degrading again, hit CTRL-ALT-DEL and check the Processes tab. If you click the CPU column, you can sort all the processes by the CPU percentage each one is using. You'd then be able to see what program is taking up so many CPU cycles. I highly doubt it would be Outpost.exe however, for more than a few seconds at a time.

Sorry I couldn't be of more help, but I truly don't think you have anything to worry about in this instance.

Take care,

Elrond
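An added example, not part of the thread: a small Python detector for the scan pattern described in the post above. It classifies each inbound connection attempt in a constructed packet log as dropped, half-open or completed, then flags sources that probe several ports in a short window; the log format, addresses and thresholds are all assumptions.

```python
from collections import defaultdict

HOST = "192.0.2.10"  # constructed address of the protected machine

# Constructed capture, one packet per line: time src:sport dst:dport tcp-flags
SAMPLE = """\
0.00 203.0.113.7:40001 192.0.2.10:3021 S
0.01 192.0.2.10:3021 203.0.113.7:40001 SA
0.02 203.0.113.7:40001 192.0.2.10:3021 R
0.10 203.0.113.7:40002 192.0.2.10:3022 S
0.20 203.0.113.7:40003 192.0.2.10:3023 S
0.30 203.0.113.7:40004 192.0.2.10:3024 S
5.00 198.51.100.20:51000 192.0.2.10:80 S
5.01 192.0.2.10:80 198.51.100.20:51000 SA
5.02 198.51.100.20:51000 192.0.2.10:80 A
"""

def classify_probes(log, host=HOST):
    """Return [(time, src_ip, dst_port, outcome)] for each inbound connection attempt."""
    flows = defaultdict(list)  # (remote ip, remote port, local port) -> [(time, direction, flags)]
    for line in filter(str.strip, log.splitlines()):
        t, src, dst, flags = line.split()
        (sip, sport), (dip, dport) = src.rsplit(":", 1), dst.rsplit(":", 1)
        if dip == host:
            flows[(sip, sport, dport)].append((float(t), "in", flags))
        elif sip == host:
            flows[(dip, dport, sport)].append((float(t), "out", flags))
    probes = []
    for (rip, _, lport), pkts in flows.items():
        pkts.sort()
        seen = {(direction, flags) for _, direction, flags in pkts}
        if pkts[0][1:] != ("in", "S"):
            continue  # flow did not start with an inbound SYN
        if ("out", "SA") not in seen:
            outcome = "no-reply"   # SYN dropped silently, as a firewall does
        elif ("in", "A") in seen:
            outcome = "completed"  # normal three-way handshake
        else:
            outcome = "half-open"  # SYN answered, handshake never finished (e.g. RST)
        probes.append((pkts[0][0], rip, int(lport), outcome))
    return sorted(probes)

def find_scanners(probes, min_ports=3, window=10.0):
    """Return {src_ip: ports} for sources probing >= min_ports ports within window seconds."""
    by_src = defaultdict(list)
    for t, ip, port, outcome in probes:
        if outcome != "completed":
            by_src[ip].append((t, port))
    scanners = {}
    for ip, hits in by_src.items():
        best = max(({p for t, p in hits if t0 <= t < t0 + window} for t0, _ in hits), key=len)
        if len(best) >= min_ports:
            scanners[ip] = sorted(best)
    return scanners
```

Calling `find_scanners(classify_probes(SAMPLE))` reports only the source that swept ports 3021 to 3024; the client that completed a handshake on port 80 is not flagged.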


Ok, thx for all the support Elrond. Another instance that makes me like this forum.

Alex


BlackIce Defender should not have any side effects. I have been running it for over 4 years now, always on, never had any problems with it. Must have been a wrong setting on your system or in BlackIce somewhere ;-)

:-outta Francois :-wave

________________________
Francois A. "Navman" Dumas
Associate Editor & Forums Administrator
AVSIM Online!
email: fdumas@avsim.com
________________________


I'm sure you're right Francois. Since it's been so long since I looked at BlackIce (pre ZoneAlarm intro actually, so more than a few years), I have no doubt they have done some great improvements on its stability. Above I was speaking of my previous experience with it... Back when I was using it, each Windows update broke the firewall and caused all kinds of havoc - patches were released on an almost daily basis. But again, that was quite a while ago.

In the end however, it's still not a very good firewall unfortunately. First is it doesn't block TCP pings. Because of this, almost all port scans that are worth their salt show your system as available. It's much better if it completely blocks any response at all. Second, and more important, it doesn't block any outgoing communication at all. Any possible spyware - unintended or even "legal" code from the likes of Microsoft, etc - will not be checked. Same goes for any Trojan that might have possibly been installed along with any downloads, emails or the like.

Most of the firewalls today fully support blocking both incoming and outgoing attacks - including both Outpost and ZoneAlarm (Norton Internet Security and the more commercial offerings of its ilk do as well). Unfortunately, unless I've missed some security updates concerning BlackIce, it is still missing this very important feature.

For most users, it probably wouldn't matter in the long run (besides blocking any built-in spyware that you might not wish - such as Windows Media Player or Real Media's penchant to report every CD and DVD player you play, etc). Trojans and the like are fairly rare unless you are an extremely heavy email user. But it's the avoidance of that "one time" where you smack your head and *wish* you had outbound protection that makes the difference for me. Lord knows I've done that enough in my life... :-)

I don't mean to discourage you in the least from a tool you feel comfortable with however. I just wanted to point out the possible pitfalls.

Take care,

Elrond


You're too nice Jon... :-)

I *am* humble about any knowledge I have... It's easy to be humble in this business as there is *always* someone right around the corner to be humbled by - someone who simply blows my socks off with his/her detailed knowledge of something or another that I wish I knew more about...! Ahhh, but we must keep trying.

But thanks for the compliment Jon,

Elrond


I know and appreciate your concerns, Elrond. Actually, we had this discussion a while ago and after that I installed Outpost.... then my system crashed (yes again, I am notorious for achieving that in a regular fashion), I lost Outpost and just re-installed my 'known' software. As soon as I find a few minutes laying around on the floor I will make the effort and find and install Outpost again. My floor is currently littered with other things.... most of them having something to do with flight simming..... :-)

:-outta Francois :-wave
