Who's trying to break into my computer and why...??

leoblob
Senior Member
Posts: 762
Joined: Sat Nov 06, 2004 2:47 pm
Location: Chicago IL USA

#1 Post by leoblob » Thu Sep 22, 2005 4:39 pm

I'm running WIN2K SP3 on the IBM PC300GL in my signature. A couple weeks ago, I made this my "main computer," and at that time, I installed Zone Alarm. I use IE6 and my computer gets internet access via dial-up. It is not networked to any other computer. Everything works fine.

My question is, I'm amazed at the number of alerts I get from Zone Alarm, telling me that someone is trying to "get into" my computer... over 800 attempts in less than a month... what are the reasons why so many people are trying to get in? And what type of people are doing it? I can see their IP addresses, but of course, this tells me nothing. (I've since turned off the alert notifications since there are so many.)

I'm not interested in "going after" anyone, I'm just curious and amazed why there's so many attempts to get into my little, stand-alone computer... ???
TP360 • TP365x • i1452 • TP T42 • Intellistation Z Pro

Michael1980
Sophomore Member
Posts: 128
Joined: Mon Sep 12, 2005 6:25 pm

#2 Post by Michael1980 » Thu Sep 22, 2005 4:48 pm

I don't think it is anything serious. Just normal internet stuff, probably from scripts/ads.

carbon_unit
Moderator Emeritus
Posts: 2988
Joined: Sat Apr 24, 2004 9:10 pm
Location: South Central Iowa, USA

#3 Post by carbon_unit » Thu Sep 22, 2005 4:52 pm

Those are just port probes. They are going on all the time but you just didn't know it until ZA told you about it.
They mostly come from infected computers trying to infect other easy targets.
T60 2623-D7U, 3 GB Ram.
Dual boot XP and Linux Mint.
Registered linux user #160145

leoblob
Senior Member
Posts: 762
Joined: Sat Nov 06, 2004 2:47 pm
Location: Chicago IL USA

#4 Post by leoblob » Thu Sep 22, 2005 8:42 pm

Wow, incredible there's that much traffic on the internet that's just noise/garbage (and that's not even including the spam).

egibbs
Senior Member
Posts: 896
Joined: Tue Apr 27, 2004 6:05 am
Location: New Jersey

#5 Post by egibbs » Fri Sep 23, 2005 6:01 am

During worm storms I have seen several hundred hits an HOUR in my firewall logs.

As was said, 99.9999999% of them are just infected machines automatically scanning for other machines to infect.

Which is why an unpatched, un-firewalled machine put on the internet is first infected within minutes, or sometimes seconds. And after a day or so it will have upwards of 50 different pieces of malware installed.

The internet is not a data superhighway. It's a sewer pipe.

Ed Gibbs

doppelfish
Sophomore Member
Posts: 206
Joined: Tue Jul 20, 2004 11:10 am
Location: Karlsruhe, Germany

#6 Post by doppelfish » Fri Sep 23, 2005 7:43 am

egibbs wrote: The internet is not a data superhighway. It's a sewer pipe.

Well said. And its contents are produced in much the same way.
I've been seeing portscans hitting my box after no more than 2 minutes after going online with it. I have my network stack tuned to 'play dead' on the common portscan traffic, thus making it pretty pointless to portscan my box, but I was seeing that traffic coming in over a long time. Either the crackers are pretty brain-dead, or it's actually an automated scan from infected boxen elsewhere (as already pointed out above). Biggest problem for me is that traffic keeps my modem awake.
If you can extract the source IP address from the traffic, some fun can be had using the IpLocator.

cheers,
-- fish

egibbs
Senior Member
Posts: 896
Joined: Tue Apr 27, 2004 6:05 am
Location: New Jersey

#7 Post by egibbs » Fri Sep 23, 2005 10:23 am

You can also try connecting to the box using http, ftp, telnet, etc. Http usually brings up the default IIS "Insert your web page here" page, meaning the owner is running an internet server they know nothing about.

If you get in with telnet or ftp you can leave a file on their desktop telling them they are owned, and what to do about it. But that gets pretty boring after the first couple hundred, and even if you leave detailed instructions most of the time they are too clueless to follow them.

The solution is simple - ISPs should have a responsibility to shut off access for any box running a port scan, unless there is a [censored] good reason for it. Then they should contact the owner, tell them what the problem is, and work with them to clean the box and patch/firewall it. But that would cost a ton of money.

Ed Gibbs

leoblob
Senior Member
Posts: 762
Joined: Sat Nov 06, 2004 2:47 pm
Location: Chicago IL USA

#8 Post by leoblob » Fri Sep 23, 2005 11:08 am

Wow! Very sad/interesting.

Question: Prior to installing WIN2K with Zone Alarm, I had been running WIN98SE (via dial-up) without Zone Alarm, for years, but never got any malware (I have Ad Aware free to check with). Was I just lucky, or is there something about WIN98SE that makes it less of a target??

carbon_unit
Moderator Emeritus
Posts: 2988
Joined: Sat Apr 24, 2004 9:10 pm
Location: South Central Iowa, USA

#9 Post by carbon_unit » Fri Sep 23, 2005 3:14 pm

Win 98 is somewhat less of a target than win XP. Only because there is less of it out there on the internet.
T60 2623-D7U, 3 GB Ram.
Dual boot XP and Linux Mint.
Registered linux user #160145

Toe
Freshman Member
Posts: 110
Joined: Mon Nov 22, 2004 3:34 pm
Location: PA,USA

#10 Post by Toe » Fri Sep 23, 2005 8:52 pm

The business I work at, we try very hard to prevent Spyware and the like getting in. But no matter what we do, some machine gets infected about once or twice a week. It's a pain in my [censored]. :evil:


-Toe

Kenn
ThinkPadder
Posts: 1166
Joined: Fri Jun 25, 2004 12:07 am
Location: NY, USA

#11 Post by Kenn » Sun Sep 25, 2005 12:34 am

Toe wrote: The business I work at, we try very hard to prevent Spyware and the like getting in. But no matter what we do, some machine gets infected about once or twice a week. It's a pain in my [censored]. :evil:

-Toe

It's hard to prevent any when you have users who like to click "OK" :P
IBM ThinkPad T42p (2373-7XU): 1.8GHz/1024MB, 15" UXGA, DVD-RW, 80GB, 2200b/g.
T42 (2374-3VU): 1.7GHz/512MB, 14.1"SXGA+, DVD-RW, 80GB, 2200b/g.

BigWarpGuy
Junior Member
Posts: 453
Joined: Wed Jan 05, 2005 9:22 pm
Location: New Hampshire

Non-Win Users?

#12 Post by BigWarpGuy » Sun Sep 25, 2005 4:01 pm

Would one be safer if one's computer did not run Windows (any version)? I use eComStation on my desktop computer. :?:

8)

http://www.ecomstation.com
* * * * * * * * *
BigGoofyGuy 8)
* * * * * * * * *
http://www.biggoofyguy.com
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

http://www.cafepress.com/tomleem

_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _

egibbs
Senior Member
Posts: 896
Joined: Tue Apr 27, 2004 6:05 am
Location: New Jersey

#13 Post by egibbs » Mon Sep 26, 2005 6:27 am

Regarding the questions about Win98, ECS, etc.

The real key is not the OS, but what services you are running and whether you have all the patches installed.

If you are not running any services, or if whatever services you are running are not vulnerable to attack, then you really don't even need a firewall. The problem is many people have no idea that they are running a web server (installed by default in Win 2003 server), UPnP server, mail server, FTP server, etc., because many of these are installed by default or turned on by other software. And many, many people still don't install patches in a timely manner.

Win 98 installs many fewer services by default than XP, 2003, etc., and it's less of a target because the user base is smaller. If you have a fully patched Win 98 you should be safe, as you would be with a fully patched XP - providing of course that you don't do anything stupid like clicking ok to install spyware, opening a virus, etc.

As far as ECS, I know next to nothing about it. It's a very small target - not many malware writers are going to waste time writing code to attack ECS. But that doesn't mean it isn't vulnerable if someone wants to break into your machine - that depends on what you are offering to the outside world as far as services, and whether they are patched and secured. If you have an anonymous FTP server running under ECS, your front door is wide open to anyone who walks by, just as it would be if you offered the same service under Windows.

Ed Gibbs
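
An added example, not part of the thread and not written by any of the posters: one way to check which services a machine is actually offering, as post #13 describes. It parses the text printed by Windows `netstat -an` and lists every socket that accepts traffic on a non-loopback address; the sample output and the port-to-service table are constructed for illustration.

```python
import ipaddress

# Conventional port assignments for the kinds of services the post names.
# Assumption: a service moved to a nonstandard port is reported as "unknown".
KNOWN = {21: "FTP", 23: "Telnet", 25: "SMTP (mail)", 80: "HTTP (web server)",
         135: "RPC endpoint mapper", 139: "NetBIOS session", 445: "SMB",
         1900: "SSDP (UPnP discovery)"}

# Constructed sample in the layout printed by Windows `netstat -an`.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        198.51.100.7:80        ESTABLISHED
  UDP    0.0.0.0:1900           *:*
"""

def exposed_listeners(netstat_text):
    """Return (proto, address, port, label) for each socket that accepts
    traffic on a non-loopback address, i.e. a service offered to the network."""
    found = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        # TCP: only LISTENING rows are services; UDP rows have no state column.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        addr, _, port = local.rpartition(":")
        addr = addr.strip("[]")  # IPv6 addresses are printed in brackets
        try:
            if ipaddress.ip_address(addr.split("%")[0]).is_loopback:
                continue  # reachable only from the machine itself
            port = int(port)
        except ValueError:
            continue  # malformed row
        found.append((proto, addr, port, KNOWN.get(port, "unknown")))
    return sorted(found, key=lambda r: (r[0], r[2]))

if __name__ == "__main__":
    for proto, addr, port, label in exposed_listeners(SAMPLE):
        print(f"{proto:4} {addr}:{port:<6} {label}")
```

Anything this prints that you did not knowingly install is a candidate to disable, patch, or block at the firewall.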

leoblob
Senior Member
Posts: 762
Joined: Sat Nov 06, 2004 2:47 pm
Location: Chicago IL USA

#14 Post by leoblob » Mon Sep 26, 2005 11:47 am

egibbs wrote: The real key is not the OS, but what services you are running and whether you have all the patches installed.

If you are not running any services, or if whatever services you are running are not vulnerable to attack, then you really don't even need a firewall. The problem is many people have no idea that they are running a web server (installed by default in Win 2003 server), UPnP server, mail server, FTP server, etc., because many of these are installed by default or turned on by other software. And many, many people still don't install patches in a timely manner.

Win 98 installs many fewer services by default than XP, 2003, etc., and it's less of a target because the user base is smaller. If you have a fully patched Win 98 you should be safe, as you would be with a fully patched XP - providing of course that you don't do anything stupid like clicking ok to install spyware, opening a virus, etc.

Ed Gibbs

Thank you! I believe this fits my situation. I have another machine with WIN98SE and Zone Alarm, and only about 4 of my programs have attempted internet access. My WIN2K machine, however, has 17 programs/processes listed as attempting access (in the Zone Alarm list of programs). Frankly, I don't know what most of these do, and I'm hoping to find a book, a web site, etc. where I can learn about them. After being stuck in the WIN9x world for so long, I know I have a lot to learn.

Fortunately, Zone Alarm says that it's very unlikely any programs need to act as a server, so I've blocked every program and process from becoming a server.

And, I've been quite negligent in getting the security patches. I never thought about it too much, since I never had a problem with my WIN98SE machines (at least none I'm aware of). The world sure has changed :(
