A Conversation for Ask h2g2

'jammer' firewall question

Post 1

winnoch2 - Impostair Syndromair Extraordinaire

I have Jammer installed, and I seem to be under constant attack from 'TCP port scanning' smiley - erm

I mean, after being on-line for an hour or so, I could have 30+ separate attack attempts - is this normal?

Secondly, does 'informing provider' as Jammer allows via an automated email do any good? Or could it maybe draw attention to me?

Here is a copy of the kind of text I see every day. I've just been ignoring it because as far as I can tell Jammer is blocking the attacks - my computer is fine, I think smiley - erm

What, if anything, should I be doing?



Jammer: your cyber fortress.
Copyright (C) 1998-2001 Agnitum Ltd. All rights reserved.

Starting network monitoring

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:54:20 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 2214
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:54:57 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 2331
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:55:02 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 2331
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:55:03 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 2331
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:55:13 2005 [Local GMT bias +0:00]
Source IP: 202.68.133.176
Source Port: 3252
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:55:14 2005 [Local GMT bias +0:00]
Source IP: 202.68.133.176 (*202.68.133.176)
Source Port: 3252
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:55:16 2005 [Local GMT bias +0:00]
Source IP: 202.68.133.176
Source Port: 3252
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:55:52 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 2495
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:55:56 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 2495
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:55:59 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 2495
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:56:13 2005 [Local GMT bias +0:00]
Source IP: 202.68.133.176 (*202.68.133.176)
Source Port: 3297
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:56:15 2005 [Local GMT bias +0:00]
Source IP: 202.68.133.176 (*202.68.133.176)
Source Port: 3297
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:56:15 2005 [Local GMT bias +0:00]
Source IP: 202.68.133.176 (*202.68.133.176)
Source Port: 3297
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:57:49 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 2807
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:57:49 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 2807
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:57:50 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 2807
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:58:55 2005 [Local GMT bias +0:00]
Source IP: 202.68.133.176 (*202.68.133.176)
Source Port: 3394
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:58:58 2005 [Local GMT bias +0:00]
Source IP: 202.68.133.176 (*202.68.133.176)
Source Port: 3394
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:59:01 2005 [Local GMT bias +0:00]
Source IP: 202.68.133.176 (*202.68.133.176)
Source Port: 3394
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:59:18 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 3015
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:59:19 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 3015
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:59:21 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 3015
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:59:54 2005 [Local GMT bias +0:00]
Source IP: 172.200.79.235 (ACC84FEB.ipt.aol.com)
Source Port: 3476
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:59:54 2005 [Local GMT bias +0:00]
Source IP: 172.200.79.235 (ACC84FEB.ipt.aol.com)
Source Port: 3476
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 19:59:55 2005 [Local GMT bias +0:00]
Source IP: 172.200.79.235 (ACC84FEB.ipt.aol.com)
Source Port: 3476
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 20:00:20 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 3184
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 20:00:21 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 3184
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 20:00:22 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 3184
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 20:01:14 2005 [Local GMT bias +0:00]
Source IP: 172.200.79.235 (ACC84FEB.ipt.aol.com)
Source Port: 3553
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 20:01:15 2005 [Local GMT bias +0:00]
Source IP: 172.200.79.235 (ACC84FEB.ipt.aol.com)
Source Port: 3553
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 20:01:15 2005 [Local GMT bias +0:00]
Source IP: 172.200.79.235 (ACC84FEB.ipt.aol.com)
Source Port: 3553
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 20:01:32 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 3376
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 20:01:33 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 3376
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 20:01:33 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 3376
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 20:02:19 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 3530
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 20:02:21 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 3530
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 20:02:23 2005 [Local GMT bias +0:00]
Source IP: 172.212.118.188 (ACD476BC.ipt.aol.com)
Source Port: 3530
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 20:02:29 2005 [Local GMT bias +0:00]
Source IP: 202.68.133.176 (*202.68.133.176)
Source Port: 3483
Local Port: 2238


-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 23:35:55 2005 [Local GMT bias +0:00]
Source IP: 24.126.47.161 (c-24-126-47-161.hsd1.ca.comcast.net)
Source Port: 4719
Local Port: 2238

-------------------------------------------------------------------------
Type of attack: Possible TCP port scanning
Time: Fri Mar 25 23:41:13 2005 [Local GMT bias +0:00]
Source IP: 211.167.7.134 (TIANJIAO135)
Source Port: 6000
Local Port: 512



Etc, etc. It's not always that port number by the way - it can be all sorts. This is a *very* short example by the way - I only pasted a tiny fraction of the full report, and that's from being online for a few hours smiley - yikes



Post 2

IctoanAWEWawi

a) Yes, portscanning is very common. Particularly if you are on a broadband connection. But also on dial up. It's just that the broadband netblocks of IP addresses are more likely to be in use so they are scanned more.
b) There is also a lot of internet background noise, which is stuff that floats around in cyberspace and may mistakenly try to get to your computer, just lost bits and pieces so to speak, and that can look like it.

If you really want to check up on these things try a site like www.samspade.org which allows you to put IPs and URLs in and gives you info back on them.

For example, the last one in your list is from a Chinese ISP:

inetnum: 211.167.0.0 - 211.167.31.255
netname: GDGX
country: CN
descr: Guang Dong GuoXun Internet Information Industry Development co Ltd.
admin-c: CW143-AP
tech-c: CW143-AP
status: ALLOCATED PORTABLE
changed: [email protected]

All you do is go to samspade.org, put the IP address in the first entry box (next to the Do Stuff button) then click the button and it will give you the reverse DNS. This should also include the email contact for the ISP for anyone misusing their service. Can't guarantee that they'll do anything though.

Oh, and the second to last one on yours is ComCast, who are US, so no, not just one source.

You'll find incidences of this go up on public holidays, weekends and US school holidays (other countries' holidays too, just there's more people in the US!).
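
Added example, not part of the original thread: a Python parser for the Jammer report layout pasted in Post 1 that merges repeated entries with the same source IP, source port and local port into one connection attempt, then labels each source by how many distinct local ports it touched. The `192.0.2.10` rows, the 10-second window, the five-port threshold and all function names are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

ENTRY_RE = re.compile(
    r"Type of attack: [^\n]+\n"
    r"Time: (?P<time>\w{3} \w{3} +\d+ [\d:]{8} \d{4})[^\n]*\n"
    r"Source IP: (?P<ip>[\d.]+)[^\n]*\n"
    r"Source Port: (?P<sport>\d+)[^\n]*\n"
    r"Local Port: (?P<lport>\d+)")

def parse_entries(text):
    """One dict per report entry; the reverse-DNS name in brackets is ignored."""
    return [{"time": datetime.strptime(m["time"], "%a %b %d %H:%M:%S %Y"),
             "ip": m["ip"], "sport": int(m["sport"]), "lport": int(m["lport"])}
            for m in ENTRY_RE.finditer(text)]

def collapse_retries(entries, window=10):
    """Merge entries with identical (ip, sport, lport) seen within `window`
    seconds of each other; they are treated as retries of one attempt."""
    attempts, latest = [], {}
    for e in sorted(entries, key=lambda e: e["time"]):
        key = (e["ip"], e["sport"], e["lport"])
        prev = latest.get(key)
        if prev and (e["time"] - prev["last"]).total_seconds() <= window:
            prev["retries"] += 1
            prev["last"] = e["time"]
        else:
            latest[key] = {"ip": e["ip"], "lport": e["lport"],
                           "first": e["time"], "last": e["time"], "retries": 0}
            attempts.append(latest[key])
    return attempts

def classify(attempts, sweep_ports=5):
    """Label each source by distinct local ports touched (threshold is assumed)."""
    stats = defaultdict(lambda: {"n": 0, "ports": set()})
    for a in attempts:
        stats[a["ip"]]["n"] += 1
        stats[a["ip"]]["ports"].add(a["lport"])
    verdict = {}
    for ip, s in stats.items():
        if len(s["ports"]) >= sweep_ports:
            label = "multi-port sweep"
        elif s["n"] > 1:
            label = "repeated, few ports"
        else:
            label = "isolated"
        verdict[ip] = (label, s["n"], sorted(s["ports"]))
    return verdict

def render(clock, ip, sport, lport):
    """Rebuild one entry in the report layout from Post 1."""
    return ("-" * 73 + "\nType of attack: Possible TCP port scanning\n"
            f"Time: Fri Mar 25 {clock} 2005 [Local GMT bias +0:00]\n"
            f"Source IP: {ip}\nSource Port: {sport}\nLocal Port: {lport}\n\n")

AOL = "172.212.118.188 (ACD476BC.ipt.aol.com)"
ROWS = [  # values taken from the excerpt in Post 1
    ("19:54:57", AOL, 2331, 2238), ("19:55:02", AOL, 2331, 2238),
    ("19:55:03", AOL, 2331, 2238), ("19:55:52", AOL, 2495, 2238),
    ("19:55:56", AOL, 2495, 2238), ("19:55:59", AOL, 2495, 2238),
    ("19:55:13", "202.68.133.176", 3252, 2238),
    ("19:55:14", "202.68.133.176", 3252, 2238),
    ("19:55:16", "202.68.133.176", 3252, 2238),
    ("23:41:13", "211.167.7.134 (TIANJIAO135)", 6000, 512),
]
# Constructed rows (not from the thread): one source touching six local ports.
ROWS += [(f"23:50:0{i}", "192.0.2.10", 40000 + i, p)
         for i, p in enumerate((21, 22, 23, 25, 80, 110))]
SAMPLE = "".join(render(*r) for r in ROWS)

if __name__ == "__main__":
    result = classify(collapse_retries(parse_entries(SAMPLE)))
    for ip, (label, n, ports) in result.items():
        print(f"{ip:16} {label:20} attempts={n} local_ports={ports}")
```

On the rows taken from Post 1, ten report entries reduce to four attempts, three of them against the same local port; only the constructed source touches enough distinct ports to be labelled a sweep.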



Post 3

winnoch2 - Impostair Syndromair Extraordinaire

Thanks smiley - ok

So it's OK for me to do nothing - I can safely ignore it and let it work away in the background? I usually run through the list just to check there isn't any other type of attack smiley - monster but in the year or so I've had Jammer it's only ever been TCP port scanning.

What do all these 'attacks' normally do to the computer when not blocked by a firewall?



Post 4

IctoanAWEWawi

Yeah, I wouldn't worry, your firewall should say 'blocked' or something similar. If it detected it it should be OK, it's the ones it doesn't detect you wanna worry about!

Go to www.grc.com and take the Shields Up test if you are sure you want to check further. It does get a bit involved.

That will tell you how good your firewall is, and you can take tests for common Windows security problems, like file sharing.

Basically, without a firewall set up correctly, your computer will listen and respond to data on certain ports. For example, if you have your C: drive set to shared all then it can be viewed on a network port. And other stuff. What the scanners do is just trawl the web poking for certain ports on all addresses. Those ports give the person/program access to the computer in question. Through that various things can be introduced or run off the back of your computer.


A recent trojan attack, although not sure how it is delivered, allows the person the other end to view and control any web cam you may have attached and turned on. They can't do that if the port doesn't respond.

There are two different refusals, one is a signal back saying refused, but then they know your computer is there. And there are ways round these things if they know it is there. The other way is no response, a kind of lie low and hide approach.



Post 5

winnoch2 - Impostair Syndromair Extraordinaire

Well, I went to the site, and yes it is rather involved, but I think I understand most of what's being said.

On the whole my firewall did OK, but it failed a few tests and passed with merit some others. All my ports were closed, but not many are operating in 'stealth', so as I understand it, casual scanning of my computer won't result in any hits, but its presence is not hidden, so if someone wanted to, they could easily open a port and attack.

OK, so the site gave me some hints on what to do, but there's just one problem - I can't seem to find a way in to Jammer to change any settings! The 'options' tab is very limited indeed, only changing things like whether or not Jammer starts on PC start-up or not.

I remember when I was installing it, I had lots of options - can I not change anything now? If not, I think I'll change firewall..



Post 6

I am Donald Sutherland

>> so if someone wanted to, they could easily open a port and attack. <<

No, ports can only be opened from the inside. The fact that your computer responded to a port scan indicates that there is a computer at that IP address. Anyone wishing to hack into your computer can then scan all ports, all 65,000 of them, in the hope of finding one open. If they do, they could then possibly download a Trojan which will then open up other ports from the inside. However, a good firewall will prevent the downloading of Trojans. Having your ports "stealthed" eliminates this possibility.

This is where Peer to Peer file sharing systems fall down as they need to have so many ports open in order for them to work that they are a hacker's paradise.



Post 7

IctoanAWEWawi

Well, I don't know Jammer at all.
I use, and an increasing number of others do too, the Zone Alarm firewall. Gives full stealth mode and it is free.

www.zonelabs.com

click on download and buy, click the ZoneAlarm tab and click free download. Once downloaded, disconnect from the net, disable/uninstall your Jammer firewall and then unzip and run install on ZoneAlarm.

Whilst you are at it, do you run anti-spyware software as well?



Post 8

winnoch2 - Impostair Syndromair Extraordinaire

Yeah, I have Norton and I run Ad-aware and Spybot (which probably do the same as each other). I check for updates and do scans at least once a week smiley - smiley like a good little boy!
Now, running scans on my ancient machine is no mean feat - a full Norton scan takes over 2.5 hours and it slows down the computer too much for me to do anything else (computer based that is smiley - winkeye) whilst I wait smiley - wah.

Hmm, will think about following your advice, though I tend to believe in the 'if it ain't broke...' adage, in so much as I haven't been attacked so far, so might leave Jammer for now.

Thanks very much for all your advice so far- it's quite an interesting topic in a smiley - geek kind of way..



Post 9

winnoch2 - Impostair Syndromair Extraordinaire

Scratch that - just downloaded it smiley - ok.. Will let you know how it goes..



Post 10

azahar

I use Zone Alarm firewall, which seems to be quite effective. Just installed Windows SP2, which is also supposed to help against internet intruders. I also run Spybot and Ad-aware once a week. And have just started with Norton antivirus, replacing my old antivirus thingy.

Sheesh! What a load of sh*t to have to worry about!


az




Post 11

winnoch2 - Impostair Syndromair Extraordinaire

Reeeeesult!! I'm a Zonealarm convert smiley - grovel

After installing, I re-ran the security test thing and this time I got a perfect score, with all my ports shown to be in stealth mode smiley - smiley

Naughty Jammer for not hiding my ports smiley - cross (well it was free, but then again so is this version of zonealert)

Oh, and I especially like the in/out traffic indicator in the taskbar, and the fact that I no longer have Jammer's winking eye in the corner..

Cheers smiley - ok



Post 12

IctoanAWEWawi

smiley - cool
Glad it has all worked for you. I also have Ad Aware and SpyBot installed. The thing about spyware software is it is constantly evolving and each of the anti-spyware proggies out there covers up to about 95% of the stuff. None of them catch everything. So running 2 is a good idea and I have found that these two seem to cover everything. Every now and then I try one of the free web based scanners or download a different one and run it. If it finds nothing then I delete it and continue with what I have.

Only comment on anti virus software, I use the AVG one, from Grisoft, which is free and has regular updates. Appears to catch everything, not that I have had a virus in a long while (probably get one now!).

Yes, we do have to put up with a lot of cr*p. And it is all down to shoddy legislation and a lack of enthusiasm for catching spammers and other freeloaders.

ZoneAlarm also auto-notifies for updates if you set it up.

All consulting services at usual fee, coffee and beer smiley - winkeye



Post 13

I am Donald Sutherland

>> And it is all down to shoddy legislation and a lack of enthusiasm for catching spammers and other freeloaders. <<

Unfortunately this is true. Under UK and European Law, any unsolicited e-mail is considered Spam with penalties for offenders. In the US, unsolicited e-mail is allowed providing certain rules are observed. Like a cancel option and a valid return address.

The problem is telling if it is a compliant E-mail or a spammer pretending to be compliant. Very few users have the technical knowledge to be able to determine which is pure spam and which is complying with US Spam laws.

If you get it wrong and break the golden rule and reply, you could end up on some spammer's e-mail list as a confirmed address. If you don't reply, you just end up getting more spam. Not a very good situation.

Then there is e-mail originating from Eastern European and third world countries where there are no anti Spam laws at all. So until the UN get involved, Spam is here to stay.

Donald



Post 14

winnoch2 - Impostair Syndromair Extraordinaire

smiley - ale smiley - erm.. OK, you've twisted my arm smiley - bigeyes - next time you're in the area smiley - biggrin

Well, Zonealarm did find 4 ad/mal ware products when I ran its free scan.. you know the one that gleefully says "we've found trouble" and then when you click 'remove' it even more gleefully says "sorry you have to buy our spyware program to remove infestations" smiley - grr

Well, I'm a cynic and the locations stated for whereabouts of said spyware don't look like anything on my computer - more like XP type programs - I have '98... plus the scan took about 4 nanoseconds, which is impossible on this machine, and my noisy drive didn't do very much during 'scan', so I suspect trickery.

Good products I'm sure, just annoyed at the emotional blackmail tactics.



Post 15

A Super Furry Animal

Well, I dunno, but I run ZoneAlarm's freeware regularly on this computer (Win ME) and it *says* it's deleted all malware. Though it reappears with an alarming regularity... is it really deleting it? Anyway, first time I ran it the performance substantially improved. I never get prompted to buy stuff from them to remove anything. Mostly the problems are registry entries.

RF smiley - evilgrin



Post 16

GreyDesk

If you're worried about firewall vulnerabilities etc, then I suggest you pay a visit to Gibson Research Corporation - http://www.grc.com/default.htm

This chap has created a very thorough test suite called "Shields Up!" which will test your system. It's free, unbiased and doesn't ask you to buy anything from him, or register your details etc smiley - ok



Post 17

IctoanAWEWawi

There's only 16 posts here, how did you manage to not read the backlog? (c.f. post 4)
smiley - winkeye

I dunno, internet users today

smiley - biggrin



Post 18

azahar

Well, also running Spybot and Ad-aware (both free) I find they tend to pick up different things.

Also, the new Norton anti-virus seems to work much better than my old Panda one did. It's also nice that it scans all email (ingoing and outgoing) as a precaution. That way I don't have to worry about accidentally passing on a virus to someone via an email.


az



Post 19

IctoanAWEWawi

Yeah, I noticed that whenever Opera connects to my mail servers AVG kicks in and does a virus scan of the email before it is downloaded, which is pretty good.
Does take a while longer though.

