Think I was hacked?

My system performance (CPU Usage History) started jumping between 20 to 90 percent for no reason at all, I didn't load anything, it just started happening. It sounds like my fan starts and stops all of the time, which is weird since I don't have anything running.

I loaded McAfee, Spybot, ZoneAlarm and it is still doing it. McAfee's Personal Firewall Plus said the ports that are getting hit are: Port 41192, ICMP, Port 40591, Port 34932. It also gave me the source IPs of the offenders that are doing it. My question is, is there any way to completely secure all vulnerabilities (locking down everything) and nail the guys who are doing it?

Also, is there any advice to see what these guys touched or snagged off of my system?

Thanks for the time,

Bill


Thanks, Jason. It's a nice tool. Any suggestions on what is the best protection for locking down every port etc. on an XP system? I just got McAfee and liked some of the tracking features that Norton didn't have.

Thanks again,

Bill


No.

I suggest you download and run this.

formatting link
Save a log then copy/paste the log here.
formatting link
see what the analysis says.

Jason


Gerald,

I appreciate you taking the time to explain that; it is extremely helpful since I'm definitely a novice at this. My company sells to resellers, so to all of you out there, thank God you're there beating the direct channel :)

Thanks again,

Bill


It depends on what you mean by locking down every port. To see how you look to the rest of the world you can use these:

formatting link
of them may attempt to sell you products but there is no need to purchase anything. To see what your own computer is connecting to it may be useful to try this
formatting link
I suspect that you have a dsl modem connected directly to your PC, which may be ok, but it is preferable to use an external firewall which is separate from your PC. A separate firewall cannot be easily compromised by software on your PC.

I generally don't recommend personal firewall software for various reasons but there is no reason why you shouldn't use it if you understand exactly what it does and how to configure it. It looks to me like you are having difficulty making sense of what your firewall software is telling you and it's very likely that the firewall software wants to look useful so you'll think you got value for money.

Use an external piece of hardware, even if it's just a NAT router. Make sure you understand exactly what is in your PC and don't install anything you don't trust. Then there should be no need for personal firewall software.

Jason


Is it correct, you are actually using _two_ firewalls? McAfee and ZoneAlarm? No wonder your CPU load goes up when someone just sends you a simple ping.

Check your system with an updated virus scanner. Best would be doing this when you boot from a current rescue disk. The rescue disk is hopefully clean, and only this way can you reliably detect something that may go missing if it is running at the same time as the virus scanner during normal times. Use other spyware, adware, etc. tools to scan the system. Again, if possible, from a system booted from the rescue disk. (O.K., that's maybe a little tricky if you were not prepared for that.)

My guess would be, from what you say you have, that you are not infected. If a scanner finds something you have to deal with the infection. But as you are running so many security tools on your system, I would say the only reasonable thing would be to completely set up your system from scratch again. Because you don't have some simple stupid malware running on your system but something that is clever enough to hide well in the system. You can thus never really know what has been done to the system, and thus it is better to get the Windows CD and format the hard drive...

If you have no infection then all that is happening is that someone attacks your IP address and then your PFW gets so busy with all the logging and monitoring things it does that your CPU load jumps up. This is inevitable with a PFW because they just terribly slow down the system, in particular if something happens.

The problem is, however, that nothing unusual is really happening. What the "offender" is doing anyone can do on the internet: try to send a packet to your IP address. There is no way to avoid that. If someone sends millions of packets this is a Denial of Service (DoS) attack. Again, there is nothing you can do against that either. If someone sends that many packets and your ISP and the other ones upstream forward the packets, well, there is nothing you can do about it on your computer's side. If it is a massive attack over a longer time (many hours) you can only call your ISP to tell them that you are under fire. But if it is a good ISP they already know it. The ISP can block the traffic upstream. Once it is on your cable to your computer, well, the line is clogged either way.

The reason why I am writing this: this is no "vulnerability". That is life. If you have a phone line and someone calls you constantly, well, there is little you can do about it except calling the phone company and asking them to block calls from whoever calls you all the time.

Second thing: use the command prompt and run "netstat -a". It shows you all active network connections and services listening on an interface (that is, open endpoints). Maybe "netstat -a -n" is better for you, because it does not show the symbolic names for the ports. Look out for lines with the above-mentioned port numbers. My guess is you won't find any. No service is actually listening on these ports.

So here comes the irony of this "attack": suppose you did not have any firewall running on your system. The connection attempts to the above ports would just end nowhere. Nothing would happen. The TCP/IP stack on your computer would just respond that nothing is listening on those ports. Very quickly and extremely efficiently.

Your problems start because you have the PFWs running on your system, which think they have to warn you of something where you are actually not vulnerable. It tells you it blocked an attack against port 41192 while in fact it was not an attack but just an attempt to send something to that port (which anyone can do) although there is nothing listening on that port. (Kind of like if the ABS brakes in your car would tell you each time you use the brakes that they just prevented an accident although it is just standard normal activity.) So the only vulnerability, in a sense, on your system is due to the existence of your PFWs.

As you were asking in reply to Jason's response what tools there are to close down all ports on your computer. The simple answer: use XP SP2's firewall. Run it without exceptions. This blocks all open ports. It does not close them. A firewall cannot do that. If you want to actually close all the ports (i.e. there is nothing listening on those ports) you could start reading

formatting link
It describes how to shut down most services on your Windows computer that you usually don't need. You can configure your Windows computer in a way that, for a simple, non-networked machine directly connected to the internet, actually nothing is listening on the internet connection. Once you are there, you would not even need a firewall anymore because there is nothing left for the firewall to block, because no one is listening anyway.

If you really want the PFW under all circumstances, just install one. If you currently have two installed I would highly recommend deinstalling one (or better, deinstall both in the reverse order of how you installed them in the first place and then do a fresh install of one only). A PFW deeply impacts your Windows installation. You never know how many problems two fighting PFWs may cause. Configure your PFW so that all useless messages are never logged and you will never be notified of those. Turn off "blocking of unused ports". Unused ports are not vulnerable. The IP stack is very efficient at answering those port requests if it is allowed to...

In particular, turn off those "stealth" features, which are totally useless. You don't need something stealthed (which does not exist); all you need is for all open ports to be blocked. That closes all the doors to your system. The stealth features usually have the opposite effect: they require the PFW to suppress the normal response to the packet you received on a closed port. So the overhead of not sending the response is higher than just sending back "no one's there". And your computer is not stealth, i.e. invisible, anyway: stealth mode is kind of like a big black hole. Things that go there just disappear and nothing's ever coming back. Obviously there is a simple test to see whether something is there: just send something there. If nothing is coming back and it just disappears, the black hole is actually there. So it is easy to see that you are there anyway. If your computer was really not there, then the upstream router of your ISP would report a "host unreachable" back to the sender. That is the sign that actually nothing is there. But your computer cannot do that. So stealth consumes CPU power but does not really make a difference.

Again, the only purpose of your PFW for incoming traffic is to block traffic to open ports (those in "netstat -a" with state "LISTENING" and those with "UDP" protocol). Behind open ports some service is listening which could be vulnerable. (Those vulnerabilities you can fight with regular updates for your system, with current Windows updates etc.) Only these 20 or so ports are relevant. All those 65000 other ports are just dead anyway. No need to protect those.

Look for "security scan" web services which offer to scan your system and report back any ports that are still open to the internet. Make sure that you turn off (at least temporarily) the "port scan prevention" feature of your PFW before you do the scan. Most PFWs block any incoming traffic from a specific IP address for some time if they recognize a port scan pattern. Having this feature turned on while you are doing a security scan, i.e. an intended port scan, is obviously counterproductive: the PFW would recognize the pattern after, let's say, the first 10 scanned ports and would then block the sender IP address completely for all traffic. So if there is an open port on your computer at port 135 you will never know, because the scan gets blocked purely because of the IP address after ports 1-10 are scanned.

This is pretty much all you can do... (maybe I missed a point or so, but I better stop here...)

Gerald

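The netstat check Gerald describes, as an added example that is not part of any post in this thread: it parses a constructed sample of "netstat -a -n" output in the Windows XP layout, lists the endpoints that actually have a listener (TCP in state LISTENING, plus every UDP line), and then sorts the firewall-reported ports into "reaches a listener" versus "closed, the stack answers it itself". The sample output and the reported-port set are assumptions built from the thread, not a capture from the poster's machine.

```python
# Constructed sample of "netstat -a -n" output in the Windows XP format.
# Not captured from the poster's machine; addresses are documentation ranges.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1043       203.0.113.10:80        ESTABLISHED
  TCP    192.168.1.5:1044       203.0.113.10:80        TIME_WAIT
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.5:137        *:*
  UDP    192.168.1.5:138        *:*
"""

# The ports the poster's personal firewall reported as being "hit".
REPORTED_PORTS = {41192, 40591, 34932}


def open_endpoints(netstat_text):
    """Return {(proto, port)} for endpoints a service really listens on:
    TCP lines in state LISTENING and every UDP line (UDP shows no state)."""
    open_set = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line or other noise
        proto, local = parts[0], parts[1]
        port = int(local.rsplit(":", 1)[1])
        if proto == "UDP" or (len(parts) >= 4 and parts[3] == "LISTENING"):
            open_set.add((proto, port))
    return open_set


def classify_reported(netstat_text, reported_ports):
    """Split firewall-reported ports into those with a listener behind them
    (worth attention) and those that are closed (no service, so no exposure)."""
    open_ports = {port for _, port in open_endpoints(netstat_text)}
    listening = sorted(p for p in reported_ports if p in open_ports)
    closed = sorted(p for p in reported_ports if p not in open_ports)
    return listening, closed


if __name__ == "__main__":
    for proto, port in sorted(open_endpoints(SAMPLE_NETSTAT)):
        print(f"listening: {proto}/{port}")
    hits, noise = classify_reported(SAMPLE_NETSTAT, REPORTED_PORTS)
    print("reported ports with a listener:", hits)
    print("reported ports that are closed:", noise)
```

Run it against the output of the real `netstat -a -n` by replacing the sample string; only the ports in the "with a listener" list need the patching and service-disabling Gerald mentions.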
