Dlink.com.sg intrusion with worm??

on 10.10.2006 11:19:17 by luther

Dear All,

It sounds strange. This website from a well known network company attempted
to intrude into my system. I have been accessing this website several
times in the past few months. Every time I ended up abandoning it due to
slow response.

However, today I got a shock from a Norton Anti-Virus popup, as shown below.

Details: Attempted Intrusion "NMap Xmas Scan" against your machine was
detected and blocked.
Intruder: www.dlink.com.sg(203.126.164.142)(21).
Risk Level: Medium.
Protocol: TCP.
Attacked IP: ACE(192.168.100.100).
Attacked Port: 1149.


Well may be you can trace it.

Regards
Luther

Re: Dlink.com.sg intrusion with worm??

on 10.10.2006 13:46:06 by unknown

Post removed (X-No-Archive: yes)

Re: Dlink.com.sg intrusion with worm??

on 10.10.2006 13:59:49 by Mak

Luther wrote:
> Dear All,
>
> It sounds strange. This website from a well known network company attempted
> to intrude into my system. I have been accessing this website several
> times in the past few months. Every time I ended up abandoning it due to
> slow response.

are you sure that was the same website?

> However, today I got a shock from a Norton Anti-Virus popup, as shown below.
>
> Details: Attempted Intrusion "NMap Xmas Scan" against your machine was
> detected and blocked.
> Intruder: www.dlink.com.sg(203.126.164.142)(21).
the website, DNS and reverse lookup seem legit.

> Risk Level: Medium.
> Protocol: TCP.
> Attacked IP: ACE(192.168.100.100).
> Attacked Port: 1149.

either one of their employees scans you or someone is spoofing their address and scans you.
the scan you shouldn't worry about.

what you should worry about: that there is no firewall _in front of_ your pc,

if an intruder gets as far as your norton antivirus, that means you are basically exposing your computer to the whole
big world. I am sure NA can be knocked out.

at _least_ turn on your XP firewall...

>
> Well may be you can trace it.
>
> Regards
> Luther
>

Re: Dlink.com.sg intrusion with worm??

on 10.10.2006 14:09:35 by unknown

Post removed (X-No-Archive: yes)

Re: Dlink.com.sg intrusion with worm??

on 10.10.2006 15:26:07 by Mak

Sebastian Gottschalk wrote:
> mak wrote:
>
>> what you should worry about: that there is no firewall _in front of_ your pc,
>
> Why? It's a home computer, it doesn't need any firewall or host-based
> packet filter.

are you being cynical?

Re: Dlink.com.sg intrusion with worm??

on 10.10.2006 16:25:40 by unknown

Post removed (X-No-Archive: yes)

Re: Dlink.com.sg intrusion with worm??

on 10.10.2006 20:39:52 by unruh

mak writes:

>Sebastian Gottschalk wrote:
>> mak wrote:
>>
>>> what you should worry about: that there is no firewall _in front of_ your pc,
>>
>> Why? It's a home computer, it doesn't need any firewall or host-based
>> packet filter.

What I cannot figure out is how an external IP can attack a 192.168.x.x
number. The latter is unroutable and there is no way it could get from any
external site to that computer. I.e., this attack MUST be internal.

Re: Dlink.com.sg intrusion with worm??

on 10.10.2006 21:48:32 by ibuprofin

On Tue, 10 Oct 2006, in the Usenet newsgroup comp.security.misc, in article
, mak wrote:

>Sebastian Gottschalk wrote:
>
>> mak wrote:
>>
>>> what you should worry about: that there is no firewall _in front of_
>>> your pc,
>>
>> Why? It's a home computer, it doesn't need any firewall or host-based
>> packet filter.
>
>are you being cynical?

[compton ~]$ netstat -tuan
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.14.12:3228 198.18.97.142:119 ESTABLISHED
[compton ~]$

The _only_ thing "open" on this system is a connection to the news server.
As there is nothing else open, there is nothing to exploit - thus there is
no absolute _need_ for a firewall. ("netstat" is a UNIX command - windoze
has a similar command, but uses different syntax. Try "netstat /ano" for
the XP imitation.)

Most people "need" a firewall because they have no idea what their computer
is running - and by default windoze comes with a lot of stuff enabled because
microsoft thinks it may be useful to a few, and that no one knows or wants to
know how to enable it. Thus, it's available to be exploited by default. If
people learned how to disable the garbage, there wouldn't be a need for a
personal firewall, anti-virus, anti-spyware, and the rest of that mess.
Contrary to what you may believe, there isn't a "Mal-ware Fairy" that comes
around and installs bad stuff on your computer. It gets installed by the user
who has no idea what they are doing.

Old guy

Re: Dlink.com.sg intrusion with worm??

on 10.10.2006 21:54:29 by ibuprofin

On 10 Oct 2006, in the Usenet newsgroup comp.security.misc, in article
, Unruh wrote:

>What I cannot figure out is how an external IP can attack a 192.168.x.x
>number.

Not familiar with attacks FROM port 21? The bad guys do it all the time.

] Intruder: www.dlink.com.sg(203.126.164.142)(21).

] Attacked IP: ACE(192.168.100.100).
] Attacked Port: 1149.

>The latter is unroutable and there is no way it could get from any
>external site to that computer. Ie, this attack MUST be internal.

No port forwarding?

Old guy

Re: Dlink.com.sg intrusion with worm??

on 10.10.2006 22:52:09 by unknown

Post removed (X-No-Archive: yes)

Re: Dlink.com.sg intrusion with worm??

on 11.10.2006 08:55:06 by Mak

> Most people "need" a firewall because they have no idea what their computer
> is running - and by default windoze comes with a lot of stuff enabled because
> microsoft thinks it may be useful to a few, and that no one knows or wants to
> know how to enable it. Thus, it's available to be exploited by default. If
> people learned how to disable the garbage, there wouldn't be a need for a
> personal firewall, anti-virus, anti-spyware, and the rest of that mess.
> Contrary to what you may believe, there isn't a "Mal-ware Fairy" that comes
> around and installs bad stuff on your computer. It gets installed by the user
> who has no idea what they are doing.
>
> Old guy

I am all with you,
but until people learn how to use their pc, I suggest giving them advice they can easily follow.
Not everybody is interested in hardening their system and learning about exploits or tcp/ip.

what's the other option?
they get taken over, they spam and spread viruses and are used for illegal filesharing - probably w/out them even knowing.
and the experts can point fingers and say: why don't you use linux/unix/whatever and why didn't you protect
your system ?

and - no offense to Luther - when someone states

> This website from a well known network company attempted
> to intrude into my system.
[...]
> However, today I got a shock from a Norton Anti-Virus popup.

I think they are not very familiar with anything related to comp security.


M

Re: Dlink.com.sg intrusion with worm??

on 11.10.2006 12:15:16 by unknown

Post removed (X-No-Archive: yes)

Re: Dlink.com.sg intrusion with worm??

on 11.10.2006 18:05:35 by luther

Dear All,

Thank you for all the comments and help!

I thought I could get some geeks to show how to counter this intrusion.

Anyway just to point out some of the missing notes.

1. Firewall - 192.168.x.x (some got it, a private network behind a
router with NAT, DHCP).

2. XP SP2 autoupdate and firewall are on.

3. ZoneAlarm-Pro3 also has a problem with this site; a month back my
W98se PC with IE6 crashed (BSoD) after 15 minutes browsing some of the
catalog.

4. Once I had BitDefender7 installed on the XP on top of NAV, the
website caused the PC to come to a standstill. As BitDefender is all in one
(firewall, antispam, antivirus) it slowed the system too much and was
removed.

5. During that time I was the only user on my LAN? All the PCs are in
view of each other.

Questions
1. Packet filtering: why and how? How much technical detail do you have to
know?

2. www.dlink.com.sg will respond from relatively fast to very slow as
you request more pages (3~5). It requires you to enable scripting for both
the global and local site. Did it use some script code to attack ports 21
and 1149? You should try it if you think you are better than them.

3. Someone may want to suggest disabling all unused ports. But then
some of the ports may be used from time to time, e.g. ftp, smtp, NNTP, POP etc.
So what would you suggest? Will it mean that I have to enable them
every time I use them?

Thanks in Advance!
Luther

Re: Dlink.com.sg intrusion with worm??

on 11.10.2006 22:07:41 by ibuprofin

On Wed, 11 Oct 2006, in the Usenet newsgroup comp.security.misc, in article
, mak wrote:

>I am all with you,
>but until people learn how to use their pc, I suggest giving them advice
>they can easily follow.

Excuse me - IBM introduced the PC to the world August 12, 1981. If you are
a Mac phreak, the Apple I was introduced in 1976 (the Apple ][ came out a
year later). Exactly how long do you think it's going to take for people
to "learn how to use" their PC? The skill level has actually gone down
several orders of magnitude since 1982, because software developers have
made their software "easier" to use. This "ease of use" also makes the
software "easier to abuse" as more dangerous features are enabled by
default on the remote chance that _someone_ might find a feature useful.

I mentioned the 'netstat /ano' command for XP. Do you even know how to
run that command - never mind know what it's telling you?

>Not everybody is interested in hardening their system and learning about
>exploits or tcp/ip.

Then they shouldn't be using a network enabled PC. Contrary to the dreams
of microsoft, every one in the entire world does not need a server - web,
mail, file, or anything else.

>what's the other option?

What's the alternative when a driver insists on driving while intoxicated?

>they get taken over, they spam and spread viruses and are used for illegal
> filesharing - probably w/out them even knowing.

Personally, I realize that judicial punishment would be useless - you'd
run out of jail space in a heartbeat. I'd prefer that computers taken
over by mal-ware be confiscated and destroyed at the previous owner's
expense. After some idiots lost their systems for the fifth time at
US$500-2000 a pop, they _might_ decide to learn, or to no longer use a
computer. Either decision would make me happy.

>and the experts can point fingers and say: why don't you use
>linux/unix/whatever and why didn't you protect your system ?

Trust me on this - using *nix as stupidly as using windoze has similar
results. The reason UNIX or Linux (or *BSD) has fewer exploits is that
it is harder to use - every service is NOT automatically enabled. You
have to enable things individually, and it's not as simple as clicking on
a single icon. You have to think - what a strange concept.

>and - no offense to Luther - when someone states

[...]

>I think they are not very familiar with anything related to comp security.

Notice how users would rather buy a program/application to disable some
windoze "feature" rather than spend a few minutes to find out how you can
disable it _in_ windoze for free. It says a lot about the quality of the
software from microsoft when there is this huge and profitable after-market
in anti-malware. Microsoft doesn't care - the fools continue to buy (soon
they will only rent) the bad software, so why should they change?

Old guy

Re: Dlink.com.sg intrusion with worm??

on 11.10.2006 22:33:30 by unknown

Post removed (X-No-Archive: yes)

Re: Dlink.com.sg intrusion with worm??

on 12.10.2006 02:25:17 by ibuprofin

On 12 Oct 2006, in the Usenet newsgroup comp.security.misc, in article
<452d164f$1@news.starhub.net.sg>, Luther wrote:

>I thought I could get some geeks to show how to counter this intrusion.

It's highly unlikely to be an intrusion. You are using a piece of easily
confused or badly misconfigured software.

>Questions
>1. Packet filtering: why and how? How much technical detail do you have to
>know?

Concepts - addresses, protocols, port numbers and how they all tie together.
A couple of RFCs that might help:

1118 Hitchhikers guide to the Internet. E. Krol. September 1989.
(Format: TXT=62757 bytes) (Status: INFORMATIONAL)

1180 TCP/IP tutorial. T.J. Socolofsky, C.J. Kale. January 1991.
(Format: TXT=65494 bytes) (Status: INFORMATIONAL)

Use any search engine and look for RFC1118 and RFC1180.

>2. www.dlink.com.sg will respond from relatively fast to very slow as
>you request more pages (3~5). It requires you to enable scripting for both
>the global and local site. Did it use some script code to attack ports 21
>and 1149?

[compton ~]$ grep 21 /etc/services
ftp 21/tcp # File Transfer [Control]
[compton ~]$

0959 File Transfer Protocol. J. Postel, J. Reynolds. October 1985.
(Format: TXT=147316 bytes) (Obsoletes RFC0765) (Updated by RFC2228,
RFC2640, RFC2773) (Also STD0009) (Status: STANDARD)

1635 How to Use Anonymous FTP. P. Deutsch, A. Emtage, A. Marine. May
1994. (Format: TXT=27258 bytes) (Also FYI0024) (Status:
INFORMATIONAL)

A couple more RFCs for you to look at. It might be a surprise to you, but
there is more than the World Wide Web on the Internet. That RFC0959 pre-dates
hypertext and the web by five years, and the origins of FTP go back to April
1971 - a bit before Bill Gates heard about computers. Port 1149 on your
system was one end of a conversation with port 21 on their end - you were
trying to download something.

>You should try it if you think you are better than them.

Why? I have no need to download anything from DLink, never mind their
Singapore office.

>3. Someone may want to suggest disabling all unused ports. But then
>some of the ports may be used from time to time, e.g. ftp, smtp, NNTP, POP etc.

Are you running a _server_ on each one of those ports? I very much doubt it
seeing as how you don't recognize an FTP transfer. Big clue: people connect
to those ports to find a server. If you aren't serving, you DON'T want the
ports open. Period.

>So what would you suggest? Will it mean that I have to enable them
>every time I use them?

No, you are a _client_ not a server. Your end of the connection is those
high port numbers above 1025 (such as the 1149 you thought was being
"attacked"). Your system picks the next available port number to CALL OUT.
But because there is no server listening on those ports, no one can CALL IN.
Notice the difference in the words "out" and "in".

Old guy

Re: Dlink.com.sg intrusion with worm??

on 12.10.2006 08:53:56 by Volker Birk

Luther wrote:
> It sounds strange. This website from a well known network company attempted
> to intrude into my system.

No.

You're just using b0rken "security software", which fools you with
senseless messages.

> Well may be you can trace it.

Done.

Yours,
VB.
--
Far worse than PHP's implementation, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Dlink.com.sg intrusion with worm??

on 12.10.2006 08:56:53 by Volker Birk

mak wrote:
> > Why? It's a home computer, it doesn't need any firewall or host-based
> > packet filter.
> are you being cynical?

No. He's right here.

But most people don't know how to configure their computer so that it's
no longer in danger, and Microsoft often makes it very hard to do so.

So with Windows XP SP2 there is, fortunately, a packet filter at last:
the Windows Firewall.

For Windows 9x you don't need one, because configuration is easy. For
Windows 2000 and Windows XP before SP2, there is http://www.dingens.org.

For people who like a sensible configuration, there is
http://ntsvcfg.de.

Yours,
VB.
--
Far worse than PHP's implementation, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Dlink.com.sg intrusion with worm??

on 12.10.2006 08:59:57 by Volker Birk

Sebastian Gottschalk wrote:
> OK then, if you don't have any clue about TCP/IP, why are you running a
> host-based packet filter?

I'm very happy about the Windows Firewall as default, because this is
the second best option Microsoft could have chosen. It's idiotic that
Windows, even with XP SP2, starts unnecessary network services by
default, but it's good to know that they're filtered away immediately
again.

It's idiotic, but second best.

Yours,
VB.
--
Far worse than PHP's implementation, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Dlink.com.sg intrusion with worm??

on 12.10.2006 09:03:01 by Volker Birk

Moe Trin wrote:
> >Not everybody is interested in hardening their system and learning about
> >exploits or tcp/ip.
> Then they shouldn't be using a network enabled PC.

I disagree.

Microsoft, Apple and all the others must deliver a default
configuration which does not offer network services - which _is_
hardened already.

Yours,
VB.
--
Far worse than PHP's implementation, however, is its design.

Rudolf Polzer in de.comp.security.misc

Re: Dlink.com.sg intrusion with worm??

on 12.10.2006 13:08:36 by unknown

Post removed (X-No-Archive: yes)