• All Community
    • All Community
    • Forums
    • Ideas
    • Blogs
Advanced

Not what you are looking for? Ask the experts!

This forum thread needs a solution.
Kudos0

NIS 2010 Intrusion Attempts!!!

I installed NIS 2010 about 2 months ago, and everything was great up until about a week ago.  All of a sudden I started getting a lot of intrusions attempts, MS RPCSS Attacks 2 and 3, all of which are considered to be "High Severity".  Norton says that it is blocking these attempts and no action is necessary.  However I am concerned as to what would happen if one of these attempts were to make it through.  I don't know what to do to stop this from happening anymore.  I have run scans constantly, both online and off.  I even ran a scan in "Safe Mode", and Norton doesn't find anything but some tracking cookies that are easily removed.  When I chatted with the tech support, all that was said was everything is fine but if you want we can scan your computer for $140!!! 

I am completely out of ideas, can someone please help me with this?!?!?!?

Replies

Kudos0

Re: NIS 2010 Intrusion Attempts!!!

I installed NIS 2010 about 2 months ago, and everything was great up until about a week ago.  All of a sudden I started getting a lot of intrusions attempts, MS RPCSS Attacks 2 and 3, all of which are considered to be "High Severity".  Norton says that it is blocking these attempts and no action is necessary.  However I am concerned as to what would happen if one of these attempts were to make it through.  I don't know what to do to stop this from happening anymore.  I have run scans constantly, both online and off.  I even ran a scan in "Safe Mode", and Norton doesn't find anything but some tracking cookies that are easily removed.  When I chatted with the tech support, all that was said was everything is fine but if you want we can scan your computer for $140!!! 

I am completely out of ideas, can someone please help me with this?!?!?!?

Kudos0

Re: NIS 2010 Intrusion Attempts!!!

Hi lotsip81,

 

I don't think you need to be worried over this. This is a normal behaviour and many other users have reported this. As long as Norton program is blocking it, you are safe. Please go through the information provided in the following thread:

http://community.norton.com/norton/board/message?board.id=nis_feedback&message.id=76970

 

Yogesh

Kudos0

Re: NIS 2010 Intrusion Attempts!!!

Thank you for posting that link.  I did notice that one of the people involved in that thread had stated that they were able to block the offending IP addresses, how is this done?  Or is it possible to make my IP so that they can't see it?  I am assuming (which might be wrong) that this is being done by my IP address.  Also, if it matters I am using Vista Home Premium....

Thanks for the quick response.....

Kudos0

Re: NIS 2010 Intrusion Attempts!!!

Hi lotsip81,

I have checked the Microsoft Security Bulletin for this vulnerability and it appears that Vista is not affected, and most other recent versions have been patched.  The attack signature that Norton uses helps to protect affected computers that have not installed the security updates that Microsoft issues each month.  The "attack" you are seeing is probably part of the normal background radiation of the internet.    

Message Edited by SendOfJive on 12-31-2009 05:19 PMMessage Edited by SendOfJive on 12-31-2009 05:31 PMMessage Edited by SendOfJive on 12-31-2009 05:33 PM
Kudos0

Re: NIS 2010 Intrusion Attempts!!!

Do you have any ideas on why this would have just started happening all of a sudden?  I have never experienced anything like this and is probably why I was so concerned about it.  I am not a computer guru, so can you explain what "  part of the normal background radiation of the internet" means?

Thank You 

Kudos0

Re: NIS 2010 Intrusion Attempts!!!

Hi lotsip81,

I am assuming these attacks are random and that they are not associated with any particular website you are visiting.  The internet is filled with pings and portscans.  This is why a firewall is indispensable.  The barrage of packets searching for open ports is constant and is known as the Internet Background Radiation.  No doubt your IP address is included in the block of addresses that is presently being scanned by whatever it is that is attempting to exploit the MS RPCSS vulnerability.  It will probably stop as suddenly as it started. 

If you are seeing these attacks when you visit a certain site, then there is something that has been placed on the site that is attempting to install malware via the vulnerability.     

Kudos0

Re: NIS 2010 Intrusion Attempts!!!

lotsip81,

Unless you have dedicated IP from your internet provider, your IP address is changed every now and then, and you could have picked up one that was being attacked.  If it was me, I would contact my internet service, and ask them how to cause an IP address switch on your connection.  Then the problem will probably move to somebody else, or maybe they can park it for a while, etc.  Good luck.

By the way, with dialup, you get a new IP address each time you dial in.  If you can dial in, you could see if that runs without the problem, but high speed connections that you have not purchased dedicated IP for, tend to only switch from time to time, and I think most attacks are by IP address.  Hope this makes sense.

P.S. As I understand it, Your provider could change your IP address at any time, such as a maintenance window, or other change, and you might keep it for weeks, etc.

I found the post below.  Try calling your provider, and monitor your IP by going to a command prompt (not run, since you won't see the results), and using the ipconfig command.  Good luck!  Let us know,

Hello,

There's no way to effectively change it from a command prompt. You could use the ipconfig release and renew commands, but chances are you're just going to get your old IP address back, especially if you are behind a router or static IP.


Hope this will help you.

Message Edited by jbwnor on 01-01-2010 04:56 PM
Kudos0

Re: NIS 2010 Intrusion Attempts!!!

Hi

If you have DSL service, all you have to do to get a new IP address is to turn off and on your modem/router.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: NIS 2010 Intrusion Attempts!!!

I do have a DSL line and when I contacted my internet service provider, they said the same thing as you, if you want a new IP address, turn off the modem for a while and when you reconnect, you will have a new IP address.  I have done that, to no avail.  When I told them about the intrusion attempts, all they said was there was nothing they could do about it.  

All the attempts that I have gotten in so far always seem to come from different IP addresses.  Some of them are from different countries all over the world.  I am at a loss over this whole deal.  Right now I am hooking on to a neighbors internet (wireless) and I am going to see what happens now.  With MY internet, the attacks varied, it might be once every 30 minutes, or it might be 2 1/2 hours between attempts. What are your thoughts if I don't get any attempts using this other internet.  And obviously I cant just use their internet forever.

Thoughts??? 

Kudos2 Stats

Re: NIS 2010 Intrusion Attempts!!!

It sounds like random internet noise to me. My firewall logs are, and have always been, filled with scans and attacks. As long as they are being blocked, don't worry about it. It's really not much you can do. They aren't targeted at you specifically, but are either random scans or targeted at IP ranges. Sometimes its more, sometimes less.

One thing you can do is get a basic router with NAT/SPI filtering. This will stop all this from reaching your computer.

Kudos0

Re: NIS 2010 Intrusion Attempts!!!

Hi lots

Are you connected to a router also? If you are, then turn off your modem/router, turn off the router and turn off your computer. That should clean out your IP. Turn on your modem/router, set up your router and turn on your computer. You should have a new IP then. They are probably just port scans looking for an opening. All the computers on the same block of ip's try to communicate with each other. I think DSL seems to work like that.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos0

Re: NIS 2010 Intrusion Attempts!!!

Actually I am not connected to a router.  My computer is plugged straight into the modem, do you suggest against this?  Is it better to have a router behind the modem as an extra wall of protection?  Is that also why, when hooked to my neighbors "wireless router connection" I don't get any interference, because it probably has the NAT/SPI filtering?  

I just checked my security history and nothing has made it through...I mean NOTHING AT ALL!!!  This is after being connected to the wireless connection for about 1 1/2 hours.  By the way, both of us get our internet from the same provider...

Sorry I am kind of new to some of these things so please bear with me....

Thank you all again 

Kudos2 Stats

Re: NIS 2010 Intrusion Attempts!!!

Hi lotsip81,

You are 100% correct that you will not see any any of these scans on your PC when you are behind a router, so piggybacking on your neighbor's connection will not be indicative of anything.  And yes, if you want to keep these portscans from even reaching your computer, investing in an inexpensive router is the way to go.  Routers use Network Address Translation which matches up incoming packets to whatever computer on the local area network (your network behind the router) requested them.  A consequence of this is that traffic that was not requested is dropped by the router and never gets through, so portscans are stopped cold and your computer is not visible to the internet.  A router is indeed a very good extra wall of protection.

Kudos0

Re: NIS 2010 Intrusion Attempts!!!

So can you tell me what is the difference between "NAT" and "SPI" is one of them better than the other?  Can you get both of them on the same router?  Also do I have to set up the settings on the router or do the come with parameters already installed?  

I know nothing about these so any help would be appreciated.  Please remember...I am new so I need simple language to start.

Thank you again 

Kudos0

Re: NIS 2010 Intrusion Attempts!!!

Hi

Since you are using DSL, your modem may already be a modem/router depending on who your ISP is. I know that my modem is a modem/router, but it is just for my 1 computer. A router will have to be set up for your computer and so your computer can get thru the router. Your ISP may have certain routers that they may recommend and also help you set it up to use with their service. Some routers come with 2 firewalls in them, one is the NAT.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.
Kudos2 Stats

Re: NIS 2010 Intrusion Attempts!!!

Here's a basic explanation of NAT and SPI from Netgear, one of the bigger manufacturers of consumer routers:

http://kb.netgear.com/app/answers/detail/a_id/1091

The later models at least come with both NAT and SPI firewall pre-configured to stealth all ports and block all unsolicited traffic. I have had 0 (zero!) "intrusion attempts" reach my computer since putting a router between my internet connection and my computer. Everything is stopped and filtered by the dedicated router firewall. And even if something would get past (which hasn't happen to me, and my internet usage is very heavy, including p2p with hundreds of connections all the time), NIS would block it. 

Kudos2 Stats

Re: NIS 2010 Intrusion Attempts!!!

All popular home routers use NAT.  SPI (Stateful Packet Inspection) is an additional feature where the router makes sure that incoming packets were not only requested, but also that they are the type of packets that would be expected for each request.  Many home routers now offer SPI.  You can check the specs for any router you are considering buying by visiting the manufacturer's web site.

An out of the box router's default settings are sometimes configured for the users convenience rather than for security.  Therefore, some tweaking is usually recommended.  You always want to change the router's login user name and password from the defaults because the defaults are well known.  You'll want to disable Universal Plug n Play in the router as well.  If you only have one PC and connect to the router via Ethernet cable rather than wirelessly, there is little else you need to do aside from turning off the router's wireless function.  With Wi-fi there are many security precautions you would need to take, but there is much information on the internet about this and a little research will clarify things for you.  GetNetWise offers some good tips and tutorials to get you started on securing a wireless network. 

Kudos1 Stats

Re: NIS 2010 Intrusion Attempts!!!

I just wanted to tell all of you a big "Thank You".  I now have installed the router, and all is back to normal.  No more intrusion attempts an I feel like my computer and internet connection now has more security.  I do appreciate all of your responses towards helping me figure out what the issues were.  

Once again thank all of you for your time and quick responses

lotsip81 

Kudos2 Stats

Re: NIS 2010 Intrusion Attempts!!!

Great to hear that you have found a solution (and a good one - you really are more secure behind a router with a hardware firewall).

Any software firewall can crash (no matter how well-written), and if you don't have a hardware firewall ifthat happens (chances are it never will, but IF), you're wide open. If you have a hardware firewall, nothing will happen (beyond the annoyance factor of dealing with the crashed software). A hardware firewall can crash too, if the hardware breaks, but then you'll probably be REALLY secure, since you most likely will be disconnected from the Internet :D

Just make sure you change the router password and disable remote access to it. Instructions should be available from the vendor or in a manual. Or just ask for help if you need it (if you haven't done these things already of course).

Kudos0

Re: NIS 2010 Intrusion Attempts!!!

Hi lotsip

If you consider your thread as being solved, would you please mark the post by clicking on the green button that gave you the solution. This way everyone will know your thread has been solved and also will be able to get to the solution quickly. Many times people who are searching the forum want to be able to find a solution quickly. Thanks and thanks for coming back to let us know how you made out.

Success always occurs in private and failure in full view. Windows 10 Pro 64 bit Norton Core Security Plus 22.17.3.50 Core Firmware 282 I E 11 Chrome latest version.

This thread is closed from further comment. Please visit the forum to start a new thread.