Getting Hit a Lot with Blocked Inbound TCP Connection Messages

I'm still getting hit with these things -- (17) today (as of 4:30 pm MST, U.S. -- every time I check, I have more).

(10) yesterday.

(6) Monday.  [That was 1 Feb, 2010 -- when my NIS 2009 (prior build 16.7...) "Intrusion Protection," etc, etc, was completely disabled, by something/someone].

Typical messages in NIS 2009 (now, latest build, 16.8.0.41) History log:

 - "Unused port blocking has blocked communications. Inbound TCP connection."

 - "Rule 'Default Block EPMAP' blocked [IP address]. Inbound TCP connection."

 - "Rule 'Default Block Microsoft Windows 2000 SMB' [IP address]. Inbound TCP connection."

IP's of "blocks" are from all over the World -- including a good number from the U.S.

Yeah, I know... it's all OK, if they're all getting blocked.

But... this just ain't right.  Something strange going on.  *Never* had these before this last Monday.

And, no one else, except me and "Calls" are getting hit with these things??

http://community.norton.com/t5/Norton-Internet-Security-Norton/Attacks-on-port-64643/td-p/200631

Makes me quite uneasy -- and suspicious.  Is it just a matter of time, before they find some "security hole" in NIS -- say, between LU "Pulse Updates" (or 2d, 3d, etc, parts of a patch) that haven't quite gotten to me yet??

Robby
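The three History messages quoted in the post above are the kind of entries a defender tallies by day, by rule and by source rather than counting by hand at each check. The script below is an added example, not Norton's code and not written by anyone in this thread: it parses constructed log lines modelled on those messages and summarizes them, and it separately lists any inbound entry whose action is not "blocked", since those are the ones that would actually deserve attention. The tab-separated export layout (timestamp, message, remote IP, local port), the timestamps, the "blocked" wording for the SMB rule, and the RFC 5737 documentation addresses in the sample are all assumptions; the last sample line is a hypothetical non-block entry included only to exercise that check.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample, modelled on the NIS 2009 History messages quoted in the
# thread. The tab-separated layout (timestamp, message, remote IP, local port),
# the timestamps and the 'blocked' wording for the SMB rule are assumptions.
# The IPs are RFC 5737 documentation addresses, not real sources. The last line
# is a hypothetical non-block entry, included only to exercise the check below.
SAMPLE_LOG = (
    "2/1/2010 9:14:02 AM\tUnused port blocking has blocked communications. Inbound TCP connection.\t198.51.100.7\t64643\n"
    "2/1/2010 11:40:51 AM\tRule 'Default Block EPMAP' blocked 203.0.113.45. Inbound TCP connection.\t203.0.113.45\t135\n"
    "2/2/2010 8:03:19 AM\tRule 'Default Block Microsoft Windows 2000 SMB' blocked 192.0.2.88. Inbound TCP connection.\t192.0.2.88\t445\n"
    "2/2/2010 8:03:27 AM\tRule 'Default Block Microsoft Windows 2000 SMB' blocked 192.0.2.88. Inbound TCP connection.\t192.0.2.88\t445\n"
    "2/3/2010 4:12:05 PM\tUnused port blocking has blocked communications. Inbound TCP connection.\t203.0.113.45\t64643\n"
    "2/3/2010 4:30:44 PM\tRule 'Default Block EPMAP' blocked 198.51.100.7. Inbound TCP connection.\t198.51.100.7\t135\n"
    "2/3/2010 4:31:10 PM\tRule 'Hypothetical Allow' allowed 198.51.100.7. Inbound TCP connection.\t198.51.100.7\t135\n"
)

# "Rule '<name>' blocked <ip>." style messages; 'allowed' is recognized too so
# that a non-block entry is never silently miscounted as a block.
RULE_RE = re.compile(
    r"Rule '(?P<rule>[^']+)' (?P<action>blocked|allowed) (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)
UNUSED_RE = re.compile(r"Unused port blocking has blocked")


def parse_line(line):
    """Turn one export line into a dict; raises ValueError on a malformed line."""
    fields = line.rstrip("\n").split("\t")
    if len(fields) != 4:
        raise ValueError(f"expected 4 tab-separated fields: {line!r}")
    timestamp, message, remote_ip, local_port = fields
    when = datetime.strptime(timestamp, "%m/%d/%Y %I:%M:%S %p")
    match = RULE_RE.search(message)
    if match:
        rule, action = match.group("rule"), match.group("action")
    elif UNUSED_RE.search(message):
        rule, action = "Unused port blocking", "blocked"
    else:
        rule, action = "unrecognized", "unknown"
    return {
        "when": when,
        "rule": rule,
        "action": action,
        "remote_ip": remote_ip,
        "local_port": int(local_port),
        "inbound": "Inbound" in message,
    }


def summarize(log_text):
    """Count entries per day, per rule, per remote address and per local port,
    and list any inbound entry whose action is not 'blocked'."""
    entries = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {
        "total": len(entries),
        "per_day": dict(Counter(e["when"].date().isoformat() for e in entries)),
        "per_rule": dict(Counter(e["rule"] for e in entries)),
        "per_source": dict(Counter(e["remote_ip"] for e in entries)),
        "per_port": dict(Counter(e["local_port"] for e in entries)),
        "not_blocked": [e for e in entries if e["inbound"] and e["action"] != "blocked"],
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for key in ("total", "per_day", "per_rule", "per_source", "per_port"):
        print(f"{key}: {report[key]}")
    for e in report["not_blocked"]:
        print(f"NOT BLOCKED: {e['when']} {e['rule']} from {e['remote_ip']} to port {e['local_port']}")
```

Run as-is it reports the constructed sample; pointed at a real export it gives the per-day counts the post tallies by hand plus the one list that matters, the entries the firewall did not block.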

robby--

no need to be paranoid. ;]

i would be worried if the attacks were not blocked.

so, i'm curious, are you running any p2p or bittorrent programs? how about any type of programs that are trying to make connections?

these are all inbound, so it's simply connections trying to be made to your computer. it's a nasty world out there, that's why you need protection! ;]

whiplash wrote:

robby--

no need to be paranoid. ;]

i would be worried if the attacks were not blocked.

so, i'm curious, are you running any p2p or bittorrent programs? how about any type of programs that are trying to make connections?

these are all inbound, so it's simply connections trying to be made to your computer. it's a nasty world out there, that's why you need protection! ;]

Tks for prompt reply, whiplash.
No, I'm not a very sophisticated user, at all.  Don't even know what p2p is ("point to point"?).  As for bittorrent -- that's just not my style;  [I'm a "legal" person.]  Nothing in the way of "making connections."  No networks.  Just one simple, 6-year-old Toshiba laptop computer, running Win XP SP3, NIS 2009 and GHOST 14.
And, as far as these TCP's being blocked -- well, you read my concerns, above.
Something got through to me, this last Monday, and knocked out all my protection.  What did that??  Dunno.  Maybe those TCP "attacks" got through, when I was still on the prior NIS 2009 build?  And, maybe it could happen again?  If they keep trying, they'll likely find another way -- something that NIS/LU hasn't "thought of" yet.
I've had a real "history" of bad things happening to my computer, over the last 3 years, or so -- supposedly protected by NIS.  Things that have cost me a *great* deal of very valuable time -- and a good bit of money -- to be fixed.  I don't do anything "special" that might warrant such events -- no porn, no forbidden downloads, etc -- I stay right in the main stream of things.  Sometimes watch some TV shows, on-line, when I can't/haven't taped them on my aging VCR.
Like you say, "It's a nasty world out there."  In fact, if you read the news (NYT, et al), you would be clearly aware that there is a *huge* "Cyber-War" going on -- "out there."  And, "The Protectors" are *not* winning.
No one I know of -- that's in my "class" of users (low level) -- *ever* has anything remotely happen, like has happened to me, over the last several years.
So, not completely unreasonable (nor paranoid) to be a little concerned about why I (alone??) am being targeted by all these TCP attacks.
Would greatly appreciate any additional thoughts you (and others) might have on this -- esp, how can I stop these inbound TCP things.

   Robby

Robby:

Have you phoned your ISP to find out what is happening at their end?  Are you behind a router, or an ADSL box?

delphinium wrote:

Robby:

Have you phoned your ISP to find out what is happening at their end?  Are you behind a router, or an ADSL box?

Hi delphinium,

No, I haven't called my ISP (Earthlink).  That's maybe a good idea.

No "router." (You mean, like in, "wireless"?  My Toshiba laptop has this wireless capability, but I've never used it.  Like I've said, I'm a very simple user.)

Don't even know what an "ADSL box" is.  Is that the same as a DSL "modem"?  If so, yes, I use a DSL modem.  Slow-ish, 1.5 Mbps.

[BTW, I'm now up to 23 hits on these TCP things, just today.]

Appreciate the help.

Robby

robby-

p2p is peer to peer. and you don't need to be doing illegal things to be running bittorrent. i download lots of legal videos and huge files from bittorrent that are okay. even some bands let you download music legally.

how about chat programs? i remember when i used to use ICQ a long long time ago (when people used ICQ LOLOLOL!!!!) that it would make a direct connection to everyone I was talking to. some chat programs still do that I think.

i know there is a cyber war going on, and the protectors (especially nortons) are winning, you just have to be protected! it doesn't look like you're getting hit with anything, and nortons is protecting you, you just need to be smart when using the internet, and have up to date virus protections and all your windows updates. there's more than that, but that's a good start.

I think that delphinium is right that it might be a router or something else that is doing this. but that wouldn't explain the other countries. are you surfing the internet or doing ANYTHING that is internet related while this happens? if it only happens when you do internet things, just do one thing at a time and see if you can figure out why and when it happens. if you're not doing anything and it happens, you should contact your isp.

router = thing that sends internet to more than one computer in your house.

adsl = your modem where the internets send their tubes to your computer. ;]

i would totally ask your isp people

whiplash wrote:

robby-

 -p2p is peer to peer. and you don't need to be doing illegal things to be running bittorrent. i download lots of legal videos and huge files from bittorrent that are okay. even some bands let you download music legally.

************

Apologies on that.  My only reference point on Bittorrent was illegally downloading movies, etc, that someone told me about.

***********

 -how about chat programs? i remember when i used to use ICQ a long long time ago (when people used ICQ LOLOLOL!!!!) that it would make a direct connection to everyone I was talking to. some chat programs still do that I think.

**********

Never used a chat program in my life.  Hardly know what it is.

**********

 -i know there is a cyber war going on, and the protectors (especially nortons) are winning,

*********

Recent quote from a NYT article:

“Sensitive information is stolen daily from both government and private-sector networks, undermining confidence in our information systems, and in the very information these systems were intended to convey...”

      http://www.nytimes.com/2010/02/03/us/politics/03intel.html

This is just the latest.  Many others that imply we (the "Good Guys/Protectors") are not doing so well.  YMMV. <g>

*********

 -you just have to be protected! it doesn't look like you're getting hit with anything, and nortons is protecting you

********

Was hit Monday.  Just the latest in a series of these things happening -- many times -- over the last several years, while "Norton is protecting me."

*******

 -you just need to be smart when using the internet, and have up to date virus protections and all your windows updates. there's more than that, but that's a good start.

********

I'm a tad "uninformed" on all the intricacies of Web use -- though I've been doing it a while (probably 12 years or so, as a "low-level" user).  But, I'm not dumb, by any means.  I take a *lot* of precautions, and maintain all my "defense" systems (if you will) -- esp in light of all the virus/trojan, etc, problems I've had.  Still get clobbered.

********

 -I think that delphinium is right that it might be a router or something else that is doing this. but that wouldn't explain the other countries. are you surfing the internet or doing ANYTHING that is internet related while this happens? if it only happens when you do internet things, just do one thing at a time and see if you can figure out why and when it happens. if you're not doing anything and it happens, you should contact your isp.

*********

Most of the time this is happening is when I'm on these Boards, typing in responses, queries, etc.  I'm monitoring the NCAA basketball scores, sometimes.  Check the NWS for weather, etc.  Working my e-mail (Thunderbird).  Just regular stuff.

Contacting the ISP guys, though, might be a real winner.  Maybe they can block these things, somehow.  But, these hackers change IP's all the time.  Going all over the World.  One of the most recent was Lima, Peru.  So, it's not just all China, etc.

********

Do appreciate all your thoughts, though, whiplash.

Robby

whiplash wrote:

router = thing that sends internet to more than one computer in your house.

adsl = your modem where the internets send their tubes to your computer. ;]

i would totally ask your isp people

I'm the *only* computer (and person) here.  So, no routers needed.

Yes, I do have a DSL modem, that connects to the Web.

Agree, I'll call Earthlink mañana.

Robby

Hi Robby,

You are getting "hit" with the normal things that all computers connected to the internet are exposed to continually.  It is called Background Radiation and consists of worms and portscans that constantly seek out vulnerable computers to attack.  These portscans are automated to probe huge blocks of IP addresses at a time, so you are not being individually targeted, and the frequency of these attacks will vary over time.  But they are always there.  You indeed are protected by the Norton Firewall.  In fact, the existence of all this malicious internet traffic is the very reason that we use firewalls.  There is no way to stop the portscans but a firewall will reliably block them and that is all you can do.

A software firewall like Norton's blocks traffic at the PC and is a perfectly satisfactory solution.  If the Norton log entries are overly unnerving, as an additional layer of protection you might want to invest $50 or so in a router (even if you only have one computer). The NAT function in home routers will block unsolicited traffic from the internet before it can reach your PC.  Think of a software firewall as blocking entry at your front door and a router as blocking entry at the gate out in front of your house.
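The point in the post above about NAT blocking unsolicited traffic before it reaches the PC is easiest to see with a small state-table model. The code below is an added illustration, not SendOfJive's text, Norton's code or any router vendor's firmware: a toy NAT gateway that records each outbound connection, translates it to its public address, and delivers an inbound packet only when it matches one of those records. The addresses (a laptop at 192.168.1.2 behind a public 203.0.113.10, a web server at 198.51.100.20, a scanner at 192.0.2.77) and the port numbers are constructed for the example; 135 is the EPMAP port that the 'Default Block EPMAP' rule quoted earlier in the thread covers.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """A TCP segment reduced to the fields a NAT table cares about."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True for a connection-opening segment


class HomeNatRouter:
    """Toy model of a home NAT gateway: one public address, hosts behind it.

    Outbound traffic creates a translation entry; inbound traffic is delivered
    only if it matches an entry, so a probe nobody asked for is dropped before
    any host behind the router sees it. (Added illustration, not vendor code.)
    """

    def __init__(self, public_ip: str, first_public_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = first_public_port
        # (lan_ip, lan_port, remote_ip, remote_port) -> public port used outside
        self._outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (public_port, remote_ip, remote_port) -> (lan_ip, lan_port) to deliver to
        self._inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        self.log: List[str] = []

    def send_out(self, pkt: Packet) -> Packet:
        """Translate a LAN host's outbound packet and remember the mapping."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self._outbound:
            public_port = self._next_port
            self._next_port += 1
            self._outbound[key] = public_port
            self._inbound[(public_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        public_port = self._outbound[key]
        self.log.append(f"OUT  {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
                        f"leaves as {self.public_ip}:{public_port}")
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.syn)

    def receive(self, pkt: Packet) -> Optional[Packet]:
        """Handle a packet arriving from the internet side.

        Returns the packet rewritten for the LAN host it belongs to, or None
        when there is no mapping (an unsolicited connection attempt)."""
        target = self._inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
        if target is None:
            self.log.append(f"DROP unsolicited {pkt.src_ip}:{pkt.src_port} -> "
                            f"{pkt.dst_ip}:{pkt.dst_port} (no matching outbound connection)")
            return None
        lan_ip, lan_port = target
        self.log.append(f"IN   {pkt.src_ip}:{pkt.src_port} -> {pkt.dst_ip}:{pkt.dst_port} "
                        f"delivered to {lan_ip}:{lan_port}")
        return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port, pkt.syn)


def demo():
    """Constructed exchange: one legitimate web connection, one unsolicited probe."""
    router = HomeNatRouter(public_ip="203.0.113.10")  # public side (documentation address)
    pc = "192.168.1.2"                                 # the single laptop behind the router

    # 1. The PC opens a web connection; the router records a mapping for it.
    outbound = router.send_out(Packet(pc, 51000, "198.51.100.20", 80, syn=True))
    # 2. The web server answers the public address and port; this matches the
    #    mapping, so the router rewrites the destination back to the PC.
    reply = router.receive(Packet("198.51.100.20", 80, router.public_ip, outbound.src_port))
    # 3. A scanner tries port 135 (EPMAP) on the public address out of the blue;
    #    nothing inside asked for it, so the router drops it and the PC's own
    #    firewall never sees (or logs) this one.
    probe = router.receive(Packet("192.0.2.77", 4444, router.public_ip, 135, syn=True))
    return outbound, reply, probe, router.log


if __name__ == "__main__":
    _, _, _, log = demo()
    print("\n".join(log))
```

This is the "gate out in front of the house" in the analogy: the software firewall on the PC would have blocked the same probe, but behind a NAT router it never reaches the PC, which is also why the History log goes quieter once one is in place.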

 


SendOfJive wrote:

Hi Robby,

You are getting "hit" with the normal things that all computers connected to the internet are exposed to continually.  It is called Background Radiation and consists of worms and portscans that constantly seek out vulnerable computers to attack.  These portscans are automated to probe huge blocks of IP addresses at a time, so you are not being individually targeted, and the frequency of these attacks will vary over time.  But they are always there.  You indeed are protected by the Norton Firewall.  In fact, the existence of all this malicious internet traffic is the very reason that we use firewalls.  There is no way to stop the portscans but a firewall will reliably block them and that is all you can do.

A software firewall like Norton's blocks traffic at the PC and is a perfectly satisfactory solution.  If the Norton log entries are overly unnerving, as an additional layer of protection you might want to invest $50 or so in a router (even if you only have one computer). The NAT function in home routers will block unsolicited traffic from the internet before it can reach your PC.  Think of a software firewall as blocking entry at your front door and a router as blocking entry at the gate out in front of your house.

Hi SendOfJive,
Great reply.  Tks.  (And, like your avatar. <G>)
My only real comments are:  Why the sudden increase in these "hits"?  And, again... why (mostly) "just me"?
To my knowledge, I've never had this kind of "probes," before this last Monday episode -- where all my NIS protection was gone (*everything* was "disabled").  I track the NIS History logs quite closely, every session I'm on-line -- since I've had so many other "problems," over the last several years.  No TCP hits at all.
OK, so these things can vary over time.  I can understand that.  But... why doesn't anyone else on these Boards report having similar problems?  (Except "Calls" -- and they ain't talkin'.)  Maybe it's just a "limited audience" that's reading my posts, here -- and they don't happen to be targeted, huh.  Still...
I like your router suggestion (and great explanation analogy).  $50 for peace of mind.  I can "buy" that.
But, do believe I'll contact Earthlink (my ISP).  If nothing else but to "vent" a little about all this.  Maybe (just maybe) there is something they can do on their end.  We'll see.
Really appreciate your input.
Kindest Regards,
Robby

Robby wrote:

But... why doesn't anyone else on these Boards report having similar problems?

Oh, believe me...they do.  If you do a forum search for "portscans" or "intrusion attempts" you'll see that this topic arises quite frequently.  And often the OP reports, as you did, that these sorts of log entries are new. There are a number of reasons why you might suddenly start seeing increased activity but why there are no past logged entries of a similar nature, I cannot say.
Even though a software firewall is extremely effective, a router does offer an added layer of protection which can be reassuring to many users.  It effectively hides your PC from the internet and drops any unsolicited traffic rather than passing it through to your network.  For many people, it is a device worth having.

SendOfJive wrote:

Robby wrote:

But... why doesn't anyone else on these Boards report having similar problems?

Oh, believe me...they do.  If you do a forum search for "portscans" or "intrusion attempts" you'll see that this topic arises quite frequently.  And often the OP reports, as you did, that these sorts of log entries are new. There are a number of reasons why you might suddenly start seeing increased activity but why there are no past logged entries of a similar nature, I cannot say.
Even though a software firewall is extremely effective, a router does offer an added layer of protection which can be reassuring to many users.  It effectively hides your PC from the internet and drops any unsolicited traffic rather than passing it through to your network.  For many people, it is a device worth having.

Well, it's reassuring to know I'm not just a "voice in the wilderness" about these inbound TCP connections.  Yet, I do wonder why, all of a sudden, such traffic is being directed my way.  I'm such an innocuous Web user -- why would someone target me?

Maybe it's just a random selection process, by these hackers.  But... like I said, I've had *so* many seemingly "random" things happen over the last 3 years, that I, indeed, am getting perhaps a bit paranoid.

I do like the router idea.  But, I'm very uninformed about these things.  Can you give me a recommendation on a manufacturer for such a device -- say for around $50?

Again, appreciate the help.

Robby

If your modem isn't too old, chances are high it has a built-in router :). Check if it does, saves you 50 dollars.

Robby- I feel your pain brother. As many here can attest, I get caught up in being uber worried about all this stuff.

I had posted wondering if there was some more global event going on involving the port blocking. But I was just curious. If it is blocking, that is what you want. In fact sometimes I get concerned if I don't see any at all.

you use DSL right? If you log off the internet for a few hours, when you log back on do you have a different IP address from your ISP?

Mine will give me a new IP address even if I'm logged off the net for 10 minutes or more.

Reese from Symantec explained to me that perhaps the previous owner of the IP address newly assigned to you had been file sharing with some of the IP addresses that are trying to contact you.

so some may be "borrowed" and some may just be all the crap that is out there.

I have to say as worried as I am, and I'm still using NAV2008, I really never had anything happen. Koobface virus tried to get us when my wife was on facebook and Norton, even the older version, stopped it. I recently had Trojan.Pidief>g blocked too. Both of those were stopped at point of contact. Had one file from I think playfirst games or pop cap games that was quarantined and that was most likely a false positive.

I know it's creepy to have IP addresses unwanted and tapping at your door. But if they are blocked all is good.

robby, try this. Log off the internet and wait an hour or so. then after you log back on, see if your ISP assigned you a different IP address. I have a different IP address and have had very little unused ports being attempted to connect on.

Calls wrote:

Robby- I feel your pain brother. As many here can attest, I get caught up in being uber worried about all this stuff.  I had posted wondering if there was some more global event going on involving the port blocking. But I was just curious. If it is blocking, that is what you want. In fact sometimes I get concerned if I don't see any at all.

you use DSL right? If you log off the internet for a few hours, when you log back on do you have a different IP address from your ISP?

Mine will give me a new IP address even if I'm logged off the net for 10 minutes or more.

Reese from Symantec explained to me that perhaps the previous owner of the IP address newly assigned to you had been file sharing with some of the IP addresses that are trying to contact you.

so some may be "borrowed" and some may just be all the crap that is out there.

I have to say as worried as I am, and I'm still using NAV2008, I really never had anything happen. Koobface virus tried to get us when my wife was on facebook and Norton, even the older version, stopped it. I recently had Trojan.Pidief>g blocked too. Both of those were stopped at point of contact. Had one file from I think playfirst games or pop cap games that was quarantined and that was most likely a false positive.

I know it's creepy to have IP addresses unwanted and tapping at your door. But if they are blocked all is good.

Later, Calls wrote:

robby, try this. Log off the internet and wait an hour or so. then after you log back on, see if your ISP assigned you a different IP address. I have a different IP address and have had very little unused ports being attempted to connect on.

Hi Calls.
Tks for the input.
Calls, I think you might be right.  This morning when I started up, my IP was slightly different (I think).  Put me in Albuquerque, NM (USA).  Yesterday, it put me in Los Lunas, NM (an Albuquerque suburb).
So, I'll have to try and experiment with this -- and, see how long I have to stay off, for the IP to change.
One of the precautions I take, when I'm not using the Web (even for a little while), is to unplug/disconnect my DSL cable, directly from my computer port.  The modem stays on, but the DSL signal goes away.  Then, when I want to use the Web again -- I just re-connect the DSL cable, and, after about 5 seconds, the DSL signal comes back.  I assume this "cable disconnect" would be the same as "logging off" the Internet, huh?
I like Reese's explanation.  But... this has been happening to me (these continual TCP attacks) for 5 straight days, now.  If my IP changes when I log off (disconnect the DSL cable) -- well, I've done a *lot* of that -- and I'm still getting TCP hits, even with (presumably) a different IP each time I log back on -- then Reese's idea may not apply for me (if I understand this correctly).
And, I agree it is (somewhat) consoling to see the TCP's being blocked.  My NIS 2009 was clobbered (completely disabled), Monday, Feb. 1 -- and, I think it is significant that I didn't get any blocks for the days before this date (presumably when the hacker got through).  In fact, I have *never* gotten any such blocks before, AFAIK.
Then they started -- after Norton released the latest build on NIS 2009, that I was able to download.  This apparently started blocking these TCP attacks.  [But... when will they (these TCP attacks) find another weakness in NIS, that LU/patches haven't yet fixed?  Clobbered again.]
You mentioned that you really hadn't had anything "bad" penetrate your system, and clobber your computer (yet  <g>).  Wish I could say that.  I've been *really* hit -- hard -- several times over the last 3 years, or so -- all while having the latest Norton protection, updates, "best practices," etc.
I'm a very careful person (maybe too much so, say my girlfriends, etc) -- aero-space engineer, international economist, JD, etc. -- perhaps a bit on the "compulsive" side.  But, even with all my "care," I'm still getting hit.  One event was so bad, I had to take my computer in for an expert to recover.  Quite costly and time consuming.  Other problems have eventually been resolved by Norton -- but THE TIME!  Un-godly.  I just can't afford to keep doing this.
My "paranoid side" thinks that I'm being "targeted" by someone -- for some unknown reason(s).  Perhaps this thinking is being overly influenced by the very substantial "damage" I have sustained from these attacks.  When you get really "hurt," you tend to go a tad over-reactive "nuts," I guess.  "Self-defensive mechanism," and all that.
But, we all know there's a huge "Cyber-War" raging "out there" -- re, for one, the recent attacks on Google (from China? or somewhere, with "disguised" IP's?) -- and, also, all the great deal of budget money and attention that Bush and Obama have focused on Cyber-Warfare, in the last 10 years, or so, to try and counter these threats.
And, it doesn't seem completely implausible that at least some of these "attack/security-penetration secrets," developed by our CIA/NSA/Pentagon, etc -- and all their counterparts in China, Russia, et al -- may have "filtered" down into the hands of even "civilians" -- to use for whatever purposes they want.  This could *vastly* increase the number of "super-virulent" hackers on the World scene.
Here's a link to a recent article from the NYT that describes a hacker in China.  He has an engineering degree, but prefers to try and increase his wealth by doing computer hacking.  I'll bet a "dollar to a donut" that he has some "inside" help and information from someone in the Chinese government security functions (or somewhere), that allows him to do this "successfully."
http://www.nytimes.com/2010/02/02/business/global/02hacker.html
These following quotes (from the above article) were particularly interesting to me (esp for my "paranoid" side):
..."One Chinese hacker, who broke into a United States government site, later lectured on hacking at a leading university,.....and [had formerly] worked for China’s security ministry."
..."computer security specialists say there are so-called "patriotic hackers" who focus their attacks on political targets."
Hmmmm.  Watch what you say -- esp on the Web.
Welcome to our World.
Appreciate your thoughts.
Robby

Corman wrote:

If your modem isn't too old, chances are high it has a built-in router :). Check if it does, saves you 50 dollars.

Hi Corman,

I'm always willing to save a little money. <g>

You have any idea if my (2) current modems [described below] are router capable?  [Doesn't appear to say so in the (sparse) info packet Earthlink sent me, along with the modems -- or, at least it's not clear to me that it does.]

Both modems are LAN cable-connected units.  [I don't use "wireless," though my 2004 Toshiba laptop has such capabilities (but, latest protocols?).]

The newest modem I have is the one Earthlink sent me, as a replacement for my old modem, about 3 years ago, when I was having connection problems.

[But, I'm currently not using that one.  The problem wasn't in the modem -- so, I'm still using the older one they set me up with about 6 years ago ("If it ain't broke, don't 'fix' it").]

The newer one is an "ADSL2+ Modem."

On the unit itself, it has "marked lights" for:  Power, Ethernet, DSL, Internet -- and (2) unmarked "lights" on each end of this string of marked lights.

Older one (I'm using now) is also an "ADSL Modem."

Unit lights are PWR; SYS; [and under a "LAN" marking] 10M, 100M; DSL; ACT -- that's all.

What do you think?

Robby

Definitely check in with your ISP.  My router was provided free of charge as part of the service.  It may also make it easier to set up if there is an agreement between providers of service and hardware, as well as being cost effective.

delphinium wrote:

Definitely check in with your ISP.  My router was provided free of charge as part of the service.  It may also make it easier to set up if there is an agreement between providers of service and hardware, as well as being cost effective.

Hi delphinium,

I did try and contact Earthlink, yesterday -- concerning your suggestion about seeing what they could do, from their end, on blocking these TCP attacks -- and, hopefully, maybe they'd suggest something along the lines of a "Firewall" router, like you indicated, above.

Took quite a few hours of my time -- on hold, talking to E. Indians (good faith effort, knowledgeable people), trying to e-mail Corporate, sending them "details" like NIS History Logs (.txt and .mcf), getting these bounced, etc, etc.

Don't hold out much hope of their getting back to me.  In law, we talk of the "Corporate Veil" (liability protection for the people of a corporation) -- but here, it's a "Corporate Wall."  Can't really get through to anyone of *true* responsibility.  Stone-cold, dead wall.

Back when I first started on the Web (1996 or so), my ISP was "Working Assets," the phone company (now Credo).  What a pleasure to be able to just pick up the phone and talk to somebody "in charge."  Then they merged with Earthlink, and it's been "downhill" ever since.  Corporate Wall.

[Truthfully, though, I don't know if *any* big ISP's are any less this way.  My impression is that Earthlink may be one of the better ones.  That's why I've stuck with them all these years.  And, I keep remembering "Working Assets."]

I may try again, next week or so, to contact them specifically about a Firewall router.  We'll see how that goes.

Appreciate all your good input.

Robby