Security and Hacking
Detecting Hackers
Monitoring Your System for Hackers Using Windows 95/98
Once you've secured your system, you may wish to go a step further and monitor your connection for unauthorized connection attempts. Reports of these attempts can be sent to the attacker's Internet Service Provider (ISP) so that the offending user can be reprimanded.
Later in this discussion, we will explain how to identify the ISP with an offending customer and how to report the abuse.
Windows 95/98 systems don't have a built-in way to detect unauthorized connection attempts. Therefore, these systems must run additional security software to monitor the Internet connection for such attempts. Such software is currently growing in popularity among Windows users.
When choosing a security program, you should pay close attention to the date of the latest release. New vulnerabilities are discovered and announced all the time, so be sure to use the very latest version you can find. Many of these programs offer an "auto-update" feature that automatically downloads the latest version at regular intervals.
Security software often creates a log file that can be used to report incidents. Keep your system date and time accurate so that the logs are accurate too.
Listed below are several of the most popular Windows security programs and where to find them.
Norton Internet Security 2000 [Our Top Pick]
http://www.symantecstore.com/Product/0,1057,2-1-SN106720,00.html
Norton Internet Security 2000 provides essential Internet protection for your home PC. If you spend a lot of time online, especially if you have a cable modem or DSL line, you need a strong defense against Internet threats. Norton Internet Security 2000 coupled with Norton AntiVirus stops all sorts of viruses, malicious Java applets and ActiveX controls, and even hackers, before they can access your valuable data. If you encounter an unknown virus, just send it to the experts at the Symantec AntiVirus Research Center (SARC) and they'll get back to you promptly with a cure.
With Norton Internet Security 2000 you also get powerful tools to safeguard confidential information on your PC from unwanted visitors. Use them to protect credit-card numbers, bank-account information, and other personal data. You can even block annoying banner ads, pop-up windows, and other Web page clutter.
Norton Internet Security 2000: Essential Internet protection for home computers.
- Eliminates dangerous viruses: Your computer can be attacked even when you're just reading email or browsing Web sites. Norton Internet Security 2000 not only guards against viruses and worms, but also against malicious Java applets, ActiveX code, and other Internet threats. The latest version of award-winning Norton AntiVirus software is included with Norton Internet Security 2000, giving you instant access to the world's most popular and powerful anti-virus capabilities.
- Defends against malicious hackers: The more time your PC spends connected to the Internet, especially if you have a high-speed connection, the more opportunity there is for malicious hackers to break in and create havoc. They can steal files from your computer and even damage its contents. Norton Internet Security 2000 lets you fully enjoy the Internet while blocking attacks and alerting you to unauthorized connections and attempted intrusions.
- Controls children's Internet access: Parents today are understandably concerned about what kinds of photos and text their children might run across on the Internet. Norton Internet Security 2000 protects your children from exposure to inappropriate material online by giving you control over which Web sites they can visit and how much time they can spend online. It even lets you restrict outgoing information so that, for example, children can't give out the family phone number or credit-card numbers in a Web form without your permission.
- Protects personal information: Chances are you already have a lot of personal information stored on your PC, including credit-card numbers, online banking details, and confidential financial data. That's why Norton Internet Security 2000 allows you to designate key information that should be protected from unsecured Web sites. It also prevents Web servers from retrieving your email address without your permission or tracking your online activities through cookies.
- No more ads, thanks: Norton Internet Security 2000 blocks out banner ads, pop-up windows, and other clutter on Web pages. It includes many other features for convenience and ease of use, even letting you set up a different Internet configuration for each user in your home, protecting your kids while giving adults full access to the Net. You can view an instant summary of your most important program settings in one easy-to-understand window.
BlackICE Defender
http://www.networkice.com/Products/BlackICE/blackice%20defender.htm
BlackICE Defender is a popular firewall program designed to monitor and block incoming connection attempts. It simplifies configuration by letting the user choose between four broad levels of protection: Trusting, Cautious, Nervous, and Paranoid, with Cautious as the default. Each level corresponds to a different combination of incoming protocol type (TCP or UDP) and incoming port range (1-1024 or 1024-65535). This is briefly explained in the configuration window, as well as in the online help file.
Unfortunately, this simplicity also makes the firewall hard to configure precisely. For instance, BlackICE Defender is known for reporting "false positive" hack attempts on cable/DSL networks, and it offers no way for the user to ignore certain types of incoming packets. Therefore, when using this product on your network, you may see incoming traffic reported as malicious when in reality it is a harmless broadcast packet. For more information, please see the section labeled False Alarms. The NetworkICE web site also provides such information, along with a full list of the intrusions detected by BlackICE.
After intercepting an incoming packet, a direct (NetBIOS) and/or indirect (DNS) back-trace can be performed to help identify the hacker's originating domain. BlackICE also provides "Trusted" and "Blocked" lists, which can easily be amended to allow or ignore certain IP addresses. This feature cannot be restricted to specific ports; it simply acts as an IP filter on all ports. Print and file sharing can be manually disabled using a simple check box, although many ISPs already filter NetBIOS to hinder print and file sharing over the Internet. BlackICE Defender does not offer any outbound filtering or monitoring tools.
BlackICE Defender also keeps several forms of log files. The most important is the "attack-list.csv" file, a summarized list of all recorded incoming traffic that can be opened in Notepad or Microsoft Excel. This data is what the ISP needs to investigate an abuse complaint. For information on reporting hack attempts, please see the section labeled Once You Have an IP Address. Below is a sample line copied from the log file:
39 2000-05-02 04:00:58 2000301 TCP port scan 207.71.92.221 shieldsup.grc.com 216.243.8.246 port=21|23|25|79-80|110|113|143|443 42
NetworkICE provides an excellent description of how to read "attack-list.csv". Briefly, the example above is a port scan generated by Shields Up, the web-based scanner mentioned previously in the section Securing Your System. The date, time, type of attack, and the hacker's IP address are all shown, followed by the user's IP address and the list of ports that were scanned.
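To show how the fields of an attack-list line can be pulled apart before they go into an abuse report, here is an added Python example. It is not NetworkICE's code and is not from the original page. It parses the space-separated form quoted above and also a comma-separated form that is assumed from the ".csv" name; the second sample line is constructed. The page does not explain the leading number, the numeric id after the time, or the trailing number, so the labels severity, issue_id and count used for them are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the first line is the one quoted on the page; the second is a
# constructed line in the comma-separated layout the .csv name suggests.
SAMPLE_LINES = [
    "39 2000-05-02 04:00:58 2000301 TCP port scan 207.71.92.221 shieldsup.grc.com "
    "216.243.8.246 port=21|23|25|79-80|110|113|143|443 42",
    "39,2000-05-02 04:05:10,2000301,TCP port scan,207.71.92.221,shieldsup.grc.com,"
    "216.243.8.246,port=135|137-139,3",
]

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Field order follows the page's description: date, time, attack type, attacker
# IP (and host name), victim IP, scanned ports. The leading number, the id after
# the time, and the trailing number are ASSUMED to be severity, issue id and a
# hit count; the page does not explain them.
_SPACE_RE = re.compile(
    rf"^(?P<severity>\d+)\s+(?P<date>\d{{4}}-\d{{2}}-\d{{2}})\s+(?P<time>\d{{2}}:\d{{2}}:\d{{2}})\s+"
    rf"(?P<issue_id>\d+)\s+(?P<attack>.+?)\s+(?P<src_ip>{_IP})\s+(?P<src_host>\S+)\s+"
    rf"(?P<dst_ip>{_IP})\s+(?P<params>\S+)\s+(?P<count>\d+)$"
)


@dataclass
class Attack:
    date: str
    time: str
    attack: str
    src_ip: str
    src_host: str
    dst_ip: str
    ports: List[int]
    count: int


def expand_ports(spec: str) -> List[int]:
    """Turn 'port=21|23|79-80' into [21, 23, 79, 80]; ranges are inclusive."""
    if "=" in spec:
        spec = spec.split("=", 1)[1]
    ports: List[int] = []
    for item in spec.split("|"):
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.extend(range(lo, hi + 1))
        elif item:
            ports.append(int(item))
    return ports


def parse_line(line: str) -> Attack:
    """Parse one attack-list record in either the space- or comma-separated form."""
    line = line.strip()
    if line.count(",") >= 8:
        # Assumed comma layout: severity, "date time", issue id, attack name,
        # attacker IP, attacker host, victim IP, parameters, count.
        _sev, stamp, _issue, attack, src_ip, src_host, dst_ip, params, count = line.split(",", 8)
        date, time = stamp.split()
    else:
        m = _SPACE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised attack-list line: {line!r}")
        g = m.groupdict()
        date, time, attack = g["date"], g["time"], g["attack"]
        src_ip, src_host, dst_ip = g["src_ip"], g["src_host"], g["dst_ip"]
        params, count = g["params"], g["count"]
    return Attack(date, time, attack, src_ip, src_host, dst_ip, expand_ports(params), int(count))


def by_source(lines: List[str]) -> Dict[str, List[Attack]]:
    """Group records by attacking IP so repeat sources stand out before reporting."""
    groups: Dict[str, List[Attack]] = {}
    for raw in lines:
        if raw.strip():
            rec = parse_line(raw)
            groups.setdefault(rec.src_ip, []).append(rec)
    return groups


def abuse_summary(rec: Attack, tz_label: str) -> str:
    """One plain-text line for the abuse-desk mail. attack-list.csv carries no
    time zone, so the caller states the zone the PC clock was set to."""
    return (f"{rec.date} {rec.time} ({tz_label}): {rec.attack} from {rec.src_ip} "
            f"({rec.src_host}) against {rec.dst_ip}; ports "
            + ",".join(str(p) for p in rec.ports) + f"; count={rec.count}")


if __name__ == "__main__":
    for src, recs in by_source(SAMPLE_LINES).items():
        print(f"{src}: {len(recs)} record(s)")
        for r in recs:
            print("  " + abuse_summary(r, "GMT-0500, assumed"))
```

The port list is expanded so that a range such as 79-80 is counted and reported as individual ports, and the time-zone label is left to the caller because this log format does not record one; an abuse desk cannot match the entry to its own records without it.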
Several other evidence files can also be recorded; however, some of these can only be viewed with a packet-monitoring tool such as Network Monitor, which comes with Windows NT/2000 Server. In most cases, such data is not necessary for an ISP to complete an investigation of reported abuse.
For an extensive explanation of this software, download the BlackICE Documentation in PDF format.
BlackICE is currently available for Windows 95/98 and Windows NT at $39.95.
Conseal PC Firewall
http://www.signal9.com/products/firewall/index.html
Conseal PC Firewall is a comprehensive firewall package offered by Signal 9 Solutions. It requires a more advanced understanding of IP protocols, ports, and services than many other firewall packages. However, it can be an extremely powerful firewall for users who are familiar with networking but have no desire to become security experts. It can create very specific or generalized rules and has an optional learning mode that prompts the user about configuration issues.
One positive aspect of Conseal PC Firewall is the thorough log it keeps of incoming connection attempts. The logs are typically saved in the "C:\Program Files\Signal9\FIREWALL" directory with a ".log" extension. A log file can be converted to a text file, then copied and pasted into an e-mail message to the attacker's ISP. A real-time log can also be displayed while an attack is occurring.
For more information on Conseal PC Firewall or to download a 15-day evaluation copy, please visit http://www.signal9.com/products/firewall/index.html.
Jammer
http://www.agnitum.com/
The web site of Agnitum (a company devoted to Internet security) describes Jammer as a multi-barrier system featuring antiviral, blocking, and monitoring software in one package. It is not a firewall but rather a monitoring tool that detects and blocks mostly NetBus and Back Orifice Trojan variants.
The monitoring portion of the program watches all 65536 TCP and UDP ports for certain types of scanning activity. If a malicious port scan is detected, the program blocks the incoming connection and logs the information. The following excerpt from the Agnitum web site lists many of the Trojan programs that Jammer can detect:
Jammer detects NetBus 1.2, NetBus 1.53, NetBus 1.6, NetBus 1.7, NetBus 2.0 Pro Beta, NetBus 2.0 Pro, Back Orifice 1.2, Back Orifice 1.2 modified, BO2K (also known as Back Orifice 2000) International and BO2K US version.
Jammer also includes a mail feature that allows the user to send a simple e-mail to the hacker's ISP, which includes the appropriate log information.
The software is also designed to detect changes to Windows Registry keys, and it displays a pop-up warning when a change is about to occur. You then have the option to allow or disallow the change. According to the Agnitum web site, this is how 90% of all Trojan software is installed.
If Jammer detects that your computer is infected with one of these Trojan programs, it then cleanses the system by removing the Trojan from startup files, as well as from the Windows Registry.
A free 30-day trial of Jammer is available at http://www.agnitum.com/download, and a 1-User license is also available for $19.95.
LockDown 2000
http://www.lockdown2000.com
LockDown 2000 is a combined firewall and Trojan-cleaning utility. The software is designed to run under Windows 95/98/NT. It detects and logs any attempt to access known Trojan listening ports. LockDown 2000 also contains several other distinct features, including a trace route and whois look-up tool, a network file-sharing monitor, and a system file checker.
LockDown 2000 can sound an audible alert and display a pop-up notification when a connection attempt is registered. At the same time, the daily log file is updated on the main screen.
The trace route and whois look-up tools are useful for taking the hacker's IP address and tracking down their Internet Service Provider (ISP). This information can then be used to forward the relevant log file to the ISP's abuse department for investigation.
Clicking the log feature makes it easy to view the log from any given day. On the log screen there is an option to export the information directly to the clipboard for pasting into an e-mail, or to open it in Notepad to be saved as a ".txt" file. Below is an excerpt from the help.log included with the program, which demonstrates the easy-to-read output. This example log file was created on 12-23-1999.
122399.LOG
<3:14:24 PM> Incoming hack attempt from IP Address: 207.136.9.251
<3:14:24 PM> Hacker is attempting to gain access using the SubSeven Trojan.
<3:14:24 PM> Terminated connection attempt...
<3:14:24 PM> Attempting trace route... Please stand by...
<3:14:50 PM> => 194.ATM8-0-0.GW1.DFW1.ALTER.NET
<3:14:50 PM> => iadfw3-gw.customer.ALTER.NET
<3:14:50 PM> => big-bro-f5-0.iadfw.net
<3:14:50 PM> => ghtia-ds3-1.net.iadfw.net
<3:14:50 PM> => atnt03.ght.iadfw.net
<3:14:50 PM> => pppt03-251.ght.iadfw.net
Notice the IP address of the incoming hack attempt and the hack attempt type on the next line. One drawback of this program is that it does not show the actual port information; the log shows only the Trojan name. The program then attempts a trace route to help find the domain name of the originating ISP. When reporting these logs it is important to forward not only this information but also the time zone in which the logs were recorded. The network file-sharing feature allows the owner to disconnect remote users attempting to access shared files, or to deny all access. Alternatively, the program also allows file sharing only with specific IP addresses that the owner defines.
LockDown 2000 also contains a substantial help file with useful information regarding how Trojans infect your system and how to eliminate them. There is also an extensive listing of port descriptions, domain names by country, and a whois server listing to aid in accurately tracking down an attacker's ISP.
A single-user copy can be purchased for $99 at http://www.lockdown2000.com/secure.html.
NukeNabber
http://www.dynamsol.com/puppet/nukenabber.html
NukeNabber is port-monitoring software. It differs from firewall software, which is designed to block incoming traffic to designated ports entirely. Simply put, this program listens for a certain type of attack directed at you. Upon seeing this attack, the program ignores the incoming data for approximately 10 seconds, which effectively prevents the computer from being vulnerable to certain attacks. According to the author of NukeNabber, he originally wrote the program to stop WinNuke/OOBNuke attacks on port 139 tcp. He has since added many other default ports to monitor, as noted below.
The following information is excerpted from the NukeNabber FAQ. This document can be found in its entirety at http://www.dynamsol.com/puppet/faqs/nnfaq.html.
What are the default ports?
19 udp (chargen)
53 tcp (DNS)
129 tcp (undefined)
137 tcp (netbios name)
138 tcp (netbios datagram)
139 tcp (netbios session)
* ports above 1024 are generally undefined *
1027,1029,1032 tcp (used to protect ICQ)
1080 tcp (used to detect wingate sniffers)
5000 tcp (used to detect and block Sockets de Trois v1)
50505 tcp (used to detect and block Sockets de Trois v2)
31337 udp (used to detect and block Back Orifice)
NukeNabber also has trace route, finger, and whois tools built in to allow for tracking down the hacker's Internet Service Provider (ISP). The relevant log file could then be sent to his/her ISP for investigation. The following is a sample entry from a log file:
[03/20/2000 14:47:49.260 GMT-0500] Connection: COMPNAME (192.168.0.1) on port 1080 (tcp)
[03/20/2000 14:47:49.540 GMT-0500] GET / HTTP/1.1
[03/20/2000 14:47:49.540 GMT-0500] Port 1080 (tcp) is now disabled for 60 seconds.
The hacker was scanning for a Socks/WinGate proxy (port 1080) from a local network IP address (192.168.0.1). Notice that the log also shows the full date/time stamp, including the time zone. All of this information is needed by the ISP to track down the hacker.
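Both the LockDown 2000 excerpt earlier and the NukeNabber entry above need a time zone before an ISP can use them, and the two formats supply it differently: NukeNabber writes the GMT offset into every line, while LockDown writes only a wall-clock time and leaves the date in the file name. The following Python example, added here and not part of either product or the original page, normalizes both to UTC for a report. The samples are the lines quoted on the page; the LockDown zone (GMT-0600) is an assumption supplied by the caller, since the log does not record it.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Tuple

# Constructed samples: the NukeNabber line quoted on the page, and the first line
# of the LockDown 2000 excerpt, whose file name 122399.LOG carries the date.
NUKENABBER_LINE = "[03/20/2000 14:47:49.260 GMT-0500] Connection: COMPNAME (192.168.0.1) on port 1080 (tcp)"
LOCKDOWN_FILE = "122399.LOG"
LOCKDOWN_LINE = "<3:14:24 PM> Incoming hack attempt from IP Address: 207.136.9.251"

# ASSUMPTION: the LockDown PC's clock was on GMT-0600; the log itself does not say.
ASSUMED_LOCKDOWN_ZONE = timezone(timedelta(hours=-6))

NN_RE = re.compile(r"^\[(\d{2}/\d{2}/\d{4}) (\d{2}:\d{2}:\d{2})\.(\d{3}) GMT([+-])(\d{2})(\d{2})\] (.*)$")
LD_RE = re.compile(r"^<(\d{1,2}:\d{2}:\d{2} [AP]M)> (.*)$")
IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def parse_nukenabber(line: str) -> Tuple[datetime, str]:
    """NukeNabber stamps carry their own GMT offset, so nothing else is needed."""
    m = NN_RE.match(line)
    if not m:
        raise ValueError(f"not a NukeNabber log line: {line!r}")
    date_s, time_s, ms, sign, hh, mm, message = m.groups()
    offset = timedelta(hours=int(hh), minutes=int(mm))
    if sign == "-":
        offset = -offset
    local = datetime.strptime(f"{date_s} {time_s}", "%m/%d/%Y %H:%M:%S").replace(
        microsecond=int(ms) * 1000, tzinfo=timezone(offset))
    return local.astimezone(timezone.utc), message


def parse_lockdown(line: str, log_filename: str, zone: timezone) -> Tuple[datetime, str]:
    """LockDown lines hold only a 12-hour wall-clock time. The date comes from
    the MMDDYY file name and the zone must be supplied by whoever ran the program."""
    m = LD_RE.match(line)
    if not m:
        raise ValueError(f"not a LockDown log line: {line!r}")
    mmddyy = log_filename.split(".")[0]
    local = datetime.strptime(f"{mmddyy} {m.group(1)}", "%m%d%y %I:%M:%S %p").replace(tzinfo=zone)
    return local.astimezone(timezone.utc), m.group(2)


def report_line(when_utc: datetime, message: str) -> str:
    """UTC stamp plus the first IP address in the message, then the original text."""
    ip = IP_RE.search(message)
    stamp = when_utc.strftime("%Y-%m-%d %H:%M:%S UTC")
    return f"{stamp} src={ip.group(1) if ip else '?'} {message}"


if __name__ == "__main__":
    print(report_line(*parse_nukenabber(NUKENABBER_LINE)))
    print(report_line(*parse_lockdown(LOCKDOWN_LINE, LOCKDOWN_FILE, ASSUMED_LOCKDOWN_ZONE)))
```

Converting to UTC once, at the point where the report is written, removes the ambiguity the LockDown section warns about: the reader of the report no longer has to guess which zone the PC clock was set to.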
Some important notes can also be found within the FAQ regarding different Windows operating systems and their monitoring capabilities.
NukeNabber reports: "Winsock does not support ICMP monitoring." What does this mean?
For Windows95 users, only those who have upgraded to Winsock 2.2 can monitor ICMP.
Windows98 users should never see this message.
WindowsNT only allows users with Administrative access to monitor ICMP.
Warning - If you are using Windows 95 or Windows 98, adding too many ports in NukeNabber may cause certain problems (*about* 20 or 25, depending on your system). This is not the case if you are running Windows NT (up to 50 in NukeNabber version 2.9b).
For more about this warning and a list of common ports to monitor, please see http://www.clic.net/~hello/puppet/nnports.html.
Other Options
Hardware Firewalls
In the past, using a piece of hardware to share a network connection and perform firewall duties was something only small businesses seemed to do. Now, with more homes having multiple computers, these products are being marketed to home users.
SonicWall
http://www.sonicsys.com/firewall/
(Please see "False Alarms" for more information on SonicWall.)
Umax Ugate
http://ugate.umax.com/
Linksys
http://www.linksys.com/scripts/indexer.asp?part=Broadband
For more examples, see http://www.timhiggins.com/ppd/hwrouters.htm.
Many of these hardware router/firewalls have a web-based administration page that is protected by a password. From the factory, some have a default password, some have a random password that is printed on the device itself, and some have no password until the owner sets one. Make sure you have set a strong password that will not be easy for someone to guess.
Unix-style Firewalls
Unix-style logging should only be done by a system administrator or an experienced UNIX user. It is done in two ways:
First, logging is done from the server program itself. This style of logging uses the syslog daemon (program) to make note of certain data that is important to the system. Examples include:
- Connections to the machine, including the source's IP address
- Problems that the system encounters
- Authentications after the initial connection
Typically, these logs are stored in the /var/log directory. For information about specific logs, consult the server program's documentation.
The second type of logging is done before the server program has a chance to receive any data. If you are running a firewall and have told it to log certain data, the syslog daemon will note connections that are attempted, regardless of their success. Below is an example of output from a Linux ipchains firewall on a failed connection.
Mar 15 14:35:13 hostname kernel: Packet log: input DENY eth0 PROTO=6 192.168.1.1:3305 10.0.0.1:111 L=60 S=0x00 I=7750 F=0x4000 T=52 SYN (#44)
In this example, the packet was denied (DENY). The protocol used to attempt the connection was 6 (TCP). The source address is 192.168.1.1, and the port on the source machine that was used to attempt this connection was 3305. The target machine was 10.0.0.1 and the target port was 111. This is a common log entry you will see when running a firewall.
False Alarms
A false alarm occurs when a monitoring program that has been installed reports an attack against your machine and in actuality, what is happening is benign. Below are some examples of false alarms.
BlackICE
The Fusion Source Abuse Department has found that BlackICE Defender produces a high number of "false positives" when used on a cable modem network because of visible broadcasts on the network. Broadcasts are packets of data that are sent out to all systems on part of the network. Because these false positives can desensitize a user and cause him/her to overlook genuine attacks, we cannot recommend that you use this product. If you choose to use BlackICE, you will need to know a little about subnet broadcasts and how to distinguish them from real attacks. Broadcasts are harmless and do not use up any significant portion of bandwidth. BlackICE reports them as "Smurf Attacks" or "Fraggle Attacks." BlackICE will also alert you to "SNMP Discovery Broadcasts" and "PC Anywhere Pings". On a cable modem network, you may also find that other customers are running software that performs an automatic discovery process on the local subnet for machines listening on port 111. To find out whether another IP address is on your subnet, use a "Subnet Calculator" (available on the web).
Unix-style Logging
Just like any monitoring scheme, Unix-style logging can be hard to understand. It is advisable to be sure when you report possible hacking activity that it truly is hacking activity and not a poorly configured computer in your area. The best way to determine this is to look at the log. For example:
Mar 21 10:16:28 hostname kernel: Packet log: input DENY eth0 PROTO=17 24.##.##.##:1029 255.255.255.255:111 L=64 S=0x00 I=41324 F=0x0000 T=128 (#1)
In this log, the destination address is "255.255.255.255". This indicates that someone in the area is broadcasting to port 111. While this should be reported, it does not mean that someone is trying to hack you.
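The two ipchains entries on this page (the denied TCP connection in the Unix-style Firewalls section and the UDP broadcast just above) differ only in their destination address, and that address is what separates a real probe from the broadcast false alarm the BlackICE section describes. The following Python example, added here and not from the original page, parses ipchains "Packet log" lines, does the subnet-calculator step of working out your own subnet and its broadcast address from your IP and netmask, and tags each entry accordingly. The sample lines are constructed on the model of the page's entries; the second uses a made-up source address in place of the page's masked one, and the third adds a directed (subnet) broadcast case that the page's examples do not show.

```python
import ipaddress
import re
from typing import Dict

# Constructed sample lines modelled on the ipchains entries quoted on the page
# (the second uses a made-up source address where the page masks it; the third
# is a constructed subnet-broadcast case).
SAMPLE_LOG = [
    "Mar 15 14:35:13 hostname kernel: Packet log: input DENY eth0 PROTO=6 "
    "192.168.1.1:3305 10.0.0.1:111 L=60 S=0x00 I=7750 F=0x4000 T=52 SYN (#44)",
    "Mar 21 10:16:28 hostname kernel: Packet log: input DENY eth0 PROTO=17 "
    "10.0.0.77:1029 255.255.255.255:111 L=64 S=0x00 I=41324 F=0x0000 T=128 (#1)",
    "Mar 21 10:17:02 hostname kernel: Packet log: input DENY eth0 PROTO=17 "
    "10.0.0.77:1029 10.0.0.255:111 L=64 S=0x00 I=41325 F=0x0000 T=128 (#2)",
]

IPCHAINS_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<verdict>\S+) (?P<iface>\S+) PROTO=(?P<proto>\d+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+)"
)
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA protocol numbers


def parse_ipchains(line: str) -> Dict[str, object]:
    """Pull the fields the page explains out of one ipchains 'Packet log' line."""
    m = IPCHAINS_RE.search(line)
    if not m:
        raise ValueError(f"not an ipchains packet log line: {line!r}")
    g = m.groupdict()
    proto = int(g["proto"])
    return {
        "chain": g["chain"], "verdict": g["verdict"], "iface": g["iface"],
        "proto": proto, "proto_name": PROTO_NAMES.get(proto, str(proto)),
        "src": g["src"], "sport": int(g["sport"]),
        "dst": g["dst"], "dport": int(g["dport"]),
    }


def subnet_of(my_ip: str, netmask: str) -> ipaddress.IPv4Network:
    """What a 'subnet calculator' does: your address plus mask gives the subnet."""
    return ipaddress.ip_interface(f"{my_ip}/{netmask}").network


def same_subnet(other_ip: str, my_net: ipaddress.IPv4Network) -> bool:
    """True when the other address falls inside your subnet."""
    return ipaddress.ip_address(other_ip) in my_net


def classify(dst: str, my_ip: str, my_net: ipaddress.IPv4Network) -> str:
    """Say whether a logged destination points at you alone or at everyone."""
    d = ipaddress.ip_address(dst)
    if d == ipaddress.ip_address("255.255.255.255"):
        return "limited broadcast"   # 255.255.255.255 reaches every host on the link
    if d == my_net.broadcast_address:
        return "subnet broadcast"    # e.g. 10.0.0.255 on 10.0.0.0/24
    if d == ipaddress.ip_address(my_ip):
        return "unicast to this host"
    return "unicast to another host"


def triage(line: str, my_ip: str, netmask: str) -> Dict[str, object]:
    """Parse one line and tag it; broadcasts are the false alarms the page describes."""
    rec = parse_ipchains(line)
    net = subnet_of(my_ip, netmask)
    kind = classify(str(rec["dst"]), my_ip, net)
    rec["kind"] = kind
    rec["false_alarm"] = kind.endswith("broadcast")
    rec["source_on_my_subnet"] = same_subnet(str(rec["src"]), net)
    return rec


if __name__ == "__main__":
    for ln in SAMPLE_LOG:
        r = triage(ln, "10.0.0.1", "255.255.255.0")
        print(f'{r["proto_name"]} {r["src"]}:{r["sport"]} -> {r["dst"]}:{r["dport"]} '
              f'{r["verdict"]}: {r["kind"]}')
```

Only the destination address is needed for the classification, so the same classify() call works on the SonicWall entry below once its "Destination:" field has been picked out; an entry tagged as a broadcast is the kind the page says to note but not to treat as an attack on you.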
SonicWall
SonicWall also mistakes some broadcasts for "attacks." Here's an example:
03/02/2000 14:41:43.544 - Smurf Amplification Attack Dropped - Source:24.218.164.190, 8, WAN - Destination:255.255.255.255, 8, LAN
In this example, a ping with destination address 255.255.255.255 (local broadcast) is mistaken for a Smurf Attack, which uses directed broadcast and IP spoofing.