A remote PC is trying to access your PC; what exactly does this mean?

#1

I'm running XP home with Norton Internet Security. About a dozen times during a one hour session I will get this alert and always take the recommended action "block". These alerts occur within seconds of connecting to my ISP, even before I launch my browser or Outlook. It seemed like only last year, as long as you didn't open email attachments or click on dubious links, you were safe. What exactly are the capabilities if someone did succeed in accessing my PC? Can they do things such as reformat my HD or replace word.exe with virus.exe?

#2

Gary Helfert wrote:

> I'm running XP home with Norton Internet Security. About a dozen
> times during a one hour session I will get this alert

Judging by your Subject line, these are Inbound alerts.

> and always take the recommended action "block".

...a wise choice.

> These alerts occur within seconds of connecting to my ISP, even
> before I launch my browser or Outlook.

If you would provide the IP address and the port number, we could give more specific advice. Is there any other info on the alert? Maybe it is your ISP confirming you are connected?

> It seemed like only last year, as long as you didn't open email
> attachments or click on dubious links, you were safe.

That was last year. <g>

> What exactly are the capabilities if someone did succeed in
> accessing my PC? Can they do things such as reformat my HD or
> replace word.exe with virus.exe?

Most of the probes will be attempting to send you a worm that would allow a nefarious person (or bot) to take over your computer and use it for things like sending/relaying spam.

Generally, it would be ok to just turn off the alerting, and relax knowing your firewall is doing its job.

Consider upgrading your own software (browser, mail, news ...) to modern applications.
http://home.rochester.rr.com/bshagnasty/tips.html

--
-bts
-This space intentionally left blank.

#3

So the worm is an executable file that is deposited someplace on HD. I assume the remote computer accesses my computer again at a future date and sends an execute command and the worm springs into action. Is this how it works?

#4

Gary Helfert wrote:

> So the worm is an executable file that is deposited someplace on
> HD. I assume the remote computer accesses my computer again at a
> future date and sends an execute command and the worm springs into
> action. Is this how it works?

While there are different kinds of worms and trojans, what you describe is pretty much how it works. Some of them are set to execute immediately, dig into your OS so they start every time you boot, and start pinging their hosts with a "Here I am! Here I am!" message.

--
-bts
-This space intentionally left blank.

#5

"Gary Helfert" <ghelfert@worldnet.att.net> wrote in message news:xm_kd.9979$7i4.8913@bgtnsc05-news.ops.worldnet.att.net...

> It seemed like only last year, as long as you didn't open email attachments
> or click on dubious links, you were safe.

Except for the exploit based worms, and file infector viruses. It is just that last year you were less aware than this year.

> What exactly are the capabilities if someone did succeed in accessing my PC?
> Can they do things such as reformat my HD or replace word.exe with
> virus.exe?

They could do anything that you could do, depending on the security of the OS involved and the permissions of the remote user. What you probably are seeing is the noise generated by exploit based network enumerating worms looking for vulnerable systems, which your firewall is (thankfully) blocking.

If you are just curious (and it seems that you are) you might do a search for "Phatbot" and see how complex malware can behave.

#6

Of course my firewall protects me but sometimes I'll use my parents PC which only has AntiVirus protection. If I log on to the OS as an individual with guest privileges instead of administrative, would that help limit the damage a worm could do?

#7

Gary Helfert wrote:

> Of course my firewall protects me but sometimes I'll use my parents
> PC which only has AntiVirus protection.

Why not do them a favor and install a firewall?

> If I log on to the OS as an individual with guest privileges
> instead of administrative, would that help limit the damage a worm
> could do?

Nope.

--
-bts
-This space intentionally left blank.

#8

By vulnerability do you mean they scan for open ports? I'm not exactly sure what a port is but I understand computer users involved in music sharing & online games have ports that are open for exploitation. If you don't use these services can't you make sure all ports are closed except minimum need to surf & access email? Surely it can't be all that complicated. Can you perhaps recommend a book i.e. "Exploit based worms for Dummies". I accept the fact that a firewall will protect you but I'd like to know how it all works.

#9

"Gary Helfert" <ghelfertpublic@comcast.net> wrote in message news:8oudnbGSRsZC2gXcRVn-og@comcast.com...

> By vulnerability do you mean they scan for open ports?

Specifically for ports with services that are known to mishandle data (usually buffer overruns creating stack or heap corruption).

> I'm not exactly sure what
> a port is but I understand computer users involved in
> music sharing & online games have ports that are open for exploitation.

Ports are used during any communication between computers and sometimes even within a single machine. Vulnerability is not limited to p2p sharing and gaming, even some security programs have been shown to add vulnerability in their attempt to do the opposite.

> If you don't use these services can't you make sure all ports
> are closed except minimum need to surf & access email? Surely it can't be
> all that complicated.

It is not at all complicated, what IS complicated is getting "everyone" to be minimalist in their configurations. MS's default configuration for new installs is far from it and many of their users leave the default settings alone. Peeps don't always know what new software is doing, so having a software firewall alert to incoming and outgoing comms helps to get them educated about what they are doing.

> Can you perhaps recommend a book i.e. "Exploit based worms for Dummies".

Sorry, no. Did you google "Phatbot"? Most descriptions that I have seen contain links to information on the set of vulnerabilities being used.

> I accept the fact that a firewall will protect you but
> I'd like to know how it all works.

Reading about how at least one of these exploits works, and "Networking for Dummies" should help. Strangely, you could investigate how the KaZaa p2p system works (a fascinating program) and get an idea how other worms can take advantage of legitimate port usage to sort of tunnel through firewalls.

#10

On Sun, 14 Nov 2004 22:08:17 -0800, Gary Helfert <ghelfertpublic@comcast.net> wrote:

> I'd like to know how it all works.

I can give you a quick summary...

When one computer sends information over the internet, it's sent as one or more packets. Each packet contains a destination ip (Internet Protocol) address, a protocol type (usually tcp, udp, or icmp), a port or type id, some control fields, and the actual data.

For tcp and udp, a port id or number will be included, that is used by the receiving computer to decide which program should be used to process the data in the packet. For ICMP, there will be a type field, indicating what the data is for.

UDP - User Datagram Protocol is used to send a message to another computer, when no response is expected. One example is windows messenger spam, which is normally sent to udp port 1026.

ICMP - Internet Control Message Protocol is used primarily to report errors in the transmission of TCP packets, although it can also be used to get information from another computer, such as the current time, etc. The type (and sometimes an additional code field) indicates what info is being supplied, or requested.

TCP - Transmission Control Protocol - is used when information has to be sent in both directions. The packet will have both destination and source ip addresses, and port numbers.

When you want to view a website, your browser will generate a TCP packet with the destination address set to the ip address of the website, a destination port of 80 (which is the port number usually assigned to HTTP aka web servers), a source address set to your ip address, and a source port number generated by your computer, that it has assigned to your web browser.

In order to receive the packet, the computer at the website's address must be set up to allow incoming packets from your ip address, destined to port 80. When it receives the request, it gives the packet to the web server, which generates a TCP packet with your ip address as the destination, and port number assigned to your browser, with the data for your browser to display.

Your firewall keeps track of where it's sent packets to, and accepts the response, and gives the packet to your browser, to format and display on your screen.

If your computer has no servers running, such as p2p software, then it will automatically reject all incoming packets that are not responses to previously sent outgoing packets. You don't need a firewall unless you have one or more servers running.

A default install of a M$ operating system prior to XP SP2 will include servers, such as file and printer sharing, distributed computing remote procedure call, etc. You may also have other software such as your own web server, for testing, that you don't want others to be able to access. In these cases, you need a firewall, to control which ip addresses (if any) are allowed to send packets to your computer, other than the responses to packets from your computer.

*** Actual answer to your subject line follows ****

When your firewall gets a packet that you don't want, many firewalls will alert you of this, to advertise that it's doing its job. You can and should turn off such alerts. The only use for info about rejected incoming packets is if you're trying to id an infected computer, the source of messenger spam (for sending complaints), or the source of a denial of service attack, where your computer is being sent so many unwanted packets, it can't keep up. This info should come from a log file, not popup messages.

*** End of Actual answer to your subject line<G> ****

In addition, malware (trojans, spyware, adware, viruses, worms, remote administration tools, etc.) often use the internet to either phone home, or spread. A good firewall (i.e. not M$) will alert you to the connection attempt, and allow you to block it. This is often an end user's first alert to the presence of malware on their computer. Finally bringing the response on topic for the newsgroup<G>.

There's quite a few details I've left out, such as the use of flags, name servers, etc, but I think the above should be sufficient for a layperson to grasp the concepts. If you'd like to get into more of the details, a good place to start is http://www.cisco.com/univercd/cc/td.../ito_doc/ip.htm

Regards, Dave Hodgins

--
Change nomail.afraid.org to rogers.com to reply by email. (nomail.afraid.org has been set up specifically for use in usenet. Feel free to use it yourself.)
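
The reply-matching described in post #10, as an added example that is not part of the original thread: outbound packets open a flow, inbound packets are accepted only as replies to one (or to a deliberately exposed server port), and everything else is dropped and counted in a log rather than raised as a popup. The addresses are documentation-range values and `Packet`, `StatefulFilter` and `run` are names made up for this sketch; real firewalls also track TCP flags and expire idle flows.

```python
from collections import Counter, namedtuple

# Constructed packet model: only the fields the post lists (protocol, addresses, ports).
Packet = namedtuple("Packet", "direction proto src_ip src_port dst_ip dst_port")


class StatefulFilter:
    """Allow outbound traffic, allow inbound replies to it, drop the rest."""

    def __init__(self, allowed_inbound_ports=()):
        self.flows = set()                          # flows opened from the inside
        self.allowed = set(allowed_inbound_ports)   # (proto, port) of exposed servers
        self.dropped = Counter()                    # (proto, dst_port) -> count: the log

    def handle(self, p):
        if p.direction == "out":
            # Remember the flow so the reply can be matched later.
            self.flows.add((p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port))
            return "allow"
        # Inbound: a genuine reply has source and destination swapped.
        if (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port) in self.flows:
            return "allow-reply"
        if (p.proto, p.dst_port) in self.allowed:
            return "allow-server"
        self.dropped[(p.proto, p.dst_port)] += 1    # logged quietly, no popup
        return "drop"


def run(packets, allowed_inbound_ports=()):
    fw = StatefulFilter(allowed_inbound_ports)
    return [fw.handle(p) for p in packets], fw.dropped


ME = "192.0.2.10"  # constructed sample traffic, documentation address ranges
SAMPLE = [
    Packet("out", "tcp", ME, 49152, "198.51.100.80", 80),   # browser -> web server
    Packet("in", "tcp", "198.51.100.80", 80, ME, 49152),    # the page coming back
    Packet("in", "udp", "203.0.113.5", 40001, ME, 1026),    # messenger spam port
    Packet("in", "tcp", "203.0.113.9", 40002, ME, 135),     # probe of the RPC port
    Packet("in", "tcp", "203.0.113.9", 40003, ME, 135),     # same host, next attempt
    Packet("in", "tcp", "198.51.100.80", 80, ME, 49153),    # known host, no such flow
]

if __name__ == "__main__":
    decisions, log = run(SAMPLE)
    for pkt, verdict in zip(SAMPLE, decisions):
        print(f"{verdict:12} {pkt}")
    print("dropped by (proto, port):", log.most_common())
```

Reading the counter by destination port shows at a glance which services the background scanning is aimed at, which is the use of the log the post recommends over per-packet alerts.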