- Worldstart's Tech Tips Newsletter - http://www.worldstart.com -
Posted on April 6, 2005 @ 2:09 PM in Security Help
I know I promised to send you this tip last week but I felt it important to tell you about the Firefox problem (which, by the way, has been fixed so download and install the latest version).
OK, so two weeks ago we took a look at how to not only see, but also decipher, your router logs. To review this info, check out the webpage…
This week I wanted to touch on some things you can do if you notice some strange activity on your firewall.
If, when you view your firewall log, you notice some odd addresses coming in from outside the local network, the first thing you want to figure out is who this is and where it is coming from. Hackers can and often do cover their tracks by routing their traffic through other PCs (usually some infected system). This makes exposing the true attacker hard, if not impossible. I think a good way to at least narrow down the candidates is to use a well-known hacker technique: reverse engineering.
You can take any suspect IP address and attempt to resolve it to the actual host name. There are a couple of tricks we can use to try to uncover the reason behind these firewall hits. For starters we are going to use the "Ping" and "NSLookup" commands, both of which are network administrator tools for locating the source of connection issues.
In order to use these command line tools you must have IP addresses, as shown in the router log article linked above. Once you see any IP addresses coming into your network, jot them down and let's begin our procedure.
The Ping and Nslookup commands must be run from a command line, so to start things off go to Start/Run and type "cmd" (without the quotes) for XP/2K users and "command" for 95/98/ME users. This will bring up a DOS window, and from here you can type the Ping command along with a switch such as "-a" (which tells Ping to resolve the address to a host name) and then the suspicious IP address. It should look like this:
C:\Documents and Settings\Owner> ping -a 126.96.36.199
Note: With XP you can also try using the Nslookup command for this, and you may even be able to put the IP address in the address field of your Internet browser, which will work if they have a website.
This isn't going to work for every situation, and this is why I mentioned the reverse engineering method. As I said earlier, hackers are trying to remain hidden, and they do this by routing their transmissions through other people's infected machines; some ISPs may also block these commands at their servers. So by reverse engineering I mean that you can go through the list of IP addresses that you jotted down earlier and start pinging them all. Make marks in your notes as to which addresses could be resolved or pinged and which could not.
Next you might want to go through the list and try the other two techniques (nslookup and using your browser). If these methods produce no useful results, then consider blocking the addresses. You can block sites and domains through your firewall quite easily, and you shouldn't notice any adverse effects such as not being able to connect to a site or missing an update for your antivirus. You will not be blocking anything important, because if your firewall stopped it, it never got into your network anyway.
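To make the "jot them down and mark which ones resolve" step repeatable, here is an added Python script (my own example, not code from the newsletter) that takes the list of addresses, sets aside any that are not public (a private or reserved address cannot be an outside host, whatever the log says), and performs the same reverse lookup that "ping -a" and nslookup do. The sample addresses and the status labels are constructed for the example.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# Constructed sample: source addresses jotted down from a firewall log.
SAMPLE_HITS = ["192.168.1.23", "8.8.8.8", "203.0.113.45", "not-an-ip"]


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup: the same thing 'ping -a' and 'nslookup <ip>' do."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


def triage(ips: Iterable[str],
           resolver: Callable[[str], Optional[str]] = reverse_lookup
           ) -> Dict[str, Dict[str, Optional[str]]]:
    """Mark each address the way the article suggests jotting notes.

    status is one of (labels are my own):
      invalid     - not an IP address at all (a typo in your notes)
      not_public  - private, loopback, link-local or otherwise unroutable;
                    it cannot be an outside host, so do not report it to an ISP
      resolved    - reverse DNS gave a host name (worth looking at the domain)
      unresolved  - public address with no PTR record; block or trace further
    """
    notes: Dict[str, Dict[str, Optional[str]]] = {}
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            notes[raw] = {"status": "invalid", "host": None}
            continue
        if not addr.is_global:
            notes[raw] = {"status": "not_public", "host": None}
            continue
        host = resolver(raw)
        notes[raw] = {"status": "resolved" if host else "unresolved",
                      "host": host}
    return notes


if __name__ == "__main__":
    # A live run uses real reverse DNS, so results depend on your network.
    for ip, note in triage(SAMPLE_HITS).items():
        print(f"{ip:<16} {note['status']:<11} {note['host'] or ''}")
```

Pass your own resolver (as the test harness does with a dictionary) to work through a saved list offline or to plug in a different lookup tool.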
Another command line utility that can possibly help you narrow down and even locate the source of an intrusion is the "tracert" command. This is short for traceroute, and what it does is show you everywhere your packets go online in order to reach the desired destination. For instance, if you type "tracert google.com" at the command line you will get a strange looking list similar to the Ping output.
What this will show is the route your information (packets) uses to get to Google.com, including your local ISP and any other servers along the way. This can be useful because it can possibly track down where the IP address is being sent from and possibly display the ISP’s name, such as Netzero.com for example. You can use this along with the IP address that you can’t resolve and shed some light on where all this is coming from, and who to tell.
If you do get an ISP’s name you can look them up online for some sort of contact information and possibly send them an email describing what’s going on with one of their users. This may be news to the person caught in the middle as well, for they may have been infected with some sort of worm or Trojan and are not aware of the fact that they are a hacker relay.
With any of these methods it’s a crap shoot at best—clever hackers conceal who they are and where they come from. These tools will help you see who is not a threat and you can use that to your advantage.
Just a few other things you may want to keep in mind if your firewall hits are out of control. Call your ISP and tell them that you are getting constant hits on your firewall. They may do something for you, such as trying to track the hits down (especially if they are a small ISP), and you may also request a new IP address. This should stop the intrusions, for a while at least.
Just as a last thought, it may be a good idea to run your anti-virus and anti-spyware scanners after everything is cleaned up, to make sure you're not a hacker relay yourself.
Check out our website if you want to learn about nslookup…
Stay safe out there,
URL to article: http://www.worldstart.com/firewall-hits/