NPF 2002 Version 4.0

Archived from groups: comp.security.firewalls

I have two questions:

1.) One of our computers, an older NT machine, is getting hit
repeatedly with 'Sokets de Trois v1. Trojan horse'. The machine's a
little slow and is having a lot of trouble keeping up with anything
else while NPF is blocking the attacks. How can I stop the attacks or
block them in manner that is not so debilitating to the system?
Opening a website is taking about 10 times as long as it used to, even
when an attack is not ongoing, which is rare.

2) I would like my XP to be excluded from my NT's NPF blocking. I've
put the XP's IP address and submask in the excluded list but I still
can't log in without completely shutting off NPF.

Any suggestions?

Thanks.
  1.

    Weaver wrote:
    > 1.) One of our computers, an older NT machine, is getting hit
    > repeatedly with 'Sokets de Trois v1. Trojan horse'. The machine's a

    i have had the exact same problem on my ME machine. i think a recent
    update must be screwing up something because it's showing a multitude of
    IP addresses attacking me with the same trojan horse. i'm pretty sure
    that a zillion different people didn't all start picking on me with the
    same trojan at the same time, so it seems to me that norton's just a
    little off-base. i haven't taken a performance hit, just the annoyance
    of being constantly alerted to attacks. i'd love to know how to fix
    things too if anybody's got any ideas...?
  2.

    >>that's the only way I can make sense out of your post.<<


    First, allow me to apologize for a wretchedly incomplete post.
    Here's the situation:

    An NT 4.0 with NPF 2002 V4.
    An XP Home with the latest NPF.
    A DSL line and both PCs connected to a hub. No gateway machine on the
    LAN.

    If I take down the NT's NPF I can see it with the XP. Even with the
    XP's IP address and submask in the excluded list of the 'block these
    guys' window, the XP is still being blocked.
    All websites on the NT are opening slowly, no exceptions that we've
    been to.
    I don't know what a NAT router or Akamai site is.

    I do know what being DoSed means and it was my first suspicion in
    regard to the loss of web related performance. The only reason I'm
    doubting it now is that during periods of time when Norton is not
    reporting attacks I'm still crawling onto the web.

    Thanks for your help.
  3.

    Curtis <crnstopspam@hotmail.com> wrote in message news:<X0Xsc.13446$J02.7124@edtnps84>...
    > Weaver wrote:
    > > 1.) One of our computers, an older NT machine, is getting hit
    > > repeatedly with 'Sokets de Trois v1. Trojan horse'. The machine's a
    >
    > i have had the exact same problem on my ME machine. i think a recent
    > update must be screwing up something because it's showing a multitude of
    > IP addresses attacking me with the same trojan horse. i'm pretty sure
    > that a zillion different people didn't all start picking on me with the
    > same trojan at the same time, so it seems to me that norton's just a
    > little off-base. i haven't taken a performance hit, just the annoyance
    > of being constantly alerted to attacks. i'd love to know how to fix
    > things too if anybody's got any ideas...?

    This makes me highly suspicious. I'm going to see if I can determine
    when I last ran the live update on that machine. That may be the
    problem. Oddly enough, Norton says they no longer support the
    product.
  4.

    "Weaver" <we.aver@verizon.net> wrote in message
    news:667211a4.0405251340.d94e65f@posting.google.com...
    > I have two questions:
    >
    > 1.) One of our computers, an older NT machine, is getting hit
    > repeatedly with 'Sokets de Trois v1. Trojan horse'. The machine's a
    > little slow and is having a lot of trouble keeping up with anything
    > else while NPF is blocking the attacks. How can I stop the attacks or
    > block them in manner that is not so debilitating to the system?

    Use an external firewall.

    > Opening a website is taking about 10 times as long as it used to, even
    > when an attack is not ongoing, which is rare.
    >
    > 2) I would like my XP to be excluded from my NT's NPF blocking. I've
    > put the XP's IP address and submask in the excluded list but I still
    > can't log in without completely shutting off NPF.
    >
    > Any suggestions?

    Yup, use an external firewall.
  5.

    "Mike" <nospam@notherematey.com> wrote in message news:<c92hrf$39d$1@thorium.cix.co.uk>...
    > "Weaver" <we.aver@verizon.net> wrote in message
    > news:667211a4.0405251340.d94e65f@posting.google.com...
    > > I have two questions:
    > >
    > > 1.) One of our computers, an older NT machine, is getting hit
    > > repeatedly with 'Sokets de Trois v1. Trojan horse'. The machine's a
    > > little slow and is having a lot of trouble keeping up with anything
    > > else while NPF is blocking the attacks. How can I stop the attacks or
    > > block them in manner that is not so debilitating to the system?
    >
    > Use an external firewall.
    >
    > > Opening a website is taking about 10 times as long as it used to, even
    > > when an attack is not ongoing, which is rare.
    > >
    > > 2) I would like my XP to be excluded from my NT's NPF blocking. I've
    > > put the XP's IP address and submask in the excluded list but I still
    > > can't log in without completely shutting off NPF.
    > >
    > > Any suggestions?
    >
    > Yup, use an external firewall.

    Would you define 'external firewall' for me? I'm thinking that you
    mean a firewall running on an internet gateway machine.
  6.

    It could be your DSL company checking the status of its DSL modem. I had
    the same thing, except in my case, it was the Shockrave trojan horse, I
    traced the IP's all back to my ISP and when I contacted their abuse team via
    phone, they told me that several times an hour, their computers send out
    prompts to each modem to check its status and that it comes up as a certain
    trojan, depending on the system. As an example, he prompted my IP on the
    count of three and sure enough, I got "A remote system is attempting to
    connect to your system using the Shockrave Trojan Horse, IP in question has
    been added to block list".

    Take note of the IP addy then check it at http://www.network-tools.com, just
    input the offending IP and it will do a reverse trace and give you the phone
    number of the offenders ISP. If it's your ISP then contact them and find
    out what's up.
    "Curtis" <crnstopspam@hotmail.com> wrote in message
    news:X0Xsc.13446$J02.7124@edtnps84...
    > Weaver wrote:
    > > 1.) One of our computers, an older NT machine, is getting hit
    > > repeatedly with 'Sokets de Trois v1. Trojan horse'. The machine's a
    >
    > i have had the exact same problem on my ME machine. i think a recent
    > update must be screwing up something because it's showing a multitude of
    > IP addresses attacking me with the same trojan horse. i'm pretty sure
    > that a zillion different people didn't all start picking on me with the
    > same trojan at the same time, so it seems to me that norton's just a
    > little off-base. i haven't taken a performance hit, just the annoyance
    > of being constantly alerted to attacks. i'd love to know how to fix
    > things too if anybody's got any ideas...?
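Added here by the editor, not part of the thread: the reply above describes the tell-tale pattern of an ISP's modem-status polling (the same "trojan" signature from several addresses, several times an hour, all traceable to the ISP) and suggests checking the offending IP. The script below is an added example that triages alerts that way, grouping them by signature, counting distinct sources, testing whether they all fall in a netblock the ISP owns, and testing whether the hits arrive at a regular interval. The log lines are constructed in a simplified comma-separated form (not the real NPF log format), the addresses are documentation ranges, and ISP_BLOCKS is an assumed value standing in for whatever range the ISP's abuse desk gives you.

```python
"""Triage repeated personal-firewall IDS alerts by signature, source and timing.

Added example, not from the thread: the log lines are constructed in a
simplified "timestamp,event,signature,source" form (not the real NPF log
format), the addresses are documentation ranges, and ISP_BLOCKS is an
assumed value standing in for the range the ISP says its pollers use.
"""
import socket
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample: one signature from three hosts in one block at
# roughly 15-minute intervals (the "several times an hour" pattern), plus
# one unrelated alert from an unrelated address.
SAMPLE_LOG = """\
2004-05-26 09:00:05,Intrusion detected,Sokets de Trois v1 Trojan horse,192.0.2.17
2004-05-26 09:15:11,Intrusion detected,Sokets de Trois v1 Trojan horse,192.0.2.44
2004-05-26 09:30:02,Intrusion detected,Sokets de Trois v1 Trojan horse,192.0.2.17
2004-05-26 09:45:09,Intrusion detected,Sokets de Trois v1 Trojan horse,192.0.2.201
2004-05-26 10:00:04,Intrusion detected,Sokets de Trois v1 Trojan horse,192.0.2.44
2004-05-26 09:37:48,Intrusion detected,SubSeven Trojan horse,203.0.113.5
"""

# Assumed: the netblock the ISP's abuse desk said its modem-status checks come from.
ISP_BLOCKS = [ip_network("192.0.2.0/24")]


def parse_alerts(text):
    """Parse the simplified log into dicts with a datetime, signature and address."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, _event, signature, src = line.split(",", 3)
        alerts.append({
            "time": datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"),
            "signature": signature,
            "src": ip_address(src),
        })
    return alerts


def in_blocks(addr, blocks):
    return any(addr in block for block in blocks)


def triage(alerts, isp_blocks, tolerance=0.1):
    """Per signature: how many distinct sources, whether they all sit in the
    ISP's blocks, and whether the hits arrive at a regular interval."""
    by_signature = {}
    for alert in alerts:
        by_signature.setdefault(alert["signature"], []).append(alert)

    report = {}
    for signature, group in by_signature.items():
        group.sort(key=lambda a: a["time"])
        sources = {a["src"] for a in group}
        gaps = [(later["time"] - earlier["time"]).total_seconds()
                for earlier, later in zip(group, group[1:])]
        typical = median(gaps) if gaps else None
        # Periodic if every gap is within `tolerance` of the median gap
        # (needs at least two gaps to mean anything).
        periodic = len(gaps) >= 2 and all(abs(g - typical) <= tolerance * typical for g in gaps)
        isp_share = sum(in_blocks(s, isp_blocks) for s in sources) / len(sources)

        if isp_share == 1.0 and periodic:
            verdict = ("all sources in ISP block, periodic: probably the ISP polling "
                       "the modem; confirm with the abuse desk")
        elif isp_share == 1.0:
            verdict = "all sources in ISP block: confirm with the ISP before whitelisting anything"
        else:
            verdict = "external sources: keep blocking; check each address with whois/reverse DNS"

        report[signature] = {
            "hits": len(group),
            "distinct_sources": len(sources),
            "isp_share": isp_share,
            "median_gap_s": typical,
            "periodic": periodic,
            "verdict": verdict,
        }
    return report


def reverse_lookup(addr):
    """Reverse DNS for one address; needs the network, so it is not used above."""
    try:
        return socket.gethostbyaddr(str(addr))[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    for signature, facts in triage(parse_alerts(SAMPLE_LOG), ISP_BLOCKS).items():
        print(f"{signature}: {facts}")
```

The periodicity test is deliberately strict (every gap within 10% of the median); a real scanner or worm hitting you from many hosts will not keep that rhythm, while a management poller will. Even when the verdict points at the ISP, confirm it with them before excluding the range: the point is to stop the alert noise, not to open the NT box to a whole netblock.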
  7.

    Weaver,

    Sorry, I must have missed your response yesterday. My apologies. Inline,
    below ...

    "Weaver" <we.aver@verizon.net> wrote in message
    news:667211a4.0405260828.f7aa303@posting.google.com...
    .. . .
    > An NT 4.0 with NPF 2002 V4.
    > An XP Home with the latest NPF.
    > A DSL line and both PCs connected to a hub. No gateway machine on the
    > LAN.

    Okay, NT 4 with NPF 2002 and XP Home with NPF 2004. But, are you sure it's
    a HUB and not a ROUTER? I mean, if the DSL line connects to that HUB, it
    sounds as if it's really a ROUTER.

    > If I take down the NT's NPF I can see it with the XP. Even with the
    > XP's IP address and submask in the excluded list of the 'block these
    > guys' window, the XP is still being blocked.

    No, that's not the problem. You've got the XP in the wrong list on the NT.
    It needs (as a first solution) to be in the NPF's Trusted Zone (not that
    this is ideal, but it's better than what you've got). Putting it in the
    "Exclusions List" (presumably in the IDS pane of NPF 2002) isn't doing a
    thing for you, in this instance.

    > All websites on the NT are opening slowly, no exceptions that we've
    > been to. I don't know what a NAT router or Akamai site is.

    Okay, the websites opening slowly is a different matter -- and we're still
    trying to figure out just what the hell Symantec has done since 12 May.
    Just yesterday, THIS showed up from
    http://isc.sans.org/diary.php?date=2004-05-26 .

    " . . . And an unconfirmed report that Norton Internet Security 4.0 2002,
    2003 & 2004 for Windows has added a new feature which pre-scans the inline
    html images prior to writing the images to the temp directory and displaying
    them in the web-browser. This effort is to try to identify web borne worms
    and viruses. The unfortunate side effect is that pages load incredibly
    slowly. The report stated that Verizon's page took over 3 minutes to load
    with the scanner and under 3 seconds without it. This could result in users
    disabling their firewalls which is not a good thing. "

    > I do know what being DoSed means and it was my first suspicion in
    > regard to the loss of web related performance. The only reason I'm
    > doubting it now is that during periods of time when Norton is not
    > reporting attacks I'm still crawling onto the web.

    Yeah, we can forget the DOS attack, I think. I think the possibility
    discussed above is far more likely and I know a LOT of NIS/NPF 2002 people
    are getting hit by it and, more recently, I'm starting to see NIS/NPF
    2003/2004 users complaining about this. If there's a solution out there
    yet, I don't know what it is.

    Will try to keep you apprised.
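Added here by the editor, not part of the thread: the reply above makes the point that an entry in the IDS exclusions list is not the same thing as an entry in the Trusted Zone, and that the Trusted Zone is a fix but not an ideal one. The model below is an added example (not Symantec's code, and not a description of NPF internals) of a personal firewall with the three stages in the order the reply implies: trusted zone, then intrusion detection, then inbound rules with default deny. It shows why the XP box is still blocked when it only sits in the exclusions list, why the Trusted Zone lets it in, and a narrower alternative that allows just the file-sharing ports from that one host. The 192.168.1.20 address, the port numbers and the rule shapes are assumptions.

```python
"""Why an IDS 'exclusion' is not a 'trusted zone': a simplified model.

Added example, not from the thread and not Symantec's code. It models the
three-stage order the reply describes (trusted zone, intrusion detection,
inbound rules) for an NPF-style personal firewall; the 192.168.1.20 address
for the XP box, the port numbers and the rule shapes are assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Decision:
    action: str        # "allow" or "block"
    alerted: bool      # IDS raised an alert for this packet
    autoblocked: bool  # source is (now) on the auto-block list
    reason: str


@dataclass
class PersonalFirewall:
    trusted: list = field(default_factory=list)         # Trusted Zone networks
    ids_exclusions: list = field(default_factory=list)  # IDS exclusions list
    allow_rules: list = field(default_factory=list)     # (network, port) explicit inbound allows
    autoblock: set = field(default_factory=set)         # sources the IDS has blocked

    @staticmethod
    def _matches(addr, nets):
        return any(addr in net for net in nets)

    def inbound(self, src, dport, signature=None):
        """Decide one inbound packet. `signature` is the IDS signature the
        packet matched, or None if it matched nothing."""
        src = ip_address(src)
        if src in self.autoblock:
            return Decision("block", False, True, "source on auto-block list")

        # Stage 1: a Trusted Zone host skips the IDS and the rules entirely.
        if self._matches(src, self.trusted):
            return Decision("allow", False, False, "trusted zone")

        # Stage 2: IDS. An exclusion only stops the alert and the auto-block
        # for that source; the packet still has to pass the inbound rules.
        if signature is not None and not self._matches(src, self.ids_exclusions):
            self.autoblock.add(src)
            return Decision("block", True, True, f"IDS: {signature}")

        # Stage 3: inbound rules, default deny.
        if any(src in net and dport == port for net, port in self.allow_rules):
            return Decision("allow", False, False, f"allow rule for port {dport}")
        return Decision("block", False, False, "default deny inbound")


XP = ip_network("192.168.1.20/32")   # assumed address of the XP Home box
SMB_PORTS = (139, 445)               # Windows file sharing, what "log in" needs


def build(mode):
    """Three ways to configure the NT's firewall for the XP box."""
    fw = PersonalFirewall()
    if mode == "exclusion":     # what the original poster did
        fw.ids_exclusions = [XP]
    elif mode == "trusted":     # the reply's first-cut fix
        fw.trusted = [XP]
    elif mode == "allow_rule":  # narrower: only the ports the XP needs
        fw.allow_rules = [(XP, p) for p in SMB_PORTS]
    else:
        raise ValueError(mode)
    return fw


if __name__ == "__main__":
    for mode in ("exclusion", "trusted", "allow_rule"):
        fw = build(mode)
        print(mode, "port 139 from XP ->", fw.inbound("192.168.1.20", 139))
        print(mode, "port 80 from XP ->", fw.inbound("192.168.1.20", 80))
```

With the XP only in the exclusions list, its SMB connection is never reported as an attack, but it is still dropped by the default-deny rules, which is exactly what the original poster saw. The Trusted Zone fixes that by letting everything from the XP through, which is why the reply calls it "not ideal": a compromised XP box then has the run of the NT machine. The per-host, per-port allow rule is the least-privilege version of the same fix, and it still leaves the IDS free to alert on and auto-block anything from an unknown source.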
  8.

    "Weaver" <we.aver@verizon.net> wrote in message
    news:667211a4.0405260829.703b02c@posting.google.com...
    > Curtis <crnstopspam@hotmail.com> wrote in message
    news:<X0Xsc.13446$J02.7124@edtnps84>...
    .. . . .

    > This makes me highly suspicious. I'm going to see if I can determine
    > when I last ran the live update on that machine. That may be the
    > problem. Oddly enough, Norton says they no longer support the
    > product.

    Do a Start | Search | Files ... and look for Log.LiveUpdate* (The thing's
    almost impossible to read, but it should come up in Notepad or Word and you
    just have to struggle through it.)

    And yes, that really is Log [period] LiveUpdate* .