NPF 2002 Version 4.0

Weaver

Distinguished
Apr 29, 2004
42
0
18,530
Archived from groups: comp.security.firewalls

I have two questions:

1.) One of our computers, an older NT machine, is getting hit
repeatedly with 'Sokets de Trois v1. Trojan horse'. The machine's a
little slow and is having a lot of trouble keeping up with anything
else while NPF is blocking the attacks. How can I stop the attacks or
block them in a manner that is not so debilitating to the system?
Opening a website is taking about 10 times as long as it used to, even
when an attack is not ongoing, which is rare.

2) I would like my XP to be excluded from my NT's NPF blocking. I've
put the XP's IP address and submask in the excluded list but I still
can't log in without completely shutting off NPF.

Any suggestions?

Thanks.
 

curtis
May 26, 2004

Weaver wrote:
> 1.) One of our computers, an older NT machine, is getting hit
> repeatedly with 'Sokets de Trois v1. Trojan horse'. The machine's a

i have had the exact same problem on my ME machine. i think a recent
update must be screwing up something because it's showing a multitude of
IP addresses attacking me with the same trojan horse. i'm pretty sure
that a zillion different people didn't all start picking on me with the
same trojan at the same time, so it seems to me that norton's just a
little off-base. i haven't taken a performance hit, just the annoyance
of being constantly alerted to attacks. i'd love to know how to fix
things too if anybody's got any ideas...?
 

Weaver
Apr 29, 2004

>>that's the only way I can make sense out of your post.<<


First, allow me to apologize for a wretchedly incomplete post.
Here's the situation:

An NT 4.0 with NPF 2002 V4.
An XP Home with the latest NPF.
A DSL line and both PCs connected to a hub. No gateway machine on the
LAN.

If I take down the NT's NPF I can see it with the XP. Even with the
XP's IP address and submask in the excluded list of the 'block these
guys' window, the XP is still being blocked.
All websites on the NT are opening slowly, no exceptions that we've
been to.
I don't know what a NAT router or Akamai site is.

I do know what being DoSed means and it was my first suspicion in
regard to the loss of web related performance. The only reason I'm
doubting it now is that during periods of time when Norton is not
reporting attacks I'm still crawling onto the web.

Thanks for your help.
 

Weaver
Apr 29, 2004

Curtis <crnstopspam@hotmail.com> wrote in message news:<X0Xsc.13446$J02.7124@edtnps84>...
> Weaver wrote:
> > 1.) One of our computers, an older NT machine, is getting hit
> > repeatedly with 'Sokets de Trois v1. Trojan horse'. The machine's a
>
> i have had the exact same problem on my ME machine. i think a recent
> update must be screwing up something because it's showing a multitude of
> IP addresses attacking me with the same trojan horse. i'm pretty sure
> that a zillion different people didn't all start picking on me with the
> same trojan at the same time, so it seems to me that norton's just a
> little off-base. i haven't taken a performance hit, just the annoyance
> of being constantly alerted to attacks. i'd love to know how to fix
> things too if anybody's got any ideas...?

This makes me highly suspicious. I'm going to see if I can determine
when I last ran the live update on that machine. That may be the
problem. Oddly enough, Norton says they no longer support the
product.
 

Mike
Apr 1, 2004

"Weaver" <we.aver@verizon.net> wrote in message
news:667211a4.0405251340.d94e65f@posting.google.com...
> I have two questions:
>
> 1.) One of our computers, an older NT machine, is getting hit
> repeatedly with 'Sokets de Trois v1. Trojan horse'. The machine's a
> little slow and is having a lot of trouble keeping up with anything
> else while NPF is blocking the attacks. How can I stop the attacks or
> block them in a manner that is not so debilitating to the system?

Use an external firewall.

> Opening a website is taking about 10 times as long as it used to, even
> when an attack is not ongoing, which is rare.
>
> 2) I would like my XP to be excluded from my NT's NPF blocking. I've
> put the XP's IP address and submask in the excluded list but I still
> can't log in without completely shutting off NPF.
>
> Any suggestions?

Yup, use an external firewall.
 

Weaver
Apr 29, 2004

"Mike" <nospam@notherematey.com> wrote in message news:<c92hrf$39d$1@thorium.cix.co.uk>...
> "Weaver" <we.aver@verizon.net> wrote in message
> news:667211a4.0405251340.d94e65f@posting.google.com...
> > I have two questions:
> >
> > 1.) One of our computers, an older NT machine, is getting hit
> > repeatedly with 'Sokets de Trois v1. Trojan horse'. The machine's a
> > little slow and is having a lot of trouble keeping up with anything
> > else while NPF is blocking the attacks. How can I stop the attacks or
> > block them in a manner that is not so debilitating to the system?
>
> Use an external firewall.
>
> > Opening a website is taking about 10 times as long as it used to, even
> > when an attack is not ongoing, which is rare.
> >
> > 2) I would like my XP to be excluded from my NT's NPF blocking. I've
> > put the XP's IP address and submask in the excluded list but I still
> > can't log in without completely shutting off NPF.
> >
> > Any suggestions?
>
> Yup, use an external firewall.

Would you define 'external firewall' for me? I'm thinking that you
mean a firewall running on an internet gateway machine.
 
G

It could be your DSL company checking the status of its DSL modem. I had
the same thing, except in my case, it was the Shockrave trojan horse, I
traced the IP's all back to my ISP and when I contacted their abuse team via
phone, they told me that several times an hour, their computers send out
prompts to each modem to check its status and that it comes up as a certain
trojan, depending on the system. As an example, he prompted my IP on the
count of three and sure enough, I got a " A remote system is attempting to
connect to your system using the Shockrave Trojan Horse, IP in question has
been added to block list"

Take note of the IP addy then check it at http://www.network-tools.com, just
input the offending IP and it will do a reverse trace and give you the phone
number of the offender's ISP. If it's your ISP then contact them and find
out what's up.
"Curtis" <crnstopspam@hotmail.com> wrote in message
news:X0Xsc.13446$J02.7124@edtnps84...
> Weaver wrote:
> > 1.) One of our computers, an older NT machine, is getting hit
> > repeatedly with 'Sokets de Trois v1. Trojan horse'. The machine's a
>
> i have had the exact same problem on my ME machine. i think a recent
> update must be screwing up something because it's showing a multitude of
> IP addresses attacking me with the same trojan horse. i'm pretty sure
> that a zillion different people didn't all start picking on me with the
> same trojan at the same time, so it seems to me that norton's just a
> little off-base. i haven't taken a performance hit, just the annoyance
> of being constantly alerted to attacks. i'd love to know how to fix
> things too if anybody's got any ideas...?
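One way to do the triage described in this post offline, as an added Python example that is not from the thread: parse the alerts, count them per source address, check whether the sources sit inside a netblock you have already traced to your ISP, and measure how regular the arrivals are (the ISP's status checks were described as coming several times an hour). The simplified log line layout, the netblock and the timestamps are constructed assumptions; NPF 2002's real log format is not shown in the thread.

```python
"""Triage of repeated 'Trojan horse' firewall alerts (added example).
Log layout, addresses and times are constructed, not NPF 2002's real log."""
from collections import Counter
from datetime import datetime
import ipaddress
import re

# Constructed sample alerts: timestamp, alert name, source address.
SAMPLE_LOG = """\
2004-05-26 08:01:12 Sokets de Trois v1. Trojan horse 10.20.30.4
2004-05-26 08:16:10 Sokets de Trois v1. Trojan horse 10.20.30.4
2004-05-26 08:31:15 Sokets de Trois v1. Trojan horse 10.20.30.9
2004-05-26 08:46:11 Sokets de Trois v1. Trojan horse 10.20.30.4
2004-05-26 09:03:40 Sokets de Trois v1. Trojan horse 198.51.100.77
"""
LINE_RE = re.compile(r"^(\S+ \S+) (.+?) (\d{1,3}(?:\.\d{1,3}){3})$")

def parse_alerts(text):
    """Return a list of (timestamp, alert_name, source_ip) tuples."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an alert line
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        alerts.append((ts, m.group(2), ipaddress.ip_address(m.group(3))))
    return alerts

def count_by_source(alerts):
    """How many alerts each source address produced."""
    return dict(Counter(str(src) for _, _, src in alerts))

def sources_in_network(alerts, network):
    """Sources inside a netblock (hypothetical: your ISP's, found by a reverse trace)."""
    net = ipaddress.ip_network(network)
    return sorted({str(src) for _, _, src in alerts if src in net})

def median_gap_minutes(alerts):
    """Median minutes between consecutive alerts; regular gaps suggest polling."""
    times = sorted(t for t, _, _ in alerts)
    if len(times) < 2:
        return None
    gaps = sorted((b - a).total_seconds() / 60 for a, b in zip(times, times[1:]))
    return gaps[len(gaps) // 2]

if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    print(count_by_source(alerts))
    print(sources_in_network(alerts, "10.20.30.0/24"), median_gap_minutes(alerts))
```

If nearly every source lands in one netblock and the gaps are close to a fixed interval, that matches the ISP-polling explanation above far better than a crowd of unrelated attackers.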
 
G

Weaver,

Sorry, I must have missed your response yesterday. My apologies. Inline,
below ...

"Weaver" <we.aver@verizon.net> wrote in message
news:667211a4.0405260828.f7aa303@posting.google.com...
.. . .
> An NT 4.0 with NPF 2002 V4.
> An XP Home with the latest NPF.
> A DSL line and both PCs connected to a hub. No gateway machine on the
> LAN.

Okay, NT 4 with NPF 2002 and XP Home with NPF 2004. But, are you sure it's
a HUB and not a ROUTER? I mean, if the DSL line connects to that HUB, it
sounds as if it's really a ROUTER.

> If I take down the NT's NPF I can see it with the XP. Even with the
> XP's IP address and submask in the excluded list of the 'block these
> guys' window, the XP is still being blocked.

No, that's not the problem. You've got the XP in the wrong list on the NT.
It needs (as a first solution) to be in the NPF's Trusted Zone (not that
this is ideal, but it's better than what you've got). Putting it in the
"Exclusions List" (presumably in the IDS pane of NPF 2002) isn't doing a
thing for you, in this instance.

> All websites on the NT are opening slowly, no exceptions that we've
> been to. I don't know what a NAT router or Akamai site is.

Okay, the websites opening slowly is a different matter -- and we're still
trying to figure out just what the hell Symantec has done since 12 May.
Just yesterday, THIS showed up from
http://isc.sans.org/diary.php?date=2004-05-26 .

" . . . And an unconfirmed report that Norton Internet Security 4.0 2002,
2003 & 2004 for Windows has added a new feature which pre-scans the inline
html images prior to writing the images to the temp directory and displaying
them in the web-browser. This effort is to try to identify web borne worms
and viruses. The unfortunate side effect is that pages load incredibly
slowly. The report stated that Verizon's page took over 3 minutes to load
with the scanner and under 3 seconds without it. This could result in users
disabling their firewalls which is not a good thing. "

> I do know what being DoSed means and it was my first suspicion in
> regard to the loss of web related performance. The only reason I'm
> doubting it now is that during periods of time when Norton is not
> reporting attacks I'm still crawling onto to web.

Yeah, we can forget the DOS attack, I think. I think the possibility
discussed above is far more likely and I know a LOT of NIS/NPF 2002 people
are getting hit by it and, more recently, I'm starting to see NIS/NPF
2003/2004 users complaining about this. If there's a solution out there
yet, I don't know what it is.

Will try to keep you apprised.
 
G

"Weaver" <we.aver@verizon.net> wrote in message
news:667211a4.0405260829.703b02c@posting.google.com...
> Curtis <crnstopspam@hotmail.com> wrote in message
news:<X0Xsc.13446$J02.7124@edtnps84>...
.. . . .

> This makes me highly suspicious. I'm going to see if I can determine
> when I last ran the live update on that machine. That may be the
> problem. Oddly enough, Norton says they no longer support the
> product.

Do a Start | Search | Files ... and look for Log.LiveUpdate* (The thing's
almost impossible to read, but it should come up in Notepad or Word and you
just have to struggle through it.)

And yes, that really is Log [period] LiveUpdate* .
 
