trojan TCP/IP ports
trojan TCP/IP ports
ghost | 17452 Reads | This page is a companion to my main TCP/IP Ports table. That page lists ports that you might want to open or be aware of in order to use various Internet services.
This page documents DANGEROUS TCP/IP ports, that are used by trojan horse and backdoor programs or that expose system vulnerabilities, that hackers use to break into your network. These are ports that you definitely want closed, possibly with firewall alarms set on them to detect any external probes or internal compromise.
Please note that unfortunately, trojans can use the same port number as legitimate services; therefore, just because a port shows up, it doesn't necessarily mean that it has been trojanized.
I have found many much better resources for trojan and insecure ports, so instead of trying to list every port here, I am just going to provide links to some sites with good lists, as well as a variety of other security resources. I have placed a particular emphasis on home broadband network security.
Please contact me with any suggestions, corrections, or comments. See below if you have Questions.
FAQ on Port Probes Firewalls: What am I seeing? is an excellent must-read FAQ on what kind of probes you may be seeing on different ports.
Trojan Port Lists Trojan list database with many different sorting options Jerry Latham's Trojan Ports List Denial of Service Help: Trojan Ports to Block hyperlinked port list ONCTek List of possible Trojan/Backdoor port activity Commonly Probed Ports Threats to your Security on the Internet in particular the Current list of Trojans provides an excellent description of various trojan programs Andrew Daviel's Internet ports, services and trojans has lots of good links advICE:Exploits:Ports a nice hyperlinked port list PestPatrol - About Ports and Trojans - A Port List Additional Resources Trojan Horses: Back Orifice & Netbus Anti-trojan.org Although not specific to trojan ports, you may find the port search resources from my TCP/IP Ports page to be useful.
Trojans in the News and Commonly Probed As of 2004-07-25, based on news reports and probes I see on my network.
Port Trojans Notes
1080 MyDoom.B, MyDoom.F, MyDoom.G, MyDoom.H registered port for SOCKS
2283 Dumaru.Y registered port for Lotus Notes LNVSTATUS
2535 Beagle.W, Beagle.X, other Beagle/Bagle variants registered for MADCAP
2745 Beagle.C through Beagle.K registered port for URBISNET
3127 MyDoom.A registered port for EMC CTX-Bridge
3128 MyDoom.B This port is commonly used by the squid proxy.
3410 Backdoor.OptixPro.13 and variants This port is registered for NetworkLens SSL Event.
5554 Sasser through Sasser.C, Sasser.F This port is commonly used by SGI ESP HTTP.
8866 Beagle.B not a registered port. within a range 8800-8900 used by Ultima Online Messenger.
9898 Dabber.A and Dabber.B This port is registered for MonkeyCom.
10000 Dumaru.Y This is the registered port for the NDMP network storage backup protocol.
10080 MyDoom.B This is the registered port for the Amanda backup software.
12345 NetBus This is the registered port for the Italk Chat System. TrendMicro OfficeScan antivirus also uses this port.
17300 Kuang2 not a registered port.
27374 SubSeven not a registered port.
65506 various names: PhatBot, Agobot, Gaobot in the dynamic/private ports range. More info at TCP port 65506 proxy scan and New Worms scanning on 1025 and others
MyDoom.A actually may choose in a range from port 3127 to 3198. Some of these trojans may also use port 80 (registered HTTP port) and 8080 (common HTTP port).
Information mostly from Symantec Security Response (used to be called SARC).
Other Dangerous Ports Please note, the port numbers listed below are not trojans. They are for services that have security vulnerabilities. I have listed these particular ones because you might not recognize them.
These are ports you may want to BLOCK, at least at the edge of your network. (Of course, the best security of all is "default deny", where you block EVERYTHING and then only allow a small number of required services.) An asterisk * in the Notes field indicates that the ports are IANA registered. There is no way I can keep up with all of these, but this is a selection of ones I have noticed. Note that some of these vulnerabilities may be platform-specific.
Service TCP UDP Notes
SWAT, RealSecure 901 901 Samba Web Administration Tool. Also port that RealSecure IDS listens on for console communications. IANA registered for SMP NAME RES (Simple Messaging Protocol name resolution?). Also used by a Trojan.
possible Messenger Service or others 1026-1029 1026-1029 this low range in the ephemeral ports is a usual place for services to be communicating, however see MS Messenger 1026 info
MS SQL Server 1433, 1434 1433, 1434 * CERT Advisories CA-2002-22, CA-2003-04
MS Universal Plug and Play (UPnP) 1900, 5000, 2869? 1900, 5000, 2869? Port 1900 is IANA registered by Microsoft for SSDP (Simple Service Discovery Protocol). Port 5000 is also registered, but not by Microsoft, and not for this service I don't think. Microsoft Security Bulletins: MS01-054, MS01-059. NIPC Advisory 01-030.2, SecurityFocus. Also see the Remote Access Trojan FAQ about port 5000. About 2869 (which is IANA registered as MS ICSLAP), Microsoft says starting with Windows XP SP2, SSDP event notification service will rely on TCP port 2869. Currently this is only a speculative risk.
Remote Desktop Protocol 3389 3389 potential for unauthorized use of XP Pro Remote Desktop or XP Remote Assistance
radmin 4899 4899 remote administration of your computer, essentially remote control. See Radmin Default Installation Security Vulnerabilities.
DameWare 6129 6129 CERT Vulnerability Note VU#909678 DameWare Mini Remote Control vulnerable to buffer overflow via specially crafted packets
NET SEND on Windows There has been a recent (2002-10-11) upsurge in NET SEND spam. This will pop up a window on a Windows machine, using the Messenger Service (note this is different from Windows or MSN Messenger, it's a low-level service built-in to the Windows operating system).
The NET SEND messages are making it past the usual NetBIOS filters (ports 137-139, port 445) because in Windows 2000 and XP, the Messenger Service now works using RPC. A lookup is done on port 135 (epmap, DCE [RPC] endpoint resolution). That tells what high-numbered port the Messenger Service is listening on. The best way to stop this is to permanently disable the Messenger Service. You may also want to block port 135. I have also included information about Microsoft Distributed COM (DCOM), which uses port 135.
You may also want to block port 1026, based on Windows Messenger Popup Spam on UDP Port 1026.
For more information on the NET SEND issue and how to handle it, read:
Spam Takes New Form (this describes the "classic" NetBIOS way of exploiting the Messenger Service) Minimization of network services on Windows [2000 and XP] systems DSLreports Broadband Security Forum: Messenger Service window popped up on my Server myNetWatchman Alert - Windows PopUP SPAM Wired News: Spam Masquerades as Admin Alerts How To Disable Messenger Service in 2000 and XP Microsoft Q330904 - Messenger Service Window That Contains an Internet Advertisement Appears Microsoft Q148991 - How to Disable Pop-up Dialog Boxes in Windows NT DCOM info:
Privacy Power - DCOM and SOAP advICE : Countermeasures : Firewalls : Tunneling : DCOM Advanced, for Win2000: Disabling Distributed COM (Not recommended: may have unintended side-effects) Blaster Worm on Windows The W32 Blaster Worm has gotten a lot of attention recently (2003-08-13). It uses a vulnerability in MS RPC port 135 to compromise a Windows system. For more information, see my page Microsoft RPC and Blaster Worm.
For more information about some of the ports that Windows uses (for legitimate purposes) see the Windows Resources section of my TCP/IP Ports page.
Protecting Yourself Note that this is not an endorsement or recommendation of any software or services listed.
Security Sites and Guidelines As a starting point I suggest CERT's Home Network Security. It explains a lot of terminology and technology and gives a comprehensive guide to steps you can take to secure your home network. Their Home Computer Security guide is also good.
I recommend the video Warriors of the Net which gives a good general overview of networking and firewall concepts. It's quite entertaining, really. It is a free download, in MPEG format.
PracticallyNetworked: Securing Your LAN Home PC Firewall Guide The DSL Zone: Broadband Internet Security Basics dslreports.com: Security for Cable Networks (also available in German: Sicherheit im Kabelnetzwerk), broadband security FAQ Common Sense Guide for Home and Individual Users: Recommended Actions for Information Security (PDF) from the Internet Security Alliance Dell Vectors White Paper Personal Firewalls: Firewall Protection for PCs and Home Networks July 2001. Good general overview, some Windows-specific info. The US NIST has produced a very detailed guide to Security for Telecommuting and Broadband Communications (3.6 MB PDF). It's document SP 800-46 in their 800 series of Computer Security Special Publications. See below for information related to US National Strategy to Secure Cyberspace There is Canadian information as part of the Canadian Public Safety portal. Internet Safety. There is also a government portal called cyberwise which covers Illegal and Offensive Content on the Internet. The SANS/FBI list of the Twenty Most Critical Internet Security Vulnerabilities has some useful information, including Appendix A - Common Vulnerable Ports. However be aware that this is quite a technical, detailed report - it's really more targeted at enterprises and organizations rather than home users. As well, in many cases the ports that they list are also the most commonly used ports for normal services, so blocking them may not be practical.
Windows Microsoft's Protect Your PC site lists the steps you should follow to improve the security of your Windows installation. However note there is more software available than they list, including free versions. See the list in the Windows Security Software section below.
Microsoft's main site for home user security is http://www.microsoft.com/security/home/. The most relevant item for this page is Checklist: Install a Firewall.
I liked the Q&A format in Securing your [Windows] Computer by Marcus Jansson.
The Windows 2000 - Home User Self-Defence guide from UK Security Online is pretty good.
Karl Levinson has a very comprehensive page on microsoft.public.*.security Frequently Asked Questions.
Some relevant USENET groups:
comp.os.ms-windows.nt.admin.security Google Groups, newsreader microsoft.public.win2000.security: Google Groups, newsreader microsoft.public.windowsxp.security_admin: Google Groups, newsreader Advanced:
Windows Security Resource Kit: Chapter 9 Implementing TCP/IP Security Securing Windows NT/2000 Servers for the Internet: Chapter 1 Windows NT/2000 Security Macintosh To keep up-to-date with security patches, you should run Software Update and also regularly update your anti-virus signatures (although virii are in general a fairly minor problem on the Mac platform).
Mac OS X Security Introduction July 24, 2001 (first of a multi-part series) Sample Chapter 7: Principles of Securing Internet Services from Internet Security for Your Macintosh (MacOS 9) Apple Security, Apple Security Updates (page listing all updates, with a brief description of each) MacInTouch Security Resources despite the title, has some information that applies to non-Mac platforms (it's usually a little bit out-of-date on the latest Mac security issues) TidBITS: What's a Firewall, and Why Should You Care? 22-Feb-1999 Linux A good starting point is the comp.os.linux.security FAQ.
Some relevant USENET newsgroups:
comp.os.linux.security: Google Groups, newsreader redhat.security.general: Google Groups, newsreader Scanning Services Shields Up! from Gibson Research Corporation Symantec Security Check nice scanner that checks for Mac or PC specific ports and trojans. You can also just Scan for Viruses. Sygate Security Scan scans for known vulnerable ports dslreports.com: Secure-Me (now also called broadbandreports.com) AuditMyPC.com has scans and information. Scan worked fine using Mac IE. PC Flank: Test Your System has a variety of different scans Panda ActiveScan free online virus scan for Windows. PC PitStop AntiVirus Center also uses Panda. TrendMicro HouseCall Free online virus scan for Windows. BitDefender Scan OnLine free antivirus scan for Windows. Also used by Help Net Security (net-security.org) GFI EventLogScan.com security event log scanner for Windows NT, 2000, XP GFI Email Security Testing Zone mostly for testing Microsoft Windows Outlook and Outlook Express email vulnerabilities McAfee.com - Free Services includes SecurityCenter, Free Virus News, World Virus Map and Internet Connection Speedometer. You can also use FreeScan to scan for viruses. Or if you want to just upload a specific file to check it, you can use WebImmune. Kaspersky offers Free online [single] virus scan You upload the file, you don't have to have an account (unlike WebImmune). Computer Cops Offers a variety of scans. Also has useful security news. HackerWhacker Comprehensive scan. Also has many useful links. ExtremeTech Syscheck categorized and rated links to different online scanning services for Windows computers advICE:Support:KB: How can I scan myself from across the Internet? Inprotect.com Nessus and Nmap scanning CNET CatchUp offers free scanning of your Windows computer to detect needed security updates and identify spyware (discontinued) Software to List Open Ports You may find that you have ports open (e.g. by using the scanning services above) but that doesn't tell you exactly what's going on. It may be a legitimate service is using that port. That's where local software to view what ports are open can come in handy, particularly when it can show what application or process is using each port.
Windows Port Viewer Software Viewing the process attached to a port is for the most part only supported using NT/2000/XP.
TCPview Active Ports Netstat Viewer Foundstone: fport (command line), Vision DiamondCS Port Explorer US$30 for home use, free demo download available. G-Lock AATools US $50, "AATools Network Monitor maps the ports in use to their respective applications" Inzider works in Windows 98 (although there is a small possibility of problems) Microsoft Port Reporter (PortRptr.exe). Port Reporter logs TCP and UDP port activity on a local Windows system. Port Reporter is a small application that runs as a service on Windows 2000, Windows XP, and Windows Server 2003. It can only report what app is using the port under XP and 2003.
Macintosh Port Viewer Software IPNetMonitor for MacOS 9 and IPNetMonitorX for MacOS X Interarchy is an all-in-one omni-network-everything program from Stairways that can show TCP/IP connections along with many other things. To some extent I preferred their older (OS 9 only) Mac TCP Watcher (port viewer) and OT Session Watcher (network session capture) applications, as they each had one specific purpose. They don't appear to be available from Stairways any more, but you could do a Google search for them. For more advanced network monitoring (more than just viewing ports) some other handy tools are:
AGNetTools (which has turned into iNetTools) available for Mac OS 9 and X OT Tool from Neon Software (OS 9 and X) WhatRoute (OS 9, OS X Carbon) Port Viewing on Other Operating Systems You can also use the netstat -an command on many different operating systems, UNIX/Linux/BSD based in particular (including MacOS X), but also some versions of Windows.
The rather obscurely named lsof -i (LiSt Open Files) command with the -i option will list what program opened a particular port. The command has quite a powerful syntax. It comes with some UNIX and BSD distributions (including MacOS X), and can be downloaded and/or compiled for other distributions. Here are some resources:
lsof FAQ Track network connections with LSOF on Linux (or try the Google cache of the article) I also found an article that said you can get similar information from the Solaris pfiles program and from AIX's pstat, but in both cases, lsof offers more functionality and ease of use.
If you want to capture TCP sessions, you can use tcpflow, which runs on various BSD flavours, including OS X.
Software Windows Security Software You may not have the bandwidth to download Microsoft's hundreds of megs worth of patches. Fortunately, they provide many patches and tools on CD.
You can get Windows XP Service Pack 2 free on CD.
In North America, Office Service Packs can be obtained free of charge on CD. Order Office Service Packs on CD-ROMs.
ZoneAlarm free port monitor utility / firewall Sygate Personal Firewall free single-computer firewall Kerio Personal Firewall free for home use Tiny Personal Firewall free for home use Agnitum Outpost Personal Firewall free. Includes some additional filtering beyond just firewalling. AVG Anti-Virus System free for home and non-commercial use. Includes email scanning. Avast. Free anti-virus. Includes email scanning. BitDefender free edition. Also see the complete list of free products which includes versions for Instant Messaging protection. eTrust EZ Armor Security Suite from CA has antivirus and some firewall capabilities. Free 12-month software subscription to CA's eTrust EZ Armor-LE Antivirus and Firewall security suite. Valid for new users only. Limit 1 per household. AntiVir Personal Edition free anti-virus Ad-Aware The basic version is a free multi-spyware removal utility. SpyBot Search-and-Destroy The leading free software for spyware removal. SpywareBlaster Adds an extra level of protection by blocking bad ActiveX controls. GFI LANguard network security scanner, free for non-commercial use GFI System Integrity Monitor "GFI LANguard System Integrity Monitor (S.I.M.) is a utility that provides intrusion detection by checking whether files have been changed, added or deleted on a Windows 2000 system." Microsoft Baseline Security Analyzer (MBSA) a standalone application that scans Windows NT 4.0, Windows 2000, and Windows XP systems Shavlik HFNetChk scans for needed patches - command line and GUI (HFNetChkLT) versions available Mischel TrojanHunter shareware DiamondCS Trojan Defense Suite (TDS) shareware. 30 day evaluation period. Pest Patrol "utility that finds and eliminates hacker tools, spyware and trojans". Free evaluation download. "The only difference between evaluation and licensed versions of this product is the ability to delete or quarantine pests when found." additional commercial firewalls: Freedom Personal Firewall Built-in Windows Firewalls There are also some built-in firewall features in recent versions of Windows. In particular, Windows XP Service Pack 2 (XP SP2) has replaced the rather basic Internet Connection Firewall (ICF) with a more advanced one now just called Windows Firewall.
The XP SP2 Windows Firewall is a stateful host firewall that provides protection for computers against incoming traffic. Note that it DOES NOT provide outbound filtering, unlike many of the firewalls in the list above. You can configure it to allow a particular application, or specific ports.
Understanding Windows Firewall Manually Configuring Windows Firewall in Windows XP Service Pack 2 Microsoft Knowledge Base Article - 875357 - Troubleshooting Windows Firewall settings in Windows XP Service Pack 2 Troubleshooting Windows Firewall in Microsoft Windows XP Service Pack 2 (Word document) PC World Security Tip: Opening ports in the Windows Firewall for broken applications PC World Security Tip: Opening Ports in XP Service Pack 2 Information about firewalls in previous versions of Windows.
Security Features of Internet Connection Sharing (Q241570) (Win 98SE and Win ME) HOW TO: Configure TCP/IP Filtering in Windows 2000 (Q309798) IP Security Filtering on Windows 2000. NOTE: Terminology is incorrect. IPSec normally refers to an IP security standard for IPv4 and IPv6. HOW TO: Enable the Internet Connection Firewall Feature in Windows XP (Q283673) How to Open Ports in the Windows XP Internet Connection Firewall has a list of ports followed by instructions Mac Security Software Microsoft updates for Mac software can be found at Mactopia: Downloads. Also see Mactopia: Making sure your version of Office is up to date.
If you're using MacOS X 10.2 Jaguar, you should of course check with the vendor to ensure their application is fully compatible.
IP Net Router and IP Net Sentry will run on MacOS 8 and 9, as well as some versions of MacOS 7. IP Net Sentry X is a firewall (not based on ipfw) for OS X. DoorStop Firewall, Server edition is for protecting MacOS 8 and 9 servers NetBarrier for OS 9 and X Norton Internet Security for OS 9 and X. Specifically Norton Personal Firewall (based on DoorStop firewall). FireWalk X 2 for OS X. A separate system that does not use the built-in firewall. Little Snitch monitors outgoing network connections and allows you to decide which applications are allowed to make such connections MacFixIt Forums: Firewall software recommendations 17-Jun-2003 The Open Door "Who's There?" Firewall Advisor is a neat product. It takes firewall logs in a number of formats and analyzes them further to give you some more informative reports. The MacOS X version reports directly from the built-in firewall logs.
OS X 10.2 Mac OS X has some built-in firewall features (it uses the BSD ipfw utility) and OS X 10.2 now includes a limited interface to the firewall. The firewall is OFF by default. Logging is also OFF by default, and the interface provides no way to turn it on.
The interface is rather obscurely hidden in System Preferences… Internet and Network: Sharing, the middle tab "Firewall". Unless you have some particularly important reason not to, I recommend you turn it on. If it causes problems, you can always turn it off later. For example, I had a problem doing an FTP upload using SiteMill 2 from Classic - so I just turned the firewall off for the duration of the transfer, and then turned it back on. It does have some really stupid behavior, like interfering with sending email (the email will be sent once you turn the firewall back off).
You can see an image of the OS X 10.2 firewall preferences interface here (image from the Ars Technica review of MacOS X 10.2).
There is some more information in the article Configuring Jaguar's Firewall.
Currently for full control you would either have to write the firewall setup yourself in a text editor, or use one of the configuration utilities.
OS X Firewall Config Utilities BrickHouse (shareware, U$25) Has a lot of nice features being developed for monitoring and logging in addition to configuring. Also can help with IP sharing (i.e. "Internet Connection Sharing"). Jaguar compatibility is being worked on. sunShield (kewlware) Version 1.0 and later is Jaguar compatible. Impasse (30 day eval, then U$10) OS X Manual Firewall Configuration Advanced Users Only
Since MacOS X is based on BSD, it includes the BSD ipfw firewall. To access its full functionality, you will need to use a command line (e.g. the Terminal).
Section 10.7 Firewalls from the FreeBSD Handbook gives a good overview of firewalls and ipfw specifically.
You don't have to worry about any kernel configuration stuff, all the needed features have already been compiled in by Apple (thank goodness:)
Writing your own setup in a text file is for advanced users only.
USENET comp.sys.mac.comm thread OS 10.2.1 Internet Sharing and Firewall Setting up firewall rules on Mac OS X 10.2 Mike's Marathon Blog: OS X and ipfw Firewall Protection Some basic commands (note that since most of these commands require root access, you will have to preface them with sudo and enter your password to run them):
ipfw l (that's a lowercase letter "L") will give you a list of the current rules ipfw show will give you a display of the count for each rule (how many times the rule has been used) You can find all of the parameters for ipfw by doing the standard UNIX command man ipfw
In order to activate logging, you will need to use the command sysctl -w net.inet.ip.fw.verbose=1 This would normally be done as part of a script at startup.
REMINDER If you configure the firewall incorrectly, you can completely screw up your Internet and network connections. Please only try this if you know what you are doing.
Here is a report from Macintouch on scanning a default (firewall off) OS X 10.2 install:
For example, here's a scan of an un-firewalled Jaguar box: [rei:~] rmohns% sudo nmap -v -O -F [hostname] […] The SYN Stealth Scan took 20 seconds to scan 1149 ports. […] Interesting ports on rei.ncipherusa.com (172.24.2.36): (The 1144 ports scanned but not shown below are in state: closed) Port State Service 21/tcp open ftp 22/tcp open ssh 139/tcp open netbios-ssn 427/tcp open svrloc 548/tcp open afpovertcp Remote OS guesses: FreeBSD 4.4-5 or Mac OS X 10.0.4 (Darwin V. 1.3-1.3.7 or 4P13), FreeBSD 4.4 for i386 (IA-32) Uptime 5.999 days (since Thu Aug 29 10:58:40 2002) OS X 10.1 and earlier Here's some information on firewall configuration for previous versions of Mac OS X. Much of it still applies to Jaguar.
Setting up firewall rules on Mac OS X 10.1 updated 2002-01-08 Building your own personal firewall 2000-10-09 (from the Internet Archive - original page no longer available) Linux Security Software Abacus Project: The Intrusion Prevention System BitDefender for Linux free antivirus NOD32 commercial antivirus for Linux (and BSD) McAfee VirusScan for Linux Linux has extensive firewall and security features built-in.
Other Security Software BitDefender has free MS-DOS and PalmOS versions. Security Hardware This page currently lists mostly host-based, software security solutions. As part of a strategy of defence-in-depth, you may also want to add security hardware devices that sit in between your "internal" home network and your connection to the Internet. For the home user, this usually consists of firewall features built-in to a broadband router.
Note that the term "firewall" is bandied about quite freely. Most of the inexpensive boxes only provide NAT (Network Address Translation) and port filtering. This is not the same as a full Stateful Packet Inspection (SPI) firewall.
For this topic in general you should look to other sites on the web for reviews and information, and to the vendor and your ISP for support on how to configure the firewall features of your broadband router.
Some good starting points are:
Links to Firewall Router Reviews from FirewallGuide.com Practically Networked HomeNetHelp Small Net Builder Hardware By Brand forums at BroadbandReports.com Another possibility, for advanced users, is to built your own firewall using commodity hardware and free software. There are too many software possibilities for me to list here. I will mention just one that was recommended.
Astaro Security Linux is free for home use. You will still have to register it in order to get a license key. You will of course have to also supply your own hardware to run it on.
Wireless Security Wireless is becoming a popular technology. Please be aware that there are many security concerns with current wireless implementations. This page does not deal with wireless security, but there are many other good ones that do.
Some starting points:
Wireless LAN Security FAQ. Ars Technica: Security Practicum: Essential Home Wireless Security Practices IBM developerWorks: Securing 802.11 transmissions, Part 1: 802.11x's elusive security Dell Vectors Tech Brief: Wireless Security in 802.11 (Wi-Fi) Networks Free Wi-Fi Security Chapter 8: Unauthorized Access and Privacy (PDF).
Articles on Security Free [Windows] Antivirus: Finally Ready for Prime Time by Scott Spanbauer in PC World Magazine January 2004 Ultimate Network Security: How to Install a [Free Windows Software] Firewall Scott Spanbauer in PC World Magazine December 2003 Keep Hackers Out: Part One, Personal Edition by Konstantinos Karagiannis and Matthew D. Sarrel and Keep Hackers Out: Part Two, Professional Edition by Davis D. Janowski and Oliver Kaven November 19, 2002 in PC Magazine Low-Rent IDSes (Intrusion Detection Systems) using Tiny Firewall on Windows. by Marcus J. Ranum in Information Security Magazine October 2002 Cybersecurity and You: Five Tips Every Consumer Should Know by Brian Krebs in The Washington Post 2002 September 17 (I think) Privacy and Security on your PC by David Rittenhouse in ExtremeTech May 28, 2002 Trojans - Combating Nonviral Malware by Jay Heiser in Information Security Magazine May 2002 SOHO Security by Bruce Brown and Marge Brown in ExtremeTech February 27, 2002 Broadband Security by Jon Udell in Byte January 21, 2002 CNET reviews five personal firewalls by Stephen J. Bigelow in CNet October 4, 2001 Personal Firewalls Under Fire by Gary Bahadur in Information Security Magazine July 2001 cover story Internet Insecurity is the July 2 2001 Time magazine cover story Fortress PC by Stan Miastkowski in PC World May 2001 Broadband: Are You Exposed? by Judi Clark of NetAction Don't neglect desktop when it comes to security by Erik Sherman in ComputerWorld September 25, 2000 Personal Firewalls And Local Proxies: Don't Forget Outbound Filtering by Jon Udell in Byte March 13, 2000 Security: Are You Vulnerable? by Jason Levitt and Gregory Smith in InformationWeek February 21, 2000 Personal Internet Firewalls for Windows from Gibson Research Corporation ZDNet:News:Has your PC been hijacked? by Robert Lemos in ZDNet News February 17, 2000 Excite@Home, McAfee make pact for network security by Wylie Wong in CNet News January 31, 2000 Personal firewalls protect stray users by Ken Phillips in PC Week January 24, 2000 Do-It-Yourself Telecommuter Security by Ken Phillips in PC Week September 27, 1999 High-Speed Lines Leave Door Ajar for Hackers by Ian Austen in The New York Times July 8, 1999 Brian Livingston Window Manager Brian Livingston's Window Manager columns from InfoWorld on security for "always on" (cable/xDSL) Internet connections.
New program stops Windows 2000/NT/98 security weaknesses and Trojans for free Feb. 04, 2000 Readers share secrets on how they handle Internet intruders and moles in e-mail Jan. 21, 2000 To protect against Trojan horses, you will need a strong gate as well as a firewall Jan. 10, 2000 'Moles' are one thing, but malicious e-mails are an even worse form of Web abuse Dec. 27, 1999 E-mail and Web 'moles' are getting downright dangerous for your Windows systems Dec. 20, 1999 Internet service providers are starting to fix Windows' gaps in high-speed protection Nov. 8, 1999 Software solutions can provide remedies for Windows security risks lurking on the Internet Nov. 1, 1999 Security appliances offer users protection during 'always on' high-speed access Oct. 25, 1999 High-speed Internet Access can be harmful to your health, and to the health of your PC Oct. 18, 1999 US National Strategy to Secure Cyberspace The final version has been released at http://www.securecyberspace.gov/
A lot of the material in the draft has been removed.
For the purposes of this page, the most relevant section is "Level 1: The Home User and Small Business". (Used to be on page 15 of the draft document.) They suggest 5 steps, of which I think 4 are important:
Use a tough password Maintain an updated anti-virus program Update patches And of course, the most relevant one for this page
Use a firewall As well, the strategy points to many other (US) network resources on security, including:
Stay Safe Online The Federal Trade Commission (FTC) Consumer Information Security initiative, featuring Dewie the e-Turtle, your cybersecurity companion, and Safe at Any Speed (about high-speed connection security). InfraGard The resources they indicate do give useful basic guidelines, but nothing really in the way of detailed technical information. This page tries to provide some of that technical info. Plus I use the term "cyber" a lot less.
Contributing Your Logs For Analysis Although it may not help you in the short term, one way you can participate in improving Internet security is by contributing your logs for analysis by a third party. Of course, you will have to decide for yourself whether you have any privacy or security concerns about this.
SANS has DShield.org The results of the combined analysis for all logs is reported at Incidents.org (the "Internet Storm Center"). MyNetWatchman SecurityFocus DeepSight Analyzer can take logs from many different security tools. Help I'm Being Hacked I sometimes get questions from people who are seeing unusual Internet traffic or experiencing other Internet security problems. Unfortunately, the resources available (that I know of) are mainly targetted at helping companies recover from security breaches, rather than individuals. My main advice is: remain calm. Try to determine if it is a serious (i.e. criminal) problem, or just some unusual network traffic. A good place to start is the FAQ way at the top of this document, it has lots of information that will help you identify most common types of port probes. Here are some other resources:
Network Ice has an article Oh my gosh, I'm being HACKED!!! What do I do now?
SANS has a report on Incident Handling Step by Step but it is mainly targetted at corporate networks dealing with Unix Trojans and related Denial of Service issues. Network Magazine also has an article on Incident Handling that discusses planning, the law and who to contact, and incident response steps.
Reporting Serious Computer Crime If the nature of the problem is cyberstalking or other related personally directed attacks, you can try Wired Patrol.
Other resources you can try are your ISP (Information Service Provider - the company that provides your Internet service), the attacker's ISP, and local law enforcement.
United States Department of Justice: How to Report Internet-Related Crime (part of the www.cybercrime.gov site) also report the incident to CERT however if you are reporting illegal material involving minors then use CyberTipline.com Canada Contact the RCMP. You can find a bit more information in their FAQ. also report the incident to CanCERT however if you are reporting illegal material involving minors then use Cybertip.ca en français Cyberaide.ca European Union Safer Internet if you are reporting illegal material involving minors then see the list of European hotlines or you can go via INHOPE.org You may also be interested in the EU's Internet Action Plan (IAP), of which Safer Internet is a part.
United Kingdom if you are reporting illegal material involving minors then use Internet Watch Foundation Australia I am told contact your local police - they will then refer it on to your states computer crimes unit.
also report the incident to AusCERT if you are reporting illegal material involving minors then use Australian Broadcasting Authority: Complaints Everywhere Else Sorry, I don't know. I would assume local or national policing authorities.
Spam Scams (including Phishing) United States In the US, forward all spam (junk email) to the Federal Trade Commission's collection address for Unsolicited Commercial Email: uce@ftc.gov
Canada In Canada, the main organization set up to deal with phone / snailmail / email fraud is PhoneBusters.
You can forward "Nigerian scams" (advanced fee fraud) to them at the West African Fraud Letter address: wafl@phonebusters.com. For anything else, content them at info@phonebusters.com.
You can read more in the e-mail section of the Scams FAQ from the RCMP.
More Resources Google has an overwhelming list of resources for dealing with Internet abuse in its directory Computers > Internet > Abuse