PPRuNe Forums - View Single Post - Have I been hacked?
Old 11th May 2002 | 10:58
Evo7
 
Joined: Apr 2001
Posts: 871
Likes: 0
From: Chichester, UK
(slight edit for clarity)

A 'serious' attempt to hack will scan a range of ports on your machine to determine which ports are open and therefore what the attack options are (and to try and gain information about the software listening on these ports - e.g. the software version), whereas a sweep across a range of IP addresses will generally focus on a single port on each machine just to see if something is active - this is not what I'd call a 'serious' attempt.

A firewall should therefore always go into overdrive if a range of ports is scanned from the same IP address - for example, one of mine (on a moderately sensitive machine) is set up to dump the internet connection if this happens. Receiving a number of 'broken' TCP packets in a short time (which could correspond to a stealthed scan) can also trigger this response - even if the IP address is different on each packet, as the IP address can easily be spoofed.

A firewall will normally log any port scan (unless told not to), and will also issue an alert if it corresponds to a known danger. For example, a scan on port 7215 corresponds to a port number that SubSeven is known to listen on, and this will probably trigger an alert - I suspect that ZoneAlarm is referring to this kind of activity as a 'serious' attempt, as even if you are running a server there is no innocent reason for trying to connect to this port (whereas an attempt to connect on ports 23 or 80 could be perfectly innocent). It's very unlikely that you are getting 10+ of what I'm calling a 'serious' attack each day.

If you're interested, go and get nmap and set it up on your home network. Try scanning your firewalled machine yourself (pointing nmap at the IP address 127.0.0.1 will work fine), and have a play with some of the stealth-scan options (turning the firewall off is also useful, as it tells you what services your computer is offering to the outside world) - this is by far the best way of finding out what your firewall can really do. BTW, this is a similar, but much more thorough, version of what GRC.COM offer.

Last edited by Evo7; 11th May 2002 at 11:31.
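The three firewall triggers described in the post above, sketched as detection logic over firewall events. This is an added example, not part of the original post and not any firewall's actual code; the event format, thresholds and sample events are constructed assumptions, and port 7215 is the one the post names.

```python
from collections import defaultdict, deque

KNOWN_TROJAN_PORTS = {7215: "SubSeven"}  # port named in the post
SCAN_PORTS = 5        # assumed: distinct ports from one source that count as a scan
MALFORMED_COUNT = 4   # assumed: 'broken' packets, from any source, that count as a burst
WINDOW = 10.0         # assumed: sliding window in seconds

# Constructed events: (seconds, source IP, destination port, TCP flags as letters)
EVENTS = [
    (0.0, "198.51.100.7", 80, "S"),   # one ordinary connection attempt
    (1.0, "203.0.113.9", 21, "S"), (1.2, "203.0.113.9", 22, "S"),
    (1.4, "203.0.113.9", 23, "S"), (1.6, "203.0.113.9", 25, "S"),
    (1.8, "203.0.113.9", 80, "S"),    # fifth distinct port from the same source
    (5.0, "192.0.2.50", 7215, "S"),   # probe of a known trojan port
    (20.0, "192.0.2.1", 135, ""), (20.5, "192.0.2.2", 139, "F"),
    (21.0, "192.0.2.3", 445, "FPU"), (21.5, "192.0.2.4", 1433, "SF"),
]

def is_malformed(flags):
    """Flag sets a normal TCP stack does not send: none, SYN+FIN, FIN without ACK."""
    f = set(flags)
    return not f or {"S", "F"} <= f or ("F" in f and "A" not in f)

def detect(events):
    alerts, reported = [], set()
    ports_by_src = defaultdict(deque)  # source -> (time, port) seen inside the window
    malformed = deque()                # times of malformed packets, source ignored
    for t, src, port, flags in sorted(events):
        if port in KNOWN_TROJAN_PORTS:
            alerts.append((t, "trojan-port", src))
        q = ports_by_src[src]
        q.append((t, port))
        while t - q[0][0] > WINDOW:
            q.popleft()
        if len({p for _, p in q}) >= SCAN_PORTS and src not in reported:
            reported.add(src)
            alerts.append((t, "port-scan", src))
        if is_malformed(flags):
            # Counted across all sources, because the source address can be spoofed.
            malformed.append(t)
            while t - malformed[0] > WINDOW:
                malformed.popleft()
            if len(malformed) >= MALFORMED_COUNT and "malformed" not in reported:
                reported.add("malformed")
                alerts.append((t, "malformed-burst", None))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

A sweep that touches only one port per machine produces no alert here, which matches the distinction the post draws between a sweep and a scan.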