ISP woes


HelenD
22nd Jan 2004, 05:52
I am wondering if anyone can help. My ISP has twice emailed me to say my account has been used for port scanning, but I can't see how, for the following reasons:
1) All 3 PCs here connect through a Netgear Router. I have blocked the following within its firewall: all UDP traffic inbound and outbound. Ports 135 to 139 and ports 445 and 8998 are blocked in both directions.
2) The router password was changed before it went online to a long password with numbers and upper and lower case. The wireless side has the SSID set to not broadcast and its name has been changed. On top of this WEP is enabled and restricted to a set MAC address.
3) All PCs run ZoneAlarm and up-to-date Norton 2004 Antivirus.
4) I do not log on to the XP PC via an administrator share unless I really have to.
5) All PCs have password access and all passwords are long with numbers in. No passwords for the XP machine, Router or wireless access point are written down; in fact my husband does not know the passwords. My ISP is BTopenworld - I now have the BTyahoo option.
6) All PCs are switched off when not in use; only the router is left on.

If anyone has any ideas as to how I can prove my account is not carrying out port scanning, or can suggest how it could be with the security I have in place, I would be grateful. Also, if there is anything lacking with my security I would be open to suggestions.

The Nr Fairy
22nd Jan 2004, 06:00
A couple of questions:

1. Are you POSITIVE there's no non-standard (i.e. not installed yourself) software on the PCs ?

2. Although it won't make any difference, when your Netgear box connects does it use a fixed IP, or get a WAN-side DHCP address ?

3. Suggestion - put a Sniffer or similar (maybe MS Netmon, Ethereal) on the link on an Ethernet port and see if there's any port scanning traffic going out.

4. Get verification - by letter or telephone - from your ISP that it is indeed your account being used. Get times/dates of the alleged scanning, and try to collate it with times you're using the computers.

As far as your security goes, you seem to have it covered. To ensure it's not rogue software I suppose you could block ALL outbound traffic except port 80 and any other required ports - that way you can conclusively tell the ISP it's not your machines.
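Point 4 above (and the later advice in this thread to compare the ISP's timestamps against the times the PCs were actually on) is easy to get wrong if the ISP reports in UTC and the household notes times by the wall clock. The following is an added example, not code from anyone in this thread: it takes constructed ISP incident times in UTC, constructed PC on/off sessions noted in local time (Europe/London, so GMT in January and BST in July), and lists which PCs were switched on at each incident. The PC names, times and the five-minute slack for clock drift are all invented for the example.

```python
from datetime import datetime, timedelta
from zoneinfo import ZoneInfo  # Python 3.9+, needs system tz data

LOCAL = ZoneInfo("Europe/London")
UTC = ZoneInfo("UTC")

# Constructed: incident times as an ISP abuse desk might report them, in UTC.
ISP_INCIDENTS_UTC = [
    "2004-01-19 21:40:00",
    "2004-01-20 03:15:00",
    "2004-07-10 21:40:00",
]

# Constructed: when each PC was switched on, noted in local wall-clock time.
# In January London is on GMT (UTC+0); in July it is on BST (UTC+1), so a
# naive comparison of the July entries would give the wrong answer.
PC_SESSIONS_LOCAL = {
    "XP-desktop": [
        ("2004-01-19 19:00", "2004-01-19 23:30"),
        ("2004-07-10 22:30", "2004-07-10 23:30"),
    ],
    "laptop-wifi": [
        ("2004-01-19 21:00", "2004-01-19 22:00"),
        ("2004-01-20 08:00", "2004-01-20 09:00"),
        ("2004-07-10 21:00", "2004-07-10 22:00"),
    ],
    "kids-pc": [],
}


def parse_utc(s):
    """ISP timestamp -> timezone-aware datetime in UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)


def parse_local(s):
    """Household timestamp -> timezone-aware datetime in local time.
    zoneinfo works out whether that date was GMT or BST."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=LOCAL)


def candidates(incident_utc, sessions, slack=timedelta(minutes=5)):
    """Return the PCs whose sessions overlap the incident time.
    `slack` allows for PC clocks that are not NTP-synchronised."""
    t = parse_utc(incident_utc)
    hits = []
    for pc, sess in sessions.items():
        for start, end in sess:
            # Comparing aware datetimes converts both sides to UTC implicitly.
            if parse_local(start) - slack <= t <= parse_local(end) + slack:
                hits.append(pc)
    return sorted(hits)


def correlate(incidents, sessions):
    """Map each reported incident to the list of PCs that were on at the time.
    An empty list is itself a finding: nothing in the house was on."""
    return {inc: candidates(inc, sessions) for inc in incidents}


if __name__ == "__main__":
    for inc, pcs in correlate(ISP_INCIDENTS_UTC, PC_SESSIONS_LOCAL).items():
        print(f"{inc} UTC -> {pcs or 'no PC was on (router only)'}")
```

An incident that lands when no PC was on narrows the problem to the router itself, a device piggy-backing on the wireless LAN, or something outside the house (a stolen login or a spoofed address). The July case shows why the timezone handling matters: the laptop session ends at 22:00 BST, which is 21:00 UTC, so it does not overlap a 21:40 UTC incident even though the wall-clock numbers look close.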

Naples Air Center, Inc.
22nd Jan 2004, 06:28
HelenD,

With Wireless anything is possible. Remember if you can buy the router off the shelf, so can the hacker. There are ways around the security of any wireless router.

If you know the frequency your account is being used to port sniff, try going wired for a little while to see if the problem goes away.

Now if it is in fact, just your Account and not the location where you currently live, then have BT Internet close the account and issue you a new one with a new password.

Take Care,

Richard

RadarContact
22nd Jan 2004, 20:34
You might want to double-check (if not already done) with your ISP that these complaints are genuine in the first place...

RomeoTangoFoxtrotMike
22nd Jan 2004, 20:53
HelenD,

Only time for a few brief remarks right now (I'm assuming that you are on broadband).

As Richard says, breaking WEP is a lot easier than people think; but first...

1. Get detailed logs of the activity from BT. See if you can correlate them with periods when you either were or were not using your PCs. (It would be helpful if you could ensure that your PCs' clocks are synchronised with UTC so that timestamps in logfiles between you and BT can be meaningfully compared. This is easy with the NTP protocol -- but BT doesn't seem to offer a publicly or even customer-only accessible NTP server -- perhaps you could ask them about that?)

2. Does your router provide hubbed or switched ports ? If it's a hub, you can use sniffer s/w like ethereal or Packetyzer (http://www.networkchemistry.com/products/packetyzer/) to see what's going on -- this will be more difficult if you have a switch.

3. Again, as alluded to by Richard, try switching your router off when you are not using it to see if the problem goes away.

Possibly more later ... :rolleyes:
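Point 2 above, and the earlier suggestion to put a sniffer on the link, both come down to the same question: does any machine on the LAN send traffic that looks like a scan? The following is an added example, not code from anyone in this thread. It parses a constructed, simplified export of outbound connections (one line per connection: timestamp, LAN source, destination, protocol, destination port; a real Ethereal or router log would need its own parser) and flags a source that touches many distinct ports on one host, or one port on many hosts, within a short window. The addresses, thresholds and window are invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line format for this example; a real capture would be converted
# into it (or the regex adapted) before being fed to parse_log().
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+) -> (?P<dst>[\d.]+) (?P<proto>TCP|UDP) (?P<dport>\d+)$"
)


def _build_sample_log():
    """Constructed sample: one benign browser, one machine probing many ports
    on a single host, one machine probing one port across many hosts."""
    base = datetime(2004, 1, 20, 22, 14, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = []
    for i, port in enumerate([80, 443, 80, 110]):          # normal browsing/mail
        t = base + timedelta(seconds=7 * i)
        lines.append(f"{t:{fmt}} 192.168.0.2 -> 203.0.113.5 TCP {port}")
    for i, port in enumerate([21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3389]):
        t = base + timedelta(seconds=i)                      # 12 ports in 12 s
        lines.append(f"{t:{fmt}} 192.168.0.4 -> 198.51.100.9 TCP {port}")
    for i in range(11):                                      # port 445 on 11 hosts
        t = base + timedelta(seconds=30 + i)
        lines.append(f"{t:{fmt}} 192.168.0.3 -> 198.51.100.{10 + i} TCP 445")
    return "\n".join(lines)


SAMPLE_LOG = _build_sample_log()


def parse_log(text):
    """Return a list of (time, src, dst, proto, dport); unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       m["src"], m["dst"], m["proto"], int(m["dport"])))
    return events


def _windowed_distinct(timed_values, window):
    """Largest number of distinct values seen within any interval of length `window`."""
    timed_values = sorted(timed_values)
    best = 0
    for i, (t_start, _) in enumerate(timed_values):
        seen = set()
        for t, value in timed_values[i:]:
            if t - t_start > window:
                break
            seen.add(value)
        best = max(best, len(seen))
    return best


def find_scanners(events, window=timedelta(seconds=60),
                  port_threshold=10, host_threshold=10):
    """Flag sources that look like they are scanning.
    'vertical'  : many distinct ports on one destination host.
    'horizontal': one destination port across many hosts."""
    by_src_dst = defaultdict(list)    # (src, dst)   -> [(t, dport)]
    by_src_port = defaultdict(list)   # (src, dport) -> [(t, dst)]
    for t, src, dst, _proto, dport in events:
        by_src_dst[(src, dst)].append((t, dport))
        by_src_port[(src, dport)].append((t, dst))

    findings = []
    for (src, dst), lst in by_src_dst.items():
        n = _windowed_distinct(lst, window)
        if n >= port_threshold:
            findings.append({"src": src, "kind": "vertical", "target": dst, "count": n})
    for (src, dport), lst in by_src_port.items():
        n = _windowed_distinct(lst, window)
        if n >= host_threshold:
            findings.append({"src": src, "kind": "horizontal", "target": dport, "count": n})
    return findings


def suspect_hosts(log_text):
    """LAN addresses worth looking at closely, from a log in the constructed format."""
    return sorted({f["src"] for f in find_scanners(parse_log(log_text))})


if __name__ == "__main__":
    for f in find_scanners(parse_log(SAMPLE_LOG)):
        print(f"{f['src']}: {f['kind']} scan, {f['count']} distinct targets -> {f['target']}")
```

On a switched router the sniffing PC only sees its own traffic plus broadcasts, which is the difficulty point 2 mentions; the usual workarounds are a hub or a mirror port between the router and the suspect PC, or running the capture on each PC in turn. Whichever way the log is gathered, the thresholds above are deliberately coarse: a handful of ports in a minute is normal, a dozen within seconds on one host is not.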

HelenD
23rd Jan 2004, 02:19
Thanks for the advice. I will try to answer all your queries honestly.
As much as I would like to say that I am positive that all programs on the system are installed by me, I feel I can't, because I don't know how many of the executables that I don't recognise are part of the standard Windows operating systems. Everything on the Add/Remove Programs menu I do recognise and could vouch for.
The ISP assigns the IP dynamically using WAN-side DHCP, I believe.
Only 1 PC uses the wireless side and that cannot really go wired because it is 30 m away from the router and through many walls, including outside ones.
The Router ports are switched. I could switch off my router but I would have to remind the other half to switch it on if he wants Internet access while I am out.
I have asked my ISP for dates/times and ports being used and they have provided nothing to help me prove or disprove that my equipment could be at fault. In fact when I decided to stop logging incoming traffic I got next to nothing on the log produced, i.e. it took over a week for the log to half fill up. With logging inbound traffic I usually get 6 or so filled log reports a day.

Naples Air Center, Inc.
23rd Jan 2004, 02:48
HelenD,

If you need to have the third computer networked, you could get a 100 ft cable and wire it up. (It would be unsightly but it will do the job for testing.) Then turn off the wireless side.

The only question you need answered is where the attacks originated from. We know your account was used but we do not know the physical location the attacks originated from. If your ISP and telephone company are one and the same, it should be easy for them to answer that question.

Take Care,

Richard

RomeoTangoFoxtrotMike
23rd Jan 2004, 05:34
Helen,

We need to establish whether the alleged scanning is coming from one of your machines (either because it has some "unauthorised" software on it, or because somebody has actually managed to take control of it -- unlikely but possible) or whether it's coming from a third-party machine which is able to piggy-back onto your wifi connection.

In any case, as I'm sure you are aware, you should run a full anti-virus scan across all your machines to check for backdoor software.

If there is any kind of pattern to the alleged abuse, you should try to switch WiFi off at least at these times to eliminate that possibility.

Your ISP really should provide you with detailed logs to work from :hmm:

Hope this helps some.

Memetic
24th Jan 2004, 08:03
Just to add another possibility (for the paranoid!): ask the ISP if they can prove someone was not spoofing your IP address.

nmap for example lets decoy IP addresses be specified, so if your IP is in someone's decoy list you could be getting blamed for their activity.

This is an extract from the nmap manual page:

"-D <decoy1 [,decoy2][,ME],...>
Causes a decoy scan to be performed which makes it appear to the remote host that the host(s) you specify as decoys are scanning the target network too. Thus their IDS might report 5-10 port scans from unique IP addresses, but they won’t know which IP was scanning them and which were innocent decoys. While this can be defeated through router path tracing, response-dropping, and other "active" mechanisms, it is generally an extremely effective technique for hiding your IP address."

RomeoTangoFoxtrotMike
26th Jan 2004, 21:31
HelenD, Memetic,

I'm assuming (dangerous, I know) that you are using the term "account" as synonymous with "ADSL connection". If both of those assumptions are not true, we need to start over. If my assumptions are correct, then your ISP is asserting that "naughty traffic" is coming from your connection. We now are back at the point where we need your ISP's logs (showing not just IP addresses, but also the authentication records from their RADIUS server.) Another assumption: is your phone from BT?

What we're trying to do is differentiate between the following 3 possibilities.

1) It's really you -- by that I mean one of your PCs, either inadvertently (e.g. virus), maliciously (i.e. somebody's taken control of your PC) or because they're piggy-backing onto your wireless LAN.

2) It just looks like you -- because somebody has guessed/stolen your authentication tokens and is logging in from somewhere else as you.

3) It isn't you at all. Somebody is spoofing your IP address from somewhere completely different.

HelenD
27th Jan 2004, 01:57
RTFM - the following is what BT wrote to me:

"A complaint was received regarding a BT customer carrying out unauthorised port scans on other internet users. The account that these scans took place from was identified as belonging to you. You may not be aware that your account has been misused in this way, and we hope that the following information will help you make sure that your account details and computer are secure and protected. Port scanning is the general term given when one user 'scans' another internet user's PC. This port scan can be used to attempt to gain unauthorised access to the user's computer with a view to copying private information or causing damage of some sort. This activity is a breach of the BT Terms & Conditions.

There are several possible reasons for the port scan attack being detected from your account, including:

1 - Someone who has physical (or remote) access to your computer has carried out this activity, possibly gaining access via incorrectly set-up software.

2 - Someone has accessed your machine without authorisation to carry out this activity.

3 - Your account details have been compromised and are in use by an unauthorised third party.

4 - Your computer has a virus or trojan which has allowed unauthorised access.

In any of the possibilities above it is ultimately your responsibility to make sure that your account details are kept secure.

We recommend installing a firewall to prevent unauthorised remote access to your computer and a virus checker to remove any viruses from your computer. (Some viruses can allow other users to access your computer without your knowledge.) You should also change your primary account password immediately. If you're a BT Business customer, you can change your password online via the Member's Area at
http://www.btopenworld.com/business

In addition, we offer the Internet Security Pack for our Business customers - a firewall and virus protection product. The Internet Security Pack stops detected viruses entering your PC via email, instant messaging and peer-to-peer file exchanges. You're also protected while you view internet pages, download software or files, and load software from CDs or floppy disks. Its firewall functionality helps to protect you from 'hackers' who may try and gain access to your PC to look at any confidential business information including company credit card and bank account details, business plans, research data, etc. The Internet Security Pack is paid for by monthly subscription and includes automatic updates to combat the latest viruses. For more details, please go to
http://www.abuse-guidance.com/broadband/forwork/solutions/internet_security.html

Finally, if you do believe that your computer has been accessed without your permission then you should ask your local police to investigate the matter for you."

I already had in place most if not all of what they suggested. I have since changed my account password to another secure password. Our phone is from BT as well. I have asked twice for the logs from BT and they have yet to provide them, so it appears I am stuck until they provide them. Once I have the times I would have a good idea which PC would need looking at closely. All virus scans have revealed nothing.
I suspect that unless someone has just reported my IP for no reason at all, your second or 3rd reasons are most likely, and both would be out of my control to prevent.
I have since blocked all outgoing ports on the firewall save those I really need, so I am making a big effort to tighten up security here as best as I can. I do know that what I have in place is stronger than many home users have.

Naples Air Center, Inc.
27th Jan 2004, 02:42
HelenD,

"Finally, if you do believe that your computer has been accessed without your permission then you should ask your local police to investigate the matter for you."

Oh yeah, that will do a lot of good. I am sure the police have nothing better to do. :rolleyes:

Since it is your account, then changing your password was a very good move. I do not understand why BT does not reply with the location the attack originated from.

Take Care,

Richard