LinuxQuestions.org
Old 11-03-2003, 01:01 PM   #1
dave bean
Being hacked - while using Windows :(

Unfortunately, to use the internet I have to use my Windows partition. I have been looking at my firewall logs today and have seen:
- a DoS attack
- an Attacker Seal attack

My firewall dealt with both of these attacks, but I am worried about what I see in the traffic logs. I am continually sending a UDP package to an IP address (always the same) on port 137; the machine then reciprocates a package on 138. The application involved is ntoskrnl.exe.

I'd like to be running Linux when I see things like this happening, but unfortunately I have still to configure Red Hat to my wireless network.

Has anyone heard of a tool that would cause this UDP exchange to occur? What's the best course of action from here?

Thanks
Old 11-03-2003, 01:13 PM   #2
Misel
ZoneAlarm and block the port - or rip out the cable.
Old 11-03-2003, 02:41 PM   #3
dave bean
Thanks, I already blocked it, but I can see in the logs it still keeps attempting to send - even after a reboot. Is this a sign that my machine has already been compromised?
Old 11-03-2003, 02:59 PM   #4
Capt_Caveman
Hard to say. The Windows NetBIOS service runs on port 137, so it could be legitimate traffic. If your machine is part of a network with multiple Windows systems, then you should expect to see lots of it. If you have any doubts whatsoever though, just unplug the machine from the network until you're sure it's clean.

Hopefully you have some type of antivirus software, so make sure your virus definitions are up to date. If they're not, you can download the definitions using another computer and transfer them on a floppy. If you don't have AV, this would be a pretty subtle hint that you should buy one. Then do a scan of your entire system. There are also some freeware trojan detectors that you can find with a Google search.
Old 11-03-2003, 03:13 PM   #5
kidashy
Are you behind a router, or a hardware firewall other than software?

What kind of troubles are you having with your wireless network with Red Hat?
What brand is it?
Hopefully it isn't something like Belkin... :-o but even that is better than nothing.
Old 11-04-2003, 01:36 AM   #6
Robert0380
Almost sounds like msblast.exe.

There is a nice program called Stinger.exe that checks for the more common worms/viruses/trojans and variants. We run it at my job (over 6,000 hosts with public IPs all connected to the internet with no firewall unless the user installs one).

Stinger.exe, ZoneAlarm, Virus Scan (McAfee) and a Mozilla install are our weapons. Most of our problems recently have come from IE letting web pages and banner ads screw around with the file system (oh and file sharing software that comes with all types of malware/spyware/adware).

Here is the link to Stinger: http://vil.nai.com/vil/stinger/ It's from a trusted company (NAI), the same people that make McAfee VirusScan.
Old 11-04-2003, 05:49 AM   #7
dave bean
Thanks, I'll check that out. I ran Spybot but it didn't find anything.

I'm not in a network - only me and the router. I'm behind 3 firewalls: Windows XP wall, router firewall, and a commercial wall. I think I know how to sort out Linux with the internet, it's just a case of downloading some drivers, but I haven't had the chance to do it yet. Kinda chuffed the DoS didn't even touch my system.
Old 11-04-2003, 03:01 PM   #8
Peacedog
The application ntoskrnl.exe is your Windows kernel. If a virus somehow got in and renamed itself or attached itself to the kernel, I'd expect boot problems. With the file protection implemented in Win2k SP2, it could very well be possible.

edited

Felt I should elaborate: the file protection put on sys files with SP2 was put in place to protect the kernel and all sys files. If the kernel is altered, it shows up with a different name and boot.ini is edited to boot from the clean kernel. So in theory the alleged virus could be running and active as ntoskrnl.exe. I'd check my boot.ini file and see what it says; I'd also follow the above recommendations as to anti-virus software. I have not yet, but will, search the security forums on this subject, as they probably have more useful info. Good luck.

Last edited by Peacedog; 11-04-2003 at 07:55 PM.
Old 11-04-2003, 03:17 PM   #9
mossy
mblaster runs on port 135 [unless a variant uses another port].
Old 11-06-2003, 04:12 AM   #10
kidashy
With all the firewalls you have, with the exception of the Windows XP firewall, I'd suspect that you're probably safe. I don't think anyone would have the time to hack into your system unless you seriously made them angry or you have something they just gotta have.
If I understand how long it takes to hack through most routers, you're probably fine.
I would sort out your issues with Linux and the internet ASAP though.
Old 11-06-2003, 04:40 AM   #11
dave bean
That's true, it's hardly worth the effort. But I was reading yesterday that because wireless networks operate on the unlicensed spectrum of 2.4 or 5 GHz, interference by mobile phones and microwaves can cause what appears to be DoS attacks.

I'm thinking the attacks are probably this interference, as only a really stupid hacker would keep DoS'ing my system when it achieves absolutely nothing. You are right about me getting online with Linux - maybe this weekend . . .
Old 11-06-2003, 01:42 PM   #12
mossy
There are many virus variants of the mblaster and it could still possibly be one of those. There is even one that will destroy your DNS [just to annoy you].
Old 12-13-2003, 08:51 PM   #13
ChasidishHarry
Quote: Originally posted by dave bean

> I'm thinking the attacks are probably this interference, as only a really stupid hacker would keep DoS'ing my system when it achieves absolutely nothing. You are right about me getting online with Linux - maybe this weekend . . .

You're probably right.
Old 12-13-2003, 11:01 PM   #14
Capt_Caveman
If it was interference from other wireless devices like phones or microwaves, you wouldn't see packets addressed to port 137 or any port whatsoever. I'm not an electrical engineer, but I don't think your microwave cooks food by sending NetBIOS packets at it. Usually with wireless interference either you get really bad signal degradation, to the point where it brings your network to a crawl, or it overloads that portion of the spectrum and you get something similar to a SYN flood. Either way you wouldn't be seeing structured TCP/IP packets.

I would put my money on a misconfigured system or viral-generated traffic. If you really want to find out, you can get Linux up and turn on tcpdump/Ethereal and take a look at the packets.
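Following up on the tcpdump suggestion, here is a small triage script added as an example (it is not from the thread or any poster). It reads simplified tcpdump-style UDP lines, counts outbound NetBIOS datagrams (ports 137/138) per peer, and separates normal LAN chatter from the pattern the original poster described: repeated traffic to one address outside RFC 1918 space. The log lines, the local host address 192.168.1.20, the peer 203.0.113.77 and the threshold of 3 are all constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed, simplified tcpdump-style lines (not from the thread). 192.168.1.20 is the
# assumed Windows host; 203.0.113.77 stands in for the "always the same" remote address.
SAMPLE_LOG = """\
13:01:02.100000 IP 192.168.1.20.137 > 192.168.1.255.137: UDP, length 50
13:01:05.200000 IP 192.168.1.20.137 > 203.0.113.77.137: UDP, length 50
13:01:05.250000 IP 203.0.113.77.138 > 192.168.1.20.138: UDP, length 201
13:01:10.300000 IP 192.168.1.20.137 > 203.0.113.77.137: UDP, length 50
13:01:10.350000 IP 203.0.113.77.138 > 192.168.1.20.138: UDP, length 201
13:01:15.400000 IP 192.168.1.20.137 > 203.0.113.77.137: UDP, length 50
13:01:20.500000 IP 192.168.1.20.49152 > 192.168.1.1.53: UDP, length 32
"""

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): UDP"
)
NETBIOS_PORTS = {137: "netbios-ns", 138: "netbios-dgm"}
# RFC 1918 ranges: NetBIOS name/datagram traffic is meant to stay inside these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_udp(line):
    """Return (src, sport, dst, dport) for a UDP line, or None for anything else."""
    m = LINE_RE.match(line)
    return None if m is None else (m["src"], int(m["sport"]), m["dst"], int(m["dport"]))

def is_lan(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)

def netbios_findings(log_text, local_host, threshold=3):
    """Count outbound NetBIOS datagrams from local_host per (peer, port) and attach a
    verdict: LAN peers are expected; a remote peer hit >= threshold times is suspicious."""
    outbound = Counter()
    for line in log_text.splitlines():
        rec = parse_udp(line)
        if rec is None:
            continue
        src, _sport, dst, dport = rec
        if src == local_host and dport in NETBIOS_PORTS:
            outbound[(dst, dport)] += 1
    findings = {}
    for (peer, port), n in outbound.items():
        # Broadcast/LAN name queries are normal; the same remote IP over and over is not.
        verdict = "expected-lan" if is_lan(peer) else ("suspicious" if n >= threshold else "remote-low-volume")
        findings[(peer, port)] = {"service": NETBIOS_PORTS[port], "count": n, "verdict": verdict}
    return findings
```

On the sample input the broadcast query to 192.168.1.255 is reported as expected LAN traffic, while the three queries to 203.0.113.77 are flagged as suspicious; the 138 replies and the DNS query are ignored because only outbound NetBIOS datagrams are counted.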