#1
Banned
Join Date: Jul 2000
Location: Bakersfield,CA
Posts: 7,761
Am I being Scanned or Probed??
About a week ago the Transmit/Receive LED on my cable modem (Toshiba) started flashing like it was constantly receiving or transmitting. The flash is irregular, like when you are using the internet, instead of the rapid regular pulsing you get when you have modem/connection problems. At the same time the WAN Action light on my 4-port Linksys router also flashes in sequence with the modem LED.

I have two computers connected to this router: one (mine) running Win98SE with all the updates, Norton AV (up to date), and was running ZoneAlarm. The other computer is in my daughter's room, running ME, Norton AV, and ZoneAlarm. About fifteen days ago she had a friend over who was using Yahoo Voice Chat and Yahoo Messenger on her computer. After they left I removed all references to these programs from her computer, cleared caches, cookies, and histories. Plus I also updated the AV defs. This computer has not been turned on since that day.

I have run a full system scan with Norton on my machine; on both machines File and Print Sharing are disabled; I uninstalled ZoneAlarm and installed Sygate (I have read of a program that, if it gets on your computer, can disable ZoneAlarm while it appears to be working); I have run F-Prot with nothing found; I have run Steve Gibson's LeakTest and port scan, which showed Stealth on all; I have used Sygate's Port Scan/Stealth Scan/TCP Scan/Trojan Scan, all of which showed ports as Blocked. Additionally, I enabled the router log and it shows no incoming/outgoing packets. The user profile in the router only shows my computer (remember the other one is off). I have also released my IP address without result and renewed it. The cable connection software (Road Runner Mechanic) shows the connection as good. (However, there does seem to be some traffic, as download speeds and packet requests look a little slow.)

My questions: Am I being scanned by a program that got my IP address when the other computer was being used with the voice chat or instant messenger? Am I being scanned with a password cracker (I changed the router password)? Or finally, is it possible for a trojan program to leave no detectable packet activity on a machine and router but still be sending information?
#2
Banned
Join Date: Jul 2000
Location: Bakersfield,CA
Posts: 7,761
OK, so that's what I get for not reading other parts of the forums before posting. It looks like a Code Red problem with Road Runner.
However, here is a list of links that I used during this hunt to look at this problem:
Sygate online scan and free firewall: http://scan.sygatetech.com/
F-Prot freeware: http://www.europe.f-secure.com/downl...se/tools.shtml
Gibson Research: http://grc.com/default.htm
Ad-Aware free spyware scanner/cleaner: http://www.lavasoftusa.com/aaw/aaware.html
Information downloads: http://www.webattack.com/get/sygatefw.shtml and http://www.angelfire.com/art/proxyblind/index2.html
#3
Member (8 bit)
Join Date: Mar 1999
Location: Hampton, Ga., USA
Posts: 138
From what I have read, Win98 was not open to the Code Red variant. You did detect it on yours though?
#4
Banned
Join Date: Jul 2000
Location: Bakersfield,CA
Posts: 7,761
I did not detect it on mine, and that was what caused me to go through all of the searching. The light on the modem was flashing the same as if you were downloading, but my firewall and my router logs showed no activity other than my own.
According to this thread, the flashing LED is caused by Code Red looking for NT and 2000 Server machines. http://forum.pcmech.com/showthread.php?threadid=16116
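The post above attributes the LED activity to Code Red probing for IIS hosts. As an added example, not code from this thread or from any of its posters, here is a small detector that picks Code Red probes out of web-server access-log lines and tallies them per source address. The log lines are constructed for the example; the probe shape they use is the worm's well-known `GET /default.ida?NNN...%u9090%u6858...` request (Code Red I filled with N, Code Red II filled with X, the filler shortened here). A host without IIS, like the Win98 box in the thread, cannot be infected by it, but any web server sitting on the same cable segment would log exactly this.

```python
import re
from collections import Counter, defaultdict

# Constructed Apache-style access-log lines (not taken from the thread).
# The worm requests follow the well-known Code Red shape: a GET for the .ida
# ISAPI extension, a long filler run (N for Code Red I, X for Code Red II),
# then %u-encoded shellcode. Real probes carry 224 filler characters; the
# runs are shortened here to keep the sample readable.
SAMPLE_LOG = """\
24.1.2.3 - - [08/Aug/2001:03:12:44 -0700] "GET /index.html HTTP/1.0" 200 1832
24.55.66.77 - - [08/Aug/2001:03:12:51 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 267
66.12.9.8 - - [08/Aug/2001:03:13:02 -0700] "GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXX%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 267
24.1.2.3 - - [08/Aug/2001:03:13:10 -0700] "GET /images/logo.gif HTTP/1.0" 200 4410
24.55.66.77 - - [08/Aug/2001:03:14:27 -0700] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 404 267
"""

# Common/combined log format: client, ident, user, [timestamp], "request", status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)

# Probe signature: GET /default.ida? followed by a filler run of N or X and
# then the first %uXXXX escape of the shellcode. Eight filler characters is
# enough to match the shortened sample while still rejecting ordinary URLs.
PROBE_RE = re.compile(r'^GET /default\.ida\?(?P<filler>N{8,}|X{8,})%u[0-9a-fA-F]{4}')


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(request):
    """Label a request string as a Code Red I/II probe, or None if it is not one."""
    m = PROBE_RE.match(request)
    if not m:
        return None
    return "Code Red I" if m.group("filler")[0] == "N" else "Code Red II"


def summarize(log_text):
    """Count probes per source address and variant, plus non-probe requests."""
    per_source = defaultdict(Counter)
    normal = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than guessing
        label = classify(rec["req"])
        if label is None:
            normal += 1
        else:
            per_source[rec["src"]][label] += 1
    return {"probes": {src: dict(c) for src, c in per_source.items()},
            "normal": normal}


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for src, variants in result["probes"].items():
        print(f"{src}: {variants}")
    print(f"non-probe requests: {result['normal']}")
```

Any `/default.ida` request at all is worth flagging on a box that does not serve .ida files; the filler-plus-`%u` check just separates the two worm variants from unrelated noise.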
#5
Member (8 bit)
Join Date: Mar 1999
Location: Hampton, Ga., USA
Posts: 138
So instead of infecting your computer, it is just playing with it!
I did some checking on my end and found my cable modem is being constantly bombarded now also. How about the new variant announced yesterday? Is it something that the virus people are missing the boat on, maybe? I mean that it is possible something else is going on with this Code Red that they are missing.
#6
Remember
Join Date: Jun 2001
Location: MO
Posts: 1,478
The best firewall out there for free is Zone Alarm. http://www.zonelabs.com/zap26_za_grid.html
#7
Banned
Join Date: Jul 2000
Location: Bakersfield,CA
Posts: 7,761
Yes, Zone Alarm is the best firewall, but I have read about a trojan that includes a program that disables ZoneAlarm while making the computer user think that all is fine by showing the down/up activity tray icon. Sygate uses the same logic that ZoneAlarm does, but is not susceptible to this trojan. Additionally, Sygate gives you other info that ZoneAlarm doesn't, and it is also free.
#8
Remember
Join Date: Jun 2001
Location: MO
Posts: 1,478
Please find a link to info on this trojan and post it.
#9
Banned
Join Date: Jul 2000
Location: Bakersfield,CA
Posts: 7,761
Here is the reference for the batch file that can be included with a trojan to disable ZoneAlarm. It is my understanding that there is now a batch file that not only uninstalls portions of Zone Alarm and Zone Alarm Pro but also creates a Zone Alarm-type tray icon that is nothing more than a down/up meter, thus leading you to believe that Zone Alarm is still working.
http://www.securityportal.com/pr/pr.20001230142750.html
#10
The Preacher Man
Premium Member
Join Date: Apr 2000
Location: Dallas
Posts: 4,828
Well, that's just great; now there's a debate between two good firewalls. To be expected, following modems, CPUs, Intel vs. AMD, Mickeysoft vs. Mac, and anti-virus programs. However, those were along the lines of Ford vs. Chevy. The trojan spoken about is more than coffee shop banter. Think I'll try it... (Sygate)
__________________
"Don't be so open-minded that your brains fall out."
#11
Banned
Join Date: Jul 2000
Location: Bakersfield,CA
Posts: 7,761
One neat feature of Sygate PE is that the WhoIs/nettrace utility does not open in the same browser window that you were viewing.
#12
Computer Tool
Join Date: May 1999
Location: Springfield, Missouri
Posts: 1,536
FYI, I have the same thing going on here with my cable modem and router. Lights flickering like crazy for the last week or so. I did have some incoming access according to the logs. Corrected that, but the activity on the modem and router continues. @Home must be up to something goofy. I have seen other incidents of this reported on the net lately.
#13
Banned
Join Date: Jul 2000
Location: Bakersfield,CA
Posts: 7,761
For all of you that want to read about the hole in Zone Alarm, you can read it here:
http://neworder.box.sk/showme.php3?id=5364 This site has a lot of info on security and various holes in computer security, and since it is maintained by white hat hackers (good guys who try to find these security flaws and fix them) it can be useful to all, so bookmark it.
#14
Remember
Join Date: Jun 2001
Location: MO
Posts: 1,478
Thanks morriswindgate... v2.6 is not vulnerable according to that article, nor is any version of Zone Alarm running on NT/2000.
-phfat
Last edited by mc2phat; 08-08-2001 at 04:33 AM.
#15
Member (7 bit)
Join Date: Jun 2001
Location: Atlanta GA
Posts: 127
I too have been experiencing a LOT of activity from my cable provider (@Home) for about the last week or so. I am very happy to say that my trusty Linksys BEFSR11 router has been blocking every bit of it. I have 5 PCs connected to the router through a 5-port hub, and there is no activity on the hub side other than when surfing the web, etc. If you can afford it, and have the broadband system to support it, get one! It will let you sleep a lot better at night.
#16
Banned
Join Date: Jul 2000
Location: Bakersfield,CA
Posts: 7,761
The best security investment for the home broadband user is a router with a firewall such as ZoneAlarm Pro (e-mail firewalling) or Sygate PE (free).
The other thing is to change your router's password from the factory defaults. One tip on passwords: most of the blunt force breakers I have seen rely on word lists, and the one thing missing from these lists are "jr", "sr", and ending the password with stuff like "3rd" or "2nd". Most people use numbers a lot of the time but do not add the "rd" or "nd" like you would say it.
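The password tip above rests on what a word list does or does not contain. As an added example (editor's code, not the poster's or any tool's), here is the kind of suffix-rule expansion that word-list crackers apply to every base word, run against a constructed target. The base words, the rule set and the unsalted SHA-256 target are all made up for the demonstration; nothing is stated on this page about how the router actually stores its password. The point it shows is that "jr", "sr" and spoken ordinals such as "2nd" and "3rd" are a few rules on top of any list rather than entries that have to be in it, so they multiply the search by a small constant instead of defeating it.

```python
import hashlib

# Constructed base word list for this example (not from the thread).
BASE_WORDS = ["password", "bakersfield", "linksys"]


def ordinal_suffixes(limit=20):
    """Spoken ordinals 1st, 2nd, 3rd, 4th, ... 11th, 12th, 13th, ... 21st."""
    out = []
    for n in range(1, limit + 1):
        if 10 <= n % 100 <= 20:          # 11th, 12th, 13th, not 11st
            suf = "th"
        else:
            suf = {1: "st", 2: "nd", 3: "rd"}.get(n % 10, "th")
        out.append(f"{n}{suf}")
    return out


# Suffix rules of the kind crackers apply to each base word. "" keeps the
# bare word; the rest cover plain digits plus the endings discussed above.
SUFFIX_RULES = ["", "1", "123", "jr", "sr"] + ordinal_suffixes()


def case_variants(word):
    """Typical casing rules: as-is, Capitalised, UPPER."""
    return [word, word.capitalize(), word.upper()]


def mangle(words, suffixes=SUFFIX_RULES):
    """Yield every (case variant + suffix) candidate once, in a stable order."""
    seen = set()
    for w in words:
        for v in case_variants(w):
            for s in suffixes:
                cand = v + s
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hex, words, suffixes=SUFFIX_RULES):
    """Return the first candidate whose unsalted SHA-256 matches, else None."""
    for cand in mangle(words, suffixes):
        if sha256_hex(cand) == target_hex:
            return cand
    return None


# Constructed target: the kind of password the tip recommends, hashed with an
# unsalted SHA-256 purely so this example can run offline.
TARGET = sha256_hex("Password3rd")


if __name__ == "__main__":
    candidates = list(mangle(BASE_WORDS))
    print(f"{len(BASE_WORDS)} base words -> {len(candidates)} candidates")
    print("recovered:", crack(TARGET, BASE_WORDS))
```

Three base words become 225 candidates here (3 case variants x 25 suffixes each), and the target falls out in one pass. A password that survives this is one built from something that is not a dictionary word in the first place, not one that adds an ending to it.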