Personal Hack Attack

greenspun.com : LUSENET : TB2K spinoff uncensored : One Thread

A couple of days ago my computer started running REAL SLOW while I was browsing posts on this august forum. I looked at the indicator light and it was flashing at a rapid rate. The machine was effectively incapacitated. This went on for several minutes, whereupon I zapped my internet connection. The flashing continued for a short time and then stopped. I had to kill my Netscape 3.1 session to clear the machine because it seemed to be locked up. Nothing like this has ever happened to me before, and I haven't installed any new software lately, either. It happened once or twice on Tuesday, a few more times on Wednesday, and finally this morning when I had barely started my browsing. It's not my McAfee Virus Scan running. Finally out of desperation, I downloaded McAfee's personal firewall and installed it. Since then, I have had no more problems. I'm wondering if someone was scanning the IP addresses at my ISP and then hacking into my system and downloading files. Any ideas on this?

BTW a friend in Idaho who acts as an ISP for some of his customers had his server under DNS attack about a month ago. He somehow changed all the IP addresses and left the hacker pinging a dead address, but it was a royal pain in the posterior!

-- Flash (flash@flash.hq), May 18, 2000

Answers

bummer, dude!

-- LL is nutz! nutz! nutz! nutz! (nutz@nutz.nutz.nutz.nutz), May 18, 2000.

Flash,

I don't know shit about these freekin boxes, but I will admit to having a stinking feeling about some stuff that I will remain nebulous about, concerning just how open to inquiry we may be without knowing it.

I keep nada important on this thing, net and game stuff mostly, I do NO online banking, no paying bills, etc with my PC because I don't understand it 100% from top to bottom inside and out. Standing in line at the bank to make a deposit I understand, but then again, mebbe I'm nuts.

-- Uncle Deedah (unkeed@yahoo.com), May 18, 2000.


Sounds like you just got locked up Flash. Do you leave Java on? That crashes me every time. With all the netbanners (doubleclick.com -gawd I hate them) you'll find constant activity while just sitting there doing nothing.

I recommend ZoneAlarm from grc.com for a good cheap firewall for home use. It's FREE and light. Doesn't take up a lot of CPU usage. Do you have an old computer? Netscape 3.1 is pretty old.

If you're wondering if someone is hacking you, the quick and easy way to find out is:

Open a DOS box (ms-dos prompt) and type "netstat -an" (without the quotes and a space after netstat)

It will give you the local address of your computer in the left hand column. It will tell you what ports are open on your computer in that column.

In the righthand column, it will tell you the IP # of who is connected to your computer for that port. If you see ports 12345, 12346, 31337 open in the local address column on the left, you could have a trojan and hacker problem.

There are a ton of other ports to watch, but those should give you the most common hacker holes. Here are some of the ports that are common for hackers:

port 2 - Death
port 21 - Back Construction, Blade Runner, Doly Trojan, Fore, FTP trojan, Invisible FTP, Larva, Net Administrator, Senna Spy FTP Server, WebEx, WinCrash
port 23 - Tiny Telnet Server, Truva Atl
port 25 - Ajan, Antigen, Email Password Sender, Haebu Coceda (Naebi), Happy 99, Kuang2, NewApt, ProMail trojan, Shtrilitz, Stealth, Tapiras, Terminator, WinPC, WinSpy
port 31 - Agent 31, Hackers Paradise, Masters Paradise
port 41 - DeepThroat
port 48 - DRAT
port 50 - DRAT
port 59 - DMSetup
port 79 - Firehotcker
port 80 - Executor, Hooker, RingZero
port 99 - Hidden Port
port 110 - ProMail trojan
port 113 - Kazimas
port 119 - Happy 99
port 121 - JammerKillah
port 123 - Net Controller
port 146 - Infector
port 146 (UDP) - Infector
port 421 - TCP Wrappers
port 456 - Hackers Paradise
port 531 - Rasmin
port 555 - Ini-Killer, NeTAdministrator, Phase Zero, Stealth Spy
port 605 - Secret Service
port 666 - Attack FTP, Back Construction, Satanz Backdoor, ServeU
port 777 - Aim Spy
port 911 - Dark Shadow
port 999 - DeepThroat, WinSatan
port 1000 - Der Spacher 3
port 1001 - Der Spacher 3, Silencer, WebEx
port 1010 - Doly Trojan
port 1011 - Doly Trojan
port 1012 - Doly Trojan
port 1015 - Doly Trojan
port 1020 - Vampire
port 1024 - NetSpy
port 1042 - Bla
port 1045 - Rasmin
port 1050 - MiniCommand
port 1080 - WinHole
port 1090 - Xtreme
port 1095 - RAT
port 1097 - RAT
port 1098 - RAT
port 1099 - RAT
port 1170 - Psyber Stream Server, Streaming Audio trojan, Voice
port 1200 (UDP) - NoBackO
port 1201 (UDP) - NoBackO
port 1207 - SoftWAR
port 1234 - Ultors Trojan
port 1243 - BackDoor-G, SubSeven, SubSeven Apocalypse
port 1245 - VooDoo Doll
port 1269 - Mavericks Matrix
port 1313 - NETrojan
port 1349 (UDP) - BO DLL
port 1492 - FTP99CMP
port 1509 - Psyber Streaming Server
port 1600 - Shivka-Burka
port 1807 - SpySender
port 1969 - OpC BO
port 1981 - Shockrave
port 1999 - BackDoor, TransScout
port 2000 - Der Spaeher 3, Insane Network, TransScout
port 2001 - Der Spaeher 3, TransScout, Trojan Cow
port 2002 - TransScout
port 2003 - TransScout
port 2004 - TransScout
port 2005 - TransScout
port 2023 - Ripper
port 2115 - Bugs
port 2140 - Deep Throat, The Invasor
port 2155 - Illusion Mailer
port 2283 - HVL Rat5
port 2300 - Xplorer
port 2565 - Striker
port 2583 - WinCrash
port 2600 - Digital RootBeer
port 2716 - The Prayer
port 2773 - SubSeven
port 2801 - Phineas Phucker
port 3024 - WinCrash
port 3128 - RingZero
port 3129 - Masters Paradise
port 3150 - Deep Throat, The Invasor
port 3456 - Terror Trojan
port 3459 - Eclipse 2000
port 3700 - Portal of Doom
port 3791 - Eclypse
port 3801 (UDP) - Eclypse
port 4092 - WinCrash
port 4242 - Virtual Hacking Machine
port 4321 - BoBo
port 4567 - File Nail
port 4590 - ICQTrojan
port 5000 - Bubbel, Back Door Setup, Sockets de Troie
port 5001 - Back Door Setup, Sockets de Troie
port 5011 - One of the Last Trojans (OOTLT)
port 5031 - NetMetropolitan
port 5321 - Firehotcker
port 5400 - Blade Runner, Back Construction
port 5401 - Blade Runner, Back Construction
port 5402 - Blade Runner, Back Construction
port 5550 - Xtcp
port 5512 - Illusion Mailer
port 5555 - ServeMe
port 5556 - BO Facil
port 5557 - BO Facil
port 5569 - Robo-Hack
port 5637 - PC Crasher
port 5638 - PC Crasher
port 5742 - WinCrash
port 6000 - The Thing
port 6272 - Secret Service
port 6400 - The Thing
port 6667 - ScheduleAgent
port 6669 - Host Control, Vampyre
port 6670 - DeepThroat
port 6711 - SubSeven
port 6712 - SubSeven
port 6713 - SubSeven
port 6771 - DeepThroat
port 6776 - 2000 Cracks, BackDoor-G, SubSeven
port 6912 - Shit Heep (not port 69123!)
port 6939 - Indoctrination
port 6969 - GateCrasher, Priority, IRC 3
port 6970 - GateCrasher
port 7000 - Remote Grab, Kazimas, SubSeven
port 7215 - SubSeven
port 7300 - NetMonitor
port 7301 - NetMonitor
port 7306 - NetMonitor
port 7307 - NetMonitor
port 7308 - NetMonitor
port 7789 - Back Door Setup, ICKiller
port 8080 - RingZero
port 8787 - Back Orifice 2000
port 8897 - HackOffice
port 8989 - Rcon
port 9400 - InCommand
port 9872 - Portal of Doom
port 9873 - Portal of Doom
port 9874 - Portal of Doom
port 9875 - Portal of Doom
port 9876 - Cyber Attacker
port 9878 - TransScout
port 9989 - iNi-Killer
port 9999 - The Prayer
port 10067 (UDP) - Portal of Doom
port 10086 - Syphillis
port 10101 - BrainSpy
port 10167 (UDP) - Portal of Doom
port 10520 - Acid Shivers
port 10607 - Coma
port 10666 (UDP) - Ambush
port 11000 - Senna Spy
port 11050 - Host Control
port 11223 - Progenic trojan, Secret Agent
port 12076 - Gjamer
port 12223 - Hack499 KeyLogger
port 12345 - GabanBus, NetBus, Pie Bill Gates, X-bill
port 12346 - GabanBus, NetBus, X-bill
port 12349 - BioNet
port 12361 - Whack-a-mole
port 12362 - Whack-a-mole
port 12623 (UDP) - DUN Control
port 12631 - WhackJob
port 13000 - Senna Spy
port 16484 - Mosucker
port 16772 - ICQ Revenge
port 16969 - Priority
port 17300 - Kuang2 The Virus
port 17777 - Nephron
port 19864 - ICQ Revenge
port 20001 - Millennium
port 20034 - NetBus 2 Pro
port 20203 - Chupacabra, Logged
port 20331 - Bla
port 21544 - GirlFriend
port 22222 - Prosiak
port 23456 - Evil FTP, Ugly FTP, Whack Job
port 23476 - Donald Dick
port 23477 - Donald Dick
port 26274 (UDP) - Delta Source
port 27374 - SubSeven
port 27573 - SubSeven
port 29891 (UDP) - The Unexplained
port 30029 - AOL Trojan
port 30100 - NetSphere
port 30101 - NetSphere
port 30102 - NetSphere
port 30303 - Sockets de Troie
port 30999 - Kuang2
port 31336 - Bo Whack
port 31337 - Baron Night, BO client, BO2, Bo Facil
port 31337 (UDP) - BackFire, Back Orifice, DeepBO
port 31338 - NetSpy DK
port 31338 (UDP) - Back Orifice, DeepBO
port 31339 - NetSpy DK
port 31666 - BOWhack
port 31785 - Hack4a4Tack
port 31787 - Hack4a4Tack
port 31788 - Hack4a4Tack
port 31789 (UDP) - Hack4a4Tack
port 31791 (UDP) - Hack4a4Tack
port 31792 - Hack4a4Tack
port 32418 - Acid Battery
port 33333 - Prosiak
port 33911 - Spirit 2001a
port 34324 - BigGluck, TN
port 34555 (UDP) - Trinoo
port 35555 (UDP) - Trinoo
port 37651 - YAT
port 40412 - The Spy
port 40421 - Agent 40421, Masters Paradise
port 40422 - Masters Paradise
port 40423 - Masters Paradise
port 40426 - Masters Paradise
port 47262 (UDP) - Delta Source
port 50505 - Sockets de Troie
port 50766 - Fore, Schwindler
port 52317 - Acid Battery 2000
port 53001 - Remote Windows Shutdown
port 54283 - SubSeven
port 54320 - Back Orifice 2000
port 54321 - School Bus
port 54321 (UDP) - Back Orifice 2000
port 57341 - NetRaider
port 60000 - Deep Throat
port 61348 - Bunker-Hill
port 61466 - Telecommando
port 61603 - Bunker-Hill
port 63485 - Bunker-Hill
port 65000 - Devil
port 65432 - The Traitor
port 65432 (UDP) - The Traitor
port 65535 - RC

hope it formatted ok. These ports are on the local address side (left column) If they are open, investigate further. The list is 2/99 so some may be obsolete.



-- (doomerstomper@usa.net), May 18, 2000.
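As an added example (not from this thread, and not a tool any of the posters used), here is a small Python script that does what the netstat -an advice above describes by hand: it parses the command's output, keeps only the sockets that actually accept inbound traffic (LISTENING TCP rows and UDP rows), and matches the local port against a subset of the port table above. The netstat output it runs on is constructed. A port-number match is a hint, not a verdict: the list itself notes that the numbers can change, and legitimate software can sit on any of them.

```python
from __future__ import annotations

import re
import sys
from dataclasses import dataclass

# Small subset of the trojan-port table posted above (numbers as listed there).
# Assumption: a hit is a reason to look closer, never proof of infection.
TROJAN_PORTS = {
    ("TCP", 1243): "SubSeven / BackDoor-G",
    ("TCP", 12345): "NetBus / GabanBus",
    ("TCP", 12346): "NetBus / GabanBus",
    ("TCP", 20034): "NetBus 2 Pro",
    ("TCP", 27374): "SubSeven",
    ("TCP", 31337): "Back Orifice client / BO2 / Bo Facil",
    ("UDP", 31337): "Back Orifice / BackFire / DeepBO",
    ("UDP", 54321): "Back Orifice 2000",
}

# One row of Windows `netstat -an`: "TCP  0.0.0.0:135  0.0.0.0:0  LISTENING".
# UDP rows carry no State column, hence the optional last group.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Sock:
    proto: str
    local_addr: str
    local_port: int
    remote: str
    state: str  # "" for UDP rows


def parse_netstat(text: str) -> list[Sock]:
    """Turn `netstat -an` text into Sock rows; header and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            proto, laddr, lport, remote, state = m.groups()
            rows.append(Sock(proto, laddr, int(lport), remote, state or ""))
    return rows


def suspicious_listeners(rows: list[Sock]) -> list[tuple[Sock, str]]:
    """Sockets that accept inbound traffic on a port from TROJAN_PORTS.

    Only LISTENING TCP sockets and UDP sockets qualify: an ESTABLISHED
    connection whose *remote* end is 31337 is this machine talking out to
    some server, not a backdoor listening here.
    """
    hits = []
    for s in rows:
        accepting = s.proto == "UDP" or s.state == "LISTENING"
        name = TROJAN_PORTS.get((s.proto, s.local_port))
        if accepting and name:
            hits.append((s, name))
    return hits


# Constructed sample output; the addresses are made up.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:12345          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1034       216.239.35.100:80      ESTABLISHED
  TCP    192.168.1.5:1035       10.9.8.7:31337         ESTABLISHED
  UDP    0.0.0.0:31337          *:*
  UDP    0.0.0.0:137            *:*
"""

if __name__ == "__main__":
    # Real use:  netstat -an > ns.txt  then  python triage.py < ns.txt
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for sock, name in suspicious_listeners(parse_netstat(text)):
        print(f"{sock.proto} port {sock.local_port} on {sock.local_addr}: matches {name}")
```

On the constructed sample the script reports only TCP 12345 and UDP 31337; the ESTABLISHED row whose far end is 31337 is deliberately ignored, which is the mistake people make when eyeballing the right-hand column.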


sorry man -- I'm not gonna clean that mess up! Got surfing to do :-)

-- (doomerstomper@usa.net), May 18, 2000.

Having fun with HTML...

-- Debbie (dbspence@usa.net), May 19, 2000.



Thanks for the advice and info, folks!

-- Flash (flash@flash.hq), May 19, 2000.

Flash, now that you have a list of all the possibly opened ports on your puter, what ya gonna do about it?

You could do like I did, follow Steve Gibson's instructions on his Shields UP website, then install ZoneAlarm firewall. When I test and try to hack into my puter, it's a veritable fortress. And since I disabled cookies and made my cookie file "read only", I'm virtually invisible on the net.

-- (close@ll.your.ports!), May 19, 2000.


thanks for the cleanup Debbie :-)

CYP's --- did you know if you keep cookies enabled, but mark it "read only" in properties/attributes, you can still get into cookies only sites? Dumb ass computers don't know the difference. They "think" they are writing to the file. Been doing that for years and it works like a charm.

-- (doomerstomper@usa.net), May 19, 2000.


Jesus Christ, I've never met a bigger bunch of paranoids in my life.

Flash if you have a direct dial up you probably will NEVER have anything to worry about. Don't go spending money or bother with the grc site if you do.

There are other things that make a connection or your computer slow down... REAL.EXE file, server drag, etc. I don't have time to tell you today, but I'll make some this weekend.

Sheesh.

~*~

-- (Ladylogic@....), May 19, 2000.


I logged on to Gibson's GRC site and ran Shields UP. All but one of my ports tested "stealth" and one tested "closed" with the McAfee Personal Firewall. I've got it free for a two week trial. After that I may try ZoneAlarm.

LL, I am interested in any suggestions or observations you might have. I've never had anything like this happen before. It suddenly surfaced and happened intermittently for 3 days. It ceased completely after I installed the firewall and has not resumed. I know of nothing that I have going on the machine that should cause such an occurrence.

For all I know it could be Bulgarian intelligence or China trying to steal my state secrets! [G].

Thanks again for all the suggestions!

-- Flash (flash@flash.hq), May 19, 2000.



Ladylogic likes to brag about how good she is at using IP addresses to track people and such. Now she tells us that we are all paranoid. Maybe it's Ladylogic that is screwing with your machine Flash.

-- LL (is@psycho.case), May 19, 2000.

The bitch is lying her cellulite ass off again.

If you install Zone Alarm, _even_ if you're on a dialup, you'll discover _numerous_ breakin attempts from IP-walking port-scanners.

The bitch is probably running a dozen of them right now.

I suggest you _do_ go read the info at Gibson Research. It'll make your hair stand on end.

And unlike the bitch, Steve Gibson is a decent person.

-- No one (wants@the.old.nag), May 19, 2000.


Flash,

Your problem sounds more like low memory than anything else. As you run low on physical memory, the hard disk starts to take over as virtual memory. The more memory used, the more disk access until it seems like your HD is running forever. If this is what's causing the problem, you'll see it again even with the firewall program.

You should have at least 64mb's of RAM and 128mb is even better.

If you see this happen again, check the amount of free User memory available. You can do this in most MS programs by going to help, about, and clicking on the System Info. If the figure is below about 50% then that's your problem and only a reboot will solve it.

-- Jim Cooke (JJCooke@yahoo.com), May 19, 2000.


Flash,

I used to "ping" friends. We would have little contests to see who could knock the other off first. We also used it for a test of his webserver. It is basically harmless except for slowing down your modem. I understand there is something out now that closes the connection if too many packets are received too fast. But I doubt that is what happened to you, there are a lot of things that could be happening. The banner ads sound like one. So much software is out there now that can go in and copy a lot of information about your computer-Not what is in your computer-But info about what version browser you are using, your operating system, even your monitor model. It doesn't hurt you at all, it is superficial information.

Have you cleaned your cache lately? It can hang you up if you don't clear it out often, especially with your early version of Netscape and from what I can tell, "antiquated" computer *grin* that means it is less than 6 months old.

-- Cherri (sams@brigadoon.com), May 19, 2000.


Dear Closeurports:

If I have McAfee virus protection, does this keep me from this?

BTW, ALL should check this out, omg, it is amazing!

Close, how do you try to hack your own computer?

Got 2 know. NOW.

please and thank u.

-- mom (mom@uhoh.my), May 19, 2000.



Laura, it's not paranoid to be concerned about PC security. It's a good place to start actually. :-) But the more knowledge, the less the need for paranoia.

The only practical difference between a dialup connection and a static connection, as far as security is concerned, is the amount of time spent using the same IP address. If a person stays connected for 6 hours or even 2 hours, then that's enough time to be found and attacked. It is less likely that any attacker will want to, because dialup connections are slower, so not as fun of a target. Nor will they have the same address next week, as a fast connection will. But all it really takes is for someone running a scan to find a computer with open ports right now, and some mischief in mind, and they can go to work.

When I first got BlackICE Defender firewall installed last year on my dialup connection, I logged over *120* intrusion events in the first two weeks - after subtracting for false alarms. By "intrusions" I mean events where someone found my computer, by whatever means and for whatever purpose, and which BlackICE fended off and logged.

Before I installed BlackICE my computer was not "stealth" as per Steve Gibson's site. My computer's ports tested as "closed", which means that they WOULD show up in someone's scans even though they were relatively invulnerable to attack. One port (NETBIOS) tested as Open - vulnerable. Fortunately, I never have had File and Print Sharing enabled while online- as that's one thing I already knew not to do - which is the biggest vulnerability and one of the easiest places to break in because it is so common, as Gibson explains.

Gibson (Grc.com) only tests about a dozen of the most common ports (out of ~65,000) but typically, if those are closed then all of them are, knock on wood. But ideally, you want to be not just "closed" but "stealth" - which means you can't be seen at all. This can be accomplished only with a firewall, McAfee, ZoneAlarm, whatever. Most ports in common use are in the low numbers. As you can see, a lot of the mischief is done via the less-used, high numbered ports. And BTW the attackers do NOT always use just the above port numbers, they may change them.... We are all moving targets. Yesterday's good defense will become tomorrow's soft white underbelly. This thing (intrusion) has gotten so popular, all the kiddies are doing it, and probably most mean no harm, but I for one do NOT want BackOrifice on my system.....

Last year a woman came to a computer support forum having detected an intruder... we got a blow by blow account. She wasn't even aware of "intrusion" as an issue whatsoever, but she happened to have NetWatcher loaded (like netstat), and it was dawning on her that there was this strange computer logged in to her system each day. (She had a cable connection.) She reported him, and it became a bone of contention with her provider - how much responsibility should the new fast services assume in alerting/helping users with the possible problems?, etc.

Anyway, all this is important for everyone to know about, because Microsoft has made Windows so that it installs with open-port vulnerabilities *by default*. So, it is the casual user (who doesn't like to go under the hood) who is the one least likely to know anything about this, and will just blithely surf his merry way along.

BTW I am now down to only about 1 or 2 intrusions logged (deflected) per day. The most common are BackOrifice ping, SubSeven port probe, TCP port probe, TCP OS Fingerprint, UDP Trojan Horse probe.

Interestingly, I registered a TCP SYN Flood (DOS) attack on my computer at the very same moment that the Greenspun server went down before rollover. (Yes, I was one of those foolish people downloading the forum - not because I thought it was going to Y2k-destruct but because in my pollyish mood, I thought post-rollover it would soon die off from attrition - lack of interest!) The logged IP address of the attacker was... ta-da...my own address. I can well believe that the combined load of all the robots is what brought the server down (and the irony of this is not lost on me!) I don't know if that would cause a "false alarm" intrusion attempt in my log (anyone know?), or whether some other mischief was really indicated.... It all doesn't seem to matter much any more.

Getting back to Flash, of course there are many possible reasons for a slowdown, other than being attacked, as mentioned by Jim and Cherri. Or bad sectors developing maybe? (run SCANDISK.. even if you are OK now, keep an eye on it) or a ton of TEMP files. But, if it's putting in the McAfee firewall that made the difference, then who knows- it could have been an intrusion. As for why your one port is not stealth (is it 139 maybe?), I am having the same issue since I just reinstalled Windows 98 and I am not sure why; it wasn't like that before. Must check into it.

I installed an early version of ZoneAlarm, which was great for monitoring inbound and outbound traffic (which BlackICE does not do) - will catch nosy applications in the act of going out to the internet (such as RealPlayer or ad software) It (ZoneAlarm) was buggy and messed up my system, but I understand the current version is much more stable and highly recommended. I don't know how the McAfee firewall is - good? but most of the personal firewalls require a ton of configuring and rules-making, which is fine only if you enjoy that sort of thing. ZoneAlarm is easy by comparison.

Hope it helps... running on at the mouth here - making up for time not responding on the philosophy and religion threads I guess!

-- Debbie (dbspence@usa.net), May 19, 2000.
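Debbie's closed vs. stealth distinction maps onto three outcomes of a plain TCP connect attempt, which is how a probe like the one she describes classifies a port from the outside. The function below is an added example (not from this thread, and not GRC's code): it returns "open" when the handshake completes, "closed" when the host answers with a reset, and "stealth" when nothing comes back before the timeout. The list of common ports in the demo is my choice, not Shields UP's exact set. Run it from a second machine against your own address: from the firewalled host itself, localhost will always look open or closed, because the firewall is not in that path.

```python
import socket
import sys

# Ports that Shields UP-style checks commonly probe; this set is my choice for the demo.
COMMON_PORTS = [21, 23, 25, 79, 80, 110, 113, 119, 139, 143, 443]


def probe_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one TCP port from the outside: "open", "closed", "stealth" or "unreachable".

    open:    the three-way handshake completed, so a service accepted it.
    closed:  the host answered with a TCP RST (ConnectionRefusedError). Nothing
             listens there, but the host has just confirmed that it exists,
             which is why "closed" still shows up in a scanner's results.
    stealth: silence until the timeout. A firewall that drops the SYN is
             indistinguishable from an address with no machine behind it.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError:
        return "unreachable"  # e.g. no route to host: says nothing about the port
    finally:
        s.close()


def start_listener(host: str = "127.0.0.1") -> tuple:
    """Bind a throwaway TCP listener on an ephemeral port; returns (socket, port).

    Used to show the "open" case locally; close the socket and the same port
    reads "closed" because the kernel now answers with RST.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def scan(host: str, ports=COMMON_PORTS, timeout: float = 2.0) -> dict:
    """Probe each port in turn; returns {port: verdict}."""
    return {p: probe_port(host, p, timeout) for p in ports}


if __name__ == "__main__":
    # Usage: python probe.py <your public address>   (run from another machine)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, verdict in scan(target).items():
        print(f"{target}:{port:<5} {verdict}")
```

A whole column of "stealth" is what a firewall that drops unsolicited SYNs produces; a mix of "closed" and one "open" is the unfirewalled Windows picture Debbie describes, with the open one typically NetBIOS (139) when File and Print Sharing is bound to the dial-up adapter.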


Jim,

I have 96 MB so that is normally enough, unless something is malfunctioning. I am having occasional trouble with my video memory filling up, due to unknown reasons, but that has been going on for about a year. It is transient, and if I exit WIN98 and then start it back up again, no more problems. What you describe makes sense, though. It's certainly possible that something fails or gets switched off and the machine starts reading and writing to disk like crazy.

Cherri,

Thanks for your tips, too. Actually my computer is fairly new (400 MHz HP Pavilion). The operator is what's ancient. After 55+ years of changes, I'm starting to get a little stubborn and the ole R/C (resistance-to-change) factor sets in. I tried the earlier versions of Netscape Communicator and didn't like them so have been staying with good ole 3.1 as long as possible. I also have MS Internet Explorer (fairly new version) which I use when forced to. I resisted using it because I hate what Billionaire Bill has done to us all and how much he has fleeced us with buggy products. Now that AOL has bought Netscape, I like them and Steve Case even less!

It has been a while since I cleared my cache, so I'll check it out. It's probably clogged up like my brain gets sometimes! What do they say, Use it or Lose it?

Debbie,

I forgot to thank you for the tip about Java possibly being on. I think that I turned it off a while back. I do get a lot of Java errors when WEB pages load, although some if it could be due to the ancient version of Netscape that I use and love.

Thanks also for your detailed info, which I am still digesting. I used to take the idea of someone scanning my machine with a grain of salt until my ISP friend said that it was a lot more common than most of us think. My problem began 4 days ago and went on over a 3 day period until I installed the McAfee firewall. The problem stopped immediately and has not resurfaced.

I grabbed the McAfee firewall only because it was right there and I also wanted to update my copy of ViruScan. I keep hearing good things about ZoneAlarm, so maybe I should grab it and test it as well (after de-installing McAfee)! Is ZoneAlarm really free? If so, how do they stay in business? I'm not sure how much the McAfee firewall costs yet, but I'm sure they'll let me know.

-- Flash (flash@flash.hq), May 19, 2000.


Flash,

Actually that was doomerstomper with the Java tip. (Yup the locking up could be due to your old version of Netscape.)

Oh, while I'm on a roll here, disable Microsoft FastFind - In fact delete every trace of it from your system. It consumes all your resources, indexing everything in sight at the slightest provocation. What a disaster of a utility. It will slow your system down to like a snail crawling through molasses. Well, this one never gets better, so I guess this wasn't your problem, but it's always worth a mention - this thing will drive you stark raving bonkers if you've got it loaded and can't track down what it is.

ZoneAlarm is free because they have a very similar paid, licensed product for commercial sites, and paid development work that they do. It has been useful to them to get feedback from the users of the free (home user) product. (It was quite buggy for some people so not everyone had a free lunch.)

Good luck!

-- Debbie (dbspence@usa.net), May 19, 2000.


Ping-flooded by your own machine?

No, I don't think so.

More likely explanation would be that someone else ping-flooded you, using a spoofed IP (that be _yours_).

Most likely suspect would have to be whoever owned the machine that you were currently bringing to its knees, doncha think?

-- No one (wants@the.old.nag), May 19, 2000.


More likely explanation would be that someone else ping-flooded you, using a spoofed IP (that be _yours_).

Most likely suspect would have to be whoever owned the machine that you were currently bringing to its knees, doncha think?

One thing which I initially speculated was a third party spoofed my IP, and using my IP to cover their tracks, flooded the server .... thought this, just because that is how a TCP SYN flood attack works.

But it seemed over-dramatic to theorize a scene like this, when the simpler reality was probably it was just the crowd of robots bringing things down. So then... no third party, and the ping flood was triggered from the dying server. Does make sense.... except why the spoofed IP?

-- Debbie (dbspence@usa.net), May 19, 2000.


Flash if you have a direct dial up you probably will NEVER have anything to worry about. Don't go spending money or bother with the grc site if you do.

Guess you don't frequent the hacker boards that I do, Laura. A wealth of information. Y2k was not the threat that some believed, yet computer security is a risk, that most ignore. Most blindly surf and leave a trail a mile long.

note: HD drive spinning is secondary to those modem lights flashing. One is memory -- one is activity. Both will crash you. With 98megs of memory, I'd setup your computer as a network server. Might speed you up.

right click My Computer --Properties -- Performance Tab -- File System --HD tab --Click Network Server in the drop down box for *typical role for this computer*.

-- (doomerstomper@usa.net), May 19, 2000.


I have somewhat recently installed McAfee Firewall. What I did to check if it was working was to go to this site. I entered my own IP address, and when it couldn't get through, I figured the firewall was good to go. =)

-- cin (cin@cin.cin), May 19, 2000.

Doomerstomper -- Thanks!!! I'll give it a try. Thanks for your other advice, too.

Cin -- Thanks, I'll check out your suggestion, too. Have you heard from McAfee as to how much their firewall costs?

No more problems since yesterday (Thu 05/18) after I installed the McAfee firewall.

-- Flash (flash@flash.hq), May 19, 2000.


Flash, it was I think about 20 bucks; not too unreasonable.

-- cin (cin@cin.cin), May 19, 2000.

Another thing I've seen that solves the problem of hard drive "thrashing", which seems to be what Flash's machine was doing, is to set the size of the Windows swap file, win386.swp, at some constant size.

By default, Windows sets the swap file to whatever size it sees fit, when doing virtual memory 'disk swapping'. But several times when people have complained of "thrashing" symptoms, I've set their swap file to a set size, and the problems stopped.

To do this:

go Start > Settings > Control Panel > System.

Click on the Performance tab, then the Virtual Memory button.

You'll see the Windows default setting, "Let Windows manage my virtual memory settings (Recommended)." That will have its radio button selected.

Select the other option, "Let me specify my own virtual settings". Then set the size of the swap file to be about twice the size of the RAM installed in your computer; i.e. if you have 64 megs of RAM, set the minimum AND maximum size for the swap file to 130 MB. Then click OK all the way out. Windows will give you warnings about doing this, but you can go ahead.

Additionally, if you have two hard drives in your machine, your performance can be enhanced by putting a single small partition at the front of the second hard drive (the one that doesn't have Windows installed on it), and putting the swap file there. You can make such a partition with a utility like Partition Magic, from PowerQuest. If you have 64 MB of RAM, you'd make a 130 MB partition at the front of your 2nd hard drive, then tell Windows to use that partition (i.e. drive letter) for the swap file, setting the minimum and maximum size of the swap file to 130 MB.

The reason this makes the machine run better is that instead of having one set of hard drive read/write heads looking for both the application/file AND the swap file at the same time; there are now two sets of heads on two hard drives doing the same work. The heads on the Windows HD are dealing with the application/file in question, while the heads on the 2nd HD are dealing with the swap file, freeing up the heads on the 1st hard drive. I've used this type of setup for a couple of years now; works like a charm.

If you can't put the swap file in its own partition, you can still set its size at a constant, and put a statement in your autoexec.bat file that tells it to delete the swap file every time your computer boots. The swap file becomes fragmented over time if it doesn't reside in its own partition; deleting it eliminates this, and doesn't hurt anything, since Windows just automatically re-creates the swap file if it's deleted.

The statement would look like this:

erase C:\Windows\win386.swp

Deleting the swap file every time you boot up will slow boot time by a second or two, since Windows has to re-create win386.swp; but other than that you'll notice no difference, except maybe better performance.

-- Chicken Little (panic@forthebirds.net), May 20, 2000.


Chicken,

Thanks for the Swap File info. It makes good sense.

Thanks All for your great suggestions. Hopefully they will benefit many others, as well. I'm sending this thread to several friends.

-- Flash (flash@flash.hq), May 20, 2000.


Flash, IMHO you were not being attacked. In order for someone to seriously bog your dial up connection down by sending packets, they'd have to be pinging from a lot of different machines with dial up or from some pretty considerable bandwidth on their end.

I see some good suggestions in this thread, but I think the first thing you should try to find out is if something you've installed recently is launching some nasty little process at bootup that is sending information across the Internet after it detects that a dial up connection has been established. (Depending on which OS you're running you may not be able to easily find the process while it's executing.) The best spots to check are your HKCU and HKLM registry run keys; also check your Startup group. If you need paths to these, let me know.

Case in point: I installed some MP3 ripper software and discovered that it placed a bot.exe in my HKCU run key. After my machine booted, this process would kick off and run in stealth mode -- in other words, I couldn't see it in Win 98's limited task list. Every time I dialed up, the bot would send a lot of bytes across the connection. (I don't even know what the hell it was sending.) Needless to say, I ripped that bad boy out of the registry and uninstalled the ripper software.

I hope this helps. If not, back to square one.

-- aqua (aqu@fin.a), May 20, 2000.
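As an added example (not from aqua's post), the Python below automates the check aqua recommends: it parses the output of `reg query` for the HKCU and HKLM Run keys, pulls the executable out of each command line, and flags entries that run from a temp directory, from outside Program Files or Windows, or as a bare name resolved through PATH. The sample `reg query` output is constructed (bot.exe stands in for the ripper's process aqua describes), the "expected" directories are an assumption about a Win98-era machine, and the flags are prompts to look, not verdicts: SysTray.Exe in the sample is a legitimate Win98 entry that trips the bare-name rule.

```python
from __future__ import annotations

import re
import sys

# The two autostart keys aqua points at (reg.exe is the NT-family tool; on
# Win9x the same keys are browsed in regedit).
RUN_KEYS = [
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
]

# `reg query <key>` prints the key path flush-left, then one indented line per
# value: "    Name    REG_SZ    data".
_VALUE = re.compile(r"^\s{2,}(?P<name>\S.*?)\s{2,}(?P<type>REG_\w+)\s{2,}(?P<data>.*)$")

# First token of a command line: a quoted path, an unquoted path up to ".exe",
# or a bare word. Case-insensitive because Windows is.
_EXE = re.compile(r'^"([^"]*)"|^(.*?\.exe)(?=\s|$)|^(\S+)', re.IGNORECASE)

# Assumed normal homes for autostarted programs on a Win98-era box.
EXPECTED_DIRS = ("c:\\program files\\", "c:\\windows\\")


def parse_reg_query(text: str) -> list[tuple[str, str, str]]:
    """Return (key, value name, command line) triples from reg query output."""
    entries, key = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = _VALUE.match(line)
        if m and key:
            entries.append((key, m["name"], m["data"]))
    return entries


def executable_path(command: str) -> str:
    """The program a Run value launches, without its arguments."""
    m = _EXE.match(command.strip())
    if not m:
        return command.strip()
    return next(g for g in m.groups() if g is not None)


def review_entries(entries):
    """Flag autoruns worth a look; returns (key, name, exe, reasons)."""
    findings = []
    for key, name, cmd in entries:
        exe = executable_path(cmd).lower()
        reasons = []
        if "\\" not in exe:
            reasons.append("bare executable name, resolved via PATH (hijackable)")
        elif not exe.startswith(EXPECTED_DIRS):
            reasons.append("runs from outside Program Files / Windows")
        if "\\temp\\" in exe:
            reasons.append("runs from a temp directory")
        if reasons:
            findings.append((key, name, exe, reasons))
    return findings


# Constructed sample output in the format reg query prints; entries invented.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    AIM    REG_SZ    "C:\Program Files\Netscape\Communicator\Program\aim.exe" -cnetwait.odl
    bot    REG_SZ    C:\WINDOWS\TEMP\bot.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    McAfee VirusScan    REG_SZ    "C:\Program Files\Network Associates\VirusScan\Avsynmgr.exe"
    SystemTray    REG_SZ    SysTray.Exe
"""

if __name__ == "__main__":
    # Real use:  reg query HKCU\...\Run > autoruns.txt  (and HKLM)  then
    #            python audit.py < autoruns.txt
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for key, name, exe, reasons in review_entries(parse_reg_query(text)):
        print(f"{key}\\{name}: {exe}\n    " + "\n    ".join(reasons))
```

Remember to check the Startup group as well, as aqua says; this script only covers the two registry keys, and a process started from there would not appear in its output.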


Thanks for the swap file info, Chicken Little. One (of very few) things I dig about Windows is that you can fool around with your swap file without creating new partitions - unlike Linux.

-- aqua (aqu@fin.a), May 20, 2000.

Chicken:

When you have time, I'd appreciate your providing some references for improving space allocations via partitioning. I have a total of 3 gig on my machine, separated into 1 gig for C, D, and E. As much as I try to load software on D and E, SOMETHING will always be placed on C, and C is always running too low for comfort. It didn't help when I.E. [versions 4 and above] were REQUIRED to run from C.

It's my understanding that when a partition is large, file allocation is done using large blocks, and when a partition is small, file allocation is done using small blocks. I'm not using the correct terms to describe what I mean, but I'm talking about something like 28K being used on a 1 gig partition to store a 1 byte file, where on a partition half that size, the file might be only 14K. If you know somewhere online where I can study this further, let me know.

I really think 3 gig should be enough for my purposes if I just knew more about organizing what I have. I had to laugh at Debbie's suggestion about deleting FIND, and I thought about that when I first considered making more logical drives from the 3 I have. I can't remember where I store files NOW. Find [for me] is a MUCH-needed memory resource....as in my HUMAN memory.

-- Anita (Anita_S3@hotmail.com), May 20, 2000.


Doomerstomper:

Would you care to list some hacker sites? I would like to monitor them myself. Thanks.

-- FutureShock (gray@matter.think), May 20, 2000.


"Now that AOL has bought Netscape, I like them and Steve Case even less!"

Incidentally, it's fairly easy to kill the AOL Messenger after installing Communicator. Yep, you guessed it: HKCU run. Just out of curiosity, don't you have a hard time with Netscape 3.1 viewing sites that use newer HTML / scripting tricks?

-- aqua (aqu@fin.a), May 20, 2000.


Here are some sites to get you started Flash:

portal security

you'll spend a lot of time here -- check out their message board and links

registry forums

-- (doomerstomper@usa.net), May 20, 2000.


Damn! Looks like I made a real mess. Can someone clean it up? I left off the quotes on the registry tag. What I meant to say was: hostile applets

That's enough to get you started. I'd rather leave off hard core sites. You can also check out USENET groups -- alt.hack --alt.hack.malicious, etc.

Another site that is great for tweaks and similar info to what aqua and Chicken Little gave you is: registry forums

-- (doomerstomper@usa.net), May 20, 2000.


Sorry -- meant to address that to Future Shock, not Flash.

-- (doomerstomper@usa.net), May 20, 2000.

Anita I didn't mean to delete Find. Heavens! No one could do without Find.

I meant FastFind, the add-on. Now if you have been lucky enough that FastFind doesn't bog you down, then congratulations. I speak from experience of myself and many others but I don't write it on graven tablets.

-- Debbie (dbspence@usa.net), May 20, 2000.


Amazing. Chicken Little and I are in almost total agreement!

You absolutely should set your swap file to a permanent size. And you should have it on a second drive, if you have one.

The only thing I disagree on is the size, but this is a minor point, considering the size of today's drives.

There is a shareware program, called SWAPMON, that will suggest a size for you. Put it in your Startup folder, and let it run for a few days. Do the things that you would normally do. If you tend to run a bunch of applications at once, do it. Then look at SWAPMON's Swapfile Wizard, and it will tell you the recommended size. You can download SWAPMON from ZDNet's Hotfiles site:

http://hotfiles.zdnet.com/cgi-bin/texis/swlib/hotfiles/info.html?fcode=000HFJ

Anita,

It is true that if you are using FAT16, the cluster size does go up for larger drives. On partitions larger than 1 Gig, the cluster size is 32K, and this is the minimum amount of space allocated, even for a 1 byte file.

However, starting with Win/95B and Win/98, FAT32 is available. This does 2 things. First, it uses 4K clusters on even huge drives, and second, it eliminates the 2 Gig limit on partitions. Using FAT32, there is usually no need to partition a big drive. I'm running an 8 Gig drive on my home server as one partition, using Win/95B. It works just fine.

<:)=

-- Sysman (y2kboard@yahoo.com), May 20, 2000.


PS Anita,

While none of this may apply to you, I should mention it in fairness.

1) Some OLDER, third-party disk tools will not work with FAT32. However most software publishers do now have FAT32 versions available. Most APPLICATION programs work just fine with FAT32.

2) While FAT32 will support drives up to 2 terabytes (2,000 Gig), many BIOSes, even on newer machines, will not support a bootable partition larger than 8 Gig. However, BIOS extensions, like EZDRIVE, will support larger partitions, and work with FAT32.

3) On very large drives, or partitions, the cluster size does grow, just like FAT16. But the 4K size works on partitions up to 8 Gig. Then it changes to 8K, and so on.

4) Win/98 does include a utility to convert existing FAT16 partitions to FAT32. Win/95B does not include this utility, forcing one to re-FDISK and re-FORMAT an existing drive to use FAT32.

5) At this time, disk compression is not supported on FAT32 partitions.

<:)=

-- Sysman (y2kboard@yahoo.com), May 20, 2000.
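Sysman's two posts above give the cluster-size rules behind Anita's question (FAT16 uses 32K clusters above 1 Gig; FAT32 uses 4K clusters up to 8 Gig, then 8K, and so on). The calculator below is an added example, not code from the thread: it encodes the default cluster sizes the Windows 9x FORMAT command picks for each partition size (the KB 140365 defaults, assumed here), and works out how much disk a set of files actually consumes under each file system so the slack from whole-cluster allocation can be seen directly. The file sizes at the bottom are constructed sample input.

```python
MIB = 1024 ** 2
GIB = 1024 ** 3

# Default cluster sizes for a partition of a given size (assumption: the Windows 9x
# FORMAT defaults from Microsoft KB 140365). Rows: (partition size up to and
# including this many bytes, cluster size in bytes).
FAT16_CLUSTERS = [
    (32 * MIB, 512),
    (64 * MIB, 1024),
    (128 * MIB, 2048),
    (256 * MIB, 4096),
    (512 * MIB, 8192),
    (1024 * MIB, 16384),
    (2048 * MIB, 32768),      # FAT16 stops at 2 GiB per partition
]
FAT32_CLUSTERS = [
    (8 * GIB, 4096),
    (16 * GIB, 8192),
    (32 * GIB, 16384),
    (2 * 1024 * GIB, 32768),  # FAT32's 2 TiB ceiling
]


def _cluster_size(partition_bytes, table):
    for limit, cluster in table:
        if partition_bytes <= limit:
            return cluster
    raise ValueError('partition too large for this file system')


def fat16_cluster_size(partition_bytes):
    return _cluster_size(partition_bytes, FAT16_CLUSTERS)


def fat32_cluster_size(partition_bytes):
    return _cluster_size(partition_bytes, FAT32_CLUSTERS)


def allocated_size(file_bytes, cluster):
    """Space a file really occupies: whole clusters, so a 1-byte file costs one cluster."""
    if file_bytes == 0:
        return 0
    return -(-file_bytes // cluster) * cluster   # ceiling division


def compare_layouts(file_sizes, partition_bytes):
    """Total bytes consumed by the given files on FAT16 vs FAT32 at this partition size."""
    c16 = fat16_cluster_size(partition_bytes)
    c32 = fat32_cluster_size(partition_bytes)
    return {
        'logical': sum(file_sizes),
        'fat16_cluster': c16,
        'fat16': sum(allocated_size(s, c16) for s in file_sizes),
        'fat32_cluster': c32,
        'fat32': sum(allocated_size(s, c32) for s in file_sizes),
    }


if __name__ == '__main__':
    # Constructed sample: four files on a 1.5 GiB partition, the case Sysman describes
    # where FAT16 has already moved up to 32K clusters.
    sample_files = [1, 1000, 40000, 100000]
    r = compare_layouts(sample_files, 1536 * MIB)
    print(f"logical size       : {r['logical']:>8} bytes")
    print(f"FAT16 ({r['fat16_cluster'] // 1024}K clusters): {r['fat16']:>8} bytes on disk")
    print(f"FAT32 ({r['fat32_cluster'] // 1024}K clusters): {r['fat32']:>8} bytes on disk")
```

The ratio is the point: with 32K clusters the four sample files take about 1.9 times their real size, with 4K clusters about 1.1 times, and the gap widens as the share of small files grows, which is why a partition full of small files "runs out" long before the logical byte count says it should.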


Flash, yes ZoneAlarm is still completely free for non-business use. And an advantage ZoneAlarm has is that it tells you when something from within your computer that you're not aware is there, such as a trojan virus, is trying to get info OUT. Don't know any other easy-to-use firewall that does this.

MOM, I'm not into teaching how to hack, but if you want to test how secure or stealth you are, use anonymizer.com and Gibson's Shields Up. Take the time to read everything on Gibson's site and understand it; it's worth it.

"CYP's --- did you know if you keep cookies enabled, but mark it "read only" in properties/attributes, you can still get into cookies only sites?"

Stomper, yes I knew. I didn't use the disable cookies feature in NS, what I meant to say was that by making my cookie file "read only" it disabled the cookie monsters.

-- (close@ll.your.ports!), May 20, 2000.


I showed this thread to my hubby today, who installed the Zone firewall. Then we kept getting 'booted' offline. Which is better, the McAfee Firewall or Zone? And after getting booted offline, is it because perhaps he did something wrong?

BTW, THANKS flash, this was a GREAT thread, very informative and scary to say the least.

-- consumer (shh@aol.com), May 20, 2000.


Sysman,

Glad we agree (almost). Heck, I'm ready for the arguments to stop. Enough, I reckon. The past is the past.

Anita, did he answer your questions?

-- Chicken Little (panic@forthebirds.net), May 22, 2000.


aqua,

ZoneAlarm, while good, ain't perfect. I run it and BlackIce Defender, and ZA has given a few PITA's from time to time. Steve Gibson still hasn't given it a clean bill of health; seems results vary from user to user. ZoneLabs is still working out some bugs.

And where uninstalling AOL Instant Messenger is concerned, for Netscape users, there's a page explaining how to do so at the Netscape site: Link

-- Chicken Little (panic@forthebirds.net), May 22, 2000.


Whoops...the ZA comments should have been addressed to consumer

-- Chicken Little (panic@forthebirds.net), May 22, 2000.

Thanks, Chicken Little. That is probably a good alternative for someone who isn't willing to rip keys out of her registry.

-- aqua (aqu@fin.a), May 22, 2000.

"Heck, I'm ready for the arguments to stop."

Yea, me too CL. I've already kinda made up with my old "enemy" Stephen Poole.

So, can I add you to the list?

<:)=

-- Sysman (y2kboard@yahoo.com), May 22, 2000.


CL:

I responded [finally] to your E-mail on this, but I didn't thank Sysman. Yes...my questions are answered. With limited offloading capabilities currently, my best bet seems to keep my current logical drives intact and deal with my storage issues via other recommendations. Thanks for all the help.

-- Anita (Anita_S3@hotmail.com), May 22, 2000.


You're quite welcome Anita.

If you're interested, you can read more about FAT32 at Microsoft:

http://support.microsoft.com/support/kb/articles/q154/9/97.asp

And here's an old third party site with a FAQ page about Win/95B (aka OSR2) including some info on both FAT16 and FAT32:

http://www.compuclinic.com/osr2faq/index.html#fat32x

<:)=

-- Sysman (y2kboard@yahoo.com), May 22, 2000.


Sorry, use this link to start at the top of the FAQ page:

http://www.compuclinic.com/osr2faq/index.html

<:)=

-- Sysman (y2kboard@yahoo.com), May 22, 2000.


Thanks again, Sysman. I've bookmarked this thread so I can reference it all on my next "Clean the PC" day.

-- Anita (Anita_S3@hotmail.com), May 22, 2000.
