Fedora Linux Support Community & Resources Center

  #31  
Old 13th June 2007, 08:11 PM
The_Jaymz Offline
Registered User
 
Join Date: Mar 2005
Location: Mobile, Alabama, USA
Age: 35
Posts: 342

Quote:
Unique “GAP” technology (Trademark: AlphaGAP™)
Don't think I want any firewall with that kind of technology.
__________________
-Jaymz
  #32  
Old 15th June 2007, 12:06 AM
joegumbo Offline
Registered User
 
Join Date: May 2006
Posts: 96
Hi Jaymz,

My understanding of this fancy "Gap" technology is that it offers the choice of either a logical or mechanical disconnect. It seems that I may have an issue with security, though. I'm going to search the Fedora fora for info others have offered re hw fws.

Btw, all seems well here now. Thank you everyone for your help and patience. I'm using the AlphaShield's disconnect when I'm away from the computer and only connecting to the net when absolutely necessary.

-Joe
  #33  
Old 15th June 2007, 02:34 AM
The_Jaymz Offline
Registered User
 
Join Date: Mar 2005
Location: Mobile, Alabama, USA
Age: 35
Posts: 342
I know. :-)
I was joking about not wanting to have a "gap" in security.

If you have an old (P100-64MB) PC, you could use m0n0wall. I use it and am *extremely* happy with it.
__________________
-Jaymz
  #34  
Old 15th June 2007, 02:58 AM
lmo Offline
Registered User
 
Join Date: Mar 2007
Posts: 1,047
Watching traffic can be fun
Code:
tcpdump -i eth0 -n -nn -s 0 -XX not port \(80 or 53 or 443\)
The "-i eth0" is the interface to watch.
The "-s 0" is the snaplen bytes to display (0 means all, 1024 would mean 1K)
The "not port \(80 or 53 or 443\)" is: no need to capture web pages 80-http, 53-dns, or secure web pages 443-https.
Capture the output for later analysis by appending
Code:
 | tee mycapfile.log
CTRL-C to stop capture
Reply With Quote
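One way to review the saved `mycapfile.log` afterwards, as an added example that is not part of the original post: it skips the `-XX` hex dump lines, tallies packets per remote address, and counts inbound TCP connection attempts. It assumes the text format printed by current tcpdump with `-n`; the LAN prefix `192.168.1.0/24`, the function names and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Summary line printed by tcpdump -n: "<time> IP|IP6 <src> > <dst>: <details>"
SUMMARY = re.compile(r"^\S+ IP6? (\S+) > (\S+): (.*)$")

# Constructed sample of what "tcpdump ... -XX | tee mycapfile.log" writes.
SAMPLE = """\
20:11:05.100001 IP 198.51.100.7.40112 > 192.168.1.10.22: Flags [S], seq 100, win 64240, length 0
\t0x0000:  0011 2233 4455 6677 8899 aabb 0800 4500  ................
20:11:05.100050 IP 192.168.1.10.22 > 198.51.100.7.40112: Flags [S.], seq 200, ack 101, win 65160, length 0
20:11:06.200000 IP 198.51.100.7.40113 > 192.168.1.10.22: Flags [S], seq 300, win 64240, length 0
20:11:07.300000 IP 192.168.1.10.51000 > 203.0.113.9.8080: Flags [S], seq 400, win 64240, length 0
20:11:08.400000 IP 203.0.113.50 > 192.168.1.10: ICMP echo request, id 1, seq 1, length 64
20:11:09.500000 ARP, Request who-has 192.168.1.1 tell 192.168.1.10, length 28
"""

def split_endpoint(text):
    """Split tcpdump's 'addr.port' into (addr, port); port is None for ICMP etc."""
    host, _, tail = text.rpartition(".")
    if tail.isdigit():
        try:
            ipaddress.ip_address(host)  # valid only if the last field was a port
            return host, int(tail)
        except ValueError:
            pass
    return text, None

def packets(lines):
    """Yield (src, sport, dst, dport, details) for each IP summary line."""
    for line in lines:
        m = SUMMARY.match(line)
        if m:  # skips -XX hex/ASCII dump lines and non-IP frames such as ARP
            yield (*split_endpoint(m.group(1)), *split_endpoint(m.group(2)), m.group(3))

def remote_peers(lines, local_net):
    """Packets seen per address outside local_net, in either direction."""
    net = ipaddress.ip_network(local_net)
    return Counter(addr for src, _, dst, _, _ in packets(lines)
                   for addr in (src, dst) if ipaddress.ip_address(addr) not in net)

def inbound_syns(lines, local_net):
    """TCP SYN-without-ACK packets from outside local_net, by (remote, local port)."""
    net = ipaddress.ip_network(local_net)
    return Counter((src, dport) for src, _, dst, dport, details in packets(lines)
                   if dport is not None and "Flags [S]" in details
                   and ipaddress.ip_address(src) not in net
                   and ipaddress.ip_address(dst) in net)

if __name__ == "__main__":
    capture = SAMPLE.splitlines()  # or: open("mycapfile.log").read().splitlines()
    print(remote_peers(capture, "192.168.1.0/24").most_common())
    print(inbound_syns(capture, "192.168.1.0/24").most_common())
```
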
  #35  
Old 15th June 2007, 03:47 AM
joegumbo Offline
Registered User
 
Join Date: May 2006
Posts: 96
Hi Jaymz and lmo,

I just went to one of these firewall testing web-sites. Not only is my address public, but so is my private address behind both my AlphaShield and Netgear router. It's actually being broadcast when I'm online. So, I signed up for kaxy.com's webproxy service.

-Joe
  #36  
Old 17th June 2007, 12:33 AM
v00d00 Offline
Registered User
 
Join Date: Mar 2007
Location: UK
Posts: 138
Easy solution to this is to set the Netgear router to forward absolutely nothing to the AlphaJunk firewall, which is either very misconfigured, or just crap.

You do know of course you can build a hardware firewall for the cost of a pentium 200 system and 2 network cards. Then install smoothwall on it. It also does web caching and has quite a few security tools included with it.

http://www.smoothwall.org/
  #37  
Old 17th June 2007, 04:43 AM
joegumbo Offline
Registered User
 
Join Date: May 2006
Posts: 96
Hi v00d00!

AlphaJunk... I rolled around on the floor laughing when I saw that!

I did do some configuration on my NetGear router after reading your post. I eliminated all but the most obvious services (Http, eg), but I don't see a way to prevent the forwarding to the AlphaShield, yet. I need to do a bit more reading on this.

I also read where it could be the browser that's possibly forwarding my private address rather than the hw fw. I use SeaMonkey rather than Firefox but don't see a way to config how much info is given to a web-site. But, I do have a paid-for web-proxy which should give me significant protection. I also decided to try another service other than Kaxy.

So, I now have Comcast's modem, then the AlphaShield, the NetGear router, Firestarter firewall, and a paid-for webproxy service between my pc and the internet for protection. I'm also using GNU/Linux rather than Windows for security. If I have another problem, the only step I can see left for me is to just run Knoppix permanently from the CD-ROM. All this for a lowly home desktop on a cheap eMachine.

Thanks,
-Joe
  #38  
Old 17th June 2007, 05:28 AM
joegumbo Offline
Registered User
 
Join Date: May 2006
Posts: 96
Just a quick followup....

I downloaded and tried Opera without my proxy server at a firewall testing web-site. My private address is no longer visible. So, apparently it wasn't the AlphaShield that was at fault. After trying firewall testing with my web-proxy, even the name of the web-proxy was not visible.

So, it appears that I have found the issue. I had the latest version of SeaMonkey installed, 1.1.2. So, I guess I'm switching to Opera.

Thanks again to everyone for your help and advice.

-Joe
  #39  
Old 18th June 2007, 02:55 PM
joegumbo Offline
Registered User
 
Join Date: May 2006
Posts: 96
Correction

A web-site testing security was able to find my private email address while I was using Opera today. My bad. Sorry.

-Joe
  #40  
Old 21st June 2007, 01:52 AM
joegumbo Offline
Registered User
 
Join Date: May 2006
Posts: 96
More info

Well, I think the problem is finally tracked down. It seems to be JAVA in my browser.

http://forums.mozillazine.org/viewto...3159fccaecc8c1

The www.auditmypc.com site states that the way they are able to find out this info is through JAVA. I'll include the post I made at the mozilla site...

But, when I go to www.auditmypc.com, my internal address is being broadcast. When I take the "Anonymous Surfing" test, my IP address, my host name and then below the map to where I generally live, there is also a notice in red with a red exclamation point in a triangle notifying me that it also has my Private IP address. And, the private IP address is correct. Something is giving all this away.

I've explored further in the auditmypc site. It states that the way it was able to get all this info was through JAVA. The site states that...

"The point is, you should be concerned that a Java applet ran without your knowledge, found some information and passed it back to the server."

"It was cross site leaking of java that gathered this information made possible by passing variables back from the applet and constructing a url in java to a web page using an iframe that contains the data to be collected. The server can then read this information, store and process the internal ip address as needed.

The only way to prevent this that we are aware of, is to disable active scripting in the browser."

It also says that...
"A malicious website owner could use a similar method to grab a lot more than your internal IP address, and you wouldn't even know it!"

So, I got it now. It's a JAVA leak. The site states that to prevent this, Javascripting should be turned off. In fact, it states that it was able to do this by running a JAVA applet without even my knowledge.


So, apparently there's a hole in JAVA that's compromising security on my system.

But,

Well, after I disabled javascript in SeaMonkey, the auditmypc site complained and stated that it wasn't able to display the map to my area for me (but it still knew where I live), but it still found my internal IP address as well as my external IP address and my hostname.

So, I'm not sure what my next step should be if I want to surf without a web-proxy.

Thanks,
-Joe
  #41  
Old 21st June 2007, 01:58 AM
joegumbo Offline
Registered User
 
Join Date: May 2006
Posts: 96
Oo-s...
Btw, I'm running JDK 1.6.0 update 1
  #42  
Old 21st June 2007, 04:31 AM
joegumbo Offline
Registered User
 
Join Date: May 2006
Posts: 96
Solved!!!

The leak is plugged thanks to some good folks at Mozilla.

http://forums.mozillazine.org/viewto...931670#2931670

I was referred to

http://xsidebar.mozdev.org/modifiedmisc.html#refspoof

http://noscript.net/

Which give the option of preventing Javascript from running and spoofing your ip address.
  #43  
Old 23rd June 2007, 02:18 PM
azop Offline
Registered User
 
Join Date: Jun 2007
Posts: 3
Hoho...

I've found this topic by chance, because I was googling for IP address 77.67.127.42.
The fact is that this IP is part of the French Government Network; check it out yourself: Who is gouv.fr?

Like it's already solved previously in this topic, those servers are running AkamaiGHost.

Now, joegumbo, can you explain why an IP address from a governmental network is connecting to your computer?

Last edited by azop; 23rd June 2007 at 03:46 PM.
  #44  
Old 23rd June 2007, 03:24 PM
joegumbo Offline
Registered User
 
Join Date: May 2006
Posts: 96
Hello Azop,

I have absolutely no idea why the French government would want to connect to my computer. I don't even know anyone in France.

-Joe
  #45  
Old 23rd June 2007, 03:33 PM
joegumbo Offline
Registered User
 
Join Date: May 2006
Posts: 96
Btw...

Thank you for the info.