IWETHEY v. 0.3.0 | TODO

Security related - perhaps amusing to some but ...

almost all my posts to IWEthey are being blocked & I tend to only get them thru by logging on as another user (i.e. my wife's attglobal.net account).

The bizarre aspect of this is that it happens at work and at home. Firstly, for those who don't know - I work in Hong Kong & am a regular & outspoken poster in War on Terrorism.

Some posts seem to get through but the moment I write particular words related to political stuff - the block happens & my Zone Alarm Pro software goes berserk with warnings of probes to my computer.

I am even wondering if this will get thru 1st go. If there is nothing past this line - it did.

I haf a few questions
Your war on terrorism posts. Are those the only posts that could be considered politically sensitive? Do you post on other boards elsewhere about mainland subjects? Have you ever been vetted (lately) for work etc? It sounds like you're on a list that keywords trigger an automated response, because the way it is happening sounds like a 1/2 assed programmatic response.
thanx,
bill
will work for cash and other incentives [link|http://home.tampabay.rr.com/boxley/resume/Resume.html|skill set]
"Fifty-one percent of a nation can establish a totalitarian regime, suppress minorities and still remain democratic." Correction: "All that can be achieved with 51 percent of the voters!" Ilanna Mercer
Re: The blocks seem to be getting worse
but *only* when I talk about terrorism or China.

Now it may be coincidental that Zhu Rongji (whom I greatly admire) was in town for Mon-Wed (I hadn't realised he was coming until I read some major speeches he made in HK).

Zhu is the Chinese Premier (outgoing). The security all over town was heavy - police everywhere & our usual walkways over the main road fenced off for 3 feet along each side inside.

Possibly the local security people have been vetting anything that might be taken to pose a threat.

(let me now see if this gets thru)

Cheers

Doug

#1 - that got thru no trouble!!!

Hmm, but the 1st attempt to add further comments in edit mode got blocked!!!

#2 - 2nd attempt to add the prior blocked words got blocked - stupid part is that it contains no words that I can see that would justify blocking??????
Edited by dmarker Nov. 21, 2002, 09:27:09 AM EST
Edited by dmarker Nov. 21, 2002, 09:30:14 AM EST
Definitely not amusing to me.
In fact, I would begin to worry about your safety. Hong Kong promises or not, the leash is getting shorter.
Alex

"Let others praise ancient times; I am glad I was born in these." -- Ovid (43 B.C.-A.D. 18)
Re: It isn't as if I post anti
Chinese stuff - I tend to be very pro China as an emerging nation & very supportive of its views & politics.

At first the blocks only occurred from work to the Terrorism forum, but now the blocks seem to be to many other forums.

PS I only post here in IWETHEY - don't often visit other places.

Doug

#1 - this post was not blocked???
Edited by dmarker Nov. 21, 2002, 09:33:27 AM EST
Re: This is getting worse

(THIS IS MY 4th ATTEMPT TO POST THIS FROM VARIOUS COMPUTERS AFTER BEING BLOCKED ON ANOTHER COMPUTER)

For the past few days I have suspected that something had gone wrong with my main computer (the one I do most Internet activity through).

Symptoms were:

1) Zone Alarm stopped warning me of unexpected connections to my computer

2) Every now and then I seemed to lose control of my mouse & keyboard, and at the same time there was traffic on my DSL modem (& Zone Alarm was saying nothing)

3) A few days ago a small Netscape window popped up saying that there was an update to Netscape and to click to apply it - because I had just installed Netscape 7 some weeks ago I clicked it, then almost immediately thought - that's a bit odd & tried stopping Netscape, but I have a feeling that loaded a trojan or back-door. My wife later said she has been getting that same Netscape message almost every 4 or 5 times she starts her Notebook up (it too has NS7).

Anyway, tonight what really satisfied me that someone was into my computer was that when the mouse & keyboard froze & the cable activity flashed up, a message appeared on my screen that file 'InfoSec Policies' was no longer mounted - well, that is a file I have on a memory stick & I had removed that memory stick earlier in the night. Then another file name came up for a security file I also keep on that memstick. These files were listed in my documents list as recently accessed files.

So after all the other funnies with posting to IWETHEY, I think I am the target of someone's security service. Being in China, my first suspicion is that it is local. I am not aware of any damage being done to any of my computers, just a constant bombardment of emails with what I have always considered viruii attached & which I avoid like the plague they are.

So maybe I will need to rebuild this computer from scratch in the hope I can clean out any back-door software & as for Zone Alarm - it is supposed to warn me *any* time a bit of software tries to open a port to anything. I have removed and reinstalled it - I half wonder if there is some cooperation between MS, Netscape, ZoneAlarm etc. with US security agencies who want to access people's computers. I have no proof that is what is happening here.

I am not sure what program is listening on port 49213 - looks odd - I also notice I am getting occasional flashes on my DSL modem (but I have shut down the network card).
The flashes look like what a back-door client seeking to access a backdoor-server might make. What also puzzles me is the ports 192.168.0.3:137 192.168.0.3:138 as I have disabled sharing on that network adapter???

Any comments on the ports in use, allowing that I have ZoneAlarm Pro active, are welcome.

Cheers

Doug Marker

PS below is my netstat. 192.10.100.x is my internal network,
192.168.0.x is my Wi-Fi network with router

TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1032 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1031 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1031 127.0.0.1:1032 ESTABLISHED
TCP 127.0.0.1:1032 127.0.0.1:1031 ESTABLISHED
TCP 127.0.0.1:5180 0.0.0.0:0 LISTENING
TCP 127.0.0.1:49213 0.0.0.0:0 LISTENING
TCP 192.10.200.11:139 0.0.0.0:0 LISTENING
TCP 192.168.0.3:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1026 *:*
UDP 192.10.200.11:137 *:*
UDP 192.10.200.11:138 *:*
UDP 192.10.200.11:500 *:*

UDP 192.168.0.3:500 *:

Cheers

Doug Marker



Didja ever use...
Ever use DB2 on that machine?

Cause the "default" search server runs on that port as a service to the localhost only.

Also, the HTML help browser service for Visual Age comes to mind too... I think it was on that port for localhost only also.

Seems NetQuestion (part of UDB) also uses that port... All these products are from the SAME vendor... IBM.

[link|mailto:curley95@attbi.com|greg] - Grand-Master Artist in IT
[link|http://www.iwethey.org/ed_curry/|REMEMBER ED CURRY!!!]

Your friendly Homeland Security Officer reminds:
Hold Thumbprint to Screen for 5 seconds, we'll take the imprint, or
Just continue to type on your keyboard, and we'll just sample your DNA.
Re: Yes both - still have VA Smalltalk Installed
I thought the number seemed familiar.

Thanks - Doug


#1 - hmmm, this post didn't get blocked - the one above got blocked 4 times over 4 hrs until I dialled in to a different ISP port & it got thru.

I am beginning to suspect that the entry into my computer may have been thru remote login, as I had been using auto start-up for the primary user. I have stopped that now & activated requiring Ctrl-Alt-Del.

I have noticed a steady pattern of pings coming to my computers. Zone Alarm seems to be again picking up this stuff (after I did a reinstall).

Just now though, I noticed one of my computers with an alien ip addr with ports 137 & 138 open???

169.254.174.15

I have no idea what that ip address is

Cheers

Doug
Edited by dmarker2 Nov. 22, 2002, 12:01:24 PM EST
Re: Yes both - still have VA Smalltalk Installed
The 169.254 address is the 'automatic' IP address Microsoft networking gives your machine when it can't find a DHCPish server on the network, or there's no static IP defined. Also, 192.168.x.x is a valid address range to use for an internal network; however 192.10.x.x is not... those are public addresses.
-----
Steve
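The two replies above cover the same ground from different ends: which of the listed ports are reachable from beyond the host, and what the bind addresses (0.0.0.0, 127.0.0.1, 169.254.x.x, 192.168.x.x, 192.10.x.x) actually mean. Here is an added example, not code from anyone in this thread, that applies that reasoning to the posted netstat listing. The function names (`classify_address`, `parse_netstat`, `audit`) are my own; the listing is copied from the post above, and the two UDP lines for 169.254.174.15 on ports 137/138 are constructed to stand in for the "alien ip addr" mentioned in the follow-up.

```python
import ipaddress
import re
from typing import List, NamedTuple, Tuple

# Sample input: the netstat listing as posted (including its truncated last
# line), followed by two CONSTRUCTED UDP lines for the 169.254.174.15 address
# with ports 137/138 that a later post mentions. Those two are not real output.
NETSTAT_SAMPLE = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1025 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1028 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1030 0.0.0.0:0 LISTENING
TCP 0.0.0.0:1032 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1031 0.0.0.0:0 LISTENING
TCP 127.0.0.1:1031 127.0.0.1:1032 ESTABLISHED
TCP 127.0.0.1:1032 127.0.0.1:1031 ESTABLISHED
TCP 127.0.0.1:5180 0.0.0.0:0 LISTENING
TCP 127.0.0.1:49213 0.0.0.0:0 LISTENING
TCP 192.10.200.11:139 0.0.0.0:0 LISTENING
TCP 192.168.0.3:139 0.0.0.0:0 LISTENING
UDP 0.0.0.0:135 *:*
UDP 0.0.0.0:445 *:*
UDP 0.0.0.0:1026 *:*
UDP 192.10.200.11:137 *:*
UDP 192.10.200.11:138 *:*
UDP 192.10.200.11:500 *:*
UDP 192.168.0.3:500 *:
UDP 169.254.174.15:137 *:*
UDP 169.254.174.15:138 *:*
"""

# One 'netstat -an' row: proto, local addr:port, remote endpoint, optional state.
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Windows RPC endpoint mapper, NetBIOS name/datagram/session and SMB ports.
# Bound on a reachable address, these expose name resolution and file sharing.
NETBIOS_SMB_PORTS = {135, 137, 138, 139, 445}


class Socket(NamedTuple):
    proto: str
    local_addr: str
    local_port: int
    remote: str
    state: str  # "" for UDP, which has no connection state


def classify_address(addr: str) -> str:
    """Label a local bind address the way the replies in the thread reason about it."""
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:   # 0.0.0.0: bound on every interface at once
        return "all-interfaces"
    if ip.is_loopback:      # 127.x: reachable from this host only
        return "loopback"
    if ip.is_link_local:    # 169.254/16: self-assigned when no DHCP server answers
        return "apipa"
    if ip.is_private:       # RFC 1918: 10/8, 172.16/12, 192.168/16
        return "rfc1918"
    return "public"         # anything else, e.g. 192.10.x.x, is Internet-routable space


def parse_netstat(text: str) -> List[Socket]:
    """Parse netstat rows; lines that do not look like a socket row are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        proto, addr, port, remote, state = m.groups()
        sockets.append(Socket(proto, addr, int(port), remote, state or ""))
    return sockets


def audit(text: str) -> List[Tuple[Socket, str, str]]:
    """Return (socket, address class, reason) for each socket worth a second look.

    Loopback-only listeners (such as port 49213 in the thread) and established
    TCP pairs are not reported; the question is what is reachable from outside.
    """
    findings = []
    for s in parse_netstat(text):
        if s.proto == "TCP" and s.state != "LISTENING":
            continue
        kind = classify_address(s.local_addr)
        if kind == "loopback":
            continue
        if s.local_port in NETBIOS_SMB_PORTS:
            findings.append((s, kind, "netbios-smb-exposed"))
        elif kind == "public":
            findings.append((s, kind, "public-bind"))
        elif kind == "apipa":
            findings.append((s, kind, "apipa-bind"))
        elif kind == "all-interfaces":
            findings.append((s, kind, "all-interfaces-bind"))
        # rfc1918 binds on other ports are left alone: LAN-scoped by design
    return findings


if __name__ == "__main__":
    for sock, kind, reason in audit(NETSTAT_SAMPLE):
        print(f"{sock.proto:3} {sock.local_addr}:{sock.local_port:<5} {kind:15} {reason}")
```

Run as-is it reports the four 0.0.0.0 NetBIOS/SMB listeners, the 139/137/138 bindings on the 192.10.200.11 address (which the classifier labels public, as Steve notes), the two constructed 169.254 lines as link-local, and the 1025-1032 RPC-style listeners on every interface; the loopback-only 49213 that Greg traces to IBM software is correctly left out. The `ipaddress` module's own predicates do the address classification, so the only project-specific knowledge in the file is the port set.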
Can't we do this over ssl?
-drl

"I'm so happy I could scalp someone." -- Mark Twain
Re: That seems reasonable

Even as I sit here my computers are being pinged - not heavily.

Today I bought a 33GB SCSI-II disk on which I will re-install RH8 and will see if that can get me away from the gaping holes windows seems to have open.

I have tried to make completely sure that I have no file-sharing on the network card that connects to the Router but each time I start up I see that the ip allocated has ports 137 & 138 showing when I run netstat - I use sharing on my local network but it still seems to activate it for the other card even though checked off in the properties box for that card.

Cheers

Doug
137 138 netbios scans (lotta trolling lately)
will work for cash and other incentives [link|http://home.tampabay.rr.com/boxley/resume/Resume.html|skill set]


I leave symbolism for symboltons,
Carlin
Re: Have decided to set up an NIDS & Honeypot

Anyone here tried installing SNORT?

Cheers

Doug
Yeppers...
It is pretty straightforward, given you understand the ideas and know how to put up the required services for it.

[link|mailto:curley95@attbi.com|greg] - Grand-Master Artist in IT
[link|http://www.iwethey.org/ed_curry/|REMEMBER ED CURRY!!!]

Your friendly Homeland Security Officer reminds:
Hold Thumbprint to Screen for 5 seconds, we'll take the imprint, or
Just continue to type on your keyboard, and we'll just sample your DNA.
Not at all amusing; sad, really
Doug, I'm sorry that this keeps happening to you -- especially since it's a sign of further decline in my old home town. (I grew up at 7B Bowen Road, Victoria, HKI, and attended Peak School, up near the top of the Tram.)

Your surmise that your systems have been compromised and played with seems reasonable. Personally, in a situation like that, I'd want to operate from an LNX-BBC or Knoppix disk, which would be a real challenge for the spook agencies to attack in the usual ways.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
Re: Not at all amusing; sad, really
Rick,

What a surprise - an old HongKongonian. Everyone tells me the place has changed over the years - much cleaner since 1997 - (I 1st came here in 1980 but in the many intervening visits learned nothing about the place except it was full of Cantonese & a few Gweilos).

I am not sure where the security problem is but I have made the following deductions ...

PS (this post is coming via my usual ISP but using Mozilla on RH8 & so far seems to be getting thru).

1) At work if I use my normal login I get blocked on controversial material to IWETHEY (I don't post anywhere else)

2) Same at home

3) No prob if I login to attglobal.net using my or wife's account

4) No problem at work if I use one of the many servers I have installed

5) No problem at home (thus far) using RH8

More soon - dinner is calling

#2 - back from rice & stir-fry <grin> (actually was lamb chops on a bar-b-que)

I first began to experience blocks about 6 months ago but they were few & I always managed to post the original material eventually.

But I was aware over the past 9 months of a growing volume of emails arriving with attachments that I would never open in a fit (because they were some form of executable).

I have enough experience from Back Orifice days to know when my computer is compromised (has happened approx 4 times since 1999). I always maintain two primary computers that can access thru the same cable & maintain several more that can use dial-up accounts.

Now if I dial in to my usual ISP rather than use cable - I don't get blocked.
It seems that I don't get blocked using RH8 & Mozilla from the same computer I use Windows2K on (which does get blocked). In fact both my main Win2K computers seem to get blocked, but I have all sorts of strange failures to get recognised by my ISP & I haven't got a theory for these yet. Both these computers go through a Buffalo AirStation. I am now working out how to install an IDS (SNORT) so that I can filter & monitor ip traffic any time I think there is strange activity.

It did come as a bit of a surprise to me when I realised I was losing control of my mouse & keyboard, but I am ruthless when I see that - I just hit reset. The good thing is I have other computers that have my real work on & these are nearly always switched off when my 2 main computers are up & accessing the net.

My suspicion is that the blocking is occurring via my ISP - now the tricky part about this bit is that my ISP is also my employer!!! But the belief here in HK is that HK Telecom does have a relationship with HK & Mainland security.

Cheers

Doug

PS how long did you live in HK - what age did you arrive ? - leave?

My wife & I really like it here & we enjoy visiting the emerging mainland - I am amazed at the changes since 1990 when I 1st went to Beijing - it isn't the same place I saw back then - nothing like it & the people are transformed in a way I find astounding.

Edited by dmarker Nov. 23, 2002, 07:21:13 AM EST
Re: Not at all amusing; sad, really
Doug:

RH8 is certainly liveable. You'll want to probe its security using [link|http://www.linuxworld.com/linuxworld/lw-2000-08/lw-08-expo00-hacking.html|nmap] and make sure any services you leave enabled are tightly configured and kept up to date. If you choose to ssh/scp into it from elsewhere, you might make a policy of doing so only using the aforementioned LNX-BBC or Knoppix disks. (Either is a Linux system on a bootable CD. The LNX-BBC is burnable to business-card-sized media, and I was one of its designers.) And of course never, ever use for that machine passwords you use elsewhere. If you have a PalmOS PDA, you can get one of several encrypted password-storage utilities for it, such as GNU Keyring, from my [link|http://linuxmafia.com/pub/palmos/|archive] of open-source code for and about PalmOS.

I lived in HK in the late '60s, because my father was transferred there by Pan American World Airways, for whom he was a captain. That was before the Harbour Tunnel, so I saw a lot of the Star Ferry. Alas, we never got to cross the border from the New Territories: We were always jealous of the Brits, whose passports were valid over there. (Except, during the Cultural Revolution, the presence of that border was rather ominous.)

I'm curious: Do you know if Peak School is still in operation? It was or is a government-run grammar school, a few blocks from the top of the Peak Tram.

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.
Re: Rick, PS is still there, neighbour teaches there ...

Yup PS is pretty well known.

Here are a couple of links (not much in them but they exist). The 1st link shows the PS home page & the woman with the kids at the bottom right is our neighbour (just had 1st baby - a son).

Cheers - Doug

[link|http://www.ps.edu.hk/|Peak School Home Page]

[link|http://www.esf.edu.hk/schools/peak_school.html|Another link]

[link|http://www.shambles.net/hongkong/|Map of Hong Kong]
(We live in Discovery Bay which is at the tip of Lantau Island - the map doesn't show the big bridge from mainland to Lantau. We travel by ferry to Central each day)

Cheers

Doug




WOW!!! Kowloon used to be where cheap lodging was available
when I was there circa 1970 etc. Now it looks larger than the Island itself! I guess the day of the HK$99 silk suit is long gone.
thanx,
bill
will work for cash and other incentives [link|http://home.tampabay.rr.com/boxley/resume/Resume.html|skill set]


GRAYBOAR-Strangleur Extraodinaire
"Have Thumbs Will Travel"
Customised Asphyxiations
No Gullet Too Big, No Weasand Too small
My Motto Satisfaction Garoteed, or the Chokes on Me!
Eric Flint
Re: And cheap girls <grin> - actually ...

Where it shows Kowloon are the suburbs of Mong Kok, Prince Edward, Kowloon Tong, Sham Shui Po etc. Kowloon is pretty much an area as well as a suburb (Kowloon Tong).

Tsim Sha Tsui is the tip below that & where the Star Ferry crosses to Central.

Cheers Doug
Re: Rick, PS is still there, neighbour teaches there ...
Doug wrote:

Yup PS is pretty well known.

Thanks for the links. Since we're off-topic, I'll try to keep my comments short:

Nice to see the old place, a bit. E.g., photos at [link|http://www.ps.edu.hk/oldsite/school%20prospectus/history.html|http://www.ps.edu.hk/oldsite/school%20prospectus/history.html]. The changes since the '60s, inevitable in a handover from the UK government to the English Schools Foundation are quite apparent: The big one is heterogeneity. Back then, the students were all-British other than me, my sister, and one other Yank -- and we got in over stiff official opposition. Bizarrely, no Chinese students, then! Or staff, I think. It was also run by a headmistress, vs. today's "principal", and didn't have a "PTA".

Creeping Americanism, or at the least fading of Empire, is mostly a blessing, I'm sure. I could have done without the mandatory singing of "Onward Christian Soldiers" and such at 10AM assembly, at least.

(We live in Discovery Bay which is at the tip of Lantau Island - the map doesn't show the big bridge from mainland to Lantau.

Lantau was a boat ride, back in the day. I remember Discovery Bay well, as we had friends there. Also at other points around HKI, such as Deepwater Bay, where we shot off fireworks for American Independence Day and Guy Fawkes Day, every year. (For Chinese New Year, of course, the fireworks came to you.)

Rick Moen
rick@linuxmafia.com


If you lived here, you'd be $HOME already.