Marque opened this issue on Jul 03, 2006 · 25 posts
Marque posted Mon, 03 July 2006 at 7:13 AM
Anyone else get hit with this earlier????
Intrusion: NMap Null Scan
Intruder: www.renderosity.com(66.18.106.204).
Risk Level: Medium
My Norton picked it up and stopped it, tried to hit me when I came into the poser forum. If anyone knows what it is I would appreciate the info.
Marque posted Mon, 03 July 2006 at 7:13 AM
And yes....Norton listed it as a worm.
Miss Nancy posted Mon, 03 July 2006 at 11:41 AM
did it try to load with one of the banners?
TrekkieGrrrl posted Mon, 03 July 2006 at 1:09 PM
O.o
I haven't seen that one, and my current AV (eTrust) didn't catch anything...
But ever since I was hit by the polip.a I get nervous twitches when I hear the word "worm"
You just can't put the words "Poserites" and "happy" in the same sentence - didn't you know that? LaurieA
Using Poser since 2002. Currently at Version 11.1 - Win 10.
bevans84 posted Mon, 03 July 2006 at 3:08 PM
It's not a worm.
http://www.symantec.com/avcenter/attack_sigs/o93.html
Nmap is a network utility (standard on most *nix boxes) that can be used to identify open ports on a machine, and is often used by hackers to identify vulnerable ports.
It can also be used for the less sinister purpose of identifying the operating system of a connecting computer, although Windows operating systems don't respond to the scan in the standard manner. Probably not the wisest choice in this age of excessive paranoia.
Acadia posted Mon, 03 July 2006 at 4:15 PM
Why is renderosity scanning our ports?!!!
"It is good to see ourselves as
others see us. Try as we may, we are never
able to know ourselves fully as we
are, especially the evil side of us.
This we can do only if we are not
angry with our critics but will take in good
heart whatever they might have to
say." - Ghandi
Marque posted Mon, 03 July 2006 at 4:33 PM
I don't know what it tried to load with and don't care. If I don't get a good explanation for this from rendo they can kiss me and my money goodbye. They have NO business trying to scan ANYTHING on my system.
bevans84 posted Mon, 03 July 2006 at 5:30 PM
IDK why they would be scanning ports, I keep all unused ports closed on my systems.
The scan is probably benign. I mean, everyone is trusting them with their credit card info, or trusting that their paypal link isn't harvesting their password, so I wouldn't worry about it.
Every deal I've done with Rendo has ended well, and I've found them more than helpful with any problem, so I pretty much trust them.
You can worry about it, I guess, but I'm not. Anyway, it's been my experience that Norton usually causes more problems and confusion than it ever cures.
FWIW
Acadia posted Mon, 03 July 2006 at 7:07 PM
Quote - I wouldn't worry about it.
I'm not worried about it. I have no sensitive, classified information on my computer. I'd just like to know what reason they have for attempting to scan our ports.
I sit behind a router and software firewall most of the time and I've done those port scans to look for open ports and my computer always shows as "stealth".
infinity10 posted Mon, 03 July 2006 at 7:35 PM
If I'm behind a router and firewall, does the scan even reach my individual pc ? I ain't been alerted by my antivirus software, and my machines have Norton, McAfee and AVG respectively ( ! )
Eternal Hobbyist
Marque posted Mon, 03 July 2006 at 7:39 PM
I'm also behind a router and firewall and Norton picked it up which surprised me.
bevans84 posted Mon, 03 July 2006 at 8:50 PM
Network Address Translation (NAT) will allow the scan to pass through open ports. The fact that the firewall blocked the scan means that it did its job, and you were in no danger.
A few years back, while bringing up a fresh NT 4 Server install, the server was compromised through a well known NT vulnerability before I could locate the Service Pack CD and install it. Less than two minutes. :-) Had to format and start all over again.
This kind of stuff just happens, and will keep happening. About all anyone can do is to protect yourself as well as you can. There are freeware programs like SpyWareBlaster that harden your system quite well. Spybot S&D and SpyWareBlaster makes a pretty good one/two punch.
As far as why, I could only guess. They honestly might not be aware of it. Could be something that is integrated in Bondware.
Darboshanski posted Mon, 03 July 2006 at 9:11 PM
I was fortunate and picked up nothing. However, given the state of this site and its server issues nothing would surprise me.
Miss Nancy posted Mon, 03 July 2006 at 10:07 PM
the client's browser sends an http request to the server, to port 80 or 8080 or something. the server isn't supposed to do anything similar, is it? I just get the feeling that the loading and functioning of any requests for certain ports on the client's machine was (or is) associated with one of their commercial banners, which may access some code from a remote server. AFAIK they have disabled the inclusion of any scripts in any of the forum messages or subject lines, which was a big problem that some hacker tried to exploit in a previous bondware version IIRC.
KarenJ posted Tue, 04 July 2006 at 1:08 AM
Hmmm. I'll alert the programming team to this thread. I've never seen anything like this and I tend to run with a fairly paranoid setup.
Has anyone else apart from Marque experienced this anywhere on site? (Nil returns not required)
Marque - I don't suppose you can remember what ad banner was on screen?
"you are terrifying
and strange and beautiful
something not everyone knows how to love." - Warsan
Shire
jww1960 posted Tue, 04 July 2006 at 1:23 AM
Norton Internet Security actually blocked the same thing coming from RDNA at 12:38 am PDT on my system.
Jeff
Marque posted Tue, 04 July 2006 at 5:53 AM
To be honest I rarely look at the banners.
mickmca posted Tue, 04 July 2006 at 6:11 AM
What banners? Oh, those.
elisandra posted Tue, 04 July 2006 at 6:56 AM
Seems strange that there are still net users who don't have full stealth. Stealthing your system is a good way to stop these stupid backdoor attacks.
PJF posted Tue, 04 July 2006 at 7:09 AM
This computer (not my regular) got "hit" with this 4 times. Norton Antivirus 2006.
3rd July 12:04:36 BST
TCP Destination Port: 2433.
TCP Header Flags: 0x00000e3d. These TCP Flags are invalid and the packet is characteristic of an NMap Xmas Scan.
3rd July 15:01:00 BST
TCP Destination Port: 2618.
TCP Header Flags: 0x00000eff. These TCP Flags are invalid and the packet is characteristic of an NMap Xmas Scan.
3rd July 16:16:00 BST
TCP Destination Port: 1712.
TCP Header Flags: 0x00000fff. These TCP Flags are invalid and the packet is characteristic of an NMap Xmas Scan.
3rd July 16:54:49 BST
TCP Destination Port: 1855.
TCP Header Flags: 0x00000cf9. These TCP Flags are invalid and the packet is characteristic of an NMap Xmas Scan.
(BST = British Summer Time = GMT +1)
Happy Independence Day to US members!
I’m off for a cup of tea (downfall of the British Empire! ;-)).
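An added example, not part of any poster's message: a small Python decoder that names the TCP flags in each value from the alerts listed above and compares them with the flag patterns Nmap's null (`-sN`), FIN (`-sF`) and Xmas (`-sX`) scans send. It assumes the low 8 bits of the logged "TCP Header Flags" value are the standard TCP flags byte; the function names and labels are hypothetical.

```python
# Added example. Assumption: the low 8 bits of the value in the alert are
# the TCP flags byte (FIN=0x01 ... CWR=0x80); higher bits are ignored.
FLAG_BITS = [
    (0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"), (0x08, "PSH"),
    (0x10, "ACK"), (0x20, "URG"), (0x40, "ECE"), (0x80, "CWR"),
]
FIN, SYN, RST = 0x01, 0x02, 0x04
XMAS = 0x01 | 0x08 | 0x20  # FIN + PSH + URG, the pattern of nmap -sX

# Values copied from the four alerts in the post above.
ALERT_VALUES = [0x00000E3D, 0x00000EFF, 0x00000FFF, 0x00000CF9]


def decode_flags(value):
    """Return the names of the flags set in the low byte of `value`."""
    flags = value & 0xFF
    return [name for bit, name in FLAG_BITS if flags & bit]


def classify(value):
    """Label a flags value by the probe pattern it matches, if any."""
    flags = value & 0xFF
    if flags == 0x00:
        return "null"        # no flags at all: nmap -sN
    if flags == FIN:
        return "fin"         # FIN only: nmap -sF
    if flags == XMAS:
        return "xmas"        # exactly FIN+PSH+URG: nmap -sX
    if flags & SYN and flags & (FIN | RST):
        return "syn_fin_rst" # SYN with FIN or RST never occurs in valid TCP
    if flags & XMAS == XMAS:
        return "xmas_like"   # FIN+PSH+URG plus other flags
    return "other"


def report(values):
    """Return (hex value, flag names, label) for each logged value."""
    return [(hex(v), decode_flags(v), classify(v)) for v in values]


if __name__ == "__main__":
    for row in report(ALERT_VALUES):
        print(row)
```

Under that assumption, none of the four logged values is the exact FIN+PSH+URG pattern; each has additional flags set.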
Posermatic posted Tue, 04 July 2006 at 9:27 AM
It has happened to me also 3 or 4 times yesterday. All in the Poser forum.
Norton security suite also.
Acadia posted Tue, 04 July 2006 at 11:50 AM
Attached Link: http://market.renderosity.com/mod/forumpro/showthread.php?thread_id=2655153
I made a post about this in the Community forum yesterday after reading this thread. There is an answer posted there.
KarenJ posted Tue, 04 July 2006 at 2:38 PM
If anyone else gets this, please check what banner is on screen and if possible right-click and copy the link it's giving. The programmers have advised that there shouldn't be any port-scanning going on.
themomster0 posted Tue, 04 July 2006 at 7:23 PM
I haven't had any alerts from here (yet). I did get one from another Poser site, but it wasn't a real worm, just adware from a banner. I run Nod32 and it stopped it cold even though it wasn't anything too serious.
Fredy posted Thu, 06 July 2006 at 1:09 PM
got one 15 minutes ago... took some time to find this thread... I was browsing the galleries...