    Under Attack

    1. #1
      chopster

      Hi
      Can anyone offer any help? Since going over to Sky & changing to the new Sagem router I appear to have come under attack. My anti-virus, Kaspersky 5.0, is reporting several attacks a day - Intrusion.win.mssql.worm.Helkern, then an IP address. These vary, but after pinging they all appear to come from China. This has only started since going to the new Sagem router; previously I was with Zen Internet & used the Netgear DG834G router & I never suffered any attacks. I am using Windows Firewall. I may be on the wrong track, but is this because the Netgear was repelling these attacks whereas the Sagem is letting them through? Up until now all these attacks have been successfully repelled. But am I at risk, & is it because the Sagem has an inferior firewall to the Netgear? Any help would be appreciated.


    3. #2
      James67

      The Sagem router - like any other ADSL router/modem - will not forward any unsolicited connection attempts, unless someone or something specifically instructs it to. These messages suggest that you have UDP port 1434 forwarded to your PC, either because you explicitly forwarded that port in the router's configuration pages, or because some other piece of malware on your PC has used UPnP to set up port forwarding on that port.

      So do you have a forwarding rule set up for UDP port 1434? Have you set up your router to put your PC in what's known as the DMZ, where all inward connection attempts get forwarded to your PC?

    4. #3
      Isitme

      This is a long-documented worm which tries to attack machines running SQL Server. Are you? If you are, there is a patch available, from the link below. Kaspersky seems to be about the only one that reports it; other firewalls just seem to block it silently. The subject came up on another forum I frequent a couple of days ago.

      This is an extract from an article dealing with it -

      "Helkern" infects only computers running Microsoft SQL Server 2000, a multi-functional database system widely used primarily on Web-servers. To home users of any Windows version without the installation of Microsoft SQL Server the worm poses no threat.
      Maybe you would like to read the full article, which you will find HERE

      TomD



    5. #4
      chopster

      Hi
      Thanks for the replies. I will try to answer as accurately as possible but some of it is a little new to me. Firstly, James - I don't believe I have any ports forwarded, & how do I check to see if the router is in DMZ mode? My router firewall has all inbound traffic in the default mode, e.g. block always, except I have created an exception for uTorrent but have it set up to change incoming port at startup from within the program. My services table is empty. I have just run a Norton exposure to hackers check & it came back safe; however, my ICMP ping was open. Is this normal? It's just I can't understand how it can come back safe with an open port.

      Isitme - No, I am not running a SQL server, so I take it from the extract you posted that it will not affect me (good news), but how come it is getting as far as my AV? Surely it should be picked up by the router's firewall.

      Thanks to both of you it is appreciated.

    6. #5
      Keiran2K8

      Hey Chopster,

      Could you post your Sagem log: http://192.168.0.1/sky_logs.html
      Mine records all the connections/intrusions (ports and everything) and what it did with them, allow and block etc.

      If there is a record in the log saying it has been allowed, then I guess the Sagem is allowing it through.
      If it isn't in the log, either it is through a port you have opened manually and asked not to report on in the log, or something else.
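
The log check described in the post above, written out as an added example (not part of the original thread). The log line layout, the timestamps and the addresses are constructed for illustration and are not the Sagem's real log format.

```python
import re

# Assumed line layout (hypothetical, not the Sagem's real format):
# "<date> <time> <ACTION> <PROTO> <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|BLOCK) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$")

# Constructed sample log; addresses are documentation ranges.
SAMPLE_LOG = """\
2008-01-12 09:14:02 BLOCK TCP 198.51.100.7:4021 -> 192.168.0.2:445
2008-01-12 09:15:40 ALLOW UDP 203.0.113.9:1050 -> 192.168.0.2:1434
2008-01-12 09:16:11 BLOCK UDP 203.0.113.20:1099 -> 192.168.0.2:1434
garbled line the parser should skip
"""

def parse(log_text):
    """Return one dict per well-formed log line; skip anything else."""
    entries = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries

def triage(alert_sources, entries, proto="UDP", dport="1434"):
    """Map each alerting source IP to 'allowed', 'blocked' or 'not logged'."""
    verdicts = {}
    for src in alert_sources:
        hits = [e for e in entries
                if e["src"] == src and e["proto"] == proto and e["dport"] == dport]
        if any(e["action"] == "ALLOW" for e in hits):
            verdicts[src] = "allowed"      # router passed it to the LAN
        elif hits:
            verdicts[src] = "blocked"      # router dropped it
        else:
            verdicts[src] = "not logged"   # unlogged open port, or another path
    return verdicts

if __name__ == "__main__":
    sources = ["203.0.113.9", "203.0.113.20", "192.0.2.55"]  # IPs from AV alerts
    for ip, verdict in triage(sources, parse(SAMPLE_LOG)).items():
        print(ip, verdict)
```
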

    7. #6
      James67

      Originally posted by chopster:
      "Thanks for the replies. I will try to answer as accurately as possible but some of it is a little new to me. Firstly, James - I don't believe I have any ports forwarded, & how do I check to see if the router is in DMZ mode?"
      Well, it's not on by default, so unless you've been changing settings entirely at random, it's safe to assume that it's probably still off.

      Originally posted by chopster:
      "My router firewall has all inbound traffic in the default mode, e.g. block always, except I have created an exception for uTorrent but have it set up to change incoming port at startup from within the program. My services table is empty."
      That confuses me. You've created an inbound firewall rule for uTorrent, but the port changes at startup, and the services table is empty. That doesn't make any sense - you would have to add an entry to the services table in order to do that. Are you sure that you haven't added an inbound firewall rule that has a "service" setting of "All"?

      Originally posted by chopster:
      "I have just run a Norton exposure to hackers check & it came back safe; however, my ICMP ping was open. Is this normal? It's just I can't understand how it can come back safe with an open port."
      It just means that people can "ping" your router and all that does is tell Johnny Hacker that there is something there at that IP address - it doesn't give him access to your router or your PC. Some people like to stop the router responding to ping requests - it's not really necessary.

    8. #7
      chopster

      Hey James
      you were right, I had an inbound setting of all. (I'm such a dork.) Hopefully that should be the last of the Kaspersky warning boxes. I have removed the tick from the randomize port box in uTorrent & added it to the list of services. What's the score with the start & finish port nos.? If, say, you were using port 34412, would you just enter this into both boxes?
      Fiberoptic, thanks for the info about the router log. I'll bear that in mind for the future, but there's not much point sending one now as hopefully it's sorted.

      Cheers.

    9. #8
      James67

      Yeah, that's right, if you want to use just one port, you enter the same number into both boxes.
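
An added example (not part of the original thread) that audits an inbound rule table for the misconfiguration found above: an allow rule with a service of "All" exposes UDP 1434, while a rule with the same start and finish port opens only that port. The rule fields, the LAN address 192.168.0.2 and both sample tables are constructed; they do not reproduce the Sagem's configuration format.

```python
from dataclasses import dataclass

SQL_RESOLUTION_PORT = ("udp", 1434)  # port James67 names for the Helkern alerts

@dataclass
class InboundRule:
    service: str   # label from the services table, or "All"
    proto: str     # "tcp", "udp" or "any"
    start: int     # start port
    finish: int    # finish port (equal to start for a single port)
    action: str    # "allow" or "block"
    target: str    # LAN address the traffic is sent to

def covers(rule, proto, port):
    """True if an allow rule lets this protocol/port through to the LAN."""
    if rule.action != "allow":
        return False
    return rule.proto in ("any", proto) and rule.start <= port <= rule.finish

def audit(rules, max_span=100):
    """Return (rule, reason) pairs for allow rules that expose too much."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        span = r.finish - r.start + 1
        if covers(r, *SQL_RESOLUTION_PORT):
            findings.append((r, "exposes UDP 1434 to " + r.target))
        elif span > max_span:
            findings.append((r, f"opens {span} ports"))
    return findings

# Constructed tables: the broad rule from the thread, then the narrowed rules.
BEFORE = [InboundRule("All", "any", 1, 65535, "allow", "192.168.0.2")]
AFTER = [InboundRule("uTorrent", "tcp", 34412, 34412, "allow", "192.168.0.2"),
         InboundRule("uTorrent", "udp", 34412, 34412, "allow", "192.168.0.2")]

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        results = audit(table)
        for rule, reason in results:
            print(label, rule.service, reason)
        print(label, "findings:", len(results))
```
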

    10. #9
      chopster

      Cheers & thanks for your help James

     

     
