one of us |
Folks,

Just a heads up, don't know that it is a big deal yet, but while we were chatting at the site tonight Rich Jake had some alarms going off from Norton's personal firewall. There are several reasons this might happen, in fact I was getting hit so often for a while that I shut most of my alerts off. Anyway, the following is what I sent Matt:

****************************************

Matt -

Not sure what to make of it, but while we were using the chat tonight Rich Jake got the following hit on Norton's personal firewall:

Confidential data "Bank Account" Blocked to site www.cbdent.com

You been infected, or???

Rich and I would really like to know along with a couple of others that were there...

Thanks,

steve
<Matt G SSF> |
Before this gets blown way out let me try to provide everyone with a little known, factual information on viruses, firewalls and such.

All cbdent.com servers run Linux Red Hat 7.2, this for starters prevents my servers from EVER being infected by a virus. Viruses can only infect a Windows or Mac box. Linux, Unix, any of the Sun OS's, Amiga and the others like them CAN NOT BE INFECTED by a virus, reason for this is these types of Operating Systems are based on a very tight security system, whereas ONLY (ROOT) access can be gained with the proper Password. Without Root Access a virus can do nothing; in a Windows Box when you are on the computer You are ROOT. Now before the question is asked, "What if someone gets the Root Password", it still can't happen. The File system for one is totally different: Windows computers run one of the following types of file systems, FAT, FAT32, NTFS; Linux has its own file system, and a Windows Program can only be run on a Linux Box if you run a program such as "wine", and even then very limited use of the Windows based program can be accomplished.

Now if any of you would like to learn more about this so that you can better understand how and why such things are "IMPOSSIBLE", here is a link: http://neworder.box.sk. Now this link is to the REAL Internet Underground, here you will find out all the little tricks, secrets and such that will explain how, why and answer most any question regarding Hacking, Security and Viruses. There is enough reading here that would keep a person busy for years but you can find anything that you want to know about the subjects. I strongly urge everyone to give it a look just to be better informed on this.
Now, I am not saying that the Message "BANK ACCOUNT" did not pop up, but I will say that in all the years that I have used and recommended Norton firewall I have NEVER seen a message such as this pop up. The reason for this is because Norton Firewall has absolutely NO IDEA what type of information is being accessed, it only knows that a request for information has come in from a port that was not authorized, and in such a case it will BLOCK that request, write an entry in the log file and, if you have alerts on, it will notify you of such, but the information that it will log is the IP address of the offending party, the port they tried to access, the time and date, that's about it.

I have heard that in some versions of NF (Norton Firewall) it was possible to send a message to a person using NF in the form of a Pop up Dialog box and send a text message in the pop up, but Norton quickly fixed this, and if you keep your Symantec Products updated then this bug would have been fixed. This exploit was usually used to try and get someone to click a link or visit a website so that the offenders could get access to the person's computer through common ports that the web browser and server use. I have not heard of this in a long time, though it can't be ruled out, because most of the "Want To Be Hackers" search and use old exploits that are published on the net in an attempt to "Hack a Computer", but it only shows that they are not real bright, because once an Exploit has been published to the net it has usually been fixed by the creators of the software that had the exploit.

A common misconception is that the Hacking underground is based on Chaos and Causing Chaos. This is more often than not untrue: most of the Underground Community finds, locates and reports possible Exploits to several organizations that cooperate with each other to remove the Exploit and prevent damage from occurring to begin with. Again as I always say, "Knowledge is Power, Share It", and we do.........
I have reviewed All the logs from last night and have found nothing out of the ordinary in any way. All access to the servers was on port 80 and 88. These ports are the normal ports for WEB access, and though 88 is not used often it is used by some older UNIX systems, i.e. Big Brother, and I find that they monitor SSF, GBO and every other Gun related site that I have ever seen the logs for, so again nothing strange about that.

Now please understand that I am not saying that Rich did not get this message, I am simply saying that Rich, you really should run a Live Update and make sure that you have all current updates and Patches installed to fix the "bug" NF has. I believe that this was an attempt to cause panic and stir problems between the users of the chat program, but not by us or any one of the people that uses it. I was not there so I have no idea of who was (by handle or nickname), nor can I be sure that it was not some anti that just don't like us to begin with. I did find 4 IP addresses that I had never seen before and will be looking into them closer to figure out who they were. I will post my findings here and on SSF to just keep everyone informed, but I will say this to anyone that reads these forums and "LURKS" here in an attempt to cause "US as a Group" problems: "Mess around on my servers and I will catch your ass and when I do May GOD have mercy on your soul cause I won't on your ass." I take much offence to someone tampering with my servers in an attempt to cause "My Friends" problems, and if you think you are good, You have no idea how good I am.
Let me just explain to everyone that I can see everything that is sent to and from my servers. Though this is not a practice that I implement, I can do it. I will be reviewing the raw access logs today, and though this will take hours for me to do, I will find out if anyone sent any information through my servers to anyone that was chatting last night (causing the www.cbdent.com address to be shown to Rich). Please understand that what this means is someone using my server as a gateway to gain access to someone that was chatting in the chat room last night, or at any other time for that matter. If I find anything such as this I will:

1) Post the IP address Here
2) Notify the CIAC
3) Research and find the person's ISP and contact them with a request based on "Hack Attempt", gain that person's PERSONAL INFORMATION and post it here, then May God Really have mercy on your soul cause I know that the people here will not.

So if this is an attempt by someone to cause the users of SSF and AR problems then you have only caused yourself the problems.......

**** Tips from a Professional Networking and Internet Specialist to all readers of this forum. ****

1) If you store any personal information on your computer and you are not behind a HARDWARE FIREWALL (router, dedicated Hardware Firewall, Proxy Server or such), get a software Firewall / Port Monitor / Blocker, and make sure you keep it updated with any patches or bug fixes released by the manufacturers of the software.

2) Get a good Anti-Virus Software, I strongly recommend Symantec Norton Anti-Virus 2002/2003, AND KEEP IT UPDATED DAILY !!!!!!!!!!!!!

3) READ READ READ all the information that you can on current viruses, how they work, what they do and how to detect and prevent them. I will post links below for this reading.

4) Never use or Post your ISP issued email address on these or ANY forum / Chat site. Get a free one from one of the many sites that offer them. Make sure that when you check your email for these free accounts you use Web Mail (email viewed in the web browser, NOT Outlook, Outlook Express, Eudora, or any of the other email clients), and then NEVER read or open an email with an attachment, even if you know the person sending the email, unless you are expecting the attached file.

5) Outlook and Outlook Express users: create a new contact in your contacts list with the name of !!!!!!!!!! and the email address of !!!!! (number of ! don't matter as long as there is more than one). The reason for this is most all viruses nowadays are email viruses. If you put this in your contacts list it will become the first contact on the list. If you are infected, and when the virus attempts to send an email to this contact (that's how they work, they send themselves to all of your contacts), your email server will kick it back with an error telling you that it is not a valid email address. Well, you did not send it, so guess what, a virus tried to, and then you should take the steps to remove the virus from your computer. This may also work with Netscape Email and Eudora, but I am not sure as I don't like or use these programs.

6) Search for and download a Pop-Up Stopper. I have found that most websites that have a virus will attempt to send it to you in the form of a Pop up. Please understand that ONLY WINDOWS BASED SERVERS as of now can contain a server based Virus that will infect you when you access the site, due to the fact that only WINDOWS BASED SERVERS allow for Active X controls to be embedded in the server modules and run on the server's side. Apache will allow Active X but only Client Side, i.e. (FrontPage Extensions) .......though steps are being taken to make it possible for Server Side Active X to be run on some versions of the Apache Server (I don't like it), but soon we will all have this problem.

7) Most email viruses nowadays send themselves as Images, so if you get any email from someone that is a silly little button image or some off the wall image that makes no sense to you, guess what, it is most likely a virus. If your ISP does not offer Email Virus Scanning I suggest changing to one that does, but nonetheless make sure you have your own running and keep it updated.

I could go on for days on ways to protect yourself and keep these things from happening, but coming from me it may not sink in, or you may not be able to understand what I am talking about, or you may think I am just full of shit, so again do not just take my word on this. READ, READ, get informed and protect yourself and your computer equipment. It costs money to recover from these types of attacks, don't let it cost you money because you think I am full of shit..... After 18 years of being into computers and 12 years of being in the Computer / Networking / Internet business I have seen just about everything you can imagine. I have learned everything that I know from reading, and doing it. Research these issues and you too will learn as much as I have.

I have decided to create a new forum on SSF dedicated to nothing but computer and internet security related issues, this way everyone can benefit from everyone's knowledge on the subject, seeing how it seems to be a growing problem on gun, hunting, shooting and firearms related websites.

http://neworder.box.sk - from this link you can find more knowledge than one could possibly absorb in a lifetime.

If anyone has any questions or comments please ask, and I will do my best to answer them or point you to a place where you can find the answer.

Knowledge Is Power, Share It.

Matt
one of us |
Matt,

I hope that I am not the only one to read this post as there is a lot of info here, most of it is "GREEK" to me, but am still learning about these 'puters. Heck I do good just to get the blasted thing turned on. If it wasn't for the two kids I would have shot a hole in this thing a long time ago.

Jeff
one of us |
Matt,

You lost me pretty fast in your explanation. All I know is while I was on the Chat with a couple of guys, that is what happened. It was repeated attempts. There is a sign that came up from Norton Firewall that explained what was being done, the type of risk & the time of the attempt. If you are checking what was done last night, when I told these guys I have a problem, that is when it started. It kept repeating & wouldn't stop until I disconnected the connection to the chat. There is a type of Globe icon from the Norton firewall program that you can click on & this is what it said: Confidential data "bank account" blocked to site "www.cbdent.com". Don't know who was behind it, just know that it happened. I went back to your site after that & it did not continue. So that's when I disconnected from the chat & have not returned. I did update my Firewall after that as well. You can be sure of one thing, I have never seen this before & don't know what to think of it. Until I get an explanation of what was being done I'll be staying away from that Chat.

Matt, here is what really bothers me: if you are as good as you say you are & you can't find out what went on, maybe you're not as good as whoever it was last night. Not trying to cause problems, only reacting to what went on.

Rich Jake
one of us |
Matt, thanks for the reply. I sent you an email off list, we can talk there.

steve