Author |
Hacker |
Jabberwocky Chief Marshal Pitch Black
Joined: September 01, 2002 Posts: 45
| Posted: 2003-09-01 15:46  
Over the last month every time I log into a game server someone attempts to access my computer using an alta vista traversal. My firewall blocks the attempt, but at the same time disconnects me from the server. As this only ever happens when I'm playing DS, I feel the person who is doing this is probably a player as well. The details given to me by my firewall program are:
IP: 209.198.154.18
Node Name: Phobos.palestar.com
Route: PrismNet Inc.
I have informed prismnet of the intrusions, but any suggestions or help in this matter would be greatly appreciated.
_________________
|
Novacat Grand Admiral
Joined: October 30, 2001 Posts: 2337 From: Starleague Cache
| Posted: 2003-09-01 15:50  
If the Node name means origination, then, uhhh, that is DS accessing your system.
_________________ Ghostly Specter of an Ancient Past.
|
Josef Marshal
Joined: February 15, 2002 Posts: 833 From: The Internet
| Posted: 2003-09-01 15:54  
phobos.palestar.com is the address of the Fleet Admiral server
PrismNet is Darkspace's internet provider.
_________________ Fleet @0. Simply the best.
|
Jabberwocky Chief Marshal Pitch Black
Joined: September 01, 2002 Posts: 45
| Posted: 2003-09-01 15:58  
I've been playing this game for nigh on a year and have not had this problem until now...if this is part of the server function why is it causing my firewall to have a nervous breakdown?
_________________
|
Josef Marshal
Joined: February 15, 2002 Posts: 833 From: The Internet
| Posted: 2003-09-01 16:02  
I don't know if it will be much help, but I found this about your alta vista traversal:
http://www.safermag.com/html/safer20/alerts/06.html
It says something about port 9000, one of the ports DS uses to connect to the game servers.
Unless you're running an Altavista search engine webserver from your computer, you probably don't have to worry...
_________________ Fleet @0. Simply the best.
|
Tael 2nd Rear Admiral Palestar
Joined: July 03, 2002 Posts: 3697 From: San Francisco Bay Area
| Posted: 2003-09-01 16:13  
Quote:
|
The AltaVista Search engine sets up a webserver at port 9000 to listen for search queries. The main search function will accept a single '../' string in the query, providing access to all documents in the 'http' directory one level up.
|
|
Darkspace chats on ports 9000 - 9004
The most likely culprit here is a poorly designed firewall that only looks at the port number and not the data packets coming through...
Black Ice is notorious for false alarms like this.
Your system is not being hacked, it's simply a confused internet intrusion software package that doesn't know the difference between legit traffic and web data sent on port 9000
_________________
|
Chromix Cadet
Joined: June 29, 2001 Posts: 3052
| Posted: 2003-09-01 16:15  
Quote:
| I have informed prismnet of the intrusions |
|
Bad choice, before you take such a step as informing the ISP (and possibly getting palestar lots of trouble), you should verify you're 99% sure of what's going on... more on this later.
Quote:
| ...log into a game server someone attempts to access my computer ... My firewall blocks the attempt, but at the same time disconnects me from the server |
|
Get rid of your firewall and get a better one.
It seems to be a habit of common firewalls to "prove they're worth their money" by popping up on every occasion & displaying colorful warnings. Disconnecting really hurts. You may lose your ship because of that (1 minute timeout & someone kills you)
Quote:
| I feel the person who is doing this is probably a player as well |
|
Players have no way to see your IP, unless you connect to a player-run server.
Ok, now for the facts:
When connecting to FA your PC initiates a TCP connection to phobos.palestar.com port 9000. On it compressed game data & serverchat is transferred. Even if there was an "attack pattern" of what ever kind running through that stream, your firewall CAN NOT detect it, since it's compressed.
What happens is: Your firewall does a dumb (more on that later) match against its intrusion pattern list, some compressed data may randomly look like some "attack pattern".
Still don't believe me ? Then we take a look at what your "alta vista traversal" attack is:
Prerequisites for the AltaVista Traversal attack: You need to run a Webserver and host a site there which uses an old altavista cgi as searchscript for it.
How it works: An external client initiates a connection to your webserver and sends a specially crafted string which exploits a weakness in the CGI script.
This allows a user to access files on the same drive your webserver is on, if he knows the exact path & name.
That's why I called it a dumb match, you are not running a webserver on your PC, you are not hosting an old altavista CGI, and the darkspace server initiated no connection to your PC.
If your firewall allows it: Browse the list of patterns the IDS of your firewall has and deactivate all those which'd never happen to you anyway.
If this isn't possible I suggest you get a better firewall.
_________________
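Added example (not part of any post in this thread, and not any firewall product's actual logic): a sketch of the difference described above between a port-and-substring match and a rule that checks the traversal's preconditions first. The `Segment` fields, function names and sample payloads are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Segment:
    local_initiated: bool  # True if this PC opened the TCP connection
    local_port: int
    remote_port: int
    inbound: bool          # True if the payload travels remote -> local
    payload: bytes

def naive_match(seg: Segment) -> bool:
    """Port-plus-substring rule: fires on any '../' seen on port 9000."""
    return 9000 in (seg.local_port, seg.remote_port) and b"../" in seg.payload

def context_match(seg: Segment, local_listeners: set) -> bool:
    """Fire only when the traversal's preconditions can actually hold."""
    # The attack needs a remote client connecting to a web server on this PC.
    if seg.local_initiated or not seg.inbound:
        return False
    if seg.local_port not in local_listeners:
        return False
    # The payload must be an HTTP request whose target carries '../'.
    parts = seg.payload.split(b"\r\n", 1)[0].split(b" ")
    return (len(parts) == 3 and parts[0] in (b"GET", b"POST")
            and parts[2].startswith(b"HTTP/") and b"../" in parts[1])

# Constructed samples (not captured traffic).
# 1) Reply data on a connection this PC opened to a game server on port 9000;
#    the opaque bytes happen to contain '../'.
GAME = Segment(True, 51515, 9000, True, b"\x78\x9c\x4b\x2d../\x8f\x01\x00")
# 2) A remote client sending an HTTP request to a listener on local port 9000.
WEB = Segment(False, 9000, 40222, True,
              b"GET /search?q=../example.txt HTTP/1.0\r\n\r\n")

def triage(segments, local_listeners):
    """Return (naive, contextual) verdicts for each segment."""
    return [(naive_match(s), context_match(s, local_listeners)) for s in segments]

if __name__ == "__main__":
    # A gaming PC with no listening services, then a host serving on port 9000.
    print(triage([GAME, WEB], set()))
    print(triage([GAME, WEB], {9000}))
```

The naive rule alerts on both samples; the contextual rule stays silent on the game stream and alerts on the HTTP request only when something is actually listening on local port 9000.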
|
Jabberwocky Chief Marshal Pitch Black
Joined: September 01, 2002 Posts: 45
| Posted: 2003-09-01 16:17  
Thx Josef, I appreciate the effort. I'm not worried about it, really all I want to know is how to stop getting disconnected half way through a game...without losing the protection of my firewall.
NM...the game's still playable, it's just a bit irritating at times.
_________________
|
Jabberwocky Chief Marshal Pitch Black
Joined: September 01, 2002 Posts: 45
| Posted: 2003-09-01 16:22  
Ok...my thanks to chromix and tealron for setting me straight...can someone recommend a good firewall I can get that will solve this problem?
_________________
|
Firekka Fleet Admiral
Joined: October 27, 2002 Posts: 285
| Posted: 2003-09-01 17:01  
I never have problems with zonealarm.. personally I use the pro version but I guess the free version is just as good (just little extras).
/me wonders why my name is in chromix' sig.. if you like me just say so
_________________ // In space the Shadows are everywhere... //
|
Firekka Fleet Admiral
Joined: October 27, 2002 Posts: 285
| Posted: 2003-09-01 17:02  
hmm.. already got it.. must be some script or whatever
_________________ // In space the Shadows are everywhere... //
|