Mirc [Sygate reports port scan attack while logging on]

Discussion in 'Malware and Virus Removal Archive' started by bombagirl, 2006/12/12.

  1. 2006/12/15
    bombagirl

    bombagirl Inactive Thread Starter

    Joined:
    2006/08/20
    Messages:
    155
    Likes Received:
    0
    Hi mailman....thanks for your support...

    My mirc is latest.... still in trial version...I always use Undernet....don't know how to set invisible mode myself...sorry...am not an expert of MIRC


    "If you regularly use several anti-malware applications and you are reasonably confident your computer is free of malware, then I expect you can ignore anti-malware application alerts regarding mIRC."

    I use F-prot, sygate, ewido and spybot...are these enough?
     
  2. 2006/12/15
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Charles, thanks! :)

    Claudine, I connected to Undernet's Mesa, AZ server (mesa.az.us.undernet.org) with mIRC and got the following alerts in my ZoneAlarm Pro firewall as a result.

    Code:
    				Source			Dest.
    Time		Source IP	Port	Destination IP	Port	Protocol
    ==========	==============	====	=============	=====	=============
    9:16:10 PM	193.109.122.19	4678	My IP Address	63808	TCP (flags:S)
    9:16:10 PM	193.109.122.45	4821	My IP Address	10777	TCP (flags:S)
    9:16:08 PM	193.109.122.39	4533	My IP Address	559	TCP (flags:S)
    9:16:08 PM	193.109.122.43	4385	My IP Address	23422	TCP (flags:S)
    9:16:06 PM	193.109.122.29	4241	My IP Address	80	TCP (flags:S)
    9:16:06 PM	193.109.122.8	4098	My IP Address	8080	TCP (flags:S)
    9:16:04 PM	193.109.122.60	3954	My IP Address	8080	TCP (flags:S)
    9:16:04 PM	193.109.122.47	3516	My IP Address	7040	TCP (flags:S)
    9:16:04 PM	193.109.122.60	3808	My IP Address	3380	TCP (flags:S)
    9:16:02 PM	193.109.122.21	3662	My IP Address	14321	TCP (flags:S)
    9:16:00 PM	193.109.122.43	3370	My IP Address	28882	TCP (flags:S)
    9:16:00 PM	193.109.122.36	3221	My IP Address	10099	TCP (flags:S)
    9:15:58 PM	193.109.122.38	3071	My IP Address	19991	TCP (flags:S)
    9:15:58 PM	193.109.122.42	2922	My IP Address	23	TCP (flags:S)
    9:15:56 PM	193.109.122.52	2775	My IP Address	19086	TCP (flags:S)
    9:15:56 PM	193.109.122.51	2632	My IP Address	1028	TCP (flags:S)
    9:15:54 PM	193.109.122.6	2490	My IP Address	6588	TCP (flags:S)
    9:15:54 PM	193.109.122.24	2347	My IP Address	8000	TCP (flags:S)
    9:15:52 PM	193.109.122.33	2206	My IP Address	4471	TCP (flags:S)
    9:15:52 PM	193.109.122.38	2066	My IP Address	1182	TCP (flags:S)
    9:15:50 PM	193.109.122.19	1926	My IP Address	49871	TCP (flags:S)
    9:15:50 PM	193.109.122.28	1789	My IP Address	3382	TCP (flags:S)
    9:15:48 PM	193.109.122.20	1653	My IP Address	63000	TCP (flags:S)
    9:15:48 PM	193.109.122.52	1516	My IP Address	30022	TCP (flags:S)
    9:15:46 PM	193.109.122.20	1233	My IP Address	5181	TCP (flags:S)
    9:15:46 PM	193.109.122.36	1377	My IP Address	4480	TCP (flags:S)
    9:15:44 PM	193.109.122.35	1088	My IP Address	1031	TCP (flags:S)
    9:15:44 PM	193.109.122.56	4920	My IP Address	12654	TCP (flags:S)
    9:15:42 PM	193.109.122.9	4624	My IP Address	6588	TCP (flags:S)
    9:15:42 PM	193.109.122.21	4773	My IP Address	1030	TCP (flags:S)
    9:15:42 PM	193.109.122.44	4331	My IP Address	3127	TCP (flags:S)
    9:15:40 PM	193.109.122.59	4476	My IP Address	8015	TCP (flags:S)
    9:15:38 PM	193.109.122.35	4186	My IP Address	24972	TCP (flags:S)
    9:15:38 PM	193.109.122.29	4041	My IP Address	1027	TCP (flags:S)
    9:15:36 PM	193.109.122.39	3896	My IP Address	40053	TCP (flags:S)
    9:15:36 PM	193.109.122.46	3753	My IP Address	8012	TCP (flags:S)
    9:15:34 PM	193.109.122.18	3610	My IP Address	18844	TCP (flags:S)
    9:15:34 PM	193.109.122.49	3466	My IP Address	24976	TCP (flags:S)
    9:15:32 PM	193.109.122.37	3325	My IP Address	407	TCP (flags:S)
    9:15:32 PM	193.109.122.32	3180	My IP Address	17771	TCP (flags:S)
    9:15:30 PM	193.109.122.34	2894	My IP Address	8002	TCP (flags:S)
    9:15:30 PM	193.109.122.7	3037	My IP Address	3128	TCP (flags:S)
    9:15:28 PM	193.109.122.29	2755	My IP Address	3127	TCP (flags:S)
    9:15:28 PM	193.109.122.48	2615	My IP Address	38883	TCP (flags:S)
    9:15:26 PM	193.109.122.31	2476	My IP Address	24971	TCP (flags:S)
    9:15:26 PM	193.109.122.56	2339	My IP Address	3124	TCP (flags:S)
    9:15:24 PM	193.109.122.41	2202	My IP Address	3128	TCP (flags:S)
    9:15:24 PM	193.109.122.8	2066	My IP Address	1098	TCP (flags:S)
    9:15:22 PM	193.109.122.36	1930	My IP Address	1080	TCP (flags:S)
    9:15:22 PM	193.109.122.23	1792	My IP Address	1029	TCP (flags:S)
    9:15:20 PM	193.109.122.31	1656	My IP Address	24973	TCP (flags:S)
    9:15:20 PM	193.109.122.14	1520	My IP Address	29992	TCP (flags:S)
    9:15:18 PM	193.109.122.16	1385	My IP Address	4480	TCP (flags:S)
    9:15:18 PM	193.109.122.16	1251	My IP Address	9000	TCP (flags:S)
    9:15:16 PM	193.109.122.42	1116	My IP Address	63000	TCP (flags:S)
    9:15:16 PM	193.109.122.39	4959	My IP Address	80	TCP (flags:S)
    9:15:14 PM	193.109.122.51	4696	My IP Address	5556	TCP (flags:S)
    9:15:14 PM	193.109.122.60	4826	My IP Address	3382	TCP (flags:S)
    9:15:12 PM	193.109.122.40	4568	My IP Address	8000	TCP (flags:S)
    9:15:12 PM	193.109.122.48	4436	My IP Address	32167	TCP (flags:S)
    9:15:10 PM	193.109.122.43	4304	My IP Address	1978	TCP (flags:S)
    9:15:10 PM	193.109.122.34	4170	My IP Address	9999	TCP (flags:S)
    9:15:08 PM	193.109.122.21	4029	My IP Address	3124	TCP (flags:S)
    
    This port scanning behavior is normal when you connect to Undernet IRC servers. Note the Source IPs (193.109.122.*) match the one you posted above...
    The IP address 193.109.122.25 resolves to proxypool-25.undernet.org located in Netherlands according to Port Explorer's IP resolving utility. Therefore, I believe you have no reason to be concerned about that Sygate firewall alert. You can rest easy knowing your firewall did its job properly by blocking those port scan connections and informing you about the port scan. :)

    The source IP you posted in your first message of this thread (207.182.243.125) resolves to scanner.vel.net. I expect that port scan is a normal result of connecting to a different IRC server (perhaps on a different IRC network). Since there are lots of IRC networks and multiple servers within those networks in mIRC's server list, I don't know which IRC network/server would use scanner.vel.net for its client port scans.

    I suppose a "vel.net" IRC network might be used by malware. (I am not familiar with "vel.net".) However, since all your anti-malware applications you listed above ("F-prot, sygate, ewido and spybot") are reputable and McAfee's SiteAdvisor report about vel.net does not indicate anything suspicious (as far as I can tell), I expect you do not need to be concerned about that port scan from scanner.vel.net (207.182.243.125).
     
    Last edited: 2006/12/15
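
Added example (not part of mailman's post or the original thread): a Python sketch that triages a firewall log like the one above by grouping bare-SYN probes per source /24 and flagging a network that probes many ports from many addresses. The `PROXY_PORTS` set, the thresholds and the last sample row are assumptions made for this example; the other sample rows are copied from the log above.

```python
import re
from collections import defaultdict
from ipaddress import ip_network

# First eight rows are copied from the firewall log in the post above;
# the last row (198.51.100.7) is constructed for contrast.
SAMPLE_LOG = """\
9:16:06 PM\t193.109.122.29\t4241\tMy IP Address\t80\tTCP (flags:S)
9:16:06 PM\t193.109.122.8\t4098\tMy IP Address\t8080\tTCP (flags:S)
9:16:04 PM\t193.109.122.60\t3954\tMy IP Address\t8080\tTCP (flags:S)
9:15:58 PM\t193.109.122.42\t2922\tMy IP Address\t23\tTCP (flags:S)
9:15:54 PM\t193.109.122.6\t2490\tMy IP Address\t6588\tTCP (flags:S)
9:15:54 PM\t193.109.122.24\t2347\tMy IP Address\t8000\tTCP (flags:S)
9:15:30 PM\t193.109.122.7\t3037\tMy IP Address\t3128\tTCP (flags:S)
9:15:22 PM\t193.109.122.36\t1930\tMy IP Address\t1080\tTCP (flags:S)
9:20:01 PM\t198.51.100.7\t40000\tMy IP Address\t445\tTCP (flags:S)
"""

# Assumption of this example: ports often associated with open HTTP/SOCKS proxies.
PROXY_PORTS = {80, 1080, 3128, 6588, 8000, 8080}
ROW = re.compile(r"^(\d{1,2}:\d{2}:\d{2} [AP]M)\t(\d+\.\d+\.\d+\.\d+)\t(\d+)"
                 r"\t[^\t]*\t(\d+)\tTCP \(flags:(\w+)\)$")

def parse(log):
    """Yield (time, src_ip, src_port, dst_port, flags) for each row that parses."""
    for line in log.splitlines():
        m = ROW.match(line.strip())
        if m:
            t, src, sport, dport, flags = m.groups()
            yield t, src, int(sport), int(dport), flags

def summarize(log, min_sources=5, min_ports=5):
    """Group SYN-only probes by source /24 and flag distributed scans."""
    nets = defaultdict(lambda: {"sources": set(), "ports": set()})
    for _, src, _, dport, flags in parse(log):
        if flags != "S":  # keep only bare SYNs, i.e. new connection attempts
            continue
        net = str(ip_network(src + "/24", strict=False))
        nets[net]["sources"].add(src)
        nets[net]["ports"].add(dport)
    return {
        net: {
            "sources": len(d["sources"]),
            "ports": sorted(d["ports"]),
            "proxy_ports": sorted(d["ports"] & PROXY_PORTS),
            "distributed_scan": (len(d["sources"]) >= min_sources
                                 and len(d["ports"]) >= min_ports),
        }
        for net, d in nets.items()
    }
```

A flagged /24 is a prompt to resolve the source addresses, as the post does, and compare the timing with your own outbound connections, not a verdict by itself.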

  4. 2006/12/16
    bombagirl

    bombagirl Inactive Thread Starter

    Joined:
    2006/08/20
    Messages:
    155
    Likes Received:
    0
    Ohhh God :eek: It seems you've done some great research....I really thank you for your patience mailman and all of you out there :D
     
  5. 2006/12/16
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    You're very welcome, Claudine. :)

    Charles suggested PC Flank (http://www.pcflank.com/index.htm) for testing your firewall's ability to block port connection attempts. I tried to go to that site but my firewall (Zone Alarm Pro) blocked it as a "Spy Site". :confused: However, McAfee's SiteAdvisor report about pcflank.com does not flag anything bad about the site located in Russia.

    An alternative location I have used several times for testing my firewall is Steve Gibson's ShieldsUP! page.

    Steve Gibson provides a few other small, handy tools (UnPlug n' Pray, DCOMbobulator, Shoot The Messenger) at http://www.grc.com/default.htm that you may be interested in for enhancing your computer's security. I have used all those utilities I listed with no ill effects (as far as I can tell) on my machine.

    Also, to be on the safe side, you may want to download HijackThis! (HJT), create a folder on your hard drive (such as C:\HJT), extract the contents of hijackthis.zip to that folder, run the extracted (unzipped) hijackthis.exe, and paste your HJT log in this forum thread for us to see if we recognize any signs of malware. If you choose to run HJT, do not have HJT "fix" anything without carefully following guidance from an anti-malware expert (such as TeMerc).

    Regarding mIRC's "invisible mode" that I mentioned earlier in this thread, click on mIRC's Tools > Options (also accessible using the Alt-O keyboard combination) and enable "Invisible mode" as outlined in red in the attached image below. (Click on the thumbnail image to view the full-size image.) That should do the trick. After you enable "Invisible mode" and connect to Undernet's IRC network, you should see "(your nickname) sets mode: +i" in mIRC's Status window after your connection is complete.
     
    Last edited: 2006/12/16
  6. 2006/12/16
    bombagirl

    bombagirl Inactive Thread Starter

    Joined:
    2006/08/20
    Messages:
    155
    Likes Received:
    0
    invisible mode done...thanks for the info :eek:
     
  7. 2006/12/16
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    You're welcome. :)

    BTW, I was reading through my posts above and realized the following statement I made may not be entirely true:
    I think someone can still see if you're online if they can guess the nickname ("nick") you are using even if you are "invisible" and they are not in the same channel.

    I don't mean to scare you out of using IRC. I just wanted to give you this info since IRC is not a very private way to be online (which may or may not be important to you). I used mIRC for years without much difficulty except for an occasional jerk that joined a channel I was in.

    To see if a certain nick is on the IRC network, you can type /whois nick (with the appropriate nickname in place of "nick") in an mIRC window. The user's information will be displayed in mIRC's Status window (including the channels the user is joined to). For example, you can type /whois mailman on Undernet and you will probably come up with a hit (and it will not be me :)). You can even /whois your own nick to see what information about you is displayed.

    Therefore, if you ever happen to be "stalked" by someone, then change your nick in mIRC's "Connect" Options (displayed in my attached image in post #24 above) before connecting to the IRC network. However, if the stalker knows what channel(s) you frequent, the stalker can still /join that channel and wait for you to /join the same channel. The stalker can then determine it is you even if you have changed your nick.

    If you ever want to change your nick while connected to the IRC network, type /nick followed by a space and the new nick you want to use (in any mIRC window). If that nick is not in use by someone else on the IRC network, your nick will be changed and you will be notified in mIRC's Status window with "Your nick is now (your new nick)". Your new nick will also be displayed in the title bar of mIRC's Status window.

    An additional measure for your online IRC privacy is to use a fake "Full Name" (Any text string or sentence will do.) and fake "Email Address" in mIRC's "Connect" Options. The most important part of the "Email Address" to change is the part before the @ symbol. You don't have any control over the part after the @ symbol. (The IRC network uses your IP address/resolved hostname for that part regardless of what you have typed in mIRC's "Connect" Options.) I don't know if spammers use that information but I put fake information there to be on the safer side.

    Changing the "Full Name" and "Email Address" fields in mIRC's "Connect" options before connecting to the IRC network might also help you remain more anonymous to a stalker waiting in the channel(s) you frequent. For example, the "Email Address" info is displayed to all users currently in the channel you join when you join the channel. (The "Email Address" and "Full Name" info is also displayed to any user who types /whois followed by your nick.)

    mIRC 6.21 seems to have beefed up its defenses since earlier mIRC versions with its default configuration against attacks from other IRC clients. For example, I downloaded a few files from other clients on Undernet and, each time, mIRC popped up a window asking me if I am expecting the file and if I really want to download the file. I then had to click the "OK" button. Then I had to click the "Accept" button on the next window that popped up to initiate the download. This seems to be a good defense against malicious clients trying to push malicious mIRC scripts or malware onto your computer without your knowledge or consent.

    Have fun chatting. IRC is a different world. :)
     
    Last edited: 2006/12/17
  8. 2006/12/17
    bombagirl

    bombagirl Inactive Thread Starter

    Joined:
    2006/08/20
    Messages:
    155
    Likes Received:
    0
    thanks once again however I still find difficulty to send files through irc....I don't know why they don't get them....thanks....however people will know I've changed my nick as it shows through the main window am I right?
     
  9. 2006/12/17
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Yes, the people that are in the same channel will know you changed your nick if they happen to be watching the channel window at that time or shortly after. That information will display in the channel window until the ongoing chat conversations cause it to scroll off-screen. One can also scroll back up several (a few hundred?) lines in the channel (in mIRC anyway) to review channel traffic if one has been away from the keyboard (commonly referred to as "AFK" in IRC lingo) to go to the restroom or something like that. In addition, one can enable channel logging in mIRC and use it to monitor channel traffic and chat conversations. (That's useful if you want to stay joined to the channel and monitor it while you go to bed, for example.)

    When you change your nick, your new nick will then display in the "nick list" in the channel window. (I think the nick list is located on the right side of the channel window with mIRC's default configuration.)

    File transfers historically have been troublesome for some people on IRC. I'm sorry my memory is fuzzy about how I helped people troubleshoot those problems though. :(
     
    Last edited: 2006/12/17
  10. 2006/12/17
    bombagirl

    bombagirl Inactive Thread Starter

    Joined:
    2006/08/20
    Messages:
    155
    Likes Received:
    0
    How can I do this please?

    and what about changing the colours of the text?
     
  11. 2006/12/17
    mailman Lifetime Subscription

    mailman Geek Member

    Joined:
    2004/01/17
    Messages:
    1,901
    Likes Received:
    11
    Logging can be configured via mIRC's Tools > Options (also accessible via the Alt-O key combination) > IRC > Logging.

    Please see the attached image below for configuring mIRC's logging. The "Help" button (outlined in red in my image) will provide some descriptions about the settings.

    After you have enabled/configured logging, click mIRC's Tools > Log Files... and use the "View" button for the log file you want to view. These log files can also be opened with Notepad while you are not running mIRC.

    You can also play with channel logging settings that I think will override your default settings in mIRC's "Logging" Options by clicking on the icon in the upper left corner of the channel window in mIRC and using the "Logging" menu item to turn on/off logging for that window.

    Which text do you want to change the color of?

    To change colors of your typed text so others in the channel will see that color (if their IRC client is configured to display mIRC Ctrl-K colors), you can start experimenting with that by using the Ctrl-K key combination in the channel window. Hit Ctrl-K and type the digit associated with the color you want to use (or click on the color swatch) and then type your text.
     
    Last edited: 2006/12/17
