PCAnywhere ping - Internet Security Systems

PCAnywhere ping

advICE : Intrusions : 2001507

Summary

Someone has pinged the system in order to see if PCAnywhere is running. This may be an attack, but is likely to be accidental.

Details

PCAnywhere is a product from Symantec that allows remote control of a computer. It is very popular on the Internet for this legitimate purpose, allowing administrators to remotely control servers.

Hackers frequently scan the Internet looking for machines supporting this product. Many users use empty passwords or passwords that are easy to guess (like the word "password"). This provides easy entry for the hacker. If hackers gain control over the machine, not only can they steal information on that machine, they can also use it to attack other machines on the Internet.

False Positives

Accidental scans from PCAnywhere clients are commonly seen from your neighbors. This is due to the default configuration of PCAnywhere. It installs an icon called "NETWORK" that scans the local area for agents. While there may be no hostile intent behind this scan, it is still a little rude.

The animated picture shows what the PCAnywhere user sees. Rather than using a setting for a specific computer, the user clicks on the "NETWORK" icon, which scans the local area for agents. In the sample, three agents are found: one is the agent the user is looking for, and the other two belong to other people.

To verify that this is the case, examine the IP address of the intruder. If the IP address is from the local segment (i.e. is similar to your own IP address), then this is a likely cause. If the IP addresses are not similar, then this is a clear attack against the system.

PCAnywhere scans what is known as the "Class C" range, which is all the IP addresses with the same first three numbers. In the pictured example, all the machines in the range 192.0.2.0 - 192.0.2.255 were scanned.
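The check described above, written as a small log triage script. This is an added example, not part of the original advisory: the log format, the sample lines and the function name `triage` are constructed for illustration, and treating the port 22 probe as UDP is an assumption (the page only states UDP for port 5632).

```python
import ipaddress
import re
from collections import defaultdict

PCA_PORTS = {5632, 22}  # ports named on this page; UDP for port 22 is an assumption

# Constructed log lines in a hypothetical format: time proto src:port -> dst:port
SAMPLE_LOG = """\
10:01:02 UDP 192.0.2.17:1045 -> 192.0.2.33:5632
10:01:03 UDP 192.0.2.17:1045 -> 192.0.2.33:22
10:04:40 UDP 198.51.100.9:3321 -> 192.0.2.33:5632
10:05:11 TCP 203.0.113.5:4410 -> 192.0.2.33:80
10:06:00 UDP 999.1.1.1:1 -> 192.0.2.33:5632
truncated line
"""

LINE_RE = re.compile(r"^\S+ (UDP|TCP) ([\d.]+):\d+ -> ([\d.]+):(\d+)$")

def triage(log_text, my_ip):
    """Map each source that pinged my_ip to (verdict, sorted ports probed)."""
    # "Class C" range: same first three numbers, i.e. the /24 containing my_ip.
    local_net = ipaddress.ip_network(f"{my_ip}/24", strict=False)
    probed = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a connection record
        proto, src, dst, dport = m.groups()
        try:
            src_ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # malformed address, ignore the record
        if proto == "UDP" and dst == my_ip and int(dport) in PCA_PORTS:
            probed[src_ip].add(int(dport))
    result = {}
    for src_ip, ports in probed.items():
        if src_ip in local_net:
            verdict = "same /24: likely accidental NETWORK browse"
        else:
            verdict = "outside /24: treat as an attack"
        result[str(src_ip)] = (verdict, sorted(ports))
    return result

if __name__ == "__main__":
    for src, (verdict, ports) in triage(SAMPLE_LOG, "192.0.2.33").items():
        print(src, ports, verdict)
```
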

Defense

If you are not running PCAnywhere, then this won't be a problem. If you are running PCAnywhere, then see PCAnywhere Server for some tips on securing it.

Notes

If you run PCAnywhere, then you should turn off this feature. Not only will it make your "network neighbors" unhappy, it will also broadcast to the world that you are using PCAnywhere. If any of your neighbors are themselves hackers, this may encourage them to go after your system in order to gain control of it. See PCAnywhere Server.

More information
CNN: Difficult to become a hacker? It's easier than you think
An article from CNN that describes how you can accidentally hack into other machines using PCAnywhere.
PCAnywhere Service
How to configure the PCAnywhere service to ward off attackers.
PCAnywhere grind
When a PCAnywhere ping finds a machine, the attacker will then try guessing passwords in order to break into the machine.
Port 5632
Scans for PCAnywhere consist mainly of UDP packets sent to port 5632.
Port 22
If PCAnywhere doesn't find anybody responding to port 5632, it will also try port 22 for backwards compatibility with older versions of PCAnywhere.
Symantec: PCAnywhere Support Services
The vendor's web page.
 
Version appeared: 1.7 
