Maximum PC

Admittedly I havn't monitored the routers log up till now but that's something I plan on rectifying.

I set it up to email me a report and got this today: http://lbi.250free.com/attack.txt

Look at all those freakin requests on odd ports. Anyone know off hand what prog they might think was running that they could exploit?

Alright, now that I think of it maybe its bit torrent and some idiots client sucks and is attempting the new range people are using these days. Thats my best guess, any other ideas?

heh.. Could be someone running a program like YAP - just to see if they can find a port to exploit and they came up on your IP address in their IP scheme..

More than likely its nothing more than that - unless you see this continue over more then one day... I'd not worry too much...
Tuathal

usually its pretty random. somedays i'll have the same port attacked 20 times and some times i can go a day without being pinged at at all. whats scarey is i looked at my log after i got back from vacation and someone tried to get on my wifi....my house is on 40 acres in the middle of nowhere. and the road is a good 200 feet away.

w0w
That is shocking...

I'd be a little paranoid that I even knew the person lol
Tuathal

Starting from 22 hours ago here is the log (may overlap a bit from before)

http://lbi.250free.com/newattack.txt

Look at all those frigin drops This file is frikin 130k!!

man that 232 number really has a hard-on for you...

Hope your Firewall software is up to day lol
Tuathal

Have you posted any of this in Network Neighborhood? or PM Dalan and ask him to take a look at it - If anyone had any suggestions that were viable - it would be Dalantech
Tuathal

I was just about to do that.

It looks like a script that's checking to see if you have any Trojans on your network.

Due to the volume of traffic I'd say it's automated or an amateur -a pro wouldn't throw that many packets at you. Another possibility is someone using "zombie" PCs (machines that listen for commands posted to an IRC chat channel) and the attacker is using multiple zombies to scan you to generate a lot of "noise" in your logs -so you can't see where the "real" attack is coming from. Look for a few hits here and there that are outside the pattern -just ignoring all of the port scans higher than port 60,000 causes a few addresses to stand out in those logs...

----------------------------------
Network News and Reviews

Thats about what I assumed.

I know you can't just up and "block" this kind of traffic from ever getting to you and can't sick the FBI on them because you have to be able to prove you've lost something like $500 in profits/damages. Maybe I should ask my ISP to start blocking it? Probably not a good idea since I'm not being DOS'ed per-se, but this does need to stop. Any ideas on what I should do?

Makes me wish I had learned more about networking and hacking.. I'd probably be able to take over this bastards army and scare the shit out of him or just set them to DOS him >_<

EDIT: thanks btw.

Not much you can do, other than complain to the point of contact for the address...

inetnum: 213.232.80.0 - 213.232.83.255
netname: BANDX-PRODIGY
descr: Band-X Customer Subnet
country: GB
admin-c: NL88-RIPE
tech-c: NL88-RIPE
status: ASSIGNED PA
mnt-by: AS12885-MNT
notify: nick@prodigynet.co.uk
notify: ripe-notify@band-x.net
changed: flemming@band-x.net 20020429
source: RIPE


inetnum: 83.31.0.0 - 83.31.255.255
netname: NEOSTRADA-ADSL
descr: Neostrada Plus
descr: Warszawa
country: PL
remarks: ! - ! - ! - ! - ! - !
remarks: Contact to ABUSE TP S.A. :
remarks: abuse@tpnet.pl
remarks: ! - ! - ! - ! - ! - !
admin-c: TPHT
tech-c: HT2189-RIPE
status: ASSIGNED PA
mnt-by: TPNET
changed: hostmaster@tpnet.pl 20031211
source: RIPE

NetRange: 69.105.0.0 - 69.105.1.255
CIDR: 69.105.0.0/23
NetName: SBC069105000000031215
NetHandle: NET-69-105-0-0-1
Parent: NET-69-104-0-0-1
NetType: Reassigned
Comment: For Policy Abuse issues, contact: abuse@swbell.net
Comment: For Technical issues, contact: noc@swbell.net
RegDate: 2003-12-16
Updated: 2003-12-16

NetRange: 38.112.0.0 - 38.119.255.255
CIDR: 38.112.0.0/13
NetName: COGENT-NB-0002
NetHandle: NET-38-112-0-0-1
Parent: NET-38-0-0-0-1
NetType: Reallocated
NameServer: AUTH1.DNS.COGENTCO.COM
NameServer: AUTH2.DNS.COGENTCO.COM
Comment: ReferralServer: rwhois://rwhois.cogentco.com:4321/
RegDate: 2003-08-20
Updated: 2004-03-11
OrgAbuseHandle: COGEN-ARIN
OrgAbuseName: Cogent Abuse
OrgAbusePhone: +1-877-875-4311
OrgAbuseEmail: abuse@cogentco.com

NetRange: 67.85.32.0 - 67.85.63.255
CIDR: 67.85.32.0/19
NetName: OOL-65PSWYNJ6-0821
CustName: Optimum Online (Cablevision Systems)
Address: 111 New South Road
City: Hicksville
StateProv: NY
PostalCode: 11801
Country: US
RegDate: 2004-01-14
Updated: 2004-01-14
OrgAbuseHandle: OOLAB-ARIN
OrgAbuseName: OOL Hostmaster
OrgAbusePhone: +1-516-803-2400
OrgAbuseEmail: abuse@cv.net

That should get you started

----------------------------------
Network News and Reviews

Ahhhhg!! I don't wanna go through all those IP's and perform DNS lookups and hope that my message gets through that some customers machines have been jacked

Oh well, guess Ive gotta. Thanks for the start.

Sorry

These days a lot of ISPs are a lot more willing to listen to you and take action -if you are polite and provide them with sections of your logs showing the activity...


----------------------------------
Network News and Reviews

Does this happen to you often?

I connect to Telcom Italia here in Naples, Italy -it's like surfing from the wild west. Lots of script kiddies who have nothing better to do with their time but crawl all over Telecom's networks. Then I go to the day job were I'm basically running an ISP for the military -and having .mil in your domain name id like having a bulls eye on your back. So yes, it happens to me quite often...

----------------------------------
Network News and Reviews

What do you do to the little buggers?

Ignore them, but I don't ignore the logs and what they are doing. If it got out of hand, like a DoS attack then I'd complain. The problem is getting anyone at Telecom Italia to do anything...

The important thing is to keep an eye on what the little idiots are doing and maintain a good firewall.

----------------------------------
Network News and Reviews

Any recomended reading? Ive skimmed through a big honkin yellow TCP/IP book but that doesn't do much for attacks.

How about you kindly ask me to stop?

Attacks and Defenses -some things that you can do

----------------------------------
Network News and Reviews