Maximum PC

All times are UTC - 8 hours




 Post subject: I think I'm being attacked.
PostPosted: Sun Nov 07, 2004 4:42 pm 
Smithfield

Joined: Sun Sep 05, 2004 9:01 am
Posts: 8091
Admittedly I haven't monitored the router's log up till now but that's something I plan on rectifying.

I set it up to email me a report and got this today: http://lbi.250free.com/attack.txt

Look at all those freakin requests on odd ports. Anyone know off hand what prog they might think was running that they could exploit?

Alright, now that I think of it maybe it's BitTorrent and some idiot's client sucks and is attempting the new range people are using these days. That's my best guess, any other ideas?


PostPosted: Sun Nov 07, 2004 6:58 pm 
Notched on both sides

Joined: Fri Oct 15, 2004 12:42 pm
Posts: 2765
Location: GTW d- s+:+ a C++++ K+++ w++++
heh.. Could be someone running a program like YAP - just to see if they can find a port to exploit and they came up on your IP address in their IP scheme..

More than likely it's nothing more than that - unless you see this continue over more than one day... I'd not worry too much... :P
Tuathal


PostPosted: Sun Nov 07, 2004 7:21 pm 
Smithfield*

Joined: Fri Jul 09, 2004 9:17 am
Posts: 7159
Location: In HyperTransport
usually it's pretty random. some days i'll have the same port attacked 20 times and sometimes i can go a day without being pinged at all. what's scary is i looked at my log after i got back from vacation and someone tried to get on my wifi....my house is on 40 acres in the middle of nowhere. and the road is a good 200 feet away. :roll:


PostPosted: Sun Nov 07, 2004 7:24 pm 
Notched on both sides

Joined: Fri Oct 15, 2004 12:42 pm
Posts: 2765
Location: GTW d- s+:+ a C++++ K+++ w++++
w0w
That is shocking...

I'd be a little paranoid that I even knew the person lol
Tuathal


PostPosted: Mon Nov 08, 2004 4:19 pm 
Smithfield

Joined: Sun Sep 05, 2004 9:01 am
Posts: 8091
Starting from 22 hours ago here is the log (may overlap a bit from before)

http://lbi.250free.com/newattack.txt

Look at all those frigin drops :shock: This file is frikin 130k!!


PostPosted: Mon Nov 08, 2004 6:13 pm 
Notched on both sides

Joined: Fri Oct 15, 2004 12:42 pm
Posts: 2765
Location: GTW d- s+:+ a C++++ K+++ w++++
man that 232 number really has a hard-on for you...

Hope your Firewall software is up to date lol
Tuathal

Have you posted any of this in Network Neighborhood? or PM Dalan and ask him to take a look at it - If anyone had any suggestions that were viable - it would be Dalantech
Tuathal


PostPosted: Tue Nov 09, 2004 2:14 am 
Smithfield

Joined: Sun Sep 05, 2004 9:01 am
Posts: 8091
I was just about to do that.


PostPosted: Tue Nov 09, 2004 2:33 am 
Networking with a passion!

Joined: Wed Jun 16, 2004 3:27 am
Posts: 232
Location: Naples, Italy
It looks like a script that's checking to see if you have any Trojans on your network.

Due to the volume of traffic I'd say it's automated or an amateur -a pro wouldn't throw that many packets at you. Another possibility is someone using "zombie" PCs (machines that listen for commands posted to an IRC chat channel) and the attacker is using multiple zombies to scan you to generate a lot of "noise" in your logs -so you can't see where the "real" attack is coming from. Look for a few hits here and there that are outside the pattern -just ignoring all of the port scans higher than port 60,000 causes a few addresses to stand out in those logs...

----------------------------------
Network News and Reviews
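
The filtering step suggested in the post above, as an added example that is not part of the original thread: set aside drops aimed at ports above 60,000 and list what each source did outside that pattern. The log layout, the `triage` name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical router format; the real log
# linked in the thread is not reproduced here. Addresses are RFC 5737 ranges.
SAMPLE_LOG = """\
Nov  8 03:12:01 DROP TCP 198.51.100.7:4021 -> 192.0.2.10:60112
Nov  8 03:12:01 DROP TCP 198.51.100.7:4022 -> 192.0.2.10:60113
Nov  8 03:12:02 DROP TCP 198.51.100.9:3310 -> 192.0.2.10:62001
Nov  8 03:12:02 DROP TCP 198.51.100.9:3311 -> 192.0.2.10:62002
Nov  8 03:12:03 DROP TCP 198.51.100.7:4023 -> 192.0.2.10:61500
Nov  8 03:14:40 DROP TCP 203.0.113.44:1188 -> 192.0.2.10:3389
Nov  8 03:14:41 DROP UDP 203.0.113.44:1189 -> 192.0.2.10:1434
Nov  8 03:15:10 DROP TCP 198.51.100.7:4090 -> 192.0.2.10:135
Nov  8 03:15:11 NTP time sync ok
"""

# Assumed line layout: "DROP <proto> <src>:<sport> -> <dst>:<dport>".
LINE_RE = re.compile(
    r"DROP\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):\d+\s+->\s+[\d.]+:(?P<dport>\d+)"
)
NOISE_FLOOR = 60000  # the post's cut-off: set aside scans above port 60,000


def triage(log_text, noise_floor=NOISE_FLOOR):
    """Split drops into high-port scan noise and everything else.

    Returns (noise, outliers): noise maps source -> count of drops above the
    floor; outliers maps source -> sorted (proto, port) pairs at or below it.
    """
    noise = defaultdict(int)
    outliers = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a drop record in the assumed layout
        src, dport = m["src"], int(m["dport"])
        if dport > noise_floor:
            noise[src] += 1
        else:
            outliers[src].add((m["proto"], dport))
    return dict(noise), {s: sorted(p) for s, p in outliers.items()}


if __name__ == "__main__":
    noise, outliers = triage(SAMPLE_LOG)
    print("high-port scan volume:", noise)
    for src, hits in outliers.items():
        print(src, "->", hits)
```

A source that shows up in both results is sending a probe at a specific service alongside its high-port sweep, so its few low-port hits deserve a closer look than its volume does.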


PostPosted: Tue Nov 09, 2004 2:49 am 
Smithfield

Joined: Sun Sep 05, 2004 9:01 am
Posts: 8091
That's about what I assumed.

I know you can't just up and "block" this kind of traffic from ever getting to you and can't sic the FBI on them because you have to be able to prove you've lost something like $500 in profits/damages. Maybe I should ask my ISP to start blocking it? Probably not a good idea since I'm not being DOS'ed per se, but this does need to stop. Any ideas on what I should do?

Makes me wish I had learned more about networking and hacking.. I'd probably be able to take over this bastards army and scare the shit out of him or just set them to DOS him >_<

EDIT: thanks btw.


PostPosted: Tue Nov 09, 2004 10:16 am 
Networking with a passion!

Joined: Wed Jun 16, 2004 3:27 am
Posts: 232
Location: Naples, Italy
Not much you can do, other than complain to the point of contact for the address...

inetnum: 213.232.80.0 - 213.232.83.255
netname: BANDX-PRODIGY
descr: Band-X Customer Subnet
country: GB
admin-c: NL88-RIPE
tech-c: NL88-RIPE
status: ASSIGNED PA
mnt-by: AS12885-MNT
notify: nick@prodigynet.co.uk
notify: ripe-notify@band-x.net
changed: flemming@band-x.net 20020429
source: RIPE


inetnum: 83.31.0.0 - 83.31.255.255
netname: NEOSTRADA-ADSL
descr: Neostrada Plus
descr: Warszawa
country: PL
remarks: ! - ! - ! - ! - ! - !
remarks: Contact to ABUSE TP S.A. :
remarks: abuse@tpnet.pl
remarks: ! - ! - ! - ! - ! - !
admin-c: TPHT
tech-c: HT2189-RIPE
status: ASSIGNED PA
mnt-by: TPNET
changed: hostmaster@tpnet.pl 20031211
source: RIPE

NetRange: 69.105.0.0 - 69.105.1.255
CIDR: 69.105.0.0/23
NetName: SBC069105000000031215
NetHandle: NET-69-105-0-0-1
Parent: NET-69-104-0-0-1
NetType: Reassigned
Comment: For Policy Abuse issues, contact: abuse@swbell.net
Comment: For Technical issues, contact: noc@swbell.net
RegDate: 2003-12-16
Updated: 2003-12-16

NetRange: 38.112.0.0 - 38.119.255.255
CIDR: 38.112.0.0/13
NetName: COGENT-NB-0002
NetHandle: NET-38-112-0-0-1
Parent: NET-38-0-0-0-1
NetType: Reallocated
NameServer: AUTH1.DNS.COGENTCO.COM
NameServer: AUTH2.DNS.COGENTCO.COM
Comment: ReferralServer: rwhois://rwhois.cogentco.com:4321/
RegDate: 2003-08-20
Updated: 2004-03-11
OrgAbuseHandle: COGEN-ARIN
OrgAbuseName: Cogent Abuse
OrgAbusePhone: +1-877-875-4311
OrgAbuseEmail: abuse@cogentco.com

NetRange: 67.85.32.0 - 67.85.63.255
CIDR: 67.85.32.0/19
NetName: OOL-65PSWYNJ6-0821
CustName: Optimum Online (Cablevision Systems)
Address: 111 New South Road
City: Hicksville
StateProv: NY
PostalCode: 11801
Country: US
RegDate: 2004-01-14
Updated: 2004-01-14
OrgAbuseHandle: OOLAB-ARIN
OrgAbuseName: OOL Hostmaster
OrgAbusePhone: +1-516-803-2400
OrgAbuseEmail: abuse@cv.net

That should get you started :)

----------------------------------
Network News and Reviews
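
Turning whois output like the records above into a per-provider report list, as an added example that is not part of the original thread: it parses both the RIPE (`inetnum:`) and ARIN (`NetRange:`) layouts, pulls the abuse address from each record, and groups logged source addresses under the contact whose range contains them. The function names and the sample source addresses are constructed for illustration; the whois excerpt is trimmed from the post.

```python
import ipaddress
import re

# Excerpt of the whois records quoted in the post above (fields trimmed).
WHOIS_TEXT = """\
inetnum: 83.31.0.0 - 83.31.255.255
netname: NEOSTRADA-ADSL
remarks: abuse@tpnet.pl

NetRange: 69.105.0.0 - 69.105.1.255
NetName: SBC069105000000031215
Comment: For Policy Abuse issues, contact: abuse@swbell.net

NetRange: 67.85.32.0 - 67.85.63.255
NetName: OOL-65PSWYNJ6-0821
OrgAbuseEmail: abuse@cv.net
"""

# Constructed source addresses, chosen only to exercise the range matching.
SAMPLE_SOURCES = ["83.31.12.200", "67.85.40.1", "83.31.4.9", "192.0.2.55"]

RANGE_RE = re.compile(r"^(?:inetnum|NetRange):\s*([\d.]+)\s*-\s*([\d.]+)", re.M | re.I)
ABUSE_RE = re.compile(r"\babuse@[\w.-]+", re.I)


def parse_blocks(text):
    """Return [(first_ip, last_ip, abuse_email)] for blank-line-separated records."""
    blocks = []
    for record in re.split(r"\n\s*\n", text.strip()):
        rng, mail = RANGE_RE.search(record), ABUSE_RE.search(record)
        if rng and mail:  # skip records lacking a range or an abuse address
            lo, hi = (ipaddress.ip_address(x) for x in rng.groups())
            blocks.append((lo, hi, mail.group(0)))
    return blocks


def group_by_contact(sources, blocks):
    """Map abuse contact -> numerically sorted sources inside its range."""
    report = {}
    for src in sources:
        ip = ipaddress.ip_address(src)
        owner = next((m for lo, hi, m in blocks if lo <= ip <= hi), "unknown")
        report.setdefault(owner, []).append(src)
    return {k: sorted(v, key=ipaddress.ip_address) for k, v in report.items()}


if __name__ == "__main__":
    for contact, ips in group_by_contact(SAMPLE_SOURCES, parse_blocks(WHOIS_TEXT)).items():
        print(contact, ips)
```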


PostPosted: Tue Nov 09, 2004 10:27 am 
Smithfield

Joined: Sun Sep 05, 2004 9:01 am
Posts: 8091
Ahhhhg!! I don't wanna go through all those IPs and perform DNS lookups and hope that my message gets through that some customers' machines have been jacked :cry:

Oh well, guess I've gotta. Thanks for the start.


PostPosted: Tue Nov 09, 2004 10:36 am 
Networking with a passion!

Joined: Wed Jun 16, 2004 3:27 am
Posts: 232
Location: Naples, Italy
Sorry :(

These days a lot of ISPs are a lot more willing to listen to you and take action -if you are polite and provide them with sections of your logs showing the activity...


----------------------------------
Network News and Reviews


PostPosted: Tue Nov 09, 2004 11:18 am 
Smithfield

Joined: Sun Sep 05, 2004 9:01 am
Posts: 8091
Does this happen to you often?


PostPosted: Tue Nov 09, 2004 11:06 pm 
Networking with a passion!

Joined: Wed Jun 16, 2004 3:27 am
Posts: 232
Location: Naples, Italy
I connect to Telecom Italia here in Naples, Italy -it's like surfing from the wild west. Lots of script kiddies who have nothing better to do with their time but crawl all over Telecom's networks. Then I go to the day job where I'm basically running an ISP for the military -and having .mil in your domain name is like having a bull's-eye on your back. So yes, it happens to me quite often... :P

----------------------------------
Network News and Reviews


PostPosted: Wed Nov 10, 2004 4:31 am 
Smithfield

Joined: Sun Sep 05, 2004 9:01 am
Posts: 8091
What do you do to the little buggers?


PostPosted: Wed Nov 10, 2004 5:27 am 
Networking with a passion!

Joined: Wed Jun 16, 2004 3:27 am
Posts: 232
Location: Naples, Italy
urmumsacow wrote:
What do you do to the little buggers?


Ignore them, but I don't ignore the logs and what they are doing. If it got out of hand, like a DoS attack then I'd complain. The problem is getting anyone at Telecom Italia to do anything...

The important thing is to keep an eye on what the little idiots are doing and maintain a good firewall.

----------------------------------
Network News and Reviews


PostPosted: Wed Nov 10, 2004 5:29 am 
Smithfield

Joined: Sun Sep 05, 2004 9:01 am
Posts: 8091
Any recommended reading? I've skimmed through a big honkin yellow TCP/IP book but that doesn't do much for attacks.


PostPosted: Wed Nov 10, 2004 9:34 am 
Monkey Federation (Top 10)*

Joined: Thu Jun 24, 2004 1:22 pm
Posts: 27348
Location: In a cage, dumbass.
How about you kindly ask me to stop?


PostPosted: Wed Nov 10, 2004 9:40 am 
Smithfield

Joined: Sun Sep 05, 2004 9:01 am
Posts: 8091
Image


PostPosted: Wed Nov 10, 2004 9:53 am 
Networking with a passion!

Joined: Wed Jun 16, 2004 3:27 am
Posts: 232
Location: Naples, Italy
urmumsacow wrote:
Any recommended reading? I've skimmed through a big honkin yellow TCP/IP book but that doesn't do much for attacks.



Attacks and Defenses -some things that you can do :)

----------------------------------
Network News and Reviews

