-
IP Attacks
I have been recently getting many attacks from various IP addresses - thankfully caught by my Norton Anti-Virus - but I have run a visual tracking program on it and discovered its origins...what do I do?
Apparently it was a trojan horse (i.e. not very nice) virus that I stopped, and it came all the way from Philadelphia courtesy of a company called Comcast Corporation...or at least someone within it...
Any advice on what to do when I get something like this through? Teach them a lesson or something...
-
It is unlikely that it was actually an attack, but Norton just likes to vent off about stuff like that so that you think it's doing something.
My gateway's intrusion detection software compiles a list of suspected attempts to hack in etc.; many are not valid.
Perhaps a website you're visiting is triggering something to make Norton think you're being attacked. Track when the "attacks" happen and see if you're doing anything specific at the time. This will help you ascertain if there is indeed something sinister going on.
-
Nope, the attacks originate at a company I've never heard of, let alone gone to their website...
-
Interesting, I've heard of Comcast, possibly a US ISP. You say the IPs change?
-
Comcast is an ISP in the US. Whoever is doing it is using Comcast; I would try and contact them and let them know that someone using their IP is trying to "hack" your computer.
-
It could just be a trojan that somebody is infected with that's trying to spread. For example, I keep getting a virus in my mail from somebody (don't know who - spoofed address.) That person isn't doing it intentionally, they're just infected with the worm that's spreading it.
Still, if it really is something trying to get at you, it needs to be stopped.
-
Hmm...valid points. As mentioned, it could either be an unwitting person with said virus that's released themselves upon the web and infected countless others, but it could also be a targeted attack...
I shall let the company have the details I got from my IP track...see what they do.
-
What makes you think it is a targeted attack? It just sounds like a port scan to me. I pick up loads of port scans whenever I get round to looking at firewall / gateway logs, and it doesn't worry me as I know that nothing is actually getting in.
Just think of the cisco ad.
"whats happening? "
"nothing............."
If you really want to progress it, mail a copy of your firewall log to abuse@isp; you might even get a reply, but don't expect SWAT teams to be on people's doorsteps for it.
-
What piece of software is reporting the attack exactly? Is it the IDS that is telling you that there is an attack on? What type of attack is it reporting? Can you post an extract from the logs here?
-
NTL here in the North East used to be called Comcast. I got something similar on Norton a few weeks back but it couldn't locate the host at all.
At the bottom of the screen on the tracking there should be everything you need to report it, apparently as I've never seen it !
-
Details: Intrusion: Invalid TCP Options
Intruder: 66.103.241.212
Risk Level: Medium
Source IP address: 66.103.241.212
Destination IP address: iain(192.168.0.3)
TCP Source Port: 6699
TCP Destination Port: 3956
Invalid TCP Option: 0x491f491f
Click on the address to trace the attacker
You can get detailed information about this attack at Symantec Security Response
This is the report I got from mine, you get it by opening Norton Internet Security > Statistics (Left Side) > View Logs >Intrusion Detection. Then click on the intrusion and all the details appear at the bottom of the screen. I had to use CTRL + C to copy it as the right click to copy doesn't work on it.
Just actually managed to do a full trace !!!
Norton's full log etc.:
OrgName: ISP Management inc.
OrgID: ISPMAN-1
Address: 319 E. Superior St.
City: Alma
StateProv: MI
PostalCode: 48801
Country: US
NetRange: 66.103.240.0 - 66.103.243.255
CIDR: 66.103.240.0/22
NetName: I123-66103240-23
NetHandle: NET-66-103-240-0-1
Parent: NET-66-103-224-0-1
NetType: Reassigned
NameServer: DNS.ISPMGT.COM
NameServer: HOSTING.ISPMGT.COM
Comment:
RegDate: 2003-02-21
Updated: 2003-02-21
# ARIN WHOIS database, last updated 2003-09-11 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
OrgName: ISP Management inc.
OrgID: ISPMAN-1
Address: 319 E. Superior St.
City: Alma
StateProv: MI
PostalCode: 48801
Country: US
Comment:
RegDate: 2002-03-12
Updated: 2002-07-17
-
Do you know how to use tcpdump to get a more detailed log of what is going on at a TCP level? Ethereal could do it too. Personally I would just blackhole the address and block all communications from them, and then see whether the IDS reports anything more. I am checking here if there is a known attack, but so far it looks like someone may be trying to contact a trojan on your network. The destination IP address in your IDS logs suggests that it is trying to contact an internal address, and that is strange unless the info came from inside your network to start with. Have you had a look at 192.168.0.3 to see if there is a trojan on board it?
-
Yeah,
That's my PC itself. It's fully clean; it gets checked every few days by NAV. At the time of the attack I was actually browsing the boards here.
Bizarre thing for me is that whoever it was managed to get through the broadband router's firewall and localise the attack on my machine only. I'm thinking I was hit due to having sensitive data on my PC (logs, member databases and things like that for my website).
I just mailed all the relevant stuff that I put on here to abuse@ntlworld.com; hopefully they will be able to do something about it, as the info is quite specific.
-
There is also a possibility that you have a firewall in front of your IDS that is doing a port redirect. This report says nothing really and is pretty useless. You can send off a mail to abuse@, but personally I stick with the blackhole option.
-
Detailed, yes, but useful...not really, as these are high ports and it is not possible to say just like that what is running on them.
-
If it is to do with the forums here, then I would suggest that you maybe try some better, more extensive IDS software, as NIS is really only a home-user solution and I would not recommend it to protect sensitive business data, as you are already a target as a web-facing business.
-
I was just browsing here when the attack came through. It's not HEXUS whatsoever.
I have the router's firewall fully configured; I think I will start looking into what you said about a possible business solution. I am also now burning the info onto CDs and deleting things off my hard drive afterwards for extra security.
Also have to try and find what may be using the ports. Any ideas how you go about doing that at all, as I only have minimal knowledge when it comes to networks and that side of things?
-
Packet capture with a tool such as tcpdump or Ethereal would be the next step. I would advise Ethereal, as it is GUI based and better for a beginner.
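Added example (editor's, not from any poster in this thread) to show what a packet capture would let you check about the "Invalid TCP Options" entry logged earlier: the only option data Norton reported is the four bytes 0x49 0x1f 0x49 0x1f, and walking them as RFC 793 kind/length pairs shows why any IDS would reject them (kind 73 is not a defined option, and its length byte claims 31 bytes when only 4 remain). The TCP header below is constructed: the ports come from the log, but the sequence number, flags and window are invented, and the validity rules are the generic RFC ones, not Norton's unpublished signature. For what it is worth, source port 6699 is the classic Napster/OpenNap listening port used by WinMX-era clients, which fits the question asked at the end of the thread.

```python
"""Parse a raw TCP header and validate its option list (added example)."""
import struct

# Option kinds with a fixed length: MSS (RFC 793), Window Scale and
# Timestamps (RFC 1323), SACK Permitted (RFC 2018).
FIXED_LENGTH_OPTIONS = {2: 4, 3: 3, 4: 2, 8: 10}
SACK_BLOCKS = 5  # RFC 2018 SACK option: length = 2 + 8 * n

# Constructed 24-byte TCP header: 20 fixed bytes plus the 4 option bytes.
# Only the ports and the option bytes come from the Norton log; the rest is made up.
SAMPLE_TCP_HEADER = struct.pack(
    "!HHIIHHHH",
    6699,               # source port (from the log)
    3956,               # destination port (from the log)
    0x12345678,         # sequence number (constructed)
    0,                  # acknowledgement number (constructed)
    (6 << 12) | 0x002,  # data offset = 6 words (24 bytes), SYN flag set (constructed)
    8192,               # window (constructed)
    0,                  # checksum (not computed for this example)
    0,                  # urgent pointer
) + bytes.fromhex("491f491f")  # the "Invalid TCP Option" value Norton reported


def parse_tcp_header(data):
    """Return ports, flags and the raw option bytes of a TCP header."""
    if len(data) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    sport, dport, seq, ack, off_flags, win, _csum, _urg = struct.unpack("!HHIIHHHH", data[:20])
    data_offset = (off_flags >> 12) * 4          # header length in bytes
    if data_offset < 20 or data_offset > len(data):
        raise ValueError(f"bad data offset {data_offset}")
    flag_bits = off_flags & 0x1FF
    flags = [name for bit, name in ((0x01, "FIN"), (0x02, "SYN"), (0x04, "RST"),
                                    (0x08, "PSH"), (0x10, "ACK"), (0x20, "URG"))
             if flag_bits & bit]
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack,
            "flags": flags, "window": win, "options": data[20:data_offset]}


def check_tcp_options(options):
    """Walk the option list; return (valid, findings).

    Rejects a length byte that runs past the option space, a length below 2,
    a known kind with the wrong length, or a malformed SACK block list.
    Unknown kinds with a sane length are reported but accepted, as RFC 793
    requires implementations to skip them.
    """
    findings = []
    i, n = 0, len(options)
    while i < n:
        kind = options[i]
        if kind == 0:                               # End of Option List
            findings.append("EOL")
            break
        if kind == 1:                               # No-Operation (padding)
            findings.append("NOP")
            i += 1
            continue
        if i + 1 >= n:
            findings.append(f"kind {kind}: length byte missing")
            return False, findings
        length = options[i + 1]
        if length < 2:
            findings.append(f"kind {kind}: length {length} < 2")
            return False, findings
        if i + length > n:
            findings.append(f"kind {kind}: length {length} exceeds the {n - i} bytes remaining")
            return False, findings
        expected = FIXED_LENGTH_OPTIONS.get(kind)
        if expected is not None and length != expected:
            findings.append(f"kind {kind}: length {length}, expected {expected}")
            return False, findings
        if kind == SACK_BLOCKS and (length < 10 or (length - 2) % 8):
            findings.append(f"SACK: length {length} is not 2 + 8*n")
            return False, findings
        known = expected is not None or kind == SACK_BLOCKS
        findings.append(f"kind {kind} len {length}" + ("" if known else " (unknown kind)"))
        i += length
    return True, findings


def analyse(data):
    """Combine the header parse and the option check into one verdict."""
    hdr = parse_tcp_header(data)
    hdr["options_valid"], hdr["findings"] = check_tcp_options(hdr["options"])
    return hdr


if __name__ == "__main__":
    result = analyse(SAMPLE_TCP_HEADER)
    print(f"{result['sport']} -> {result['dport']} flags={result['flags']}")
    print("options:", result["options"].hex(), "valid:", result["options_valid"])
    for line in result["findings"]:
        print("  ", line)
```

In a real capture you would feed `analyse()` the TCP header bytes from a tcpdump or Ethereal packet (the 20 bytes starting at the IP header's payload, plus the options the data offset field says are present); the constructed header here only stands in for that. The check explains the IDS verdict but not the intent behind the packet: a malformed option can be a deliberate probe, a buggy client, or, as later posts in the thread suggest, a peer-to-peer client retrying a stalled transfer.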
-
Does the firewall have any service redirects on it?
-
Do you have Napster or WinMX installed? Did someone start a WinMX download from you and you won't let them finish?