
Thread: IP Attacks

  1. #1
    shiato storm (Photographer; for hire!!)

    IP Attacks

    I have been recently getting many attacks from various IP addresses - thankfully caught by my Norton Anti-Virus - but I have run a visual tracking program on it and discovered its origins...what do I do?
    Apparently it was a trojan horse (i.e. not very nice) virus that I stopped and it came all the way from Philadelphia courtesy of a company called Comcast Corporation...or at least someone within it...

    any advice on what to do when I get something like this through? teach them a lesson or something...
    Powered by Marmite and Wet Dog
    Light Over Water Photography

  2. #2
    Steve (HEXUS webmaster)
    It is unlikely that it was actually an attack, but Norton just likes to vent off about stuff like that so that you think it's doing something.

    My gateway's intrusion detection software compiles a list of suspected attempts to hack in etc, many are not valid.

    Perhaps a website you're visiting is triggering something to make Norton think you're being attacked. Track when the "attacks" happen and see if you're doing anything specific at the time. This will help you ascertain if there is indeed something sinister going on.
    PHP Code:
    $s = new signature();
    $s->sarcasm()->intellect()->font('Courier New')->display(); 

  3. #3
    shiato storm (Photographer; for hire!!)
    Nope, attacks originate at a company I've never heard of, let alone gone to their website...

  4. #4
    Steve (HEXUS webmaster)
    Interesting, I've heard of Comcast, possibly a US ISP. You say the IPs change?

  5. #5
    Senior Member
    Comcast is an ISP in the US. Whoever is doing it is using Comcast; I would try and contact them and let them know that someone using their IP is trying to "hack" your computer.

  6. #6
    Steve (HEXUS webmaster)
    It could just be a trojan that somebody is infected with that's trying to spread. For example, I keep getting a virus in my mail from somebody (don't know who - spoofed address.) That person isn't doing it intentionally, they're just infected with the worm that's spreading it.

    Still, if it really is something trying to get at you, it needs to be stopped.

  7. #7
    shiato storm (Photographer; for hire!!)
    hmm...valid points. As mentioned, it could either be an unwitting person with said virus that's released themselves upon the web and infected countless others, but it could also be a targeted attack...
    I shall let the company have the details I got from my IP track...see what they do.

  8. #8
    Moby-Dick (Administrator)
    What makes you think it is a targeted attack? It just sounds like a port scan to me. I pick up loads of port scans whenever I get round to looking at firewall / gateway logs and it doesn't worry me as I know that nothing is actually getting in.

    Just think of the Cisco ad:

    "What's happening?"

    "Nothing............."


    If you really want to progress it, mail a copy of your firewall log to abuse@isp; you might even get a reply, but don't expect SWAT teams to be on people's doorsteps for it.
    my Virtualisation Blog http://jfvi.co.uk Virtualisation Podcast http://vsoup.net

  9. #9
    Ex-PC enthusiast
    What piece of software is reporting the attack exactly? Is it the IDS that is telling you that there is an attack on? What type of attack is it reporting? Can you post an extract from the logs here?
    The Cow by Ogden Nash
    The cow is of the bovine ilk;
    One end is moo, the other, milk.

  10. #10
    Ferral (Going Retro!!!)
    NTL here in the North East used to be called Comcast. I got something similar on Norton a few weeks back but it couldn't locate the host at all.

    At the bottom of the screen on the tracking there should be everything you need to report it, apparently, as I've never seen it!

  11. #11
    Ferral (Going Retro!!!)
    Details: Intrusion: Invalid TCP Options
    Intruder: 66.103.241.212
    Risk Level: Medium
    Source IP address: 66.103.241.212
    Destination IP address: iain(192.168.0.3)
    TCP Source Port: 6699
    TCP Destination Port: 3956
    Invalid TCP Option: 0x491f491f

    Click on the address to trace the attacker
    You can get detailed information about this attack at Symantec Security Response


    This is the report I got from mine; you get it by opening Norton Internet Security > Statistics (Left Side) > View Logs > Intrusion Detection. Then click on the intrusion and all the details appear at the bottom of the screen. I had to use CTRL + C to copy it as the right click to copy doesn't work on it.

    Just actually managed to do a full trace !!!

    Norton's full log etc.:


    OrgName: ISP Management inc.
    OrgID: ISPMAN-1
    Address: 319 E. Superior St.
    City: Alma
    StateProv: MI
    PostalCode: 48801
    Country: US

    NetRange: 66.103.240.0 - 66.103.243.255
    CIDR: 66.103.240.0/22
    NetName: I123-66103240-23
    NetHandle: NET-66-103-240-0-1
    Parent: NET-66-103-224-0-1
    NetType: Reassigned
    NameServer: DNS.ISPMGT.COM
    NameServer: HOSTING.ISPMGT.COM
    Comment:
    RegDate: 2003-02-21
    Updated: 2003-02-21

    # ARIN WHOIS database, last updated 2003-09-11 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    OrgName: ISP Management inc.
    OrgID: ISPMAN-1
    Address: 319 E. Superior St.
    City: Alma
    StateProv: MI
    PostalCode: 48801
    Country: US
    Comment:
    RegDate: 2002-03-12
    Updated: 2002-07-17

    # ARIN WHOIS database, last updated 2003-09-11 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.

  12. #12
    Ex-PC enthusiast
    Do you know how to use tcpdump to get a more detailed log of what is going on at a TCP level? Ethereal could do it too. Personally I would just blackhole the address and block all communications from them and then see if the IDS reports anything more. I am checking here if there is a known attack, but so far it looks like someone may be trying to contact a trojan on your network. The destination IP address in your IDS logs suggests that it is trying to contact an internal address, and that is strange unless the info came from inside your network to start with. Have you had a look at 192.168.0.3 to see if there is a trojan on board it?
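    As an added illustration (not code from the thread or from Norton), here is a small Python triage of the entry Ferral posted in #11 alongside the questions raised in #12 and #15: it checks the source against the ARIN CIDR from the WHOIS record, flags the RFC 1918 destination, notes that both ports are high, and walks the option bytes as TCP kind/length pairs to show why "Invalid TCP Options" fires. Reading 0x491f491f as the raw option bytes is an assumption; the log text is a constructed copy of the post.

```python
import ipaddress
import re
# Constructed copy of the Norton Internet Security entry quoted in post #11.
NORTON_ENTRY = """Details: Intrusion: Invalid TCP Options
Source IP address: 66.103.241.212
Destination IP address: iain(192.168.0.3)
TCP Source Port: 6699
TCP Destination Port: 3956
Invalid TCP Option: 0x491f491f"""
WHOIS_CIDR = "66.103.240.0/22"  # CIDR line of the ARIN record in the same post

def parse_entry(text):
    """Split the 'Key: value' lines of the Norton entry into a dict."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields

def tcp_option_problems(hex_word):
    """Walk the bytes as RFC 793 kind/length options; assumes Norton printed raw option bytes."""
    data = bytes.fromhex(hex_word.lower().replace("0x", "", 1))
    problems, i = [], 0
    while i < len(data):
        kind = data[i]
        if kind in (0, 1):  # End-of-options / NOP carry no length byte
            i += 1
            continue
        if i + 1 >= len(data):
            problems.append(f"kind {kind} has no length byte")
            break
        length = data[i + 1]
        if length < 2 or i + length > len(data):
            problems.append(f"kind {kind} claims length {length}, only {len(data) - i} bytes present")
            break
        i += length
    return problems

def triage(text, cidr):
    f = parse_entry(text)
    src = ipaddress.ip_address(f["Source IP address"])
    dst = ipaddress.ip_address(re.search(r"\d+(?:\.\d+){3}", f["Destination IP address"]).group())
    return {
        "src_in_whois_range": src in ipaddress.ip_network(cidr),  # abuse@ report goes to this org
        "dst_is_private": dst.is_private,  # entry was logged behind NAT, on the host itself
        "both_ports_high": all(int(f[k]) > 1023 for k in ("TCP Source Port", "TCP Destination Port")),
        "option_problems": tcp_option_problems(f["Invalid TCP Option"]),
    }
```

    Kind 73 with a claimed length of 31 in a four-byte option field is what a TCP stack rejects, so the alert says nothing about what service, if any, sits behind port 3956.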

  13. #13
    Ferral (Going Retro!!!)
    Yeah,

    That's my PC itself. It's fully clean; it gets checked every few days by NAV. At the time of the attack I was actually browsing the boards here.

    Bizarre thing for me is that whoever it was managed to get through the broadband router's firewall and localise the attack on my machine only. I'm thinking I was hit due to having sensitive data on my PC (logs, member databases and things like that for my website).

    I just mailed all the relevant stuff that I put on here to abuse@ntlworld.com, hopefully they will be able to do something about it as the info is quite specific.

  14. #14
    Ex-PC enthusiast
    There is also a possibility that you have a firewall in front of your IDS that is doing a port redirect. This report says nothing really and is pretty useless. You can send off a mail to abuse@ but personally I stick with the blackhole option.

  15. #15
    Ex-PC enthusiast
    Detailed, yes, but useful... not really, as these are high ports and it is not possible to say just like that what is running on them.

  16. #16
    Ex-PC enthusiast
    If it is to do with the forums here then I would suggest that you maybe try some better, more extensive IDS software, as NIS is really only a home-user solution and I would not recommend it to protect sensitive business data, as you are already a target as a web-facing business.
