IP Attacks

[shiato storm]

I have been recently getting many attacks from various IP addresses - thankfully caught by my Norton Anti-Virus - but I have run a visual tracking progrm on it and discovered its origins...what do I do?
apparently it was a trojan horse (i.e. not very nice) virus that I stopped and it came all the way from philadelphia courtesy of a company called Comcast Corporation...or at least someone within it...

any advice on what to do when I get something like this through? teach them a lesson or something...

[Steve]

It is unlikely that it was actually an attack, but Norton just likes to vent off about stuff like that so that you think it's doing something.

My gateway's intrustion detection software compiles a list of suspected attempts to hack in etc, many are not valid.

Perhaps a website you're visiting is triggering something to make Norton think you're being attacked. Track when the "attacks" happen and see if you're doing anything specific at the time. This will help you assertain if there is indeed something sinister going on.

[shiato storm]

nope attacks originate at a company i'v never heard of let alone gone to their website...

[Steve]

Interesting, I've heared of comcast, possibly a US ISP. You say the IP's change?

[evildoc614]

comcast is a isp in the US. who ever is doing it is using comcast, i would try and contact them and let them know that some one using there ip is trying to "hack" your computer

[Steve]

It could just be a trojan that somebody is infected with that's trying to spread. For example, I keep getting a virus in my mail from somebody (don't know who - spoofed address.) That person isn't doing it intentionally, they're just infected with the worm that's spreading it.

Still, if it really is something trying to get at you, it needs to be stopped.

[shiato storm]

hmm...valid points. as mentioned it could either be an unwitting person with said virus thats released themselves upon the web and infected countless others but it could also be a targeted attack...
I shall let the company have the details I got from my IP track...see what they do.

[Moby-Dick]

what makes you think it is a targetted attack ? - It just sounds like a port scan to me. I pick up loas of port scans whenever I get round to looking at firewall / gateway logs and it doesn't worry me as I know that nothing is actually getting in.

Just think of the cisco ad.


"whats happening? "



"nothing............."


If you really want to progress it, mail a copy of your firewall log to abuse@isp you might even get a reply , but dont expect SWAT teams to be on peoples doorsteps for it.

[Blub2k]

What piece of software is reporting the attack exactly? Is it the IDS that is telling you that there is an attack on? What type of attack is it reporting? Can you post an extract from the logs here?

[Ferral]

NTL here in the North East used to be called Comcast. I got something similar on Norton a few weeks back but it couldn't locate the host at all.

At the bottom of the screen on the tracking there should be everything you need to report it, apparently as I've never seen it !

[Ferral]

Details: Intrusion: Invalid TCP Options
Intruder: 66.103.241.212
Risk Level: Medium
Source IP address: 66.103.241.212
Destination IP address: iain(192.168.0.3)
TCP Source Port: 6699
TCP Destination Port: 3956
Invalid TCP Option: 0x491f491f

Click on the address to trace the attacker
You can get detailed information about this attack at Symantec Security Response


This is the report I got from mine, you get it by opening Norton Internet Security > Statistics (Left Side) > View Logs >Intrusion Detection. Then click on the intrusion and all the details appear at the bottom of the screen. I had to use CTRL + C to copy it as the right click to copy doesn't work on it.

Just actually managed to do a full trace !!!

Nortons full log etc :


OrgName: ISP Management inc.
OrgID: ISPMAN-1
Address: 319 E. Superior St.
City: Alma
StateProv: MI
PostalCode: 48801
Country: US

NetRange: 66.103.240.0 - 66.103.243.255
CIDR: 66.103.240.0/22
NetName: I123-66103240-23
NetHandle: NET-66-103-240-0-1
Parent: NET-66-103-224-0-1
NetType: Reassigned
NameServer: DNS.ISPMGT.COM
NameServer: HOSTING.ISPMGT.COM
Comment:
RegDate: 2003-02-21
Updated: 2003-02-21

# ARIN WHOIS database, last updated 2003-09-11 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

OrgName: ISP Management inc.
OrgID: ISPMAN-1
Address: 319 E. Superior St.
City: Alma
StateProv: MI
PostalCode: 48801
Country: US
Comment:
RegDate: 2002-03-12
Updated: 2002-07-17

# ARIN WHOIS database, last updated 2003-09-11 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.

[Blub2k]

Do you know how to use tcpdump to get a more detailed log of what is going on at a tcp level? Ethereal could do it too, Personally I would just blackhole the address and block all communications from them and then see does the IDS report anything more, am checking here if there is a known attack but so far it looks like someone may be trying to contact a trojan on your network. The destination IP address in your IDS logs suggests that it is trying to contact an internal address and that is strange unless the info came from inside your network to start with, have you had a look at 192.168.0.3 to see if there is a trojan onboard it?

[Ferral]

Yeah,

Thats my PC itself, Its fully clean. Gets checked every few days by NAV. At the time of the attack I was actually browsing the boards here.

Bizarre thing for me is that whoever it was managed to get through the Broadband Routers Firewall and localise the attack on my machine only. I'm thinking I was hit due to having sensetive data on my PC (logs, member databases and things like that for my website)

I just mailed all the relevant stuff that I put on here to abuse@ntlworld.com, hopefully they will be able to do something about it as the info is quite specific.

[Blub2k]

there is also a possibility that you have a firewall in front of your IDS that is doing a port redirect. This report says nothing really and is pretty useless. You can send off a mail to abuse@ but personally I stick with the blackhole option.

[Blub2k]

detailed yes but useful....not really as these are high ports and it is not possible to say just like that what is running on them.

[Blub2k]

If it is to do with the forums here then I would suggest that you maybe try some better more extensive IDS software as NIS is really only a home-user solution and I would not recommend it to protect sensitive business data as you are already a target as a webfacing business.