Page 1 of 2 12 LastLast
Results 1 to 10 of 18

Thread: Chasing down an intruder

  1. #1
    Junior Member
    Join Date
    Mar 2002

    Exclamation Chasing down an intruder

    My small home network is hidden behind an RT314 firewall. I'm getting a common message (every couple days) from the firewall, telling me that a particular IP address is trying to access the firewall's public IP address. I have the IP of the machine trying to get in; how do I find out who it belongs to and what do you suggest I do about it? I suppose I could call them, or...

    I don't want to escalate a fight, but I'm afraid they're going to keep trying until they get through. I'm not sure how they even found it; I'm running in stealth mode on the address and all ports. I had it tested through the Gibson Research Corporation here:

    I'm open to all suggestions, but keep in mind I don't have the time to constantly watch my back either...
    Right now it's simply a security issue, and not yet a threat.


  2. #2
    Hi mom!
    Join Date
    Aug 2001
    Well, as long as your firewall is blocking the attempts, you're safe. What I would do is tracerouting the IP, and report it to it's ISP ( abuse@<isp> ) together with a copy of your logs. That should do the trick.
    I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.

  3. #3
    Senior Member Ouroboros's Avatar
    Join Date
    Nov 2001
    Superior, WI USA
    yep...like Guus said, just report it...abuse@whateverISP...those guys are never offline, and should take care of the problem very quickly...

    As far as yourself, it sounds like you(personally) are safe...but think of the unsuspecting users that aren't...

    If you are really interested in finding out who this violating user is, try NTX, although if said abuser is skilled enough, you won't find out anything useful.

    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor

  4. #4
    Junior Member
    Join Date
    Mar 2002
    i would do it like guus.
    but you can go a lto further than that. once you have the ip you can start ip-queries, lookin up on whois, x-whois and so on. trying to get the name of the person and contact it yourself should be pretty hard, cuz hte provider isn't allowed to tell you stuff like that. but if you somehow manage to do it, tell me, i would be interested in it. if you still want to do more, go to a public library and look into books like hacking exposed, or check out their website. there they tell you the kind of attack, and how to react. there are tons of stuff bout that **** out there, so you should be able to do some stuff. but whatever you do, don't try to kick 'em or chrash their computer. in that case you would be just as "bad" as they are. and it will jsut cause you more problems. but on the other side you defenitely shouldn't ignore 'em.
    but maybe the whole thing is just some stupid advertsing **** trying to connect to you, from some stupid page you once visited and they can't get behind your firewall (runs pretty much over cookies). in that case its useless anyway, cuz they know what is legal and what not. (for further information on that cookie-advertising **** look in the last issue of 2600 "behind the scenes of a wab page", then will know what i'm talkin bout)
    from what you said your small network seems pretty safe anyway, so you shouldn't think bout it too much, just check out who it is, and if it is a major company, forget bout it, that stuff happens all the time, if not, then you just call the provider and tell them to stop that idiot from messing round with you, that should be enough
    who contorls the past now, controls the future,
    who controls the present now, controls the past,
    who contorls the past now, controls the future,
    who controls the present now?

  5. #5
    Junior Member
    Join Date
    Mar 2002
    NTX worked great, thanks. In the last 24 hours, I used quite a few tracer programs, and that one definitely provided the most information.

  6. #6

    Question More info

    In order to answer the question well, I think I'm going to need a little more info. Most importantly, what port are they scanning you on?

    For example, is it 1214? I constantly see people trying to connect to 1214 on my firewall. That's because every day, more and more people are trying out the kazaa filesharing software. And their machines are constantly searching for other kazaa machines to communicate with. It doesn't really qualify a scan, it just means that whoever coded kazaa made it very active in searching for computers to talk to.

    Another example is port 113. A lot of times when you connect to an FTP server, the server is configured to connect back to your machine to try to figure out who you are. This is left over from the good old days of the internet when no one really paid attention to security and everyone trusted everyone.

    These are just two examples... if you're not comfortable telling everyone what port you're being scanned on, you can always go to a place like www.snort.org and use their online port database tool to find out more about what they are scanning.

    With a little more detail, I could give you a more definitive answer, but if it is indeed a scan, then the other answers you're already received are a great start at tracking your attacker.

  7. #7
    Junior Member
    Join Date
    Mar 2002
    Here is the message I'm receiving from the firewall:

    03/21/2002 18:13:18.608 - Sub Seven Attack Dropped - Source:, 2812, WAN - Destination: **.***.**.***, 1243, WAN - -

    I traced it to the east coast, but the domain belongs to AT&T. It's possible that the person is using AT&T as an ISP, and running a cable modem with a router. On the other hand, maybe it's actually AT&T trying to see us (it's our ISP too). Here is the the trace info:

    3 2.975 ms DNS error [AS2914] Verio
    4 2.821 ms ge-6-0-0.r02.lsanca01.us.bb.verio.net [AS2914] Verio
    5 2.974 ms p4-0.att.lsanca01.us.bb.verio.net [AS2914] Verio
    6 3.34 ms gbr3-p50.la2ca.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
    7 16.157 ms gbr4-p20.sffca.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
    8 28.670 ms gbr3-p30.st6wa.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
    9 29.190 ms gbr2-p10.st6wa.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
    10 28.801 ms gar2-p370.st6wa.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
    11 30.569 ms DNS error [AS7018] AT&T WorldNet Service Backbone
    12 30.275 ms DNS error [AS7018] AT&T WorldNet Service Backbone
    13 32.52 ms DNS error [AS7018] AT&T WorldNet Service Backbone
    14 33.440 ms DNS error [AS7018] AT&T WorldNet Service Backbone
    15 56.467 ms 12-230-12-53.client.attbi.com [AS7018] AT&T WorldNet Service Backbone

  8. #8
    Join Date
    Mar 2002
    sometimes with cable modems the provider sends out brodcast packets that the firewall may misinterprit..I've seen this before using a Sonic Wall and also with Microsoft ISA server. The logs on both the ISA box and the firewall showed that IP's were being spoofed. In reality they turned out to be Broadcast packets from the ISP..

  9. #9
    Senior Member cwk9's Avatar
    Join Date
    Feb 2002
    Firewalls have a bad habit of reporting hacking attempts if your isp tends to send lots of broadcast messages. If some one is trying to hack your system traceroute is a good start, you can always use neotrace if you like fancy maps and buttons.
    Its not software piracy. I’m just making multiple off site backups.

  10. #10
    Senior Member
    Join Date
    Nov 2001
    if you've scanned your system for trojans and didn't find any, i wouldn't worry about it. probably just a kiddie with a new scanner and a sub7 client looking for someone to play with.

    the next time it happens, stop whatever you doing, scan his/her ports. That should let the lammer know your on to him and that he may be in danger of getting in trouble with the law. unless shes stupid enough to try breaking into boxs without having her oun machine protected.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts