March 24th, 2002, 12:27 AM
March 24th, 2002, 12:59 AM
Well, as long as your firewall is blocking the attempts, you're safe. What I would do is tracerouting the IP, and report it to it's ISP ( abuse@<isp> ) together with a copy of your logs. That should do the trick.
I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.
March 24th, 2002, 01:05 AM
yep...like Guus said, just report it...abuse@whateverISP...those guys are never offline, and should take care of the problem very quickly...
As far as yourself, it sounds like you(personally) are safe...but think of the unsuspecting users that aren't...
If you are really interested in finding out who this violating user is, try NTX, although if said abuser is skilled enough, you won't find out anything useful.
"entia non sunt multiplicanda praeter necessitatem"
"entities should not be multiplied beyond necessity."
March 24th, 2002, 01:13 AM
i would do it like guus.
but you can go a lto further than that. once you have the ip you can start ip-queries, lookin up on whois, x-whois and so on. trying to get the name of the person and contact it yourself should be pretty hard, cuz hte provider isn't allowed to tell you stuff like that. but if you somehow manage to do it, tell me, i would be interested in it. if you still want to do more, go to a public library and look into books like hacking exposed, or check out their website. there they tell you the kind of attack, and how to react. there are tons of stuff bout that **** out there, so you should be able to do some stuff. but whatever you do, don't try to kick 'em or chrash their computer. in that case you would be just as "bad" as they are. and it will jsut cause you more problems. but on the other side you defenitely shouldn't ignore 'em.
but maybe the whole thing is just some stupid advertsing **** trying to connect to you, from some stupid page you once visited and they can't get behind your firewall (runs pretty much over cookies). in that case its useless anyway, cuz they know what is legal and what not. (for further information on that cookie-advertising **** look in the last issue of 2600 "behind the scenes of a wab page", then will know what i'm talkin bout)
from what you said your small network seems pretty safe anyway, so you shouldn't think bout it too much, just check out who it is, and if it is a major company, forget bout it, that stuff happens all the time, if not, then you just call the provider and tell them to stop that idiot from messing round with you, that should be enough
who contorls the past now, controls the future,
who controls the present now, controls the past,
who contorls the past now, controls the future,
who controls the present now?
March 24th, 2002, 09:04 PM
NTX worked great, thanks. In the last 24 hours, I used quite a few tracer programs, and that one definitely provided the most information.
March 24th, 2002, 09:13 PM
In order to answer the question well, I think I'm going to need a little more info. Most importantly, what port are they scanning you on?
For example, is it 1214? I constantly see people trying to connect to 1214 on my firewall. That's because every day, more and more people are trying out the kazaa filesharing software. And their machines are constantly searching for other kazaa machines to communicate with. It doesn't really qualify a scan, it just means that whoever coded kazaa made it very active in searching for computers to talk to.
Another example is port 113. A lot of times when you connect to an FTP server, the server is configured to connect back to your machine to try to figure out who you are. This is left over from the good old days of the internet when no one really paid attention to security and everyone trusted everyone.
These are just two examples... if you're not comfortable telling everyone what port you're being scanned on, you can always go to a place like www.snort.org and use their online port database tool to find out more about what they are scanning.
With a little more detail, I could give you a more definitive answer, but if it is indeed a scan, then the other answers you're already received are a great start at tracking your attacker.
March 24th, 2002, 09:39 PM
Here is the message I'm receiving from the firewall:
03/21/2002 18:13:18.608 - Sub Seven Attack Dropped - Source:184.108.40.206, 2812, WAN - Destination: **.***.**.***, 1243, WAN - -
I traced it to the east coast, but the domain belongs to AT&T. It's possible that the person is using AT&T as an ISP, and running a cable modem with a router. On the other hand, maybe it's actually AT&T trying to see us (it's our ISP too). Here is the the trace info:
3 220.127.116.11 2.975 ms DNS error [AS2914] Verio
4 18.104.22.168 2.821 ms ge-6-0-0.r02.lsanca01.us.bb.verio.net [AS2914] Verio
5 22.214.171.124 2.974 ms p4-0.att.lsanca01.us.bb.verio.net [AS2914] Verio
6 126.96.36.199 3.34 ms gbr3-p50.la2ca.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
7 188.8.131.52 16.157 ms gbr4-p20.sffca.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
8 184.108.40.206 28.670 ms gbr3-p30.st6wa.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
9 220.127.116.11 29.190 ms gbr2-p10.st6wa.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
10 18.104.22.168 28.801 ms gar2-p370.st6wa.ip.att.net (DNS error) [AS7018] AT&T WorldNet Service Backbone
11 22.214.171.124 30.569 ms DNS error [AS7018] AT&T WorldNet Service Backbone
12 126.96.36.199 30.275 ms DNS error [AS7018] AT&T WorldNet Service Backbone
13 188.8.131.52 32.52 ms DNS error [AS7018] AT&T WorldNet Service Backbone
14 184.108.40.206 33.440 ms DNS error [AS7018] AT&T WorldNet Service Backbone
15 220.127.116.11 56.467 ms 12-230-12-53.client.attbi.com [AS7018] AT&T WorldNet Service Backbone
March 24th, 2002, 10:27 PM
sometimes with cable modems the provider sends out brodcast packets that the firewall may misinterprit..I've seen this before using a Sonic Wall and also with Microsoft ISA server. The logs on both the ISA box and the firewall showed that IP's were being spoofed. In reality they turned out to be Broadcast packets from the ISP..
March 24th, 2002, 11:17 PM
Firewalls have a bad habit of reporting hacking attempts if your isp tends to send lots of broadcast messages. If some one is trying to hack your system traceroute is a good start, you can always use neotrace if you like fancy maps and buttons.
Its not software piracy. I’m just making multiple off site backups.
March 24th, 2002, 11:48 PM
if you've scanned your system for trojans and didn't find any, i wouldn't worry about it. probably just a kiddie with a new scanner and a sub7 client looking for someone to play with.
the next time it happens, stop whatever you doing, scan his/her ports. That should let the lammer know your on to him and that he may be in danger of getting in trouble with the law. unless shes stupid enough to try breaking into boxs without having her oun machine protected.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”