Thread: cracker still attacking

  1. #1
    Junior Member
    Join Date
    Oct 2002
    Posts
    20

    cracker still attacking

    I have previously attempted to stop the IP listed below in my fw log, including a trace and e-mail to the admin, tech and abuse e-mail address, but nothing has halted or slowed down the attempts to gain access to my computer. Does anyone have ideas?

    Event Date Source IP TargetPort
    1/27/2003 7:20:05 PM 199.181.135.149 1785 D
    1/27/2003 7:19:42 PM 199.181.135.149 1754 D
    1/27/2003 7:19:41 PM 199.181.135.149 1736 D
    1/27/2003 7:19:35 PM 199.181.135.149 1708 D
    1/27/2003 7:19:13 PM 199.181.135.149 1698 D
    1/27/2003 7:18:52 PM 199.181.135.149 1691 D
    1/27/2003 7:17:56 PM 199.181.135.149 1680 D
    1/27/2003 7:17:35 PM 199.181.135.149 1675 D
    1/27/2003 7:08:48 PM 199.181.135.149 0
    1/27/2003 7:07:58 PM 199.181.135.149 0
    1/27/2003 7:07:33 PM 199.181.135.149 1386 D
    1/27/2003 6:57:52 PM 199.181.135.149 1278 D
    1/27/2003 6:57:31 PM 199.181.135.149 1275 D
    1/27/2003 6:47:28 PM 199.181.135.149 1241 D
    1/27/2003 6:37:46 PM 199.181.135.149 1217 D
    1/27/2003 6:37:25 PM 199.181.135.149 1214 D
    1/27/2003 6:27:22 PM 199.181.135.149 1188 D
    1/27/2003 6:17:40 PM 199.181.135.149 1166 D
    1/27/2003 6:17:19 PM 199.181.135.149 1161 D
    1/27/2003 6:07:16 PM 199.181.135.149 1137 D
    1/27/2003 5:57:36 PM 199.181.135.149 1112 D
    1/27/2003 5:57:16 PM 199.181.135.149 1107 D
    1/27/2003 5:47:35 PM 199.181.135.149 1077 D
    1/27/2003 5:47:12 PM 199.181.135.149 1072 D
    1/27/2003 5:37:09 PM 199.181.135.149 1042 D
    1/27/2003 5:27:06 PM 199.181.135.149 4952 D
    1/27/2003 5:17:05 PM 199.181.135.149 4836 D
    1/27/2003 5:07:03 PM 199.181.135.149 4437 D
    1/27/2003 4:57:00 PM 199.181.135.149 4373 D
    1/27/2003 4:48:40 PM 199.181.135.149 4025 D
    1/27/2003 4:46:58 PM 199.181.135.149 3882 D
    1/27/2003 4:36:55 PM 199.181.135.149 3592 D
    1/27/2003 4:26:54 PM 199.181.135.149 3138 D
    1/27/2003 4:16:52 PM 199.181.135.149 2830 D
    1/27/2003 4:06:49 PM 199.181.135.149 2387 D
    1/27/2003 3:56:46 PM 199.181.135.149 2239 D
    1/27/2003 3:46:43 PM 199.181.135.149 2039 D
    1/27/2003 3:36:41 PM 199.181.135.149 1580 D
    1/27/2003 3:26:37 PM 199.181.135.149 1554 D
    1/27/2003 3:16:34 PM 199.181.135.149 1530 D
    1/27/2003 3:06:30 PM 199.181.135.149 1506 D
    1/27/2003 2:56:23 PM 199.181.135.149 1482 D
    1/27/2003 2:46:20 PM 199.181.135.149 1448 D
    1/27/2003 2:36:16 PM 199.181.135.149 1384 D
    1/27/2003 2:26:13 PM 199.181.135.149 1147 D

  2. #2
    Junior Member
    Join Date
    Nov 2002
    Posts
    4
    You should get an IDS (Intrusion Detection System). This will let you know each time the attacker tries to connect to your box. Here's a list of IDS:
    http://www.snort.org
    http://www.nswc.navy.mil/ISSEC/CID/index.html
    http://ciac.llnl.gov/ciac/ToolsUnixNetMon.html

  3. #3
    Junior Member
    Join Date
    Oct 2002
    Posts
    20
    thx Spawn46

  4. #4
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    OrgName: The Disney Channel
    OrgID: THEDIS-1

    NetRange: 199.181.129.0 - 199.181.135.255
    CIDR: 199.181.129.0/24, 199.181.130.0/23, 199.181.132.0/22


    Are you sure you don't have any software installed that would be going to the Disney Channel? Are you sure that your browser or Windows multimedia player isn't downloading content?

    It would be helpful if you could provide more information in the log. Sanitize your IP out of it, but leave the port there, this would help me determine a little bit better. I am assuming the number mentioned after the IP is a port number, but there is no mention of whether or not that is a source port or a destination port (the information I just asked for would help answer that question).

    I suspect you are using a personal firewall, and many personal firewalls can get confused about the 'state' of the connection and will start dropping legitimate sessions, or through the configuration (for example if you disabled Windows Media Player from going to the internet) will drop the connection.

    An IDS log or a sniff of the session would be most helpful, but the rest of your logs would probably be sufficient. In the meantime, I would recommend checking your existing installed software and trying to determine if there is any possible legitimate reason that your PC might be going to the Disney Channel...

    Happy hunting,

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)
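
One way to check the question raised in the reply above (is the number after the IP a local client port, with the firewall dropping replies to the PC's own sessions?) against the log itself. This is an added example, not part of the original thread: the sample lines are copied from post #1, while the 1025-5000 client port range and the verdict heuristic are assumptions.

```python
from datetime import datetime

# Lines copied from the firewall log in post #1 (oldest first); subset only.
SAMPLE = """\
1/27/2003 4:57:00 PM 199.181.135.149 4373 D
1/27/2003 5:07:03 PM 199.181.135.149 4437 D
1/27/2003 5:17:05 PM 199.181.135.149 4836 D
1/27/2003 5:27:06 PM 199.181.135.149 4952 D
1/27/2003 5:37:09 PM 199.181.135.149 1042 D
1/27/2003 5:47:12 PM 199.181.135.149 1072 D
1/27/2003 5:47:35 PM 199.181.135.149 1077 D
1/27/2003 5:57:16 PM 199.181.135.149 1107 D
"""

# Assumption: default dynamic (client) port range on Windows of that era.
EPHEMERAL = range(1025, 5001)

def parse(text):
    """Return [(timestamp, source_ip, port)] sorted oldest first."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or not f[4].isdigit():
            continue  # skip headers and malformed lines
        ts = datetime.strptime(" ".join(f[:3]), "%m/%d/%Y %I:%M:%S %p")
        rows.append((ts, f[3], int(f[4])))
    return sorted(rows)

def summarize(rows):
    """Describe the port pattern: range membership, ordering, wraparounds."""
    ports = [p for _, _, p in rows]
    steps = list(zip(ports, ports[1:]))
    wraps = sum(1 for a, b in steps if b < a)
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(rows, rows[1:])]
    return {
        "events": len(rows),
        "all_ephemeral": all(p in EPHEMERAL for p in ports),
        "rising_steps": sum(1 for a, b in steps if b > a),
        "wraparounds": wraps,
        "median_gap_s": sorted(gaps)[len(gaps) // 2] if gaps else None,
    }

def verdict(s):
    """Heuristic (assumption): a climbing counter in the client range is local."""
    if s["all_ephemeral"] and s["wraparounds"] <= 1 and s["rising_steps"] >= s["events"] - 2:
        return "consistent with replies to this PC's own outbound connections"
    return "not explained by local client ports; capture full packets"
```

A port number that climbs steadily and wraps near 5000 behaves like the local machine's own client port counter, which is what an inbound probe of listening services would not produce.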

  5. #5
    Junior Member
    Join Date
    Oct 2002
    Posts
    20
    I have used both cleaner and spybot to clean up my act, but I believe there has to be something left on my computer that communicates, since it manages to get through my router. Thanks nebulus200 for reminding me.
