
Thread: Help Me Please. Unsure if hoax!!

  1. #21
    Senior Member Ouroboros's Avatar
    Join Date
    Nov 2001
    Location
    Superior, WI USA
    Posts
    636
    Frankly, my 'crap detector' is sounding off like mad. Something just doesn't fit with the story.

    "Aeseroth Galanodel: im goiung to shgow my parents now brb
    Aeseroth Galanodel: may be a while
    Grand Master of the Knights Militant: Very well. If I am not here when you get back I wish you good luck.
    Aeseroth Galanodel: ok mums reading it now
    Aeseroth Galanodel: i also asked mundy to take a look"

    TpM - "and i run nod32 av but its outdated and i have no $$ for updates i was also running black ice IDS on the proxy but when i reformatted i forgot to put it back on. "

    TpM - "it was my real ip address, but thanks anyway. mmm... commindico. i got no idea if my isp serves me off to commindico i believe you that the ip is owned by them but i dont think we go through their proxy.

    well i have scanned ports 1-10,000 and this is what I've found
    Port Found On: 21
    Port Found On: 23
    Port Found On: 25
    Port Found On: 53
    Port Found On: 80
    Port Found On: 110
    Port Found On: 139
    Port Found On: 1080
    Port Found On: 1090
    Port Found On: 5376
    Port Found On: 5888
    Port Found On: 6400"

    I find this story hard to accept...not to say that it isn't true, but hard to accept nonetheless. It seems to be lacking some key elements that would put the story together.
    I hope that TpM isn't just jerking the chain...

    Ouroboros
    "entia non sunt multiplicanda praeter necessitatem"

    "entities should not be multiplied beyond necessity."

    -Occam's Razor


  2. #22
    Well one of the admins from my isp just rang and discussed it with me. He says that they do get their ip addresses from comindico, "maria" is probably who she says she is. but even if she is american computer crime laws have no jurisdiction in aus so they cant do anything about it. he says that because our ips are dynamically provided, she probably was getting attacked by someone using the same ip previously. she probably just thought "mmm... ip address" and traced it to me while i was using it. "probably just an overzealous sysadmin taking their job a bit too seriously." he told me.

    anyway he told me that if she hassles me again i can tell her that if she keeps it up i can go to her employers with a complaint and get her off my back because it is harassment. so im pretty happy with the result of that thanks a lot you guys! also keep the comments coming about the ports i had open and stuff and how to fix it.

    cheers all!
    THEprophetMOSES

  3. #23
    Junior Member
    Join Date
    Aug 2002
    Posts
    11
    Prophet, i did a little bit of research, and i found something that seems to fit into your scenario pretty snugly... it is an ICQ trojan called "The Thing" and operates by default on port 6400, one of your open ports. It seems quite plausible that somebody used this trojan to remotely attack somebody, therefore pissing this Maria character off...

    For more information on The Thing, goto:
    http://www.glocksoft.com/trojan_list/The_Thing.htm

    For a complete list of common trojan ports:
    http://www.glocksoft.com/trojan_port.htm

    You really need to be more careful about your ports!
    slick_shoes

  4. #24
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    You know, people might want to stop scanning the IP address. I don't think that TpM gave permission for it and given that his IP changes regularly (wow! a DHCP that works!) you might be scanning someone else. Just out of consideration of the other person. It will be TpM's responsibility to look after his ports and what ones are open/closed.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  5. #25
    yeah thanks msmittens. i just want advice on how to close them, and that trojan info was a help thanks
    THEprophetMOSES

  6. #26
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    First off, get rid of services you are not running. Remark out of the services file and/or the inetd file. You should be running things off of xinet.d ideally.

    2nd, put a firewall up in front of the machine and limit traffic to the ports that need activity.

    If you are not sure if a port needs to stay open, go research it on Google.com. Ports like 6000 (XWindows) need only a minor change in a .xserverrc file.

    BTW, to lock down Xwindows put into the .xserverrc file the following:

    X -nolisten tcp :0
    If you have cash, I'd highly recommend Real World Linux Security as a good reference book to lock down your system.

    Edit: d'oh! You look like you're running Windows! I should have checked. Same applies generally. Although I don't know what you need to shut off the XWindows port on Windows (other service perhaps). With Windows you need to stop services from starting at boot up. Messenger service is definitely one to stop. Is it Win2K?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  7. #27
    THEprophetMOSES please don't take this the wrong way but may I make a suggestion?

    In the future you may want to avoid posting such information as your IP and a list of open ports on your system in a Public Forum. You could really end up inviting a lot of trouble your way. You never know who is looking at this thread. If I were you I might consider editing my posts a bit.

    Cheers.

  8. #28
    mmm... i should (embarrassed smiley) thanks nathan! ill try to remember!

    msmittens i am running win98SE with 602 prolan suite lite as my proxy. i have only one other comp running off the proxy. and i now have zone alarm pro 3! YAY!
    THEprophetMOSES

  9. #29
    Junior Member
    Join Date
    Aug 2003
    Posts
    2
    SirDice said, "It's not uncommon for an ISP to rent IP ranges from bigger ISP's." Is that why an IP address from one country would be shown by some IP locators to be in another country? For instance, the IP 203.210.221.235 is an ISP from Viet Nam, but IP2Location says that the physical location is Scottsdale, Arizona.

    In my job as a fraud investigator for an online payment processor I frequently need to determine the physical location from which orders are placed. I'd like to understand more about how it is that some country's IP addresses sometimes appear to be physically located in another country.

    Matthew
    Matthew Osborn
    Fraud Analyst

  10. #30
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    You should probably have started a new thread with this topic rather than burying it at the bottom of an age old thread.....

    The best way to determine the physical location of an ip is to tracert it thus:

    tracert xxx.xxx.xxx.xxx

    and then watch the right side of the screen for the resolved IP's of the routers in between. It is usually quite apparent where the endpoint is close to regardless of where the address whois' to. The following is a tracert to www.yahoo.com with the first few hops removed for my own sanity....

    6 144.232.188.157 20ms 20ms 40ms TTL: 0 (sl-gw21-chi-6-1-1.sprintlink.net ok)
    7 144.232.26.235 50ms 20ms 20ms TTL: 0 (sl-bb21-chi-1-0.sprintlink.net ok)
    8 144.232.20.82 40ms 20ms 60ms TTL: 0 (sl-st21-chi-15-1.sprintlink.net ok)
    9 208.174.226.65 30ms 30ms 30ms TTL: 0 (bpr1-so-4-0-0.chicagoequinix.cw.net ok)
    10 208.175.10.237 30ms 40ms 31ms TTL: 0 (dcr2-so-4-3-0.chicago.cw.net ok)
    11 206.24.226.99 60ms 50ms 50ms TTL: 0 (dcr1-loopback.washington.cw.net ok)
    12 206.24.238.38 50ms 90ms 50ms TTL: 0 (bhr1-pos-10-0.sterling2dc3.cw.net ok)
    13 216.109.66.98 61ms 61ms 50ms TTL: 0 (csr12-ve242.sterling2dc3.cw.net ok)
    14 216.109.84.166 60ms 50ms 60ms TTL: 0 (No rDNS)
    15 216.109.120.150 60ms 50ms 50ms TTL: 0 (vl32.bas1-m.dcn.yahoo.com ok)

    You will notice that hops 6-10 are in Chicago, 11 is in Washington, 12 and 13 are in Sterling Virginia. The last hop is a Yahoo router... So, at the absolute minimum we know that Yahoo's web server is somewhere in DC or Northern Va. Some other digging would confirm this for you.

    Now there are some riders on this. You will be doing your investigation a long time after the dirty deed took place so the IP Address may now have been picked by someone else. Furthermore, the IP address may have had an open proxy at the time of the order that may or may not be there now - thus the order might have been physically placed from the other side of the world. While I'm sure that in many cases your investigations would lead to a genuine culprit you need to be aware of the other trickery that takes place out there before you use IP address information as a major part of your case.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
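The hop-by-hop reading in the post above (spotting city names in the routers' rDNS and taking the last identifiable hop as the likely region of the endpoint) can be automated. The following is an added example, not code from the thread or its posters: it parses the tracert lines quoted in the post, pulls out each hop's reverse-DNS name, and applies a small location-hint table. The table (chi/chicago, washington, sterling) is an assumption built to cover this one trace; carrier naming conventions vary, so a real investigation would extend it per carrier and still treat the result as a hint, subject to the dynamic-IP and open-proxy caveats in the post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows tracert output quoted in the post above (hops 6-15 of a trace to www.yahoo.com).
TRACERT_OUTPUT = """\
6 144.232.188.157 20ms 20ms 40ms TTL: 0 (sl-gw21-chi-6-1-1.sprintlink.net ok)
7 144.232.26.235 50ms 20ms 20ms TTL: 0 (sl-bb21-chi-1-0.sprintlink.net ok)
8 144.232.20.82 40ms 20ms 60ms TTL: 0 (sl-st21-chi-15-1.sprintlink.net ok)
9 208.174.226.65 30ms 30ms 30ms TTL: 0 (bpr1-so-4-0-0.chicagoequinix.cw.net ok)
10 208.175.10.237 30ms 40ms 31ms TTL: 0 (dcr2-so-4-3-0.chicago.cw.net ok)
11 206.24.226.99 60ms 50ms 50ms TTL: 0 (dcr1-loopback.washington.cw.net ok)
12 206.24.238.38 50ms 90ms 50ms TTL: 0 (bhr1-pos-10-0.sterling2dc3.cw.net ok)
13 216.109.66.98 61ms 61ms 50ms TTL: 0 (csr12-ve242.sterling2dc3.cw.net ok)
14 216.109.84.166 60ms 50ms 60ms TTL: 0 (No rDNS)
15 216.109.120.150 60ms 50ms 50ms TTL: 0 (vl32.bas1-m.dcn.yahoo.com ok)
"""

# Assumed heuristic table: city codes / names that carriers embed in router rDNS labels.
# Chosen to cover the trace above only; extend per carrier naming convention in practice.
LOCATION_HINTS = {
    "chi": "Chicago, IL",
    "chicago": "Chicago, IL",
    "washington": "Washington, DC",
    "sterling": "Sterling, VA",
}

# One hop line: "<n> <ip> <rtt>ms <rtt>ms <rtt>ms TTL: 0 (<rdns> ok)" or "(No rDNS)".
HOP_RE = re.compile(
    r"^\s*(?P<n>\d+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
    r"\s+(?P<r1>\d+)ms\s+(?P<r2>\d+)ms\s+(?P<r3>\d+)ms"
    r".*?\((?P<rdns>[^)]*)\)"
)


@dataclass
class Hop:
    number: int
    ip: str
    rtts_ms: Tuple[int, int, int]
    hostname: Optional[str]   # None when the tool printed "(No rDNS)"
    location: Optional[str]   # hint from LOCATION_HINTS, or None


def guess_location(hostname: Optional[str]) -> Optional[str]:
    """Match rDNS labels against the hint table: exact match for short airport-style
    codes, prefix match for full city names (so 'sterling2dc3' still hits 'sterling')."""
    if hostname is None:
        return None
    for token in re.split(r"[.-]", hostname.lower()):
        for key, place in LOCATION_HINTS.items():
            if token == key or (len(key) >= 5 and token.startswith(key)):
                return place
    return None


def parse_hops(text: str) -> List[Hop]:
    """Parse tracert-style lines into Hop records; lines that do not match are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        rdns = m.group("rdns").strip()
        hostname = rdns[:-3] if rdns.endswith(" ok") else None
        hops.append(Hop(
            number=int(m.group("n")),
            ip=m.group("ip"),
            rtts_ms=(int(m.group("r1")), int(m.group("r2")), int(m.group("r3"))),
            hostname=hostname,
            location=guess_location(hostname),
        ))
    return hops


def location_summary(hops: List[Hop]) -> List[Tuple[int, int, str]]:
    """Collapse consecutive located hops into (first_hop, last_hop, location) runs."""
    runs: List[Tuple[int, int, str]] = []
    for h in hops:
        if h.location is None:
            continue
        if runs and runs[-1][2] == h.location:
            runs[-1] = (runs[-1][0], h.number, h.location)
        else:
            runs.append((h.number, h.number, h.location))
    return runs


def last_located_hop(hops: List[Hop]) -> Optional[Hop]:
    """The last hop with a recognisable location: the endpoint is usually near it."""
    located = [h for h in hops if h.location]
    return located[-1] if located else None


if __name__ == "__main__":
    parsed = parse_hops(TRACERT_OUTPUT)
    for first, last, place in location_summary(parsed):
        print(f"hops {first}-{last}: {place}")
    tail = last_located_hop(parsed)
    print(f"endpoint is probably near hop {tail.number} ({tail.location})")
```

Run as a script it prints the same reading the post gives by eye: hops 6-10 in Chicago, 11 in Washington, 12-13 in Sterling, and the endpoint probably near Sterling, VA. The hint table is the weak point of this approach, and an unmatched hop (like hop 15 here) simply yields no location rather than a guess.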
