March 26th, 2003, 10:52 PM
March 26th, 2003, 10:53 PM
Are you behind a firewall? If not, disconnect NOW
March 27th, 2003, 12:10 AM
Looks to me that someone may have mapped a drive to your machine. I would promptly disconnect from the Internet, as previously advised...
There were so many fewer questions when the stars were still just the holes to heaven - JJ
I sure could use a vacation from this bull$hit, three ringed circus side show of freaks. - Tool.
March 27th, 2003, 01:44 AM
Well, since you're on dial-up, do the following.
Disconnect, then reconnect, and see if the connection is still there. If it is, then that means there is something on your computer causing the connection. When using dial-up your IP changes each time you connect to the Internet (dynamic IP). So this means that the attacker would need to know which IP you're on at any given time.
If you find that your computer is still establishing this connection, then get a trojan cleaner (www.moosoft.com's The Cleaner works well), and see if you have any trojans on your box. Then get an updated virus program and run that just in case. If that doesn't help, then get a firewall and block that port completely. I'm sure by following these steps you may be able to narrow down exactly what is going on.
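The reconnect test above compares what is connected before and after the dial-up session is dropped. As an added illustration (not code from the thread or from any poster), the script below parses two constructed snapshots of Windows "netstat -an" output and reports foreign endpoints that are ESTABLISHED in both, even though the local address changed with the new dynamic IP; a peer that survives the reconnect is one your own machine is reaching out to. The snapshots, addresses and port numbers are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Matches one data row of Windows "netstat -an" output. UDP rows have no
# State column, hence the optional last group.
_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+([A-Z_]+))?\s*$")

# Constructed sample output (not captured from a real machine): the local
# IP differs between the two dial-up sessions, but one foreign endpoint
# is present both times.
SNAPSHOT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1034        198.51.100.23:6667     ESTABLISHED
  TCP    192.0.2.10:1041        203.0.113.50:80        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

SNAPSHOT_AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.77:1027        198.51.100.23:6667     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

Endpoint = Tuple[str, Optional[int]]


def _split_endpoint(endpoint: str) -> Endpoint:
    """'host:port' -> (host, port); '*:*' yields ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Parse the data rows of a netstat -an dump; header lines are skipped."""
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        rows.append({
            "proto": proto,
            "local": _split_endpoint(local),
            "foreign": _split_endpoint(foreign),
            "state": state or "",
        })
    return rows


def established_peers(text: str) -> set:
    """Foreign (host, port) endpoints with an ESTABLISHED TCP session."""
    return {r["foreign"] for r in parse_netstat(text) if r["state"] == "ESTABLISHED"}


def persistent_peers(before: str, after: str) -> List[Endpoint]:
    """Endpoints still connected after the dial-up session was re-established."""
    return sorted(established_peers(before) & established_peers(after))


if __name__ == "__main__":
    for host, port in persistent_peers(SNAPSHOT_BEFORE, SNAPSHOT_AFTER):
        print(f"{host}:{port} is connected again after reconnect; "
              f"look for the local process that opens it and block the port")
```

Run it against the real dumps by saving "netstat -an" to a file before and after reconnecting and passing the file contents to persistent_peers; netstat -ano on XP also shows the owning process ID, which makes the follow-up trojan scan more targeted.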
March 27th, 2003, 08:17 AM
My "snort" logs keep getting like 20-30 "ICMP PING ALERTS" from the "wanadoo" domain too; here is the IP ADDRESS
And a traceroute gives me:
3 126.96.36.199 7.107 ms isi-1-lngw2-atm.ln.net [AS226] Los Nettos origin AS
4 188.8.131.52 9.232 ms ge-2-3-0.a02.lsanca02.us.ra.verio.net [AS2914] Verio
5 184.108.40.206 7.408 ms xe-1-0-0.r20.lsanca01.us.bb.verio.net [AS2914] Verio
6 220.127.116.11 14.004 ms p16-1-1-2.r21.mlpsca01.us.bb.verio.net [AS2914] Verio
7 18.104.22.168 16.072 ms p16-0-1-1.r20.plalca01.us.bb.verio.net [AS2914] Verio
8 22.214.171.124 15.053 ms p16-0-0-0.r00.plalca01.us.bb.verio.net [AS2914] Verio
9 126.96.36.199 14.508 ms p4-0.francetelecom.plalca01.us.bb.verio.net [AS2914] Verio
10 188.8.131.52 23.804 ms P10-0.SJOCR1.San-jose.opentransit.net [AS5511] Worldwide IP Backbone
11 184.108.40.206 94.871 ms P14-0.NYKCR2.New-york.opentransit.net [AS5511] Worldwide IP Backbone
12 220.127.116.11 170.930 ms P4-0.PASCR1.Pastourelle.opentransit.net [AS5511] Worldwide IP Backbone
13 18.104.22.168 174.430 ms P15-0.ntaub201.Aubervilliers.francetelecom.net [AS3215] Domestic IP Backbone
14 22.214.171.124 170.655 ms P6-0.ntaub301.Aubervilliers.francetelecom.net [AS3215] Domestic IP Backbone
15 126.96.36.199 174.511 ms P9-0.nrlil101.VilleneuveDAscq.francetelecom.net [AS3215] Domestic IP Backbone
16 188.8.131.52 182.657 ms P6-0.nclil301.VilleneuveDAscq.francetelecom.net [AS3215] Domestic IP Backbone
17 184.108.40.206 177.809 ms DNS error
18 220.127.116.11 261.034 ms ALille-107-1-13-166.abo.wanadoo.fr [AS3215] Domestic IP Backbone
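To turn a pile of ICMP PING alerts like the ones above into a per-source count, here is an added example (not from the thread or from the Snort project) that parses Snort's "fast" alert format and lists the sources that exceed a threshold. The alert lines are constructed for the example and use documentation address ranges; the default threshold of 20 matches the 20-30 alerts mentioned in the post.

```python
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# One line of Snort "fast" alert output: timestamp, [**], [gid:sid:rev],
# message, [**], classification and priority, {proto}, src[:port] -> dst[:port].
_FAST_ALERT = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample alerts (not real log data).
SAMPLE_ALERTS = """\
03/27-08:17:01.102345  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.23 -> 192.0.2.10
03/27-08:17:03.551211  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.23 -> 192.0.2.10
03/27-08:17:05.004871  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 198.51.100.23 -> 192.0.2.10
03/27-08:18:12.330001  [**] [1:1228:3] SCAN nmap XMAS [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 203.0.113.7:52111 -> 192.0.2.10:139
03/27-08:19:40.777200  [**] [1:384:4] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 203.0.113.7 -> 192.0.2.10
"""


def parse_alert(line: str) -> Optional[Dict[str, str]]:
    """Fields of one fast-format alert line, or None if the line is not one."""
    m = _FAST_ALERT.match(line)
    return m.groupdict() if m else None


def count_pings(text: str) -> Counter:
    """Number of ICMP PING alerts per source address."""
    pings: Counter = Counter()
    for line in text.splitlines():
        a = parse_alert(line)
        if a and a["proto"] == "ICMP" and a["msg"].startswith("ICMP PING"):
            pings[a["src"]] += 1
    return pings


def noisy_sources(text: str, threshold: int = 20) -> List[Tuple[str, int]]:
    """Sources with at least `threshold` pings, busiest first."""
    return [(src, n) for src, n in count_pings(text).most_common() if n >= threshold]


if __name__ == "__main__":
    for src, n in noisy_sources(SAMPLE_ALERTS, threshold=3):
        print(f"{src}: {n} ICMP echo requests; a firewall rule dropping ICMP from it stops the noise")
```

Point the script at your own alert file and keep the default threshold; a source that shows up repeatedly is the one worth the firewall rule, while a single ping from an address is ordinary background noise.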
March 27th, 2003, 01:24 PM
Maybe my mind has not completely disintegrated.... I recalled the Wanadoo name from a previous thread but a search didn't turn it up. With a bit more digging I found the thread here
You might find some info in that thread that will convince you to firewall yourself if you aren't already.....
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
March 27th, 2003, 01:33 PM
Hi guys, maybe a Frenchy could be helpful.
Wanadoo is a French ISP; it is owned by France-Telecom-Orange.
I've heard there are massive hacking activities over here!
abo. means personal computer
=> Maybe the attacker is stupid enough to use his own PC (a stupid kid)
ADijon. means that the ISP switch is located in Bourgogne, in Dijon city.
Hope this will be harmless to your system
SHARING KNOWLEDGE
March 27th, 2003, 03:46 PM
Like xmaddness said. Do a virus/trojan check, enable a firewall, and forget about it. Also, I'm pretty sure it wasn't a DoS attack - if it was, your dialup connection wouldn't have lasted long.
I wish to express my gratitude to the people of Italy. Thank you for inventing pizza.
March 27th, 2003, 09:56 PM
Looks like you've been rooted; someone might be using your machine as a packet bot...a dial-up doesn't really pack a punch so I don't think it's a server....however...200 dial-up connections can quickly kill off a fast connection...get a port blocker or a firewall and kill that port...I would also search your hard drive for unknown files....try looking for mIRC type files...since packet bots are often commanded through mIRC. There was a thread not long ago that dealt with someone who got rooted, and it was from the same host area. If you don't want to install a firewall, then I suggest using Foundstone Attacker...it can be configured to block one or many ports, and alert you if a connection is made to them.....a dummy server would also work
With all the subtlety of an artillery barrage / Follow blindly, for the true path is sketchy at best. .:Bring OS X to x86!
Og ingen kan minnast dei linne drag i dronningas andlet den fagre dag Då landet her kvilte i heilag fred og alle hadde kjærleik å elske med.
March 28th, 2003, 06:54 PM
I would also highly suggest right-clicking on 'My Computer', selecting Manage, going to the 'Local Users and Groups > Users' area and checking if there are any unusual accounts (besides administrator, your login name, guest, etc.), deleting any suspicious ones, and setting passwords for BOTH the administrator and your account, since they are both administrative accounts and from what I know about XP are usually left un-passworded by default (BAD BAD BAD, you just gotta love M$ and their *ahem* security); otherwise, a hacker can just waltz straight into your computer and take over. I know of too many 2000/XP home users that leave their accounts un-passworded.
-Those are my principles. If you don't like them, I have others.