
Thread: sub7:They tried it

  1. #11
    Senior Member
    Join Date
    Dec 2002
    Posts
    180
    I downloaded 'the cleaner' trial and just ran it. No trojans. It just must have been a try to put one in. I sent all the info I got to my provider. I don't know what they can do. By the way, the IP Locator locates where your provider is, not where your computer is.

    I got another hit by a sub7. This time it's from a place called roadrunner-southwest. The Visual Tracking from Norton gave me this address: 13241 Woodland Park Rd. Herndon, Va. 20171, but the map shows a location on the West Coast in Sunnyvale. Well, the Cleaner says there are no trojans in the system, so I will not worry about it. I have to worry about getting another $3500 for my new place, but I have no more money for a down payment. Oh well, I guess I'll just have to keep renting.

    Freddy
    cybnut

  2. #12
    Port 27374 is the default sub7 port (used to be 1243 I think). It's prolly just someone scanning for infected computers. Also, the IP you traced the scan back to prolly is not the person doing it: sub7 has a built-in port scanner on the servers, so once the person found one infected computer he could make it do the scans for him/her remotely, reducing the chance of it being traced back to them. Well, they would if they had any sense!! I wouldn't worry about it. I get hit by things like that maybe 4/5 times a day at least. People just take IP blocks and scan each one for the default port to see if they can get anyone who is infected to connect to.

    v_Ln

  3. #13
    thehorse13 (Master-Jedi-Pimps0r & Moderator)
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,885
    The IP you gave returned this:
    Rogers Cable Inc. Bloor ON-ROG-4-BLOOR-5 (NET-65-49-44-0-1)
    65.49.44.0 - 65.49.47.255

    # ARIN WHOIS database, last updated 2003-09-04 19:15

    A traceroute revealed this:
    1 1.11.1.1 3ms 3ms 3ms TTL: 0 (No rDNS)
    2 170.1.11.6 35ms 31ms 28ms TTL: 0 (me.at.somewhere.net ok)
    3 170.21.11.5 29ms 30ms 29ms TTL: 0 (No rDNS)
    4 207.173.144.57 37ms 47ms 41ms TTL: 0 (a5-1-0--133.gw01.mcln.eli.net ok)
    5 208.186.20.145 41ms 52ms 37ms TTL: 0 (srp2-0.cr01.mcln.eli.net ok)
    6 207.173.114.130 41ms 46ms 38ms TTL: 0 (so-1-0-0--0.er01.asbn.eli.net ok)
    7 208.173.50.241 39ms 38ms 36ms TTL: 0 (bpr2-ge-5-0-0.VirginiaEquinix.cw.net ok)
    8 206.24.179.49 38ms 37ms 38ms TTL: 0 (acr2-as0-0.Restonrst.cw.net ok)
    9 208.173.52.114 38ms 37ms 65ms TTL: 0 (dcr1-so-4-3-0.Washington.cw.net ok)
    10 208.175.10.9 80ms 67ms 66ms TTL: 0 (dcr1-so-0-2-0.Chicago.cw.net ok)
    11 208.175.10.86 71ms 77ms 71ms TTL: 0 (telus-rogers.Chicago.cw.net ok)
    12 66.185.83.166 98ms 75ms 127ms TTL: 0 (gw03.bloor.phub.net.cable.rogers.com fraudulent rDNS)
    13 65.49.44.1 96ms 116ms 84ms TTL: 0 (No rDNS)
    14 No Response * * *

    You'll never know who did this but this will give you a sense of where the connection originated from.

    As others have said, this type of connection attempt is common. I see about 30 - 60 a day via my external IDS.

    regards,

    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  4. #14
    thehorse13 :: Tracing back the IP the scan came from is, 99% of the time, of little/no use. As I mentioned above, the vast majority of scan attempts will be from people who are already infected themselves and are being used unwittingly by the kiddie to do the scans for them, making actually tracing them back more difficult. Not only would you have to trace the IP of the scanner back, but then you would have to contact their IP to find out every IP that connected to them. As the kiddie doesn't need to stay connected throughout the scan but can set it going, then disconnect and connect again later to pick up results, it could be very difficult to pinpoint the correct IP(s) of the kiddie. So I wouldn't even bother trying to trace back scan attempts, as there is very little you can do with the information, except perhaps alert the person who is being used to do the scans that they are infected.

    v_Ln
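    The triage v_Ln describes in #12 and #14, as an added example that is not from any poster in this thread: it parses constructed firewall log lines (the log format is an assumption, not any real product's output), counts blocked probes of the SubSeven default ports 27374 and 1243 per remote source, and reports only repeat sources plus any connection the local host itself makes to those ports, which would mean the local machine is the one being used to scan.

```python
import re
from collections import Counter

# Default SubSeven ports named in the thread: 27374 (current) and 1243 (older).
SUB7_PORTS = {27374, 1243}

# Constructed log format (an assumption, not any real firewall's output):
#   <date> <time> <IN|OUT> <BLOCKED|ALLOWED> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<dir>IN|OUT) (?P<action>BLOCKED|ALLOWED) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample lines; 192.0.2.10 is "our" host, all addresses are documentation ranges.
SAMPLE_LOG = """\
2003-09-04 10:02:11 IN BLOCKED 198.51.100.7:4120 -> 192.0.2.10:27374
2003-09-04 10:02:12 IN BLOCKED 198.51.100.7:4121 -> 192.0.2.10:1243
2003-09-04 11:40:03 IN BLOCKED 203.0.113.44:3001 -> 192.0.2.10:27374
2003-09-04 12:15:59 IN BLOCKED 198.51.100.7:4350 -> 192.0.2.10:27374
2003-09-04 13:00:00 IN BLOCKED 203.0.113.9:5555 -> 192.0.2.10:80
2003-09-04 13:22:41 OUT ALLOWED 192.0.2.10:1045 -> 198.51.100.200:443
2003-09-04 14:05:10 OUT BLOCKED 192.0.2.10:1100 -> 203.0.113.77:27374
"""

def parse(log_text):
    # Yield (direction, src, dst, dport) for each well-formed line; skip the rest.
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m["dir"], m["src"], m["dst"], int(m["dport"])

def triage(log_text, ports=SUB7_PORTS, repeat_threshold=3):
    """Sort trojan-port traffic into background noise, repeat probers and local indicators."""
    inbound = Counter()   # blocked probes of our trojan ports, per remote source
    outbound = []         # our host connecting *to* someone else's trojan port: local machine suspect
    for direction, src, dst, dport in parse(log_text):
        if dport not in ports:
            continue
        if direction == "IN":
            inbound[src] += 1
        else:
            outbound.append((src, dst, dport))
    # A probe or two per source is the daily noise the thread describes. A source that keeps
    # returning is the only one worth an abuse report, and even then the address is usually
    # another infected machine being used for the scan, not the operator's own.
    repeat_sources = {src: n for src, n in inbound.items() if n >= repeat_threshold}
    return {
        "inbound_probes": sum(inbound.values()),
        "unique_sources": len(inbound),
        "repeat_sources": repeat_sources,
        "outbound_to_trojan_port": outbound,
    }
```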

  5. #15
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    Fred, getting a warning from Norton saying someone tried to connect to your computer with a trojan is really a part of life.

    I get these about 3 times a day along with the Blaster worm trying to connect to my computer about 30 times a day. It's a part of life getting scanned for trojans. As long as you're running a firewall you will be pretty safe. Even if you did have a trojan on your computer, it would have to make an outbound connection. What would happen then is your Norton Firewall would pop a message up saying something like this: "Sub7.exe is attempting to access the internet". You then have an option to permit or refuse.

    All in All, you should be pretty safe.

  6. #16
    Senior Member
    Join Date
    Dec 2002
    Posts
    180
    Thanks everybody for the insight. I feel better, and I got a trial trojan cleaner to boot.

    Freddy
    cybnut
