
Thread: I've been hit!

  1. #11
    The Doctor Und3ertak3r's Avatar
    Join Date
    Apr 2002
    Posts
    2,744
    ok see how visual route goes on this one..

    203.51.230.138
    best of luck.. I have a beer that says you don't even get the correct state in australia..

    cheers
    "Consumer technology now exceeds the average person's ability to comprehend how to use it..give up hope of them being able to understand how it works." - Me http://www.cybercrypt.co.nr

  2. #12
    Senior Member
    Join Date
    Sep 2003
    Posts
    126
    brisbane somewhere near a place called bigpond??? am I even close?
    [Shadow] have you ever noticed work is like a tree full of monkeys you look down and all you see is monkeys below you then you look up and all you see is a bunch of *******s above[/shadow]

  3. #13
    Senior Member
    Join Date
    Sep 2003
    Posts
    126
    sitting back sipping my beer
    can anyone get close to me I would like to know 68.224.227.57
    [Shadow] have you ever noticed work is like a tree full of monkeys you look down and all you see is monkeys below you then you look up and all you see is a bunch of *******s above[/shadow]

  4. #14
    Junior Member
    Join Date
    Sep 2003
    Posts
    27
    PoSer: Nevada NV 89191-7073, or NV 89496-5000? Just a guess, worth a try

  5. #15
    Senior Member
    Join Date
    Sep 2003
    Posts
    126
    close but still about 150 miles out?
    thanks for trying though.
    [Shadow] have you ever noticed work is like a tree full of monkeys you look down and all you see is monkeys below you then you look up and all you see is a bunch of *******s above[/shadow]

  6. #16
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Aze:

    Just a side note, Juridian if you did suffer a real break in and you needed to collect forensic evidence you would not pull the plug on your box. The power down could have undesired effects.
    I, and the general consensus of the computer forensics community, would disagree with you there. The intent is to preserve the system as it stands once all non-invasive investigation is complete. Thus you do not even disconnect it from the network. If it is being destructive you forego the non-invasive investigation and, literally, pull the plug. If you disconnect it you may trigger an event that alters the state of the box.

    Then you remove the drive, place it in another computer with a different drive that you boot from and you make 2 images, one for investigation - thus it will be changed - and one as a backup of the original state should you need to create another image later. The original disk is then protected and secured with a log of what has happened to it and another log of its "travels" should it be required to be moved. Then you can begin the real investigation.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
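The two-image acquisition with a custody log that the post above describes, as an added example for this thread (illustration only, not code from any poster). It assumes the removed disk is presented as a path that is opened read-only (on a real case that would be the block device, behind a hardware write blocker) and that SHA-256 is the hash recorded; `demo()` runs the whole procedure against a constructed file standing in for the drive.

```python
"""Added example: image an evidence disk twice (working copy + pristine backup),
hash everything, and append each step to a chain-of-custody log."""
import hashlib
import json
import os
import tempfile
import time

CHUNK = 1024 * 1024  # 1 MiB reads: a disk image must never need to fit in RAM


def _hash_stream(fin, fout=None):
    """Read fin to the end, hashing every block; if fout is given, copy as well."""
    h = hashlib.sha256()
    for block in iter(lambda: fin.read(CHUNK), b""):
        h.update(block)
        if fout is not None:
            fout.write(block)
    return h.hexdigest()


def hash_file(path):
    """SHA-256 of a file (or block device) read in chunks."""
    with open(path, "rb") as fin:
        return _hash_stream(fin)


def image_disk(src, dst):
    """Bit-for-bit copy src -> dst; returns the hash of the bytes read from src."""
    with open(src, "rb") as fin, open(dst, "wb") as fout:
        digest = _hash_stream(fin, fout)
        fout.flush()
        os.fsync(fout.fileno())  # make sure the image really is on disk
    return digest


def log_event(log_path, event, **details):
    """Append one chain-of-custody record (UTC timestamp, JSON, one per line)."""
    entry = {"time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
             "event": event}
    entry.update(details)
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")


def acquire(src, workdir, handler="<examiner name>"):
    """Make the two images the post describes: 'working' is the one you
    investigate on, 'backup' is kept untouched to re-image from later.
    Returns the hashes and whether every copy verified against the original."""
    working = os.path.join(workdir, "working.img")
    backup = os.path.join(workdir, "backup.img")
    log = os.path.join(workdir, "custody.log")
    log_event(log, "acquisition_start", source=src, handler=handler)
    original = image_disk(src, working)        # hash of the original as read
    original_again = image_disk(src, backup)   # second pass must read identically
    # Re-read the image files so the recorded hash covers what landed on disk.
    working_hash = hash_file(working)
    backup_hash = hash_file(backup)
    verified = original == original_again == working_hash == backup_hash
    log_event(log, "images_written", original_sha256=original,
              working_sha256=working_hash, backup_sha256=backup_hash,
              verified=verified)
    log_event(log, "original_sealed", handler=handler,
              note="original disk bagged; every later handover gets its own entry")
    return {"original": original, "working": working_hash,
            "backup": backup_hash, "verified": verified, "log": log}


def demo():
    """Run the procedure against constructed 'disk' contents in a temp directory."""
    with tempfile.TemporaryDirectory() as d:
        src = os.path.join(d, "evidence_disk.bin")
        with open(src, "wb") as f:  # constructed stand-in for the removed drive
            f.write(b"MBR\x00" * 512 + os.urandom(4096) + b"\x00" * 1024)
        result = acquire(src, d)
        with open(result["log"], encoding="utf-8") as f:
            result["log_entries"] = sum(1 for _ in f)
        return result


if __name__ == "__main__":
    r = demo()
    print("verified:", r["verified"], "sha256:", r["original"])
```

Hashing the source as it is read and then re-hashing each written image separately is what lets the log state, with evidence, that the working copy and the backup are both exact copies of what the original disk contained at acquisition time.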

  7. #17
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hi rmcgoo

    Welcome to AO

    You are getting connection attempts from "someone" apparently a long way away.

    1. Is the IP address always the same EXACTLY? that is, are all four sets of numbers identical?
    2. Do you know anyone you can trust, and find out if they are having the same experience?
    3. Are the first 2/3 blocks of the IP address the same as your ISP?

    The reason that I ask is that there are a number of malwares (virii/worms) that are "network aware" and look for "sub-nets" to spread along. At one time I was getting 500 hits/hour because of this. All from machines in the same ISP address block as myself.

    What I am asking is, have we established that this is a deliberate attempt to attack you or is it just some "girl's blouse" with an unpatched NT/2k/XP box who has become infected and does not even know it? In that case question #2 and #3 above are relevant.

    Question #1 is not conclusive unless the answer is "yes"..........in that case you are the target and they are probably using cable (I don't know anything about satellite I am afraid).

    If you are using 56.6 or DSL and disconnect regularly, you will get a different IP addy each time, but I would expect the first 2 blocks to be the same, certainly the first one (I am going by my English experience here). This would be inconclusive. If there is no change in the attackers addy over (say) 30 minutes then I would say it is an attack on you. If there is a slight change (last 2 blocks) then I suspect a net worm.

    "250 lb jock knocking on their door"..........hmmmmmmmmmm......Tiger Shark and I have done some behind the scenes trading......he gets the ticket sales and I get the hot dog franchise

    Good luck
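A way to put nihil's three questions to a log of inbound connection attempts, as an added example for this thread (not code from any poster): it checks whether one exact address accounts for the whole window, whether the variation is confined to the last two blocks of one address range (worm-like), and how many sources share your own ISP's first two blocks. The log lines are constructed for the example and their format (timestamp, `src=`, `dport=`) is an assumption; adjust `parse_line()` to whatever your firewall writes.

```python
"""Added example: classify a window of inbound hits the way the post suggests."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample log (private 10.x addresses, assumed line format).
SAMPLE_LOG = """\
2003-09-14 21:00:05 src=10.20.30.40 dport=135
2003-09-14 21:04:11 src=10.20.31.9 dport=135
2003-09-14 21:09:48 src=10.20.30.40 dport=445
2003-09-14 21:15:02 src=10.20.77.201 dport=135
2003-09-14 21:22:30 src=10.20.5.66 dport=135
2003-09-14 21:28:59 src=10.20.31.9 dport=135
"""

# Second constructed log: one exact address for the whole half hour.
SINGLE_SOURCE_LOG = """\
2003-09-14 22:00:00 src=10.55.1.2 dport=139
2003-09-14 22:10:00 src=10.55.1.2 dport=139
2003-09-14 22:25:00 src=10.55.1.2 dport=445
"""

LINE_RE = re.compile(r"^(\S+ \S+) src=(\S+) dport=(\d+)$")


def parse_line(line):
    """Return (timestamp, source ip, port) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            ipaddress.ip_address(m.group(2)), int(m.group(3)))


def first_blocks(ip, n):
    """The first n dotted blocks of an IPv4 address, e.g. '10.20' for n=2."""
    return ".".join(str(ip).split(".")[:n])


def assess(lines, my_ip, window=timedelta(minutes=30)):
    """Answer the post's three questions over the last `window` of events."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    if not events:
        return {"hits": 0, "distinct_sources": 0, "same_isp_block": 0,
                "verdict": "no_events"}
    newest = events[-1][0]
    recent = [e for e in events if newest - e[0] <= window]
    sources = Counter(e[1] for e in recent)
    me = ipaddress.ip_address(my_ip)
    # Q3: how many attackers sit in the same first-two-block range as you?
    same_isp = sum(1 for s in sources if first_blocks(s, 2) == first_blocks(me, 2))
    # Q1 / "slight change in the last 2 blocks": one exact address, or many
    # addresses that differ only inside a single first-two-block range?
    ranges = Counter(first_blocks(s, 2) for s in sources)
    if len(sources) == 1:
        verdict = "targeted"        # same address for the whole window
    elif len(ranges) == 1:
        verdict = "worm_like"       # many hosts, variation only in last 2 blocks
    else:
        verdict = "inconclusive"    # mixed ranges: needs more data
    return {"hits": len(recent), "distinct_sources": len(sources),
            "same_isp_block": same_isp, "verdict": verdict,
            "top_source": str(sources.most_common(1)[0][0])}


if __name__ == "__main__":
    print(assess(SAMPLE_LOG.splitlines(), "10.20.99.7"))
    print(assess(SINGLE_SOURCE_LOG.splitlines(), "10.20.99.7"))
```

A `worm_like` verdict with a high `same_isp_block` count is the "infected neighbour on the same ISP block" case the post describes; `targeted` is the one answer the post says is conclusive on its own.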

  8. #18
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    And I'd like to add some other advice:

    Please do not publish IP addresses of yourself or those who are bothering you as not everyone that visits AO is ...errr.. shall we say ethical?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  9. #19
    Ninja Code Monkey
    Join Date
    Nov 2001
    Location
    Washington State
    Posts
    1,027
    Originally posted here by aze
    Just a side note, Juridian if you did suffer a real break in and you needed to collect forensic evidence you would not pull the plug on your box. The power down could have undesired effects. You would disconnect from the network, note any running processes, and what may have been going on. Then when your local network guru or whomever you call for help arrives they can take the appropriate measures, i.e. complete disk to disk dump etc.

    Just my spare change
    AZE
    Well, actually there are a couple of recommended methods according to all my reading, training, etc. It really all depends on if you are going for live acquisition or if you want to capture the hard drive in a single state.

    Pulling the power cord is recommended by many agencies (such as SANS/GIAC, ISS, etc) because you never know what may be set off on the drive if you try an actual power down or if you pull the netcable. There is the possibility that there will be a piece of malware looking for the connection with the intent of wiping out the data you need (also why it's recommended that incident handlers carry a hub with them).

    It's just the old 'pull the plug' dilemma rearing its ugly head....
    "When I get a little money I buy books; and if any is left I buy food and clothes." - Erasmus
    "There is no programming language, no matter how structured, that will prevent programmers from writing bad programs." - L. Flon
    "Mischief my ass, you are an unethical moron." - chsh
    Blog of X

  10. #20
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Juridian: Ok.... I can agree with that. Since Aze was talking about plug pulling I stayed on that subject. But yes, you are right if you are looking to capture live data on the wire.... That was my point about the non-invasive evidence gathering/if it is doing harm with regard to pulling the plug.

    It is a dilemma, but I tend to fall on the "Pull and be damned side" simply because a proper shutdown does alter the registry hives and also I have no idea at this point what logic bombs the little devil might have planted..... I would leave it until I see no drive activity though if at all possible to minimize the chance of damaging the disk myself.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
