-
March 15th, 2004, 07:10 PM
#11
Ummm... Whenever I get a port scan I usually just block the whole range, unless I know where it's coming from, like Kazaa, Anti-Online, etc.
-
March 15th, 2004, 07:38 PM
#12
Since they own the IP segment, they are probably scanning for infected machines on their segment so they can notify infected users that their machines have been compromised.
-Maestr0
"If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier
-
March 16th, 2004, 01:07 AM
#13
Senior Member
I just lost all hope in Cox....
OK, I'll shorten it a great deal, but I got this in response from Cox.....
Cox.net/CoxCom, your cable Internet service provider, has
received complaints from other users within the Internet
community that your computer has been used to send
unauthorized probes against their systems. These complaints
contained logs of the network traffic showing the use of
your CoxCom account to scan other computers via the
Internet.
"blah blah blah tells you what a system probe is, tells you to not do it again"
The complete AUP can be found here:
http://support.cox.net/custsup/polic...tableuse.shtml
Thank you,
Abuse and AUP Management
Cox Communications Inc.
*** NOTE TO SUBSCRIBER ***
If you are not aware of this activity by anyone with direct access to your
computer(s), then one or more of your computers may be compromised with one or
more Trojan Viruses. There are a number of malicious 'remote access trojans'
(RAT) that are frequently used to relay malicious activity through a victim's
machine. We recommend you check any systems connected through your cable modem
for such compromises. Update and run any Anti-virus program(s) you might
have.
Please note that common Anti-virus products may have considerable difficulty
detecting and/or removing trojans because they often use legitimate software
packages such as mIRC or Wingate. Please make efforts to ensure that any
systems attached to the Cox HSI network are free of any viruses, worms, or
trojans. In the event that you are running a wireless network, please be
certain that it is secure and neighbors and/or strangers are not using your
service without your knowledge. If necessary, please remove any suspect
machines from the Cox network until the problems can be located and fixed. If
you are unable to locate the source of this email, please have a professional
investigate and clean the compromised system. We appreciate your help in
resolving this matter.
Please review the Cox HSI Acceptable Use Policy located at the following
address:
http://support.cox.net/custsup/polic...tableuse.shtml
Some ways to protect yourself against future unauthorized access:
1) Use a broadband gateway
2) Manually run Windows Updates and Enable automatic Windows Updates by visiting http://windowsupdate.microsoft.com. (critical OS security patches)
3) If MS Office suite is installed, regularly run MS Office updates by visiting http://office.microsoft.com/OfficeUpdate/default.aspx (Critical office security patches)
4) Disable unnecessary services (web, ftp, mail servers)
5) Consider using an additional software firewall with application protection
to ensure only programs with permission speak on the network
6) Disable automatic saving of attachments in Outlook express or Outlook
7) Disable html in email
8) Keep Instant messengers and other always-on services updated and patched
9) Never run files from untrusted sources (peer-to-peer networks, Usenet, IRC,
Web)
10) Limit and monitor activity by minors using systems in household
Sincerely,
The Cox Customer Security Department
--- The following material was provided to us as evidence ---
[Part 0 (plain text)]
I have attached the security logs from my firewall from what is no doubt an
abusive user. My immediate reaction was to scan them in return, however I
decided to cancel this route as it would not be preferred. Please let me know
what can be done.
X
03/12/2004 02:43:32 Port Scan Minor Incoming TCP X.X.X.X 00-50-57-00-EF-5F
my ip addy my mac addy thadbme PEREGRIN Normal 1 03/12/2004 02:43:32
03/12/2004 02:43:32
03/12/2004 02:43:26 Port Scan Minor Incoming TCP X.X.X.X 00-50-57-00-EF-5F
my ip addy my mac addy thadbme PEREGRIN Normal 1 03/12/2004 02:43:26
03/12/2004 02:43:26
03/12/2004 02:43:23 Port Scan Minor Incoming TCP X.X.X.X 00-50-57-00-EF-5F
my ip addy my mac addy thadbme PEREGRIN Normal 1 03/12/2004 02:43:23
03/12/2004 02:43:23
Ok sorry for the long post... but they use MY OWN EVIDENCE to say that I was the one attacking, not to mention I have the original logs. Opinions on this? This has almost upset me to the point of wanting another ISP, but unfortunately at this time I cannot switch. Thoughts??
-
March 16th, 2004, 01:14 AM
#14
Junior Member
It's quite possible that they have a program that reads the abuse mailbox, attempts to parse it and sends out notifications without ever having an actual human intervene. Maybe the auto abuse-mail-reader misinterpreted your logs, thinking that you were complaining about yourself. I've had this scenario happen several times with different ISPs and backbone providers. If you submit your request again, with some language indicating that you've already tried to submit it once, but it was misinterpreted, they may read the log entries for what they actually are. Failing all that, you could give them a call.
--Ben
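The failure mode suggested in this post, as an added example that is not part of the original thread: a mailbox parser that notifies every subscriber address it finds in a complaint will also notify the complainant, while one that reads the direction and host columns will not. The column order is assumed from the sanitized log quoted above; the ISP range, addresses, MAC values and function names are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample data. Column order is assumed from the sanitized log in
# the thread: time, event, severity, direction, protocol, remote host,
# remote MAC, local host, local MAC, ... Addresses are documentation ranges.
ISP_NET = ipaddress.ip_network("198.51.100.0/24")  # hypothetical subscriber range
REPORTER_IP = "198.51.100.20"                      # the complainant's own address
REPORT = """\
03/12/2004 02:43:32 Port Scan Minor Incoming TCP 198.51.100.77 00-00-5E-00-53-01 198.51.100.20 00-00-5E-00-53-02 user HOST Normal 1
03/12/2004 02:43:26 Port Scan Minor Incoming TCP 198.51.100.77 00-00-5E-00-53-01 198.51.100.20 00-00-5E-00-53-02 user HOST Normal 1
03/12/2004 02:43:23 Port Scan Minor Incoming TCP X.X.X.X 00-00-5E-00-53-01 198.51.100.20 00-00-5E-00-53-02 user HOST Normal 1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
LINE_RE = re.compile(
    r"^\S+ \S+ .+? (?P<direction>Incoming|Outgoing) \S+ "
    rf"(?P<remote>{IPV4}) \S+ (?P<local>{IPV4}) \S+"
)


def naive_targets(report):
    """Flawed: notify every subscriber address that appears anywhere in the report."""
    return {ip for ip in re.findall(IPV4, report)
            if ipaddress.ip_address(ip) in ISP_NET}


def attributed_targets(report, reporter_ip):
    """Notify only the remote host of incoming events aimed at the reporter."""
    notify, review = set(), []
    for line in report.splitlines():
        m = LINE_RE.match(line)
        # Sanitized, outgoing or unparseable lines are left for a human to read.
        if not m or m["direction"] != "Incoming" or m["local"] != reporter_ip:
            review.append(line)
            continue
        remote = ipaddress.ip_address(m["remote"])
        if m["remote"] != reporter_ip and remote in ISP_NET:
            notify.add(m["remote"])
        else:
            review.append(line)
    return notify, review


if __name__ == "__main__":
    print("naive:", sorted(naive_targets(REPORT)))
    print("attributed:", attributed_targets(REPORT, REPORTER_IP)[0])
```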
-
March 16th, 2004, 01:19 AM
#15
Call them and get a technical support 'specialist' or whatever the **** (I know those call centers are a nightmare) they are and try to be very nice and explain they made a boo-boo. As far as the scans from your ISP go, you can eat it or switch, it's their network and they are trying to keep it clean. If you can't take a portscan stay outta the internet.
-Maestr0
-
March 16th, 2004, 01:39 AM
#16
Senior Member
I can handle the port scans, I'll assure you. The main reason I posted was to ask the question why the sudden increase. I think that I might have to call Cox and complain or something.
I think the autoparse response is probably correct. Anyways thanks for listening.
-
March 16th, 2004, 02:12 AM
#17
If I'm not mistaken, port 5000 is the Universal Plug and Play port address....there is a tool at grc.com that can close it permanently if you don't need it.
Ouroboros
"entia non sunt multiplicanda praeter necessitatem"
"entities should not be multiplied beyond necessity."
-Occam's Razor
-
March 16th, 2004, 02:12 AM
#18
thadbme, when I file complaints with my cable provider I usually get a copy of the email. It strikes me that they've sent you a copy of the note they've sent to the "attacker". Before making an assumption, check to see if you were BCC'd. The fact that it's your own evidence would lead me to think that more than them accusing you of an "attack".
-
March 16th, 2004, 02:35 AM
#19
Senior Member
Negative, MsM. I'm in the To: category, on top of that they sanitized the other IP which was the real attacker, I only sanitized my IP and MAC address. I'm thinking it's going back to the auto parse theory. It doesn't appear to be a personalized email, rather just my information had been inserted.
-
March 16th, 2004, 04:06 AM
#20
Ethics?
Are there ethics here? I believe you should set your firewall to block those ports and attempt to trace, as illegal hacks can be reported.