April 1st, 2004, 05:20 PM
Attacked please help
I have been recently attacked by someone my system was rebooted. then i installed "zone alaram pro with web filters"
it told me that i was scanned by someone with some IP (i have the IP address in logs) Zone Alaram told me about 5 or 6 unknown connection to ports 135 137 6459 and 4476 . Can some help me how to know who tried to scan me. Please kindly help me.
April 1st, 2004, 05:25 PM
Given the ports you have listed, this looks more like a worm than a hack attack. Most likely Mydoom or one of it's variants. If Zonealarm is blocking it, I wouldn't worry about it.
April 2nd, 2004, 01:02 AM
You could use tracert to gather some info on the ip address that the attempted connection came from then do a whois lookup for some more info. Then you could send a copy of your firewall log to abuse@whoever is shown in the info.
If this is beyond your abilities then if you post the affending ip address here i'm sure someone would do a trace and whois for you and post the info.
Given what DJM has said about the possiblity of this being a worm, it maybe a good idea to download some of the virus removal tools from the main antivirus vendors, Symantec, Macafee etc. (This you can do for free) Just to be on the safe side should your firewall let you down.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
April 2nd, 2004, 02:12 AM
as you are a new user of zone alarm please use their help which you will find in a corner how to configure all the feature however you want them to be.
you can set it to show you all trafic to your pc or just to advise yu when is potential hack attack.
once you configure this when somone tries to access your pc red alert will come in your lower right hand corner(as you said in your post) and tell you zone alarm has blocked access to your pc from port so and so etc.when this message comes up you can press More detail in that red square alerting you of such an attack.then you will be directed to zone alarm site which will explain you where its comming from and if is is legimite traffic.quite usefull think to read before jumping to conclusions.
if you set up to record all your loggs which probably shows at times last 50 you can see where they come from and how many attempts they made.so if you have many numbars of this you can take thinks further.
on this site you can find antionline IP locator so you can always quickly check where this ip is comming from and as previous guys said just post more info if you dont know what to do next and somone here will take it from there.
pm if you want to know more about
April 2nd, 2004, 02:34 PM
I used zone alarm for a bit and recall several posts addressing it's logs.
I couldn't find the specific thread I recall...but I found several others that may be informative.
If you want to make God laugh....make plans.
April 2nd, 2004, 06:34 PM
why trace it back?
99% of the time it will just be a zombie PC with the owner unaware that they are actually being used to scan. Also what really can you do?
report them to their isp? like they'll care....and thats really about it
April 2nd, 2004, 07:52 PM
You could always use nslookup on the ip all you have to do is open a command prompt type nslookup and put the ip in there and it should tell you what domain it came from although that wouldnt really help much cause like valhallen said what really can you do? Report them to their isp? like they'll care.
April 3rd, 2004, 03:11 PM
Check out the zonealaram website for more help. Try to read the documentation for help. Also lok for any tutorial .
April 3rd, 2004, 09:04 PM
if your are really worried about it trace them back. when you trace them back find the network info. they should give a range of ip adresses block the entire range from being able to acsess your system. thats what i have done in the past and it seems to work for me so far..
April 3rd, 2004, 11:33 PM
I can show you 6+ megs daily of incoming connections in a text file that are blocked at my firewall at work.
Being "attacked" is a fact of life if you are connected to the internet. If you don't like it then disconnecting entirely from it will help.
Being scanned is _not_ being attacked..... Scanning is recon.... they are looking for potential targets.... with emphasis on the "potential".... Don't worry about it..... Look for the things that are actual attacks..... That implies that he found a vulnerability.... That means you need to look at the service attacked and determine what your mitigation technique should be. Of course, if they already "squirted" the code at you then they probably succeeded because they had already determined that you were vulnerable.... but that's a whole other issue.....
Don\'t SYN us.... We\'ll SYN you.....
\"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides