July 31st, 2004, 08:05 PM
Urgent Help Required. Please Help.
I use Norton Internet Security suite professional version 2004. Today is the first time my IDS is showing me that a computer with IP 184.108.40.206 (details in the attached file). Although I have blocked the computer's IP, still the number of times it has attacked me has gone up to 1726 times. In the attached file I have included DNS and other important information. I am new to security, please help me in what should be my next step. I feel it's a scan, mostly an Nmap, because the connections on certain service ports were scanned with a SYN stealth scan signature, but I am not sure at all; like I said, I am new to this field and my knowledge is near to nil.
This is an update that the total number of attempts has increased to 1790. I have also included information from the last post. Please reply as soon as possible.
July 31st, 2004, 08:06 PM
If it's stopping the attack, why the worry? Just keep the software updated, you should be fine!
July 31st, 2004, 08:11 PM
Yes, I agree with that, but I would certainly like to know more about the attack. I request you to please help me by looking at the log. The host seems down now to me.
July 31st, 2004, 08:18 PM
Man you got 4 threads about thinking you're being hacked. You're too paranoid...if the firewall is stopping it, leave it at that...no need to worry. They're not even attacks aimed directly at you...probably just simple scans over the network.
July 31st, 2004, 08:51 PM
My boxes at the university get hit all the time by scans; if I looked into every one I would have time for nothing else. I'd say unless it's a local LAN attack, don't worry too much about it.
July 31st, 2004, 09:20 PM
You say you're being attacked, but all I see is a whois of a dial-up account in Japan. This doesn't say anything. Do a 'find "220.127.116.11 " YourFireWallLog >ao.txt' and post the ao.txt.
The first issue is "what are they doing?" Then find out who they are. If it turns out to be something with malicious intent, you have the abuse address in your whois. Keep in mind scanning is not against the law.
August 1st, 2004, 08:39 AM
Thank you to all of you for replying. I checked my Windows Internet Connection Firewall log and there is no sign of any entry for the IP 18.104.22.168, although my Norton firewall shows the same IP with an attempt of a XMAS_NULL scan.
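The log check discussed in the posts above, as an added example that is not part of any post in the thread: it filters an Internet Connection Firewall log for one source address and names the probe type from the TCP flags. The field layout follows the `#Fields:` header of `pfirewall.log`; the sample lines, the documentation-range addresses, the function names, and the use of `-` for "no flags set" are assumptions made for this example.

```python
from collections import Counter

# Constructed sample in the ICF pfirewall.log layout; not data from the thread.
SAMPLE_LOG = """\
#Version: 1.0
#Software: Microsoft Internet Connection Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info

2004-07-31 20:01:12 DROP TCP 192.0.2.10 198.51.100.7 4312 135 48 S 101 0 16384 - - -
2004-07-31 20:01:12 DROP TCP 192.0.2.10 198.51.100.7 4313 139 48 S 102 0 16384 - - -
2004-07-31 20:01:13 DROP TCP 192.0.2.10 198.51.100.7 4314 445 48 S 103 0 16384 - - -
2004-07-31 20:01:15 DROP TCP 192.0.2.10 198.51.100.7 4320 80 40 FPU 104 0 1024 - - -
2004-07-31 20:01:16 DROP TCP 192.0.2.10 198.51.100.7 4321 80 40 - 105 0 1024 - - -
2004-07-31 20:02:00 DROP UDP 192.0.2.99 198.51.100.7 1026 137 78 - - - - - - -
2004-07-31 20:02:05 OPEN TCP 198.51.100.7 192.0.2.50 1040 80 - - - - - - - -
"""

def classify(flags):
    """Map a logged TCP flag string to the probe name an IDS would report."""
    f = set(flags) - {"-"}
    if not f:
        return "NULL"          # no flags set at all
    if f == {"S"}:
        return "SYN"           # bare SYN, as sent by a half-open scan
    if f == {"F", "P", "U"}:
        return "XMAS"          # FIN + PSH + URG
    if f == {"F"}:
        return "FIN"
    return "other"

def summarize(log_text, src_ip):
    """Count dropped TCP probes from src_ip, by probe type and destination port."""
    fields, kinds, ports = [], Counter(), set()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names come from the log header
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        # Exact field match, so 192.0.2.10 never also matches 192.0.2.100.
        if (row.get("src-ip"), row.get("protocol"), row.get("action")) != (src_ip, "TCP", "DROP"):
            continue
        kinds[classify(row["tcpflags"])] += 1
        ports.add(int(row["dst-port"]))
    return {"probes": sum(kinds.values()), "kinds": dict(kinds), "ports": sorted(ports)}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG, "192.0.2.10"))
```

ICF writes DROP entries only when logging of dropped packets is enabled in its settings, so an empty result can mean logging is off rather than that no packets arrived.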
August 1st, 2004, 08:41 AM
Yeh Cybr1d, you did bring up a good point. You got a few threads about virtually the same paranoia around your firewall. You need to have a little more trust my friend?
August 1st, 2004, 11:53 AM
HI FRIEND, I READ YOUR MESSAGE ABOUT SOMEONE PORTSCANNING YOUR SYSTEM. THE TOOL IS NMAP. AS A HACKER MYSELF, I AM FEARING THAT THE IP ADDRESS YOU MENTIONED MAY OR MAY NOT BE RIGHT, AS NMAP SUPPORTS IP SCANS WITH BOGUS SCANS TO HIDE REAL ONES. DO NOT WORRY, I HAVE THE PERFECT REMEDY FOR THAT DISEASE THAT YOU CAN'T STOP PEOPLE PORTSCANNING YOUR SYSTEM. THE FIREWALL WHICH YOU ARE USING IS GOOD, BUT USE ZONEALARM FROM WWW.ZONELABS.COM OR USE NETWORKICE DEFENDER FROM BLACKNETWORK.COM OR ICF. I DON'T KNOW WHETHER YOU ARE RUNNING WIN 98 OR 2000. IF YOU ARE RUNNING WIN XP (HE) THEN YOU GET A FREE FIREWALL. OR USE SOME GOOD IDS LIKE SNORT WWW.SNORT.ORG, REALSECURE FROM ISS.NET ETC. KEEP A CLOSE EYE. IF YOU COULD GUIDE ME BY MAILING YOUR ENTIRE PROBLEM TO ME THEN I WILL SURELY HELP YOU WANT. EVEN FIREWALLS CAN BE BROKEN INTO USING MY SPECIAL TECHNIQUES. IF YOU HAVEN'T CONFIGURED YOUR FIREWALL WELL THEN YOU ARE TOAST. USE GOOD BIOS PASSWORDS AND PLEASE VISIT THIS SITE TO SEE WHETHER YOU HAVE CONFIGURED YOUR FIREWALL WELL OR NOT: WWW.IANA.ORG/ASSIGNMENTS/PORT-NUMBERS. THERE ARE PORT NUMBERS FROM 0 TO 65535 OF THEM. HOW MANY HAVE YOU BLOCKED? CONTACT ME AT: ATTACKER4202000@YAHOO.CO.IN. I WILL BE WAITING TO HELP YOU BECAUSE I AM A WHITE HAT HACKER AND NOT A BLACK HAT CRACKER.
August 1st, 2004, 02:25 PM
Umm.. Darkhand, might want to consider not posting entirely in caps and putting in some paragraphs. Does make it easier to read what advice, if any, you are giving.
There's no guarantee that it is nmap. We can assume it's nmap because the user said the packets were "SYN Stealth" but then again it could be a homemade tool or another tool.
Your firewall advice is ok, but keep this in mind: given that his existing product detected it and blocked it, why would he get another product?
I'd also suggest to parth_scores to NOT contact this user. Help is better given in the open. Right now I'd be very paranoid as to what darkhand intends to do with any information you provide him/her (particularly from email headers).