-
January 24th, 2008, 05:20 PM
#1
Member
somebody really annoying me
I wasn't sure where to post this. Anyway, for the past 3 days someone keeps trying to attack my computer. My Norton Internet Security keeps detecting them, and as you can see from the log entry below they keep trying to connect to the same port. Does anyone know what this could be, spyware, botnet program? Also, I've been trying to teach him a lesson by getting into his computer, and I've tried the usual, netbios, telnet, ftp, with no avail. Can anybody suggest anything, or at least direct me to a good tutorial?
Here's the log entry:
24/01/2008 16:02:28,Intrusion detected and blocked. All communication with 62.68.76.210 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 62.68.76.210 will be blocked for 30 minutes.
24/01/2008 16:02:28,Intrusion: NMap Null Scan.,"Intrusion: NMap Null Scan. Intruder: 62.68.76.210(4865). Risk Level: Medium. Protocol: TCP. Attacked IP: SN049309320171(192.168.1.65). Attacked Port: 9472."
4/01/2008 15:26:28,Intrusion: NMap Null Scan.,"Intrusion: NMap Null Scan. Intruder: 62.68.76.210(3112). Risk Level: Medium. Protocol: TCP. Attacked IP: SN049309320171(192.168.1.65). Attacked Port: 9472."
24/01/2008 15:26:28,Intrusion detected and blocked. All communication with 62.68.76.210 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 62.68.76.210 will be blocked for 30 minutes.
24/01/2008 14:55:18,Intrusion detected and blocked. All communication with 62.68.76.210 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 62.68.76.210 will be blocked for 30 minutes.
24/01/2008 14:55:18,Intrusion: NMap Null Scan.,"Intrusion: NMap Null Scan. Intruder: 62.68.76.210(nsvt-stream(1570)). Risk Level: Medium. Protocol: TCP. Attacked IP: SN049309320171(192.168.1.65). Attacked Port: 9472."
24/01/2008 14:19:16,Intrusion detected and blocked. All communication with 62.68.76.210 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 62.68.76.210 will be blocked for 30 minutes.
-
January 24th, 2008, 05:44 PM
#2
Well, it looks like the IP range is from Amsterdam. If you go to Arin.net and search the IP, it points you to Ripe.net, and if you search there it gives you this info:
http://www.ripe.net/whois?form_type=..._search=Search
Not sure you can do much about it other than just block them. There doesn't look to be an abuse address, but there is another one on the page, probably the company/maybe ISP who has the block of IPs.
Their address is below:
http://www.com-tonet.com/
I would recommend finding an email on the above site and emailing your logs there... Aside from that, the only thing you can do is block any connection from their IP in Norton.
have fun
LOGIN: yes
PASSWORD: I dont have one
"Login Failed"
-
January 24th, 2008, 06:02 PM
#3
Seems like someone or something is probing your computer for open ports. From the log results, your firewall is working as it should which is good.
"I've been trying to teach him a lesson by getting into his computer, and I've tried the usual, netbios, telnet, ftp, with no avail"
Don't waste your time. God only knows who or what is triggering the scan on the other end. Even more important, who knows where the other end even is.
I agree with Moxquito. Just block it and be done with it.
The object of war is not to die for your country but to make the other bastard die for his - George Patton
-
January 24th, 2008, 06:30 PM
#4
Member
Yeah, I noticed that the IP was from Amsterdam, but this could be a proxy, so you're probably right, I'll just have to ignore them.
-
January 24th, 2008, 07:43 PM
#5
Don't get me wrong though; I know it's aggravating to sit back and do nothing. I'm just trying to save you some frustration.
I mean, imagine this:
Some guy spoofs his laptop's MAC (using SMAC), then daisy-chains through various non-logging proxies (google "free proxies") from his car where he's leeching off of random unsecured hot spots (easily found with NetStumbler). Now even if you managed to somehow find the actual originating IP that tunneled through the proxies, you'd be going after the wrong (possibly unknowing) person whose router logs will yield nothing more than a fake MAC and some other trivial information. Still want to try and find this guy?
And this is just one situation of many possible situations. Chalk it up to experience and be happy your firewall works the way it's supposed to.
-
January 25th, 2008, 09:19 AM
#6
You're behind a NAT router.. There's no way someone from the Internet is then able to "attack" your computer unless you've opened up all your ports.
So it's probably self-induced traffic which Norton thinks isn't proper and flags it as an attack..
And it's not from Amsterdam.. I don't know how moxquito came to that conclusion but 62.68.76.210 originates in Greece. Last time I checked Amsterdam was still the capital of my country.
Oliver's Law:
Experience is something you don't get until just after you need it.
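An added example (not part of any post in this thread): a small Python parser for the Norton log format pasted in the first post, grouping detections by source, destination and port and flagging whether the logged destination is a private address, which bears on the NAT point made in post #6. The field layout is an assumption inferred from the pasted lines only, and the function names are hypothetical.

```python
import csv
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Three lines copied from the log in the first post (one block notice, two detections).
SAMPLE_LOG = """\
24/01/2008 16:02:28,Intrusion detected and blocked. All communication with 62.68.76.210 will be blocked for 30 minutes.,Intrusion detected and blocked. All communication with 62.68.76.210 will be blocked for 30 minutes.
24/01/2008 16:02:28,Intrusion: NMap Null Scan.,"Intrusion: NMap Null Scan. Intruder: 62.68.76.210(4865). Risk Level: Medium. Protocol: TCP. Attacked IP: SN049309320171(192.168.1.65). Attacked Port: 9472."
24/01/2008 14:55:18,Intrusion: NMap Null Scan.,"Intrusion: NMap Null Scan. Intruder: 62.68.76.210(nsvt-stream(1570)). Risk Level: Medium. Protocol: TCP. Attacked IP: SN049309320171(192.168.1.65). Attacked Port: 9472."
"""

# Field layout inferred from the pasted lines only (assumption, not a documented format).
DETAIL = re.compile(
    r"Intrusion: (?P<sig>.+?)\. Intruder: (?P<src>[\d.]+)\(.+?\)\. Risk Level: .*?"
    r"Attacked IP: [^()]*\((?P<dst>[\d.]+)\)\. Attacked Port: (?P<dport>\d+)"
)

def parse_events(text):
    """Return one dict per detection row; block notices carry no port detail and are skipped."""
    events = []
    for row in csv.reader(text.splitlines()):
        m = DETAIL.search(row[2]) if len(row) >= 3 else None
        if m:
            events.append({
                "time": datetime.strptime(row[0], "%d/%m/%Y %H:%M:%S"),
                "sig": m["sig"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            })
    return events

def summarize(events):
    """Group detections by (source, destination, port, signature) and report recurrence."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["dst"], e["dport"], e["sig"])].append(e["time"])
    report = []
    for (src, dst, dport, sig), times in groups.items():
        times.sort()
        gaps = [int((b - a).total_seconds() // 60) for a, b in zip(times, times[1:])]
        report.append({
            "src": src, "dst": dst, "dport": dport, "sig": sig, "count": len(times),
            # A private destination means the address logged is the LAN one behind the router.
            "dst_is_private": ipaddress.ip_address(dst).is_private,
            "gap_minutes": gaps,
        })
    return report

if __name__ == "__main__":
    for line in summarize(parse_events(SAMPLE_LOG)):
        print(line)
```
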
-
January 25th, 2008, 02:38 PM
#7
Hi there SirDice,
I come up as Amsterdam sometimes
I think that moxquito is using a search tool that is using outdated reference tables?
I find this one is pretty good:
http://www.dnsstuff.com/
And it says that IP resolves to Greece as well
-
January 25th, 2008, 02:57 PM
#8
Originally Posted by nihil
Hi there SirDice,
I think that moxquito is using a search tool that is using outdated reference tables?
The links mox posted show Greece as well
-
January 25th, 2008, 04:48 PM
#9
OK, so in my defense I got Amsterdam from Arin.net, which doesn't really make any sense either, so I'm not sure what I was thinking yesterday, and now that I look more closely at the RIPE page I see that the country is GR. So with that being said, after work tonight I'm going to go home and get drunk.
-
January 25th, 2008, 06:32 PM
#10
"don't know how moxquito came to that conclusion but 62.68.76.210 originates in Greece. Last time I checked Amsterdam was still the capital of my country"
Last time I checked, there's no reason to be a pri-ck towards someone who's trying to be helpful.