Was it a DOS attack?
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Was it a DOS attack?

  1. #1
    Member
    Join Date
    Feb 2003
    Posts
    32

    Was it a DOS attack?

    Hi All,

    It first happened two days ago, I logged on the net and can't able to go to any site. I've checked the modem and 'receiving' led was blinking at a very high rate.
    The I ran the netstat and found that IP 121.11.90.56:4005 had flodded me.
    Today again I've found the similar thing but from different IP.
    I've taken the screenshot of the output that I'm attaching (doc1.doc) with this message.
    Could anyone please confirm that was it a DOS attack?
    and how to stop it?

    Cheers
    The more one comes to know a man the more one admires a dog.

  2. #2
    Senior Member t34b4g5's Avatar
    Join Date
    Sep 2003
    Location
    Australia.
    Posts
    2,391
    Greetings.

    i think you forgot the attachement.

    Also have you tried ipconfig /release then do a ipconfig /renew and you should get a fresh IP.

    If it continues then just contact your ISP and they should be able to do something about it.

  3. #3
    0_o Mastermind keezel's Avatar
    Join Date
    Jun 2003
    Posts
    1,024
    For kicks you could try and configure your firewall to stealth port 4005 so that it will not respond to traffic.

  4. #4
    Member
    Join Date
    Feb 2003
    Posts
    32

    Here's the attachment

    Sorry, here's the attachment.
    Attached Files Attached Files
    The more one comes to know a man the more one admires a dog.

  5. #5
    Senior Member mungyun's Avatar
    Join Date
    Apr 2004
    Location
    Illinois
    Posts
    172
    hmm, do you have any sort of servers on your network? or any reason someone would do that? Im not saying its not possible for a random home network to get hit but it seems rare.

    Also after a little googling i found the wireshark website (a network protocol analyzer, used to be ethereal).. Could this be it?
    I believe in making the world safe for our children, but not our childrenís children, because I donít think children should be having sex. -- Jack Handey

  6. #6
    Member
    Join Date
    Feb 2003
    Posts
    32
    just sutfing net from my home using cable broadband on my laptop.
    The more one comes to know a man the more one admires a dog.

  7. #7
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Quote Originally Posted by darknite View Post
    The I ran the netstat and found that IP 121.11.90.56:4005 had flodded me.
    Errr, no. YOU are sending connection requests to 121.11.90.56 port 4005.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  8. #8
    Senior Member mungyun's Avatar
    Join Date
    Apr 2004
    Location
    Illinois
    Posts
    172
    Quote Originally Posted by SirDice View Post
    Errr, no. YOU are sending connection requests to 121.11.90.56 port 4005.
    ..Wow i feel dense... didnt even see the SYN_SENT and jumped to a guess.. Guess i should stick to programming and not networking. SirDice is 100%, you are seeing all those syn_sent messages because your computer is trying to open a connection to another system that is ignoring the connection request.

    For reference, here is a site that lists the statuses and what they mean from netstat.

    http://mikewilliamson.wordpress.com/2006/08/30/netstat/
    Last edited by mungyun; December 14th, 2008 at 02:51 PM.
    I believe in making the world safe for our children, but not our childrenís children, because I donít think children should be having sex. -- Jack Handey

  9. #9
    Member
    Join Date
    Feb 2003
    Posts
    32
    Thanks SirDice.
    You meant to say some program from my machine trying to make connection to the other machine at port 4005. If that's the case then, what I can't able to understand which program is it? and why it is using different ports on my system to connect to other.
    Please look at the second page of the attachment. I ran netstat -bv the other day when I've got the same issue. I can't able to understand in detail what's happening. You might able to explain it to me.

    Cheers
    The more one comes to know a man the more one admires a dog.

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    Quote Originally Posted by darknite View Post
    and why it is using different ports on my system to connect to other.
    That's just how tcp/ip works.

    Please look at the second page of the attachment.
    Didn't notice that one. First line shows something from Norton anti-virus. The http connections are to a default IIS installation somewhere in china.

    Code:
    dice@williscorto:~>whois 59.60.150.182
    
    OrgName:    Asia Pacific Network Information Centre
    OrgID:      APNIC
    Address:    PO Box 2131
    City:       Milton
    StateProv:  QLD
    PostalCode: 4064
    Country:    AU
    
    ReferralServer: whois://whois.apnic.net
    
    NetRange:   59.0.0.0 - 59.255.255.255
    CIDR:       59.0.0.0/8
    NetName:    APNIC-59
    NetHandle:  NET-59-0-0-0-1
    Parent:
    NetType:    Allocated to APNIC
    NameServer: NS1.APNIC.NET
    NameServer: NS3.APNIC.NET
    NameServer: NS4.APNIC.NET
    NameServer: TINNIE.ARIN.NET
    NameServer: NS.LACNIC.NET
    NameServer: NS-SEC.RIPE.NET
    Comment:    This IP address range is not registered in the ARIN database.
    Comment:    For details, refer to the APNIC Whois Database via
    Comment:    WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
    Comment:    ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
    Comment:    for the Asia Pacific region. APNIC does not operate networks
    Comment:    using this IP address range and is not able to investigate
    Comment:    spam or abuse reports relating to these addresses. For more
    Comment:    help, refer to http://www.apnic.net/info/faq/abuse
    RegDate:    2004-05-04
    Updated:    2005-05-20
    
    OrgTechHandle: AWC12-ARIN
    OrgTechName:   APNIC Whois Contact
    OrgTechPhone:  +61 7 3858 3188
    OrgTechEmail:  search-apnic-not-arin@apnic.net
    
    # ARIN WHOIS database, last updated 2008-12-14 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    % [whois.apnic.net node-2]
    % Whois data copyright terms    http://www.apnic.net/db/dbcopyright.html
    
    inetnum:      59.56.0.0 - 59.61.255.255
    netname:      CHINANET-FJ
    descr:        CHINANET fujian province network
    descr:        China Telecom
    descr:        No1,jin-rong Street
    descr:        Beijing 100032
    country:      CN
    admin-c:      CH93-AP
    tech-c:       CA67-AP
    mnt-by:       APNIC-HM
    mnt-lower:    MAINT-CHINANET-FJ
    mnt-routes:   MAINT-CHINANET-FJ
    status:       ALLOCATED PORTABLE
    remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    remarks:      This object can only be updated by APNIC hostmasters.
    remarks:      To update this object, please contact APNIC
    remarks:      hostmasters and include your organisation's account
    remarks:      name in the subject line.
    remarks:      -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
    changed:      hm-changed@apnic.net 20041118
    source:       APNIC
    
    role:         CHINANETFJ IP ADMIN
    address:      7,East Street,Fuzhou,Fujian,PRC
    country:      CN
    phone:        +86-591-3333169-293
    fax-no:       +86-591-3371954
    e-mail:       fjnic@fjdcb.fz.fj.cn
    trouble:      send spam reports  and abuse reports
    trouble:      to abuse@fjdcb.fz.fj.cn
    trouble:      Please include detailed information and
    trouble:      times in UTC
    admin-c:      FH71-AP
    tech-c:       FH71-AP
    nic-hdl:      CA67-AP
    mnt-by:       MAINT-CHINANET-FJ
    changed:      fjnic@fjdcb.fz.fj.cn 20020719
    source:       APNIC
    
    person:       Chinanet Hostmaster
    nic-hdl:      CH93-AP
    e-mail:       anti-spam@ns.chinanet.cn.net
    address:      No.31 ,jingrong street,beijing
    address:      100032
    phone:        +86-10-58501724
    fax-no:       +86-10-58501724
    country:      CN
    changed:      dingsy@cndata.com 20070416
    mnt-by:       MAINT-CHINANET
    source:       APNIC
    
    
    dice@williscorto:~>HEAD  59.60.150.182
    200 OK
    Date: Mon, 15 Dec 2008 08:42:28 GMT
    Accept-Ranges: bytes
    ETag: "0ce1f9a2d9c21:1f5"
    Server: Microsoft-IIS/6.0
    Content-Length: 1193
    Content-Location: http://59.60.150.182/iisstart.htm
    Content-Type: text/html
    Last-Modified: Fri, 21 Feb 2003 12:15:52 GMT
    Client-Date: Mon, 15 Dec 2008 08:43:18 GMT
    Client-Peer: 59.60.150.182:80
    Client-Response-Num: 1
    X-Powered-By: ASP.NET
    
    dice@williscorto:~>
    I seriously suggest scanning your machine for malware as I'm most certain you're infected with something.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

Similar Threads

  1. Terrorism
    By Tedob1 in forum Cosmos
    Replies: 9
    Last Post: May 7th, 2006, 06:06 AM
  2. A look into IDS/Snort Whole thing by QoD
    By qod in forum The Security Tutorials Forum
    Replies: 6
    Last Post: February 27th, 2004, 03:03 AM
  3. Understanding DoS
    By NullDevice in forum The Security Tutorials Forum
    Replies: 21
    Last Post: December 17th, 2003, 10:03 PM
  4. Classic Social Engineering Attacks
    By Striek in forum The Security Tutorials Forum
    Replies: 10
    Last Post: December 16th, 2003, 09:30 PM
  5. 50 Java Attack
    By VLaD tHEiMpALeR in forum Programming Security
    Replies: 0
    Last Post: July 18th, 2002, 04:51 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •