Results 1 to 9 of 9

Thread: Unauthorised access from an IP

  1. #1
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683

    Unauthorised access from an IP

    Hi Guys,

    Our internal Ip ran is 192.168.X.X.

    Now our UTM has blocked traffic from inside our network. How this got in I dont know. This is the IP below.

    77.68.44.170

    It resolves to somewhere in the UK ...
    Anyone had anything similar, we dont know where it came in. .. Everything is locked down.

    Unauthorized extensions cmd32.exe 30/03/2010 16:57:51 Moved to quarantine HTTP


    77.68.44.170 Unauthorized extensions cmd32.exe 30/03/2010 16:57:51 Moved to quarantine HTTP


    77.68.44.170 Unauthorized extensions convert.bas 30/03/2010 16:57:51 Moved to quarantine HTTP


    77.68.44.170 Unauthorized extensions convert.bas 30/03/2010 16:57:51 Moved to quarantine HTTP


    77.68.44.170 Unauthorized extensions cmd32.exe 30/03/2010 16:57:50 Moved to quarantine HTTP


    77.68.44.170 Unauthorized extensions cmd32.exe 30/03/2010 16:57:50 Moved to quarantine HTTP


    77.68.44.170 Unauthorized extensions CGImail.exe 30/03/2010 16:57:49 Moved to quarantine HTTP


    77.68.44.170 Unauthorized extensions CGImail.exe 30/03/2010 16:57:49 Moved to quarantine HTTP


    77.68.44.170 Unauthorized extensions cmd.exe 30/03/2010 16:57:49 Moved to quarantine HTTP


    77.68.44.170 Unauthorized extensions cmd.exe 30/03/2010 16:57:49 Moved to quarantine HTTP


    77.68.44.170 Unauthorized extensions cmd.exe 30/03/2010 16:57:49 Moved to quarantine HTTP


    77.68.44.170 Unauthorized extensions cmd.exe 30/03/2010 16:57:49 Moved to quarantine HTTP


    77.68.44.170 Unauthorized extensions cmd.exe 30/03/2010 16:57:48 Moved to quarantine HTTP


    77.68.44.170
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  2. #2
    rebmeM roineS enilnOitnA steve.milner's Avatar
    Join Date
    Jul 2003
    Posts
    1,021
    Cider.

    Malware or a dodgy user could set up an IP address on an internal machine to anything it likes.

    Would that be a possible explanation?

    Steve
    IT, e-commerce, Retail, Programme & Project Management, EPoS, Supply Chain and Logistic Services. Yorkshire. http://www.bigi.uk.com

  3. #3
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Hmm not buying that.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Project Honeypot has this:

    http://www.projecthoneypot.org/ip_77...b597k9cc97gsr6



    EDIT:

    http://www.ip-adress.com/reverse_ip/77.68.44.170

    And the plot thickens:

    from Kenneth Peterson <kenneth.peterson@infantry-marines.com>
    reply-to [kenneth.peterson@infantry-marines.com]
    date Tue, Jan 5, 2010
    subject MISSION!

    Hi there,

    How are you doing today? I am Kenneth Peterson, a US Marine currently serving in Iraq. I am actually one of the few Marines remaining in Iraq. We are waiting for executive order for our next deployment to Afghanistan this new year.

    I got your email from a business directory and I believe that you will maintain the level of confidence and trust that this mission I am about to inform you of require. Several months ago, my unit discovered some abandoned cash in the mansion of a militant ruler during a covert military raid. The total cash we discovered was $11.5 Million

    USD. We stashed all the funds in one trunk box and moved it secretly out of Iraq to Kuwait for safekeeping. We waited for several months to ensure that nobody is on our trail. Now, we need to move the money out of Kuwait. I am contacting you because we need your assistance in receiving the box for us on our behalf, and securing the cash until we return home from service. Please note that we cannot use any of our known relative or friend for this mission because they are listed as acquaintance on our military file and this will compromise the covertness of this mission. In order to proceed with this mission, we need the following details from you.

    1. Your Full name
    2. The address where you want the box to be delivered
    3. Your private telephone number where you can be reached 24 hours

    If for some reasons you don't want to or can't help us, I want you to delete this message immediately and assume we never had this conversation.

    However, if you are going to fully cooperate with us in this transaction, we will compensate you with 25&#37; of the total cash after the mission is accomplished. Like I said earlier, we are a GO and waiting for your response. This is a very serious deal and I wouldn't be asking for your help if I am not convinced that this is not going to bring any harm to you or your family, or put you in a risky position. We have worked the kinks out and am very convinced this is gonna be successful.

    Once we get a positive response from you with the info requested, we will proceed into the next step and I will give you further instructions. I hope I can rely on your sense of discretion. Write back soon buddy. Wishing you a prosperous new year.

    In God we trust,

    Ken
    [kenneth.peterson@infantry-marines.com]
    Quote:
    Return-Path: <kenneth.peterson@infantry-marines.com>
    Received: from server77-68-44-170.live-servers.net [77.68.44.170] by mail.buildingcareers.sg
    And it isn't "In God we trust" it's "Semper Fi"

    Or even:

    http://spam.bubble.ro/237338-please-read-carefully/
    Last edited by nihil; April 1st, 2010 at 02:12 PM.

  5. #5
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Have you seen any other suspicious traffic of that nature since the original post? That IP is not pinging. What are you using for your UTM? Are there other logs that could give you an idea of what you are looking at? [By the way, I am assuming that UTM is 'Unified Threat Management'. If I am wrong, please correct me.]
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

  6. #6
    Only african to own a PC! Cider's Avatar
    Join Date
    Jun 2003
    Location
    Israel
    Posts
    1,683
    Traffic has died down, nothing of that nature happening.

    You are on the right track with the UTM.

    We are using a Gatedefender Performa from Panda.

    Its very strange as it got into our network one way or another.
    The world is a dangerous place to live; not because of the people who are evil, but because of the people who don't do anything about it.
    Albert Einstein

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Given the apparent nature of the site I would guess that it got in through e-mail initially.

  8. #8
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    My guess is rogue laptop.....have had consultants come in with crap on their machines or users bringing in machines from home.

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  9. #9
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883
    Are you running an internal server that has a view from the outside world? (either port forwarding or DMZ'd)? If so, clean out any CGI scripts you don't use.

    If this was a few years ago, I'd guess that you have a Novell server that was exploited through one of the CGI attacks and is being used to look for other servers.
    \"Ignorance is bliss....
    but only for your enemy\"
    -- souleman

Similar Threads

  1. Windows Error Messages
    By cheyenne1212 in forum Miscellaneous Security Discussions
    Replies: 7
    Last Post: February 1st, 2012, 02:51 PM
  2. Port List
    By ThePreacher in forum Miscellaneous Security Discussions
    Replies: 17
    Last Post: December 14th, 2006, 09:37 PM
  3. Newbies, list of many words definitions.
    By -DaRK-RaiDeR- in forum Newbie Security Questions
    Replies: 9
    Last Post: December 14th, 2002, 08:38 PM
  4. cant istall dsl softwr installshield access denied
    By collis113 in forum Site Feedback/Questions/Suggestions
    Replies: 2
    Last Post: November 9th, 2002, 09:57 AM
  5. The Worlds Longest Thread!
    By Noble Hamlet in forum AntiOnline's General Chit Chat
    Replies: 1100
    Last Post: March 17th, 2002, 09:38 AM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •