Help ... and Advice Me Please !!!

[HYPERXXX]

This are just some of 204 attempts on my log . Same IP address ... Whats the best thing to do ... I need Help Please !!!!!

He do it everynow and then ...

A computer in your Banned IP list at 112.a.005.syd.iprimus.net.au has attempted

***to access TCP port 31337 on your machine.
TCP port 31337 is commonly used by the Baron Night / Back Orifice Client / Back Orifice 2 / Bo Facil / BackFire / Deep BO service or program.

***to access TCP port 6000 on your machine.
TCP port 6000 is commonly used by the X Window System service or program.

*** to access TCP port 50766 on your machine.
TCP port 50766 is commonly used by the Schwindler 1.82 service or program. The Source computer has scanned your machine for this trojan, but this has been blocked by our security filters.

***to access TCP port 777 on your machine.
TCP port 777 is commonly used by the Multiling HTTP service or program.

*** to access TCP port 54321 on your machine.
TCP port 54321 is commonly used by the School Bus / Back Orifice 2000 service or program. The Source computer has scanned your machine for this trojan

***to access TCP port 6670 on your machine.
TCP port 6670 is commonly used by the Vocaltec Global Online Directory / Deep Throat Trojan service or program

***to access TCP port 27374 on your machine.
TCP port 27374 is commonly used by the Sub 7 Trojan Scan service or program. The Sub 7 Trojan.

***to access TCP port 8080 on your machine.
TCP port 8080 is commonly used by the RingZero Trojan / HTTP Alternate (see port 80) service or program

This are just some of 204 attempts on my log . Same IP address ... Whats the best thing to do ... I need Help Please !!!!!

Thanks

P.S.

Sorry if my post is too long ... This is my first time to post ... i dont know if there is a limit ... anyway THANKS !!!

[Wizeman]

'ello!

I would imagine that if it logged the attempts, it also blocks the attempt, which means that those are the ports you don't have to worry about. Basically, it seems whoever it is, is just trying to find a quick easy way to take over your desktop without doing too much work. You can send your log to the abuse e-mail address at this person's ISP, but nothing normally comes of that. Primarily, you should be worried about making sure you have no trojans, and no exploitable services, cause that is what that person is trolling for.

Maybe if you give us some more information on your system, and we can let you know how to specifically lock down your system, but in general it seems like your firewall is doing its job.

Regards,
Wizeman

P.S. The webpage for that ISP is: http://www.iprimus.com.au/
I'd suggest calling them if you care enough, or just e-mail the addresses that you feel are pertinent with a well thought out complaint, and make sure you attach the log.

[TheProphet]

Hyperxxx,

What firewall are you using?
There are numerous programs that allow you to scan open ports on your PC, am doing one right now.

As Wizeman says, if these are just logging attempts you should be ok.

[dcongram]

Every ISP has an 'abuse' department that handles hack attempts, spammers, etc.

It is usually 'abuse@xxx.xxx' You're ISP probably has the same.

Send them copies of your log, with an email. They will contact jprimus.

Most people are unaware that when they sign up for an internet account they sign an 'Acceptable Internet Usage Policy' agreement forbidding them to interfere with any other internet user, or computer. By violating that agreement, they lose their account.

[Rewandythal]

1) Make sure that IP is added to your Blocked or Restricted list
2) Update your anti-virus
3) Scan for viruses
4) go to www.grc.com and scan for open ports to check that your firewall is working
5) If there are ports open that shouldn't be, manually block access to them in your firewall options, then scan again
6) Repeat process until you're happy that the system is secure
7) Try to report the abuse to the ISP, as stated in the above posts
8) Apart from that, if it's blocking it you have nothing to worry about, so just ignore it.

[zepherin]

were you on IRC? there are some scripts that log ip addresses and run a scan on an the addresses looking for trojans.

[HYPERXXX]

yeah i am using an MIRC ... there is where my friends are... how can i secure my entire pc and yet still using mIRC .. Thanks Guys for the help !

[Rewandythal]

Allow access to Port 6667 and NOTHING ELSE (Although that way Internet Explorer etc. won't work, but you get the idea, make sure that everything is blocked apart from 6667 and the ports used by IE etc.)

[Terr]

Originally posted by Rewandythal
Allow access to Port 6667 and NOTHING ELSE (Although that way Internet Explorer etc. won't work, but you get the idea, make sure that everything is blocked apart from 6667 and the ports used by IE etc.)

Just to emphasize (I know you meant it, Rew), but that is remote TCP port 6667. This doesn't stop someone from doin weird stuff by using 6667 as their source port, but that would be very rare unless you were being specifically targeted by a determined intruder.

Common remote ports you might want to keep open:
80 (HTTP)
443 (HTTPS, secure credit-card-y stuff)
110 (POP3, Checking email via Eudora or Outlook Express, most likely)
6667 (IRC, there may be variations like 7000, for some servers.)

As for ICQ/AIM/MSN, well, that's a whole new can of worms.

[Rewandythal]

Yeah, sorry, I didn't make that clear.
Allow access to those remote ports only, and if you use ZoneAlarm or something similar it will only allow access to ports your software is connecting on locally anyway (in other words, whichever port IE chooses to communicate through, ZA will allow access to that *if* IE is in your allowed programs list, that is as long as your internet zone setting is on High security... ports not in use by an authorised program are stealthed.)