-
April 3rd, 2004, 04:51 AM
#1
Junior Member
Have ?able hacker's IP now what?
Hello all. New to this so forgive me. This may have been discussed but I searched and didn't come up with anything useful for someone as comp illiterate as I. hehe So I am looking for some hand holding?!
OK I am running Windows XP, w/ Norton antivirus+internet security which I have set up to notify me of potential attacks. So when alert goes off and logs : You were attacked on, recent intrusion attempts, and most frequent attacker 68.162.31.158 (this one is from today)
Ok it's catching it, But now what? My brother showed me command prompt to "ping " this IP to possibly scare this user that you're on to their behavior, but does this really do any good? If you want to trace then, How? What do these numbers mean, and how do you determine where they are coming from or if they are hostile? And so now say you do trace it you get what, their ISP? You can report them, how do you do that? With the numbers you get back from the trace? And then what if this person has no idea his/her machine is doing this?
Now let me give you some background, recently I was supposedly infected with virus, sorry forget name tell you symptoms, I received an email from myself. Apparently this virus scans names from contact lists and names from incoming +outgoing email copies itself and sends itself as an attachment, so when you think you're getting mail from your buddy, you guessed it!
Anyway my Norton didn't find it on my machine, nor did Stinger or FxNetsky. Could my ISP be infected and sending out Email in my name scanning my email? Sorry, off topic! Would really just like to know whether to worry or not, And If retaliation isn't the answer what is?
Thank you for your time. Nuke
The dumber people think you are,
The more surprised they'll be when you KILL them!
-
April 3rd, 2004, 05:05 AM
#2
When you get a warning in NIS, there is an alert, plus an option to trace its location. It will give you information about the network, and should include an abuse email. From there, you can report the IP.
Don't forget, not every alert necessarily means you are being targeted by some evil hacker in a fortress. Some are false alarms, routine network scans, or zombies. I would recommend not trying to scare off anyone through tactics of any sort. A simple phone call to the network admin is enough. You don't want to get in trouble or stir up any extra attention to a malicious person, just as a rule of thumb.
http://www.arin.net/whois/index.html
edit:
Your signature is weird.
-
April 3rd, 2004, 05:37 AM
#3
Sam Spade returns this:
04/02/04 20:37:09 IP block 68.162.31.158
Trying 68.162.31.158 at ARIN
Trying 68.162.31 at ARIN
OrgName: Verizon Internet Services
OrgID: VRIS
Address: 1880 Campus Commons Dr
City: Reston
StateProv: VA
PostalCode: 20191
Country: US
NetRange: 68.160.0.0 - 68.163.255.255
CIDR: 68.160.0.0/14
NetName: VIS-68-160
NetHandle: NET-68-160-0-0-1
Parent: NET-68-0-0-0-0
NetType: Direct Allocation
NameServer: NSDC.BA-DSG.NET
NameServer: GTEPH.BA-DSG.NET
Comment:
RegDate: 2002-08-30
Updated: 2003-07-18
NOCHandle: ZV20-ARIN
NOCName: Verizon Internet Services
NOCPhone: +1-703-295-4583
NOCEmail: noc@gnilink.net
OrgAbuseHandle: VISAB-ARIN
OrgAbuseName: VIS Abuse
OrgAbusePhone: +1-703-295-4583
OrgAbuseEmail: abuse@verizon.net
OrgTechHandle: ZV20-ARIN
OrgTechName: Verizon Internet Services
OrgTechPhone: +1-703-295-4583
OrgTechEmail: noc@gnilink.net
# ARIN WHOIS database, last updated 2004-04-02 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
So anyway, if you wish to file a complaint then there you are:
OrgAbuseHandle: VISAB-ARIN
OrgAbuseName: VIS Abuse
OrgAbusePhone: +1-703-295-4583
OrgAbuseEmail: abuse@verizon.net
"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
Author Unknown
-
April 3rd, 2004, 05:40 AM
#4
Ok it's catching it, But now what? My brother showed me command prompt to "ping " this IP to possibly scare this user that you're on to their behavior, but does this really do any good?
This will probably not "scare" them. ping is used to show connectivity between hosts...
Take Soda_Popinsky's advice. Trace them back to their ISP and send them an email letting them know about the activity. You can also include some logs for "proof". Just be sure to sanitize them a bit. They only need the activity of the "attacker", not everything your PC does.
It is good that NIS caught it. Enable autoblock and forget them. Just make sure to update the client frequently to make sure you have up2date virus protection and IDS rules.
You'll see this type of activity all the time. It can be a pain to trace down every kiddie out there.
It most likely won't even do any good. Just waste your time. Just be happy you're protected and go on with your life.
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
April 3rd, 2004, 05:47 AM
#5
it's someone in the Newark NJ area on Verizon DSL. do yourself a favor, unless you plan to report them to Verizon abuse (for what I don't know) turn off Norton's alerts. the ones it doesn't catch are the ones you need to worry about. the ones it reports are really off the wall and are designed to make the user think "sure am glad i got norton!", besides there's no law against scanning any port in Newark except the port of Newark itself. if you're talking revenge ' wudah ya focken kidden me? fahgetaboudit!' they even shoot the witnesses in Newark. j/k..well kinda
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
April 3rd, 2004, 06:02 PM
#6
Junior Member
Thanks for your replies.
I guess my first thought is how do you know when this is meant to cause harm? If someone is trying to connect to your comp. without your permission this activity IS illegal right? I see the point of not reporting everyone or you will be doing it all the time, however what happens to the people you report? they get dropped by their current ISP? big deal find another.
I will take the advice and not ping people. Thanks: soda_popinsky+phishphreek80
Moxnix: Thanks for doing that. But how'd you do it? I've never reported anyone, not sure that I should, that's why I am asking for advice. Let's say I did want to. I would contact? abuse@verison.net ? and give them the offender's IP? or how does that work?
I'm not sure if my NIS actually gives me the opportunity to trace IP. It pops up with alert but can't remember what else..... Next time it happens I will pay more attention!
It seems to happen a lot more when running Kazaa lite. Does this make a difference? Somehow opening me up for more attempts?
Ultimately, I will probably take the advice and move on, but would like to know what to do and how to do it. In case I get fed up with it in the future.
Thanks for putting up with my stupid ?'s everyone.
Nuke ( a true NEWBIE)
If you can't dazzle them with brilliance,
Riddle them with HOLES! Muhaha
Edited: Just figured out that sam spade is not a person!! nuknuk
The stupider people think you are,
The more surprised they'll be when you KILL them!
-
April 4th, 2004, 03:30 AM
#7
Member
/QUOTE from Nuke8771:
Edited: Just figured out that sam spade is not a person!! nuknuk
/ENDQUOTE
Actually, he's a semi-real person 
/QUOTED from samspade website:
Sam Spade is a hard-boiled Film-Noir detective, famously played by Humphrey Bogart in The Maltese Falcon
The film detective investigates, discovers clues, deduces implications and works to discover the truth. A number of people have contrasted that to the classic film caricature of a cop, more likely to beat the story they want to hear out of a suspect or jail the wrong guy.
/ENDQUOTE
If the scans happen a lot while running KazaaLite, you might simply be receiving requests for the shared files on your hard drive...
-
April 5th, 2004, 03:29 PM
#8
Sam Spade http://www.samspade.org/ssw/ if you are interested (freeware by the way)
Actually, gn0min0mic0n probably nailed it for you:
If the scans happen a lot while running KazaaLite, you might simply be receiving requests for the shared files on your hard drive...
That and/or someone might be pinging you to find out the lag time from your machine to theirs.
"Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
Author Unknown
-
April 5th, 2004, 04:25 PM
#9
Re: Have ?able hacker's IP now what?
Originally posted here by Nuke8771
Hello all. New to this so forgive me. This may have been discussed but I searched and didn't come up with anything useful for someone as comp illiterate as I. hehe So I am looking for some hand holding?!
OK I am running Windows XP, w/ Norton antivirus+internet security which I have set up to notify me of potential attacks. So when alert goes off and logs : You were attacked on, recent intrusion attempts, and most frequent attacker 68.162.31.158 (this one is from today
Hey that's my IP address!! j/k It's probably a zombie machine (as Soda_Popinsky) port scanning you or something. Probably another person out on the net without a firewall...
N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)
-
April 6th, 2004, 01:19 AM
#10
Junior Member
ok so I'm getting used to sam spade and I try out ip block on latest batch of IP's
when I come across something disturbing.
192.168.1.1:32441
192.168.1.102:5000
192.168.1.1:32447
192.168.1.1:32450
These addresses tried 67 times combined Alerting me to : Trois v1. Trojan
Running Sam spade on these returns all pretty much the same thing
04/05/04 20:14:45 IP block 192.168.1.1
Trying 192.168.1.1 at ARIN
Trying 192.168.1 at ARIN
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
NetRange: 192.168.0.0 - 192.168.255.255
CIDR: 192.168.0.0/16
NetName: IANA-CBLK1
NetHandle: NET-192-168-0-0-1
Parent: NET-192-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate: 1994-03-15
Updated: 2002-09-16
OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org
OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org
# ARIN WHOIS database, last updated 2004-04-04 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
All are registered to this. Email their abuse line and get this: http://www.iana.org/faqs/abuse-faq.htm
Basically says iana is not an ISP, but the particular block of IP's that these addresses are in does belong to them!?
Got on NIS site and ran their trace it comes up Dominican Republic
Now what? If it's just a port scan ok but when it starts popping up they're trying to drop in a trojan I get pissed.....!
The stupider people think you are,
The more surprised they'll be when you KILL them!
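Added example, not written by anyone in this thread: a small triage helper for the two lookups above. It checks whether an alert source falls in reserved address space (192.168.0.0/16 is the RFC 1918 private range named in the WHOIS comment, so those entries are devices on the local network and no ISP abuse desk applies) and otherwise pulls the abuse contact out of ARIN-style WHOIS text. The function names and the "action" labels are hypothetical; the sample is trimmed from the reply quoted in post #3.

```python
import ipaddress

# Constructed sample: trimmed from the ARIN WHOIS reply quoted in post #3.
SAMPLE_WHOIS = """\
OrgName: Verizon Internet Services
NetRange: 68.160.0.0 - 68.163.255.255
CIDR: 68.160.0.0/14
NetType: Direct Allocation
OrgAbuseName: VIS Abuse
OrgAbusePhone: +1-703-295-4583
OrgAbuseEmail: abuse@verizon.net
# ARIN WHOIS database, last updated 2004-04-02 19:15
"""

def parse_whois(text):
    """Return WHOIS 'Key: value' lines as a dict, skipping '#' comments."""
    fields = {}
    for line in text.splitlines():
        if line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), value.strip())  # keep first occurrence
    return fields

def split_source(entry):
    """Split a firewall-log 'ip:port' entry (IPv4) into (ip, port or None)."""
    host, sep, port = entry.partition(":")
    return ipaddress.ip_address(host.strip()), int(port) if sep else None

def triage(entry, whois_text=None):
    """Decide what to do with one alert source (hypothetical action labels)."""
    ip, _port = split_source(entry)
    # RFC 1918, loopback and link-local sources never left the local network.
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return {"ip": str(ip), "action": "check-local-network", "contact": None}
    fields = parse_whois(whois_text or "")
    cidr = fields.get("CIDR")
    # Guard against pasting the WHOIS reply for a different address block.
    if cidr and ip not in ipaddress.ip_network(cidr):
        return {"ip": str(ip), "action": "whois-mismatch", "contact": None}
    contact = fields.get("OrgAbuseEmail")
    action = "report" if contact else "lookup-needed"
    return {"ip": str(ip), "action": action, "contact": contact}
```
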