
Thread: Have ?able hacker's IP now what?

  1. #1
    Junior Member
    Join Date
    Apr 2004
    Posts
    6

    Question Have ?able hacker's IP now what?



    Hello all. New to this so forgive me. This may have been discussed but I searched and didn't come up with anything useful for someone as comp illiterate as I. hehe So I am looking for some hand holding?!
    OK I am running Windows XP, w/ Norton antivirus+internet security which I have set up to notify me of potential attacks. So when alert goes off and logs : You were attacked on, recent intrusion attempts, and most frequent attacker 68.162.31.158 (this one is from today)
    Ok it's catching it, But now what? My brother showed me command prompt to "ping " this IP to possibly scare this user that you're on to their behavior, but does this really do any good? If you want to trace then, How? What do these numbers mean, and how do you determine where they are coming from or if they are hostile? And so now say you do trace it you get what their ISP? You can report them, how do you do that? With the numbers you get back from the trace? And then what if this person has no idea his/her machine is doing this?
    Now let me give you some background, recently I was supposedly infected with virus, sorry forget name tell you symptoms, I received an email from myself. Apparently this virus scans names from contact lists and names from incoming + outgoing email copies itself and sends itself as an attachment, so when you think you're getting mail from your buddy, you guessed it!
    Anyway my Norton didn't find it on my machine, nor did Stinger or FxNetsky. Could my ISP be infected and sending out Email in my name scanning my email? Sorry, off topic! Would really just like to know whether to worry or not, And If retaliation isn't the answer what is?
    Thank you for your time. Nuke


    The dumber people think you are,
    The more surprised they'll be when you KILL them!

  2. #2
    When you get a warning in NIS, there is an alert, plus an option to trace its location. It will give you information about the network, and should include an abuse email. From there, you can report the IP.

    Don't forget, not every alert necessarily means you are being targeted by some evil hacker in a fortress. Some are false alarms, routine network scans, or zombies. I would recommend not trying to scare off anyone through tactics of any sort. A simple phone call to the network admin is enough. You don't want to get in trouble or stir up any extra attention to a malicious person, just as a rule of thumb.


    http://www.arin.net/whois/index.html

    edit:
    Your signature is weird.

  3. #3
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Sam Spade returns this:
    04/02/04 20:37:09 IP block 68.162.31.158
    Trying 68.162.31.158 at ARIN
    Trying 68.162.31 at ARIN

    OrgName: Verizon Internet Services
    OrgID: VRIS
    Address: 1880 Campus Commons Dr
    City: Reston
    StateProv: VA
    PostalCode: 20191
    Country: US

    NetRange: 68.160.0.0 - 68.163.255.255
    CIDR: 68.160.0.0/14
    NetName: VIS-68-160
    NetHandle: NET-68-160-0-0-1
    Parent: NET-68-0-0-0-0
    NetType: Direct Allocation
    NameServer: NSDC.BA-DSG.NET
    NameServer: GTEPH.BA-DSG.NET
    Comment:
    RegDate: 2002-08-30
    Updated: 2003-07-18

    NOCHandle: ZV20-ARIN
    NOCName: Verizon Internet Services
    NOCPhone: +1-703-295-4583
    NOCEmail: noc@gnilink.net

    OrgAbuseHandle: VISAB-ARIN
    OrgAbuseName: VIS Abuse
    OrgAbusePhone: +1-703-295-4583
    OrgAbuseEmail: abuse@verizon.net

    OrgTechHandle: ZV20-ARIN
    OrgTechName: Verizon Internet Services
    OrgTechPhone: +1-703-295-4583
    OrgTechEmail: noc@gnilink.net

    # ARIN WHOIS database, last updated 2004-04-02 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    So anyway, if you wish to file a complaint then there you are:
    OrgAbuseHandle: VISAB-ARIN
    OrgAbuseName: VIS Abuse
    OrgAbusePhone: +1-703-295-4583
    OrgAbuseEmail: abuse@verizon.net
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  4. #4
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Ok it's catching it, But now what? My brother showed me command prompt to "ping " this IP to possibly scare this user that you're on to their behavior, but does this really do any good?
    This will probably not "scare" them. ping is used to show connectivity between hosts...

    Take Soda_Popinsky's advice. Trace them back to their ISP and send them an email letting them know about the activity. You can also include some logs for "proof". Just be sure to sanitize them a bit. They only need the activity of the "attacker" not everything your PC does.

    It is good that NIS caught it. Enable autoblock and forget them. Just make sure to update the client frequently to make sure you have up2date virus protection and IDS rules.

    You'll see this type of activity all the time. It can be a pain to trace down every kiddie out there.
    It most likely won't even do any good. Just waste your time. Just be happy you're protected and go on with your life.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  5. #5
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,785
    it's someone in the newark nj area on verizon dsl. do yourself a favor, unless you plan to report them to verizon abuse (for what i don't know) turn off norton's alerts. the ones it doesn't catch are the ones you need to worry about. the ones it reports are really off the wall and are designed to make the user think "sure am glad i got norton!", besides there's no law against scanning any port in newark except the port of newark itself. if you're talking revenge ' wudah ya focken kidden me? fahgetaboudit!' they even shoot the witnesses in newark. j/k..well kinda
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  6. #6
    Junior Member
    Join Date
    Apr 2004
    Posts
    6
    Thanks for your replies.
    I guess my first thought is how do you know when this is meant to cause harm? If someone is trying to connect to your comp. without your permission this activity IS illegal right? I see the point of not reporting everyone or you will be doing it all the time, however what happens to the people you report? they get dropped by their current ISP? big deal find another.

    I will take the advice and not ping people. Thanks: soda_popinsky+phishphreek80

    Moxnix: Thanks for doing that. But how'd you do it? I've never reported anyone not sure that I should that's why I am asking for advice. Let's say I did want to . I would contact? abuse@verison.net ? and give them the offender's IP? or how does that work?

    I'm not sure if my NIS actually gives me the opportunity to trace IP. It pops up with alert but can't remember what else..... Next time it happens I will pay more attention!
    It seems to happen a lot more when running Kazaa lite. Does this make a difference? Somehow opening me up for more attempts?

    Ultimately, I will probably take the advice and move on, but would like to know what to do and how to do it. In case I get fed up with it in the future.

    Thanks for putting up with my stupid ?'s everyone.

    Nuke ( a true NEWBIE)
    If you can't dazzle them with brilliance,
    Riddle them with HOLES! Muhaha

    Edited: Just figured out that sam spade is not a person!! nuknuk
    The stupider people think you are,
    The more surprised they'll be when you KILL them!

  7. #7
    /QUOTE from Nuke8771:
    Edited: Just figured out that sam spade is not a person!! nuknuk
    /ENDQUOTE

    Actually, he's a semi-real person

    /QUOTED from samspade website:
    Sam Spade is a hard-boiled Film-Noir detective, famously played by Humphrey Bogart in The Maltese Falcon

    The film detective investigates, discovers clues, deduces implications and works to discover the truth. A number of people have contrasted that to the classic film caricature of a cop, more likely to beat the story they want to hear out of a suspect or jail the wrong guy.
    /ENDQUOTE

    If the scans happen a lot while running KazaaLite, you might simply be receiving requests for the shared files on your hard drive...

  8. #8
    Macht Nicht Aus moxnix's Avatar
    Join Date
    May 2002
    Location
    Huson Mt.
    Posts
    1,752
    Sam Spade http://www.samspade.org/ssw/ if you are interested (freeware by the way)
    Actually, gn0min0mic0n probably nailed it for you:
    If the scans happen a lot while running KazaaLite, you might simply be receiving requests for the shared files on your hard drive...
    That and/or someone might be pinging you to find out the lag time from your machine to theirs.
    "Life should NOT be a journey to the grave with the intention of arriving safely in an attractive and well preserved body, but rather to skid in sideways, Champagne in one hand - strawberries in the other, body thoroughly used up, totally worn out and screaming WOO HOO - What a Ride!"
    Author Unknown

  9. #9
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038

    Re: Have ?able hacker's IP now what?

    Originally posted here by Nuke8771


    Hello all. New to this so forgive me. This may have been discussed but I searched and didn't come up with anything useful for someone as comp illiterate as I. hehe So I am looking for some hand holding?!
    OK I am running Windows XP, w/ Norton antivirus+internet security which I have set up to notify me of potential attacks. So when alert goes off and logs : You were attacked on, recent intrusion attempts, and most frequent attacker 68.162.31.158 (this one is from today
    Hey that's my IP address!! j/k It's probably a zombie machine (as Soda_Popinsky) port scanning you or something. Probably another person out on the net without a firewall...
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  10. #10
    Junior Member
    Join Date
    Apr 2004
    Posts
    6
    ok so I'm getting used to sam spade and I try out ip block on latest batch of IP's
    when i come across something disturbing. 192.168.1.1:32441
    192.168.1.102:5000
    192.168.1.1:32447
    192.168.1.1:32450
    These addresses tried 67 times combined Alerting me to : Trois v1. Trojan
    Running Sam spade on these returns all pretty much the same thing
    04/05/04 20:14:45 IP block 192.168.1.1
    Trying 192.168.1.1 at ARIN
    Trying 192.168.1 at ARIN

    OrgName: Internet Assigned Numbers Authority
    OrgID: IANA
    Address: 4676 Admiralty Way, Suite 330
    City: Marina del Rey
    StateProv: CA
    PostalCode: 90292-6695
    Country: US

    NetRange: 192.168.0.0 - 192.168.255.255
    CIDR: 192.168.0.0/16
    NetName: IANA-CBLK1
    NetHandle: NET-192-168-0-0-1
    Parent: NET-192-0-0-0-0
    NetType: IANA Special Use
    NameServer: BLACKHOLE-1.IANA.ORG
    NameServer: BLACKHOLE-2.IANA.ORG
    Comment: This block is reserved for special purposes.
    Comment: Please see RFC 1918 for additional information.
    Comment:
    RegDate: 1994-03-15
    Updated: 2002-09-16

    OrgAbuseHandle: IANA-IP-ARIN
    OrgAbuseName: Internet Corporation for Assigned Names and Number
    OrgAbusePhone: +1-310-301-5820
    OrgAbuseEmail: abuse@iana.org

    OrgTechHandle: IANA-IP-ARIN
    OrgTechName: Internet Corporation for Assigned Names and Number
    OrgTechPhone: +1-310-301-5820
    OrgTechEmail: abuse@iana.org

    # ARIN WHOIS database, last updated 2004-04-04 19:15
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    All are registered to this, Email their abuse line and get this: http://www.iana.org/faqs/abuse-faq.htm

    Basically says iana is not an ISP, but the particular block of IP's that these addresses are in does belong to them!?
    Got on NIS site and ran their trace it comes up Dominican Republic
    Now what? If it's just a port scan ok but when it starts popping up they're trying to drop in a trojan I get pissed.....!
    The stupider people think you are,
    The more surprised they'll be when you KILL them!
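
Added example, not part of any post in this thread: a triage step for logged source addresses that separates RFC 1918 private addresses (the 192.168.x.x entries in post #10, which sit on the poster's own LAN and have no ISP to report to) from public ones, and pulls the abuse contact out of WHOIS text in the layout Sam Spade printed above. The function names and the abbreviated sample record are constructed for illustration; entries are assumed to be IPv4, optionally followed by `:port`.

```python
import ipaddress

# RFC 1918 private ranges: never routed on the public internet.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: a few fields in the ARIN WHOIS layout quoted in the thread.
SAMPLE_WHOIS = """\
OrgName: Verizon Internet Services
NetRange: 68.160.0.0 - 68.163.255.255
CIDR: 68.160.0.0/14
OrgAbuseName: VIS Abuse
OrgAbuseEmail: abuse@verizon.net
OrgTechEmail: noc@gnilink.net
# ARIN WHOIS database, last updated 2004-04-02 19:15
"""

def triage(entry):
    """Classify a logged source such as '192.168.1.1:32441' before any lookup."""
    ip = ipaddress.ip_address(entry.strip().partition(":")[0])
    if any(ip in net for net in RFC1918):
        return "private"       # a device on your own LAN; WHOIS cannot identify it
    if ip.is_global:
        return "public"        # owned by some network; WHOIS gives its abuse desk
    return "special-use"       # loopback, link-local, multicast, reserved

def parse_whois(text):
    """Turn 'Key: value' lines into {key: [values]}, skipping '#' comment lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if sep and not key.startswith("#"):
            fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def abuse_contact(entry, whois_text):
    """Return the abuse e-mail only for a public IP that the record's CIDR covers."""
    if triage(entry) != "public":
        return None
    ip = ipaddress.ip_address(entry.strip().partition(":")[0])
    fields = parse_whois(whois_text)
    cidrs = [c.strip() for v in fields.get("CIDR", []) for c in v.split(",")]
    if not any(ip in ipaddress.ip_network(c) for c in cidrs if c):
        return None
    emails = fields.get("OrgAbuseEmail", [])
    return emails[0] if emails else None

if __name__ == "__main__":
    for src in ("68.162.31.158", "192.168.1.1:32441", "192.168.1.102:5000"):
        print(src, triage(src), abuse_contact(src, SAMPLE_WHOIS))
```

For a "private" result the next step is local: identify which machine or router on the LAN holds that address rather than contacting a registry.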
