It first happened two days ago: I logged on to the net and couldn't go to any site. I checked the modem and the 'receiving' LED was blinking at a very high rate.
Then I ran netstat and found that IP 121.11.90.56:4005 had flooded me.
Today I found the same thing again, but from a different IP.
I've taken a screenshot of the output and am attaching it (doc1.doc) to this message.
Could anyone please confirm whether it was a DoS attack, and how to stop it?
Cheers
The more one comes to know a man the more one admires a dog.
Hmm, do you have any sort of servers on your network, or any reason someone would do that? I'm not saying it's not possible for a random home network to get hit, but it seems rare.
Also, after a little googling I found the Wireshark website (a network protocol analyzer, used to be Ethereal). Could this be it?
I believe in making the world safe for our children, but not our children’s children, because I don’t think children should be having sex. -- Jack Handey
Errr, no. YOU are sending connection requests to 121.11.90.56 port 4005.
Wow, I feel dense... didn't even see the SYN_SENT and jumped to a guess. Guess I should stick to programming and not networking. SirDice is 100% correct: you are seeing all those SYN_SENT messages because your computer is trying to open a connection to another system that is ignoring the connection request.
For reference, here is a site that lists the statuses and what they mean from netstat.
Last edited by mungyun; December 14th, 2008 at 02:51 PM.
I believe in making the world safe for our children, but not our children’s children, because I don’t think children should be having sex. -- Jack Handey
Thanks SirDice.
You mean to say some program on my machine is trying to make a connection to the other machine at port 4005. If that's the case, then what I can't understand is which program it is, and why it is using different ports on my system to connect to the other.
Please look at the second page of the attachment. I ran netstat -bv the other day when I got the same issue. I can't understand in detail what's happening. You might be able to explain it to me.
Cheers
The more one comes to know a man the more one admires a dog.
and why it is using different ports on my system to connect to the other.
That's just how TCP/IP works.
Please look at the second page of the attachment.
Didn't notice that one. The first line shows something from Norton Anti-Virus. The HTTP connections are to a default IIS installation somewhere in China.
Code:
dice@williscorto:~>whois 59.60.150.182
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
ReferralServer: whois://whois.apnic.net
NetRange: 59.0.0.0 - 59.255.255.255
CIDR: 59.0.0.0/8
NetName: APNIC-59
NetHandle: NET-59-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS4.APNIC.NET
NameServer: TINNIE.ARIN.NET
NameServer: NS.LACNIC.NET
NameServer: NS-SEC.RIPE.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
RegDate: 2004-05-04
Updated: 2005-05-20
OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3188
OrgTechEmail: [email protected]
# ARIN WHOIS database, last updated 2008-12-14 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
% [whois.apnic.net node-2]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html
inetnum: 59.56.0.0 - 59.61.255.255
netname: CHINANET-FJ
descr: CHINANET fujian province network
descr: China Telecom
descr: No1,jin-rong Street
descr: Beijing 100032
country: CN
admin-c: CH93-AP
tech-c: CA67-AP
mnt-by: APNIC-HM
mnt-lower: MAINT-CHINANET-FJ
mnt-routes: MAINT-CHINANET-FJ
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: [email protected] 20041118
source: APNIC
role: CHINANETFJ IP ADMIN
address: 7,East Street,Fuzhou,Fujian,PRC
country: CN
phone: +86-591-3333169-293
fax-no: +86-591-3371954
e-mail: [email protected]
trouble: send spam reports and abuse reports
trouble: to [email protected]
trouble: Please include detailed information and
trouble: times in UTC
admin-c: FH71-AP
tech-c: FH71-AP
nic-hdl: CA67-AP
mnt-by: MAINT-CHINANET-FJ
changed: [email protected] 20020719
source: APNIC
person: Chinanet Hostmaster
nic-hdl: CH93-AP
e-mail: [email protected]
address: No.31 ,jingrong street,beijing
address: 100032
phone: +86-10-58501724
fax-no: +86-10-58501724
country: CN
changed: [email protected] 20070416
mnt-by: MAINT-CHINANET
source: APNIC
dice@williscorto:~>HEAD 59.60.150.182
200 OK
Date: Mon, 15 Dec 2008 08:42:28 GMT
Accept-Ranges: bytes
ETag: "0ce1f9a2d9c21:1f5"
Server: Microsoft-IIS/6.0
Content-Length: 1193
Content-Location: http://59.60.150.182/iisstart.htm
Content-Type: text/html
Last-Modified: Fri, 21 Feb 2003 12:15:52 GMT
Client-Date: Mon, 15 Dec 2008 08:43:18 GMT
Client-Peer: 59.60.150.182:80
Client-Response-Num: 1
X-Powered-By: ASP.NET
dice@williscorto:~>
I seriously suggest scanning your machine for malware, as I'm most certain you're infected with something.
Oliver's Law:
Experience is something you don't get until just after you need it.
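The two points made in the thread (SYN_SENT means the local machine sent the SYN, and each new attempt uses a fresh ephemeral local port) can be turned into a small triage script. The following is an added example written for this page, not code posted by anyone in the thread: it parses text in the layout of Windows "netstat -an" and groups half-open TCP connections by who initiated them, so a reader can tell an outbound connection storm from a genuine inbound SYN flood. The sample output is constructed; only the remote address 121.11.90.56:4005 and the web server 59.60.150.182:80 come from the thread, all local addresses and ports are made up, and the threshold of three attempts is an arbitrary choice.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of Windows "netstat -an"; this is not
# the poster's real screenshot. The remote endpoints come from the thread,
# the local address and ephemeral ports are invented.
SAMPLE_OUTBOUND = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1031       121.11.90.56:4005      SYN_SENT
  TCP    192.168.1.5:1032       121.11.90.56:4005      SYN_SENT
  TCP    192.168.1.5:1033       121.11.90.56:4005      SYN_SENT
  TCP    192.168.1.5:1034       121.11.90.56:4005      SYN_SENT
  TCP    192.168.1.5:1035       59.60.150.182:80       ESTABLISHED
  TCP    192.168.1.5:1036       121.11.90.56:4005      SYN_SENT
"""

# Constructed contrast case: what an inbound SYN flood against a local
# web server would look like in the same layout (addresses invented).
SAMPLE_INBOUND = """\
  Proto  Local Address          Foreign Address        State
  TCP    192.168.1.5:80         10.0.0.1:40001         SYN_RECEIVED
  TCP    192.168.1.5:80         10.0.0.2:40002         SYN_RECEIVED
  TCP    192.168.1.5:80         10.0.0.3:40003         SYN_RECEIVED
  TCP    192.168.1.5:80         10.0.0.4:40004         SYN_RECEIVED
"""

# One netstat row: protocol, local ip:port, foreign ip:port, optional state.
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+|\*)\s+(\S+):(\d+|\*)\s*(\S*)\s*$")


def parse_netstat(text):
    """Return a list of (proto, local_ip, local_port, remote_ip, remote_port, state)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groups())
    return rows


def classify(rows, threshold=3):
    """Group half-open TCP connections by which side sent the SYN.

    SYN_SENT     -> this host sent the SYN (outbound attempt; every retry
                    gets a fresh ephemeral local port, hence the changing ports).
    SYN_RECEIVED -> the remote side sent the SYN (inbound attempt).
    """
    outbound = defaultdict(set)  # (remote_ip, remote_port) -> local ports used
    inbound = defaultdict(set)   # (local_ip, local_port)   -> remote ips seen
    for proto, lip, lport, rip, rport, state in rows:
        if proto != "TCP":
            continue
        if state == "SYN_SENT":
            outbound[(rip, rport)].add(lport)
        elif state in ("SYN_RECEIVED", "SYN_RECV"):
            inbound[(lip, lport)].add(rip)

    findings = []
    for (rip, rport), lports in sorted(outbound.items()):
        if len(lports) >= threshold:
            findings.append({
                "direction": "outbound",
                "endpoint": f"{rip}:{rport}",
                "count": len(lports),
                "advice": "this host is the initiator: identify the local process "
                          "(netstat -b or -o) and scan it for malware",
            })
    for (lip, lport), rips in sorted(inbound.items()):
        if len(rips) >= threshold:
            findings.append({
                "direction": "inbound",
                "endpoint": f"{lip}:{lport}",
                "count": len(rips),
                "advice": "remote hosts are the initiators: consistent with a "
                          "SYN flood against this local service",
            })
    return findings


if __name__ == "__main__":
    for sample in (SAMPLE_OUTBOUND, SAMPLE_INBOUND):
        for f in classify(parse_netstat(sample)):
            print(f"{f['direction']:8} {f['endpoint']:22} {f['count']:3}  {f['advice']}")
```

Run against the first sample it reports a single outbound finding for 121.11.90.56:4005 with five attempts, which is the thread's situation: the machine is the initiator, so the next step is the process lookup and malware scan rather than a firewall rule against the remote address. The second sample shows the inverse pattern (many remote sources, SYN_RECEIVED on one local port) that an actual inbound flood would produce.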