
Thread: China attack??? Massive FW Alerts

  1. #11
    ShagDevil (Some Assembly Required)
    Join Date
    Nov 2002
    Location
    SC
    Posts
    718
    cheyenne1212, if it makes you feel any better, I've been getting pounded with connection requests to port 445 for at least 2 weeks now. I think I'm averaging about 40-50 requests an hour from IP ranges that follow no observable pattern.
    The object of war is not to die for your country but to make the other bastard die for his - George Patton

  2. #12
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    NIS is used to that, in the right way. Nothing to worry about. Maybe just a random attack.

    So, you are under attack through a 56K line?
    Plug your PC off the line and get a six pack.
    My site

    FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
    If I die before I sleep, I pray the Lord my soul to encrypt.
    If I die before I wake, I pray the Lord my soul to brake.

  3. #13
    Old Fart
    Join Date
    Jun 2002
    Posts
    1,658
    Hey chey....I was getting hammered by Beijing last night too....overzealous skiddie??
    Al
    It isn't paranoia when you KNOW they're out to get you...

  4. #14
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    lol

    Not really sure Allen, seems like a lot of overzealous Hong Kongers, Polanders, and Netherlanders; at the rate it's going, I'll have shrekkie doing a port scan on my PC before long. lol

    It's 12:30 a.m. here now and it seems like it's kinda cleared up. Not getting any more invalid TCP flags, but am still getting quite a few invalid destination IP address warnings.

    Who knows, maybe I have a little virus or trojan. I had some program called QBUPSEX.exe trying to get out on the net last night, but I blocked access to it. Probably about time for an Ad-Aware, Spybot and HijackThis scan again.

    Believe me cacosapo, I would love to get a six pack, but being 1 1/2 years from 21 has its drawbacks. lol

    /edit found that program that was trying to get out last night.

    This one time, the user has chosen to "block" communications
    Outbound TCP connection
    Remote address,service is (83.155.104.0,microsoft-ds(445))
    Process name is "C:\WINDOWS\System32\uqusex.exe"

  5. #15
    Senior Member
    Join Date
    Apr 2002
    Posts
    889
    Just took a peek remotely at the system at work, tailed a couple of logs for a few minutes. Looks to me like it is maybe a new variation of the, what was it, Beagle virus. The email server is getting hit hard and it looks like it scans for the open ports you listed, looking to install the rest of itself. But I'm tired, already a 12 hour day. The firewall is blocking it and the email is also nixing it as spam... nite, will look at the logs after some sleep.
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure. - Glenn Seaborg

  6. #16
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    That's gotta be what it is, I just now got hit from 5 more different IPs in a matter of 30 seconds.

  7. #17
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    Sorry about the double post guys, but check this out

    TCP 127.0.0.1:3535 127.0.0.1:1027 CLOSE_WAIT
    TCP 127.0.0.1:8005 0.0.0.0:0 LISTENING
    TCP 208.180.47.112:3022 67.19.14.2:6667 ESTABLISHED
    TCP 208.180.47.112:3216 207.46.106.30:1863 ESTABLISHED
    TCP 208.180.47.112:8877 0.0.0.0:0 LISTENING
    TCP 208.180.47.112:10445 35.210.225.1:445 ESTABLISHED
    TCP 208.180.47.112:10915 35.198.58.182:445 ESTABLISHED
    TCP 208.180.47.112:10917 35.44.167.243:445 ESTABLISHED
    TCP 208.180.47.112:11086 211.118.208.22:445 TIME_WAIT
    TCP 208.180.47.112:11145 211.118.208.23:445 TIME_WAIT
    TCP 208.180.47.112:11146 208.180.47.47:445 SYN_SENT
    TCP 208.180.47.112:11147 81.0.119.182:445 SYN_SENT
    TCP 208.180.47.112:11148 81.61.71.5:445 SYN_SENT
    TCP 208.180.47.112:11149 81.61.221.0:445 SYN_SENT
    TCP 208.180.47.112:11150 81.61.94.9:445 SYN_SENT
    TCP 208.180.47.112:11152 211.118.49.102:445 SYN_SENT
    TCP 208.180.47.112:11153 211.118.208.24:445 TIME_WAIT
    TCP 208.180.47.112:11154 81.61.160.204:445 SYN_SENT
    TCP 208.180.47.112:11155 81.61.31.139:445 SYN_SENT
    TCP 208.180.47.112:11156 81.61.41.22:445 SYN_SENT
    TCP 208.180.47.112:11158 208.180.158.162:445 SYN_SENT
    TCP 208.180.47.112:11159 81.61.25.159:445 SYN_SENT
    TCP 208.180.47.112:11160 31.228.3.171:445 SYN_SENT
    TCP 208.180.47.112:11161 211.118.143.241:445 SYN_SENT
    TCP 208.180.47.112:11162 208.180.248.11:445 SYN_SENT
    TCP 208.180.47.112:11163 208.180.121.68:445 SYN_SENT
    TCP 208.180.47.112:11164 182.50.211.75:445 SYN_SENT
    TCP 208.180.47.112:11165 81.0.0.42:445 SYN_SENT
    TCP 208.180.47.112:11166 81.0.13.129:445 SYN_SENT
    TCP 208.180.47.112:11167 197.11.106.253:445 SYN_SENT
    TCP 208.180.47.112:11169 25.220.4.170:445 SYN_SENT
    TCP 208.180.47.112:11171 112.222.35.182:445 SYN_SENT
    TCP 208.180.47.112:11172 27.179.114.12:445 SYN_SENT
    TCP 208.180.47.112:11175 29.114.28.87:445 SYN_SENT
    TCP 208.180.47.112:11176 143.80.104.35:445 SYN_SENT
    TCP 208.180.47.112:11177 157.231.253.108:445 SYN_SENT
    TCP 208.180.47.112:11178 34.8.59.79:445 SYN_SENT
    TCP 208.180.47.112:11179 204.165.19.241:445 SYN_SENT
    TCP 208.180.47.112:11180 143.52.155.102:445 SYN_SENT
    TCP 208.180.47.112:11181 123.254.98.233:445 SYN_SENT
    TCP 208.180.47.112:11182 141.25.97.158:445 SYN_SENT
    TCP 208.180.47.112:11183 203.194.115.104:445 SYN_SENT
    TCP 208.180.47.112:11184 133.21.139.253:445 SYN_SENT
    TCP 208.180.47.112:11186 117.181.215.248:445 SYN_SENT
    TCP 208.180.47.112:11188 185.204.83.1:445 SYN_SENT
    TCP 208.180.47.112:11189 93.216.223.240:445 SYN_SENT
    TCP 208.180.47.112:11190 211.220.19.148:445 SYN_SENT
    TCP 208.180.47.112:11191 52.33.116.119:445 SYN_SENT
    TCP 208.180.47.112:11192 94.109.158.112:445 SYN_SENT
    TCP 208.180.47.112:11193 70.229.24.190:445 SYN_SENT
    TCP 208.180.47.112:11194 130.157.37.189:445 SYN_SENT
    TCP 208.180.47.112:11195 113.80.235.125:445 SYN_SENT
    TCP 208.180.47.112:11196 56.209.134.230:445 SYN_SENT
    TCP 208.180.47.112:11197 111.249.4.80:445 SYN_SENT
    TCP 208.180.47.112:11199 191.55.85.188:445 SYN_SENT
    TCP 208.180.47.112:11200 116.210.48.143:445 SYN_SENT
    That's from a netstat -an.

    That's a hell of a lot of connections, and the worst part is that there's another 80 IP addresses in there, all on the same port of 445.

    wtf is up with that?

    Have I been compromised?
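An added example, not from any poster in this thread, of the check a responder would run over output like the netstat dump above (and over the blocked outbound 445 attempt in post #14): a host that normally has a handful of outbound sessions suddenly fanning out to dozens of distinct remote addresses on one port, mostly stuck in SYN_SENT, is itself scanning. The sample lines below are constructed with documentation addresses, not the thread's real IPs; the threshold of 5 is an assumption to tune per host.

```python
import re
from collections import defaultdict

# Constructed sample of "netstat -an" output (documentation addresses, not the thread's dump).
SAMPLE_NETSTAT = """\
  TCP    192.0.2.10:3216    198.51.100.30:1863   ESTABLISHED
  TCP    192.0.2.10:8877    0.0.0.0:0            LISTENING
  TCP    127.0.0.1:3535     127.0.0.1:1027       CLOSE_WAIT
  TCP    192.0.2.10:11146   203.0.113.47:445     SYN_SENT
  TCP    192.0.2.10:11147   203.0.113.182:445    SYN_SENT
  TCP    192.0.2.10:11148   198.51.100.5:445     SYN_SENT
  TCP    192.0.2.10:11149   198.51.100.221:445   SYN_SENT
  TCP    192.0.2.10:11150   203.0.113.9:445      SYN_SENT
  TCP    192.0.2.10:11153   198.51.100.24:445    TIME_WAIT
  TCP    192.0.2.10:11154   203.0.113.204:445    SYN_SENT
"""

# One TCP line: proto, local addr:port, remote addr:port, state.
LINE_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse_netstat(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) for each TCP line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)

def outbound_fanout(text, states=("SYN_SENT", "ESTABLISHED", "TIME_WAIT")):
    """Map remote port -> number of distinct remote hosts this box is talking to.

    Listening sockets and loopback traffic are ignored: they say nothing about
    outbound behaviour, which is what a propagating worm changes.
    """
    hosts_by_port = defaultdict(set)
    for _lip, _lport, rip, rport, state in parse_netstat(text):
        if state not in states or rip == "0.0.0.0" or rip.startswith("127."):
            continue
        hosts_by_port[rport].add(rip)
    return {port: len(hosts) for port, hosts in hosts_by_port.items()}

def syn_sent_share(text, port):
    """Fraction of connections to `port` still half-open (SYN_SENT): high = blind scanning."""
    rows = [s for _a, _b, rip, rport, s in parse_netstat(text) if rport == port and rip != "0.0.0.0"]
    return len([s for s in rows if s == "SYN_SENT"]) / len(rows) if rows else 0.0

def scanning_ports(text, threshold=5):
    """Remote ports where this host fans out to at least `threshold` distinct IPs (assumed cut-off)."""
    return sorted(p for p, n in outbound_fanout(text).items() if n >= threshold)
```

Run it against a saved `netstat -an` from the suspect box; a result like `[445]` with a SYN_SENT share near 1.0 is the pattern of an infected host scanning outward, not of being scanned.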

  8. #18
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    If you haven't been compromised, you sure did piss off a lotta hackers last meeting haha, nah but seriously though.. I think you could very well be being targeted, and if not that, then I would do a SwatIt scan (http://swatit.org) for trojans, run Ad-Aware and HijackThis (for spyware/adware), update all application versions, check Windows Update for any patches you might not have (I know there have been quite a few IE patches lately that needed to be d/l'd that mentioned compromising system integrity files), and look up those ports on Google and see what service is running on them. Look into the service: if you need it, then download the latest version/patches/etc.; if it's not needed, turn it off/get rid of it.

    From what I've gathered for you about port 445: it runs Microsoft-DS and can be a default or another port for the following viruses/trojans/worms: Lioten, Randon, WORM_DELODER.A, W32/Deloder.A, W32.HLLW.Deloder, Sasser.

    My suggestion: All that I mentioned above, but definitely look into some of those trojans/viruses/worms. Check back with added information.
    Space For Rent.. =]

  9. #19
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    Yeah, I'm about to get an Ad-Aware scan,
    Spybot,
    HijackThis,
    SwatIt
    and a different AV scan.

    Something isn't right somewhere.

    I'll let you know if I find something.