squito (Moderator)
Joined: 05 Dec 2000 Posts: 5941
Location: USA
Posted: Wed May 09, 2001 8:00 am
I've received about 400 of these warnings since engaging the internet lock at 4:00 AM ...
Quote:
The firewall has blocked Internet access to your computer (TCP Port 6346) from 192.101.80.14 (TCP Port 50259) [TCP Flags: S].
Time: 5/9/2001 10:51:32 AM
... the only time I engage that lock is when I go to bed, because I can't get any program to pass the lock on any security level. I'm concerned as all these warnings are from the same IP (192.101.80.14), a different port on each warning ... what's a dog to do ...
Signature down for repairs ...
_________________ Answers for Atheists and Agnostics
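A defender's way to make sense of a pile of these alerts, added here as an example (not code from the original thread or from ZoneAlarm): it parses the two-line alert format quoted above and groups the alerts by source address, so you can see at a glance that one host is retrying a single destination port from fresh ephemeral source ports rather than walking through ports. Everything after the first alert in the sample log, the 10.0.0.5 address and the min_count threshold are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for the two-line ZoneAlarm alert format quoted in the post above.
ALERT_RE = re.compile(
    r"blocked Internet access to your computer \(TCP Port (?P<dport>\d+)\) "
    r"from (?P<src>[\d.]+) \(TCP Port (?P<sport>\d+)\) \[TCP Flags: (?P<flags>[A-Z]+)\]\."
    r"\s*Time: (?P<time>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M)"
)

# Constructed sample: first alert is the one quoted above; the rest are made up
# in the same format (same host, new source ports, plus one unrelated host).
SAMPLE_LOG = """\
The firewall has blocked Internet access to your computer (TCP Port 6346) from 192.101.80.14 (TCP Port 50259) [TCP Flags: S].
Time: 5/9/2001 10:51:32 AM
The firewall has blocked Internet access to your computer (TCP Port 6346) from 192.101.80.14 (TCP Port 50260) [TCP Flags: S].
Time: 5/9/2001 10:51:35 AM
The firewall has blocked Internet access to your computer (TCP Port 6346) from 192.101.80.14 (TCP Port 50262) [TCP Flags: S].
Time: 5/9/2001 10:51:53 AM
The firewall has blocked Internet access to your computer (TCP Port 139) from 10.0.0.5 (TCP Port 1044) [TCP Flags: S].
Time: 5/9/2001 10:53:00 AM
"""

def parse_alerts(text):
    """Return one dict per alert found in ZoneAlarm log text."""
    return [{"src": m["src"], "sport": int(m["sport"]), "dport": int(m["dport"]),
             "flags": m["flags"], "time": datetime.strptime(m["time"], "%m/%d/%Y %I:%M:%S %p")}
            for m in ALERT_RE.finditer(text)]

def summarize_by_source(alerts, min_count=3):
    """Group alerts by source IP.  A host hitting one destination port from many
    ephemeral source ports is a program retrying a connection (TCP 6346 is the
    default Gnutella port), not a port scan, which would vary the destination port."""
    by_src = defaultdict(list)
    for a in alerts:
        by_src[a["src"]].append(a)
    report = {}
    for src, items in by_src.items():
        times = sorted(a["time"] for a in items)
        dports = {a["dport"] for a in items}
        report[src] = {
            "count": len(items),
            "dst_ports": sorted(dports),
            "distinct_src_ports": len({a["sport"] for a in items}),
            "all_syn": all(a["flags"] == "S" for a in items),
            "span_seconds": int((times[-1] - times[0]).total_seconds()),
            "repeated_connects": len(items) >= min_count and len(dports) == 1,
        }
    return report
```

Feed it your own ZoneAlarm alert text instead of SAMPLE_LOG; a source whose dst_ports list grows while distinct_src_ports stays small is the one that actually looks like a scan.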
Rover (Tail-Wagger)
Joined: 18 Oct 2000 Posts: 2450
Location: Toledo, OH
Posted: Wed May 09, 2001 10:19 am
Have you tried pinging that IP? If you do get a response, then try a traceroute to see the path to it. Then we'll fire bomb it back to the stone age! LOL just kidding.
Rover
Toilet bowls...the chalice of dogs everywhere.
_________________ Rover
"All truth passes through three stages. First, it is ridiculed. Second, it is violently opposed. Third, it is accepted as being self-evident."
~Arthur Schopenhauer
squito (Moderator)
Joined: 05 Dec 2000 Posts: 5941
Location: USA
Posted: Wed May 09, 2001 8:40 pm
Here's the trace ...
Quote:
Tracing route to campus.wvwc.edu [192.101.80.14]
over a maximum of 30 hops:
1 10 ms <10 ms 10 ms 10.154.192.1
2 <10 ms 10 ms 10 ms mke-rtco-gsr-a-srp3-0.wi.rr.com [24.160.225.38]
3 <10 ms 10 ms <10 ms 12.125.142.25
4 <10 ms <10 ms 10 ms 12.123.5.222
5 10 ms 10 ms 10 ms 12.122.5.14
6 <10 ms 10 ms 20 ms 12.123.5.149
7 <10 ms 10 ms 10 ms p6-0.chcgil2-cr1.bbnplanet.net [4.24.202.5]
8 10 ms 10 ms 10 ms so-2-3-0.chcgil2-br1.bbnplanet.net [4.24.7.133]
9 10 ms 10 ms 20 ms p13-0.iplvin1-br1.bbnplanet.net [4.24.9.58]
10 20 ms 30 ms 30 ms p13-0.phlapa1-br1.bbnplanet.net [4.24.10.181]
11 20 ms 30 ms 30 ms p15-0.phlapa1-br2.bbnplanet.net [4.24.10.90]
12 31 ms 40 ms 30 ms so-0-0-0.washdc3-nbr2.bbnplanet.net [4.24.10.185]
13 30 ms 30 ms 30 ms so-7-0-0.washdc3-nbr1.bbnplanet.net [4.24.10.29]
14 30 ms 30 ms 30 ms p7-0.washdc3-cr1.bbnplanet.net [4.24.4.118]
15 30 ms 40 ms 40 ms s5-1-0.baisclbgwv.bbnplanet.net [4.24.64.14]
16 60 ms 60 ms 70 ms 141.153.95.2
17 80 ms 90 ms 90 ms 129.71.8.133
18 130 ms 100 ms 111 ms campus.wvwc.edu [192.101.80.14]
Trace complete.
... set them up the bomb ... hehehehe !!!
Signature down for repairs ...
_________________ Answers for Atheists and Agnostics
Rover (Tail-Wagger)
Joined: 18 Oct 2000 Posts: 2450
Location: Toledo, OH
Posted: Thu May 10, 2001 7:53 am
mke-rtco-gsr-a-srp3-0.wi.rr.com
Well, RR.com is a group called Excalibur which is owned by Time Warner. The rr stands for Road Runner, so I'm going to assume that this person is on a Road Runner internet connection. As for the WI, I'm not sure...could stand for Wisconsin. The first part "mke-rtco-gsr-a-srp3-0" is the name that the Road Runner service gave the cable modem at this person's house.
The IP 10.154.192.1 is probably his personal IP he gave himself/herself on his own LAN, or it is the exact IP that Road Runner passed out.
You should try telnetting into that IP address and see if telnet is open, or FTP. If no luck, just try port scanning that IP address and see what you get. If you only get hits during the evenings, it's a good bet this person either goes to school or works during the day, which means you might be able to bust his box before he knows it. hehehe
Rover
Toilet bowls...the chalice of dogs everywhere.
_________________ Rover
"All truth passes through three stages. First, it is ridiculed. Second, it is violently opposed. Third, it is accepted as being self-evident."
~Arthur Schopenhauer
Brain (Big Dog)
Joined: 20 Oct 2000 Posts: 3689
Location: USA
Posted: Thu May 10, 2001 8:14 am
Here's my take on the situation:
A) ask the members of a local "cybergang" you might have heard of to help you get even with him
B) contact the administrator at ms campus.wvwc.edu and report what your ZA logs show . . . and get him kicked offline at school.
C) first A then B
_________________ What would Jay and Silent Bob do :
squito (Moderator)
Joined: 05 Dec 2000 Posts: 5941
Location: USA
Posted: Thu May 10, 2001 8:44 am
Quote:
Here's my take on the situation:
A) ask the members of a local "cybergang" you might have heard of to help you get even with him
B) contact the administrator at ms campus.wvwc.edu and report what your ZA logs show . . . and get him kicked offline at school.
C) first A then B
HeH-HeH!!! I thought about doing both of those ... the scans have stopped ... me thinks ZoneAlarm was working (because I did get the warnings ?) ... thanks go out to ALL for your replies ... mucho appreciated !
Signature down for repairs ...
_________________ Answers for Atheists and Agnostics
Lil bo Shepherd (Stray Dog)
Joined: 10 May 2001 Posts: 24
Location: USA
Posted: Fri May 11, 2001 3:57 pm
Hehe Rover, you confuse me.
Wasn't the IP 192.101.80.14, not 10.154.192.1? It'd make sense, cause 10.154.192.1 was only the first hop =)
He is port scanning you, and the script kiddie obviously isn't any good hehe
*checks to see if you have icq*
--Update: I see that he had stopped already, I guess I didn't pay enough attention. Damn. That's no fun.
Edited by - Lil Bo Shepherd on 05/11/2001 19:59:44
_________________ But that's just my opinion.
Rover (Tail-Wagger)
Joined: 18 Oct 2000 Posts: 2450
Location: Toledo, OH
Posted: Fri May 11, 2001 4:32 pm
Yeah, I don't know what I was thinking...I must have had my head up my proverbial ass, cause I totally was reading the traceroute backwards...DUH
Rover
Toilet bowls...the chalice of dogs everywhere.
_________________ Rover
"All truth passes through three stages. First, it is ridiculed. Second, it is violently opposed. Third, it is accepted as being self-evident."
~Arthur Schopenhauer
squito (Moderator)
Joined: 05 Dec 2000 Posts: 5941
Location: USA
Posted: Fri May 11, 2001 8:52 pm
... I have always got these warnings ... to me it looks like my computer (my computer is named "Name") is trying to connect to itself from another IP ... it's always a different IP from what I actually have ...
Signature down for repairs ...
_________________ Answers for Atheists and Agnostics
Brain (Big Dog)
Joined: 20 Oct 2000 Posts: 3689
Location: USA
Posted: Sat May 12, 2001 10:28 am
Quote:
... I have always got these warnings ... to me it looks like my computer (my computer is named "Name") is trying to connect to itself from another IP ... it's always a different IP from what I actually have ...
Signature down for repairs ...
I'm pretty sure that means someone tried a passive port scan on you (like a ping packet) and ZA is just letting you know that it blocked the "response" from your computer that would have let the guy know your IP existed
_________________ What would Jay and Silent Bob do :
squito (Moderator)
Joined: 05 Dec 2000 Posts: 5941
Location: USA
Posted: Sat May 12, 2001 11:02 am
Quote:
I'm pretty sure that means someone tried a passive port scan on you (like a ping packet) and ZA is just letting you know that it blocked the "response" from your computer that would have let the guy know your IP existed
Thanks Brain ... been reading about NetBIOS attacks on the rise ... is that what a "passive port scan" is essentially ...
Signature down for repairs ...
Edited by - squito on 05/12/2001 15:03:22
_________________ Answers for Atheists and Agnostics
Brain (Big Dog)
Joined: 20 Oct 2000 Posts: 3689
Location: USA
Posted: Sat May 12, 2001 1:09 pm
Quote:
Thanks Brain ... been reading about NetBIOS attacks on the rise ... is that what a "passive port scan" is essentially ...
Signature down for repairs ...
Edited by - squito on 05/12/2001 15:03:22
NetBIOS is a network protocol . . relatively low on the OSI model if I remember correctly
A passive port scan is one that tries to detect your comp without revealing too much information
Essentially it sends a single packet saying "are you there" and gets a single packet back that says "yep"
Whereas an active attack is one where they send you packets trying to establish a connection that can be exploited/interacted with
Passive port scans are often dismissed by people as erroneous traffic, so they don't attract too much attention
A good hacker will try to passive scan you
Then, once he knows your IP and a port that's open, he'll try to get into another system (like a local college) and use THEIR network to try to crack you . . . thus leaving a trail that does not lead back to him if anyone investigates
Edited by - Brain on 05/12/2001 17:10:50
_________________ What would Jay and Silent Bob do :
Lil bo Shepherd (Stray Dog)
Joined: 10 May 2001 Posts: 24
Location: USA
Posted: Sat May 12, 2001 9:52 pm
NetBIOS is a session layer protocol. About in the middle (#5 out of 7).
It's commonly exploited by hackers, because sometimes people have printer or file sharing on, and they can connect to your computer and use these services if it's not passworded (it's normally not on home PCs).
Even if it is passworded, it's crackable.
They do this by using nbtstat to find out your NetBIOS name; from there they can edit their lmhosts.sam file and put in the IP address and the NetBIOS name, and it's basically as if you are part of their local network.
_________________ But that's just my opinion.
Rover (Tail-Wagger)
Joined: 18 Oct 2000 Posts: 2450
Location: Toledo, OH
Posted: Sun May 13, 2001 6:59 am
Quote:
NetBIOS is a session layer protocol. About in the middle (#5 out of 7).
It's commonly exploited by hackers, because sometimes people have printer or file sharing on, and they can connect to your computer and use these services if it's not passworded (it's normally not on home PCs).
Even if it is passworded, it's crackable.
They do this by using nbtstat to find out your NetBIOS name; from there they can edit their lmhosts.sam file and put in the IP address and the NetBIOS name, and it's basically as if you are part of their local network.
But that's just my opinion.
Somebody's been studying up on NetBIOS attacks
Rover
Toilet bowls...the chalice of dogs everywhere.
_________________ Rover
"All truth passes through three stages. First, it is ridiculed. Second, it is violently opposed. Third, it is accepted as being self-evident."
~Arthur Schopenhauer