Old 09-25-2002, 10:08 PM   #1
Member (9 bit)
 
Evil-Lab-Monkey
 
Join Date: Jan 2002
Location: Canada
Posts: 296
A worm and a hacker all in the same day!

I just found out I had a worm on my comp called "super nova" that I got from Kazaa. It must have been in 60-70 different places (many of them in the system restore) but after I installed McAfee it cleared em all up.

While I was at it, I also installed the built-in firewall and I must say I'm pleased I did. At about 9:45 yesterday I had a "port scan attack". It said: McAfee Firewall blocked an attempt to attack your machine using a "Port Scan" attack. The remote address associated with the traffic was 208.50.150.232 (port 20480).
The local port on your PC was 31118.

I figured the hacker was spoofing or used a proxy but I checked out the IP and sure enough it was some company's web site. Since they had a link on their main page to report spam I sent em an e-mail explaining what had happened.

They wrote back today saying they had looked at the log on that machine and they hadn't found anything; the hacker was probably spoofing.

Today at about the same time I got a "Newtear" attack. Sounds like the same guy because this IP was also spoofed and it occurred at pretty much the exact same time. I figure I'm on someone's target list. This time the message was: McAfee Firewall blocked an attempt to attack your machine using a "Newtear" attack.
The remote address associated with the traffic was 67.24.87.182 (port 0).

Is this anything I need to worry about? Is there anything I can do to catch this guy? I know McAfee Firewall isn't the greatest, should I get a better one?

Last edited by Evil-Lab-Monkey; 09-25-2002 at 10:11 PM.
Old 09-25-2002, 10:14 PM   #2
catch23
Member (9 bit)
 
Join Date: Sep 2002
Posts: 376
You're always getting attacks like that... I run Norton Personal Firewall and get about 30-50 SubSeven/Netbus attacks a week.
Old 09-25-2002, 10:18 PM   #3
Member (9 bit)
 
Evil-Lab-Monkey
 
Join Date: Jan 2002
Location: Canada
Posts: 296
This is a little different though. I ran it for a few weeks before and never had any attack, probably because I'm on dialup, but now I've had 2, in 2 days, both at the same time. Weird.
Old 09-26-2002, 05:42 AM   #4
Staff
Premium Member
 
mairving
 
Join Date: Jul 1999
Location: Arlington, TN
Posts: 5,538
Port scans are run all of the time for a wide range of IP addresses. It really isn't a hack attempt. It is more like a pre-hack attack. A range of IPs are scanned for vulnerable ports to look into later. I run port scans at least once a week on my internal and external network at work to look for suspicious open ports.
Old 09-26-2002, 04:03 PM   #5
Member (9 bit)
 
Evil-Lab-Monkey
 
Join Date: Jan 2002
Location: Canada
Posts: 296
Okay then. I had another "newtear" attack at about 2:45 this morning. What the heck is a newtear attack? What prog can I use to port scan? I wouldn't mind taking a look at what this hacker can see about my comp.
Old 09-26-2002, 04:29 PM   #6
Staff
Premium Member
 
mairving
 
Join Date: Jul 1999
Location: Arlington, TN
Posts: 5,538
The easiest way to do a port scan on your computer is to go to http://www.grc.com and test your ports. Some pretty good info there also.

NewTear is a DoS (Denial of Service) attack. The best thing to do is to turn off the alerts. There are too many false alarms.
Old 09-28-2002, 07:08 PM   #7
Member (9 bit)
 
Evil-Lab-Monkey
 
Join Date: Jan 2002
Location: Canada
Posts: 296
I see now how often "Port scan attacks" happen but I've had 7 in 45 minutes, 4 of which were in the space of 5 minutes. All from the same IP 62.151.26.22 (port 20480) but on different ports.

6:06:02 (port 61416)
6:15:01 (port 20438)
6:43:59 (port 63653)
6:44:46 (port 11774)
6:46:01 (port 11774)
6:46:30 (port 63653)
6:47:52 (port 32691)

Is there anywhere I can go to get information on a specific IP?
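A triage of the alert list in the post above, as an added example that is not part of the thread: it measures how tightly the alerts cluster and how many distinct local ports were touched, which is what separates a sweep across many ports from repeated traffic to a few. Reading the logged remote port 20480 as a byte-swapped 80 is an assumption of this example, not something the thread establishes.

```python
from datetime import datetime, timedelta

# Alert times and local ports exactly as listed in the post above.
# The post gives clock times only, so no date is attached to them.
ALERTS = """\
6:06:02 (port 61416)
6:15:01 (port 20438)
6:43:59 (port 63653)
6:44:46 (port 11774)
6:46:01 (port 11774)
6:46:30 (port 63653)
6:47:52 (port 32691)
"""
REMOTE_PORT = 20480  # remote port the firewall reported for every alert

def parse(text):
    """Return [(time, local_port)] sorted by time."""
    rows = []
    for line in text.splitlines():
        clock, _, rest = line.partition(" (port ")
        when = datetime.strptime(clock, "%H:%M:%S")
        rows.append((when, int(rest.rstrip(")"))))
    return sorted(rows)

def max_burst(rows, window):
    """Largest number of alerts that fall inside any sliding window."""
    best, start = 0, 0
    for end, (when, _) in enumerate(rows):
        while when - rows[start][0] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def swap16(port):
    """Swap the two bytes of a 16-bit port (assumed byte-order artefact)."""
    return ((port & 0xFF) << 8) | (port >> 8)

def summarize(rows):
    ports = [p for _, p in rows]
    return {
        "alerts": len(rows),
        "span": rows[-1][0] - rows[0][0],
        "burst_5min": max_burst(rows, timedelta(minutes=5)),
        "distinct_local_ports": len(set(ports)),
        "repeated_local_ports": sorted({p for p in ports if ports.count(p) > 1}),
        "remote_port_byte_swapped": swap16(REMOTE_PORT),
    }

if __name__ == "__main__":
    for key, value in summarize(parse(ALERTS)).items():
        print(f"{key}: {value}")
```

A handful of high-numbered local ports, two of them hit twice, against one fixed remote port is a pattern that late replies to the PC's own outbound connections can also produce, so it is worth checking what the machine was connecting to at those times before treating the source as a scanner.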
Old 09-28-2002, 08:04 PM   #8
Staff
Premium Member
 
mairving
 
Join Date: Jul 1999
Location: Arlington, TN
Posts: 5,538
I am telling you port scans can drive you nuts. Most are simply scans from a certain IP address to another IP address. Some are even done by ISPs themselves looking for open ports.

If you still want to try and determine an IP address, here's how:
Reverse IP Lookup
Old 09-28-2002, 09:59 PM   #9
Aerospace
 
Fastfly
 
Join Date: Aug 2002
Location: MN, USA
Posts: 1,177
So far since my last reboot 35 hours ago I have had 70 scans.

and 25 attacks.
__________________
FastFly
Old 09-29-2002, 11:44 AM   #10
Member (9 bit)
 
Evil-Lab-Monkey
 
Join Date: Jan 2002
Location: Canada
Posts: 296
Did you have 7 from the same IP?
Old 09-29-2002, 12:47 PM   #11
glc
Forum Administrator
Staff
Premium Member
 
 
Join Date: May 2000
Location: Joplin MO
Posts: 37,771
Many hackers sit there all day scanning known broadband IP address ranges looking for unsecured machines that they can turn into zombies to do their DoS attacks on corporate websites. They don't usually bother with dialup IP ranges. It's at the point now where if you have broadband and do NOT have a firewall, you are not practicing responsible computing.
Old 09-29-2002, 10:17 PM   #12
Member (9 bit)
 
Evil-Lab-Monkey
 
Join Date: Jan 2002
Location: Canada
Posts: 296
Yeah I've read about the zombies. Good thing I have my firewall now. Might be kind of cool to have a mutant computer though. The article at GRC was really interesting.
Old 09-30-2002, 01:45 PM   #13
Member (11 bit)
 
Computer Hobbyist
 
Join Date: Feb 2001
Location: Blue Springs, MO
Posts: 1,766
Many hackers have automated programs doing the scanning for them. They are alerted only when the program finds something interesting.

CH