View Full Version : visual zone


Bethrezen
July 14th, 2002, 08:39 PM
Hi

I saw another post about this some time ago and I decided to keep an eye on my logs, and I've found a few suspect results.

My IP is usually 213.122.xxx.xxx each time I log on;
however, the suspect results have a different IP, 62.6.xxx.xxx.

I'm just wondering if this could be evidence of someone using my computer connection as a proxy, and if so, how do I stop it?

Now I know that it could be the fact that I just logged on and I got that person's IP, but I'm pretty sure that the suspect reports happened some time after I logged on, e.g. happened say 30 min after I logged on.

Help

Paul Wilders
July 15th, 2002, 06:12 AM
Bethrezen,

Got a log or screen cap?

regards.

paul

jvmorris
July 15th, 2002, 07:56 AM
As Paul says, a couple of illustrative log entries would be helpful.

I have seen something like this on NIS/NPF event logs from time to time. (And, after a quick double-take, I figured out they were perfectly legitimate.)

The ones I have seen have occurred on a PC serving as a LAN gateway between several other PCs and the Internet at large, using Microsoft's ICS in my case, but it could just as well be SHN or any of a number of other software routers. So, if one of the client PCs requests a page from a website, it comes in(bound) to the gateway PC for forwarding to the website. In the logs, it would show as an inbound connection from 192.168.0.3 to 12.34.56.78:80, for example, and 12.34.56.78 would not be the IP address of the local machine.

Now, this may not be the kind of situation you're seeing, but maybe it will suggest some other possibilities to you.

Prince_Serendip
July 15th, 2002, 04:01 PM
I have VisualZone too and went through the same thing a little while back. My ISP assigns my "IP" when I log on. I was getting probes from Kazaa for an IP I'd never seen before. It upset me until I learned what was going on. Now, whenever I log on to my ISP, I go to a site which shows my "IP" and then I know what it is for that session. I go to this site:

http://www.geektools.com/cgi-bin/proxy.cgi

Scroll down to the bottom of the page and it will show you your current IP. This link is also a whois proxy server, so you can check on the IPs you've gotten before. (The link above is the correct address. I always test my links to make sure they work, but it won't connect right now, not even from my bookmark. Hmmm!)
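The two checks described by jvmorris and Prince_Serendip (is the entry LAN traffic being forwarded by a gateway, and is the unfamiliar address simply the one assigned for this session) can be run over a log mechanically. This is an added example, not code from any poster in this thread; the log line format, the function names, and every address other than jvmorris's 192.168.0.3 and 12.34.56.78:80 are constructed for illustration.

```python
import ipaddress

# Constructed log lines in a made-up "DIR src:port -> dst:port" format
# (NOT VisualZone's or ZoneAlarm's real format).
SAMPLE_LOG = """\
IN 192.168.0.3:1050 -> 12.34.56.78:80
IN 198.51.100.7:3345 -> 203.0.113.20:1214
IN 198.51.100.9:4000 -> 203.0.113.99:80
OUT 203.0.113.20:1055 -> 12.34.56.78:80
IN 192.168.0.3:1060 -> 192.168.0.1:53
"""

def parse_line(line):
    """Split one constructed log line into direction, source and destination."""
    direction, src, _arrow, dst = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"dir": direction, "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port)}

def classify(entry, session_ip, lan_cidr):
    """Label an entry by which explanation from the thread covers it."""
    src = ipaddress.ip_address(entry["src"])
    dst = ipaddress.ip_address(entry["dst"])
    session = ipaddress.ip_address(session_ip)
    lan = ipaddress.ip_network(lan_cidr)
    if dst == session:
        # The "unfamiliar" address is the one the ISP assigned this session.
        return "addressed-to-me"
    if src in lan and dst not in lan:
        # A LAN client's request passing through the gateway PC (ICS case).
        return "lan-forward"
    if src == session or (src in lan and dst in lan):
        # Traffic this machine or the LAN itself originated.
        return "local"
    # Neither explanation fits: keep the raw entry for closer review.
    return "unexplained"

def triage(log_text, session_ip, lan_cidr):
    """Return (line, label) pairs for every non-empty log line."""
    return [(line, classify(parse_line(line), session_ip, lan_cidr))
            for line in log_text.splitlines() if line.strip()]

if __name__ == "__main__":
    # session_ip is the address noted at logon; lan_cidr is the ICS client range.
    for line, label in triage(SAMPLE_LOG, "203.0.113.20", "192.168.0.0/24"):
        print(f"{label:16} {line}")
```

Only the entries labelled `unexplained` are the ones worth posting in full when asking for help.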

Bethrezen
July 15th, 2002, 10:49 PM
Hi

Screen caps?? What's that??

As for the log entries, I accidentally deleted the log, but when I get another instance of it happening I'll post the log entry.

Jooske
July 16th, 2002, 12:08 AM
You can check your own IP with TDS as well: TDS > System Analyses > Get IP address; it shows all the IPs of your ISP and internal, and a lot of other tools.

For your story, was it worse this last weekend? During this hackers conference I had more attacks than ever and often saw in the Visual Zone results the same MAC addresses of the attackers but different IPs/DNSs all the time, so it looked like people's systems were being used as proxies.

Paul Wilders
July 16th, 2002, 08:14 AM
Quote from Bethrezen:
> hi
>
> Screen caps?? What's that??
>
> As for the log entries, I accidentally deleted the log, but when I get another instance of it happening I'll post the log entry.

Screen caps = screen captures. You capture the screen being up at the moment, save it as xx.jpg, for example, and publish it over here using the "attach" possibility at the bottom of each post.

In case you encounter this again, feel free to post the (relevant) log file and a screen cap.

regards.

paul

Jooske
July 17th, 2002, 06:51 AM
I mentioned above the same MAC addresses in all those alerts, while the IPs all differ.
I've been told that in some Windows versions people can change/fake MAC addresses. Does anybody know more about this?
Could it be that Win2000 or XP, for instance, come with a standard MAC of 4444553547777 or 4444553540000, to name the most frequent codes?
If so, what is the value of MAC addresses anymore?