New Problem--Now What??

Discussion in 'other security issues & news' started by Prince_Serendip, Jul 2, 2002.

Thread Status:
Not open for further replies.
  1. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    Last night, from 22:51:49 until 23:31:38 (CDT) there were 63 Low Priority Alerts via the Kazaa Service to my Port 1214 for a Local IP which was NOT mine. I know my machine's IP. I reported the address of the other IP to my ISP later last night (anonymously). My ISP provides DSL service via a LAN. I have never used any Kazaa Service before either!

    I did a "whois" on that IP. It belongs to someone working in the corporate division of my ISP. I now suspect he was using my computer as a proxy. How else can I explain how a completely different Local IP showed up in my VisualZone Log? (Please note: I've never had a different Local IP in my Zone Log before.)

    What I want to know is how do I protect my machine from being used as a proxy, especially when it's without my knowledge? Any help will be much appreciated and perhaps help others with the same problems. I would like to prevent further occurrences. Thanks.
     
  2. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    This confounds me, but is also very interesting. Wish I could help :-/
     
  3. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I am not familiar with spoofing, but I think if you have a good firewall with all the right rules, this cannot be done.
    It looks like you use ZA. Did you have to allow unlimited access to and from your lan?
    I am curious about this too. I hope someone with the proper knowledge clues us in here.
    Can you temporarily block his IP? o_O
     
  4. controler

    controler Guest

    If I am not mistaken, Qwest had it in their User Agreement that they could connect to your computer for security checks..

    I would have to go try dig that info up again...
     
  5. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    I receive hundreds of such probes - KaZaA and others - from my ISP. I believe they're trying to proactively look for users who have been compromised. At least, I hope so... :(
     
  6. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    I am making use of your suggestions. Thank you. :) One of my past jobs was to do research for people writing papers and books. I am using these abilities to work on finding the answers I need. I also conduct private citizen investigations and this certainly qualifies.

    Per Root's suggestion about blocking that IP, I found a Ping/Traceroute program which includes IP Blocking in its repertoire. It's called Sam Spade. Any of you familiar with it? I picked it up at Security Search.Net.

    Per Controler, what is the relationship of Qwest to my phone company (my ISP)? If you figure that any info you have is of a sensitive nature, IM it to me.

    Per Checkout, aside from "How's it going?" do you have any techniques for dealing with arbitrary probes from your ISP? With your firewall? I am trying to ascertain here if my firewall really blocked the attempt, and if so, why is there a different IP in the Local heading? I have ZoneAlarm Freebie and VisualZone. Will I need to upgrade to a different firewall? Any suggestions?

    I like the way ZA acts as a two-way port guardian. Is that all it does? I will be contacting ZoneLabs about this whole question. The more I look into this, the more I realize I need to learn. Well, let's have at it! :D
     
  7. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    PS,

    This might be the culprit:

    I noticed you don't have a static IP. Thus, someone probably has had "your" IP and disconnected. Now, you connect > get the same IP as was just on Kazaa > Kazaa users (under the assumption you are the "previous" host) try to connect.

    Bottom line: nothing fishy as it seems.

    regards,

    paul
     
  8. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    Thanks Paul! What a relief! I didn't get back to you sooner because we were rather busy last night. Didn't get much sleep. (It's my turn to be on call.) I suppose if I pull up the settings on my ISP connection I can put my real IP in there. Thank you for your help with this problem! I'm breathing again. :)
     
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    PS,

    Sounds like the only logical explanation, to me at least.

    My pleasure ;)

    regards,

    paul
     
  10. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Okay, but what if - what if - others are trying to exploit the damage already done by Script Kiddies, along the lines that others have (or have been anticipated to have expected) such entrees as B3D?

    I merely pose the question. I didn't do it; I wasn't there; Nobody saw me.

    (Karma Cookies to the above ID, please.)
     
  11. javacool

    javacool BrightFort Moderator

    Joined:
    Feb 10, 2002
    Posts:
    3,995
    B3D shouldn't pose a threat in THIS area yet, to my knowledge, because the client-side server parts have not yet been activated into the new P2P network called Altnet.

    However, once that happens, you can be fairly sure that someone will exploit a weakness in the software. :doubt:
    -javacool
     
  12. Checkout

    Checkout Security Rhinoceros

    Joined:
    Feb 11, 2002
    Posts:
    1,226
    Allow me to point out that the entire Internet is defined by its DNS servers. A secondary or tertiary layer of DNS servers would easily and economically redefine it, and cure a whole lot of problems too.

    Hell, it isn't exactly difficult.
     
  13. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    On my Internet Connection Service, it was configured so my ISP assigned my IP. I guess that would mean it would float as Paul suggested. I reconfigured it to my IP. The DNS is still set to the float address. I'll see how things go. No problem signing on to the Internet. When I first started using this ISP, every time I signed on they Pinged me but ZA blocked it as well as blocking any Pings from their program on my computer. It is now a rare occurrence that they Ping me. What's the use? It doesn't work.

    Thanks again to Paul and everyone for helping me!
    :) :) :)
     
  14. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    If you run on ADSL, it's normal that your ISP assigns you an IP whenever you connect, or if you are always connected, they may renew your IP once in a while (for instance, my ISP every 36 hours). You have to pay to get a static (permanent) IP.
    If you are on RTC, you also get a dyn IP from your ISP.
    On cable, generally (at least in my country), you get a static address.

    You may enter your ISP's DNS servers instead of automatic.

    It's normal that your ISP pings you from time to time: a kind of keep-alive for your connection.

    Rgds,

    JacK
     
  15. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    Hi JacK! If I have to pay for a static IP in relation to my ISP I guess I'll learn about it when I get my bill! If it's that hard and fast how come I can voluntarily reconfigure it? I do not like sharing IPs so I'm not afraid to pay. (I wasn't seeking explanation--was making one.) I also wanted to say THANK YOU to the people who made every effort to assist! Thanks for noticing. It is appreciated and I have learned more in the process! :)
     
  16. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi Prince, ;)

    Sorry, maybe due to my bad English: it's not a question of sharing your IP: when you disconnect, the IP is free and it's given to somebody else :)

    When you reconnect you get a new one, just for you lool, but this IP was given to somebody else before he disconnected.

    Each provider has a range of IPs, according to its needs, and it gives them to its customers, but the same IP is NEVER given twice at the same time :)

    JacK
     
  17. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    I understand now. Since changing my configured "floating" IP to my actual IP, I have stopped getting probes/inquiries from the Kazaa Service. Kazaa is Kaput! I haven't heard a peep (yet) from my ISP. Thank you. (Thanks again Paul!)

    It's at least a possibility, but my ISP may still be assigning me a floating IP from their end even though it isn't floating from my end. Anyone seeking to access the floater will be whistling in the wind and it won't bother me.

    (Sometimes I forget what it's like converting between different languages. I have this same problem with ASL--American Sign Language. I keep thinking English whenever I use Sign.)
     
  18. Detox

    Detox Retired Moderator

    Joined:
    Feb 9, 2002
    Posts:
    8,507
    Location:
    Texas, USA
    I've been watching this thread still, glad you got a fix! That was pretty interesting also, I learned somethin' here.
     