D-Shield's - Distributed Intrusion Detection System

Discussion in 'other firewalls' started by snapdragin, Aug 7, 2002.

Thread Status:
Not open for further replies.
  1. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    well, i just clicked on the link Prince_Serendip left in another thread for D-Shield http://www.dshield.org/index.html and saw the line: "Are You Cracked? Click Here To See".....so i clicked there...and it says i am in their database 3 times as an attacker? ~gulp~

    it is showing my WAN IP, but i don't understand why they are saying i'm in their database as attacker 3 times?

    i am behind a D-Link router with firewall, and also Sygate Firewall and TDS-3, and NOD3...and nothing has ever come up in a scan.

    umm....could someone look at that link above and comment.....oh please?
    ----
    ack! it says total records against my IP = 3! (what?)
    number of targets = 2!
    ports attacked = up to 10!

    i need water....
     
  2. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    i need someone's help to help me understand this.

    i used the ip2 program to check my WAN and LAN IP's to make sure i was seeing the right ones, then went back to D-Shields with both my Win98se and my XP and they both show the same results below for my WAN IP:

    Your IP (24.xx.xx.xxx) appears as an attacker 3 times in the DShield database.

    Date/Source/Source Port/Target Port/Protocol/Flags/Description
    2002-08-01 24.xx.xx.xxx 65455 5101 6 S
    2002-08-01 24.xx.xx.xxx 65458 5101 6 S
    2002-08-01 24.xx.xx.xxx 64931 5101 6 S

    (the 24.xx.xx.xxx is my WAN IP according to ip2)

    i have two different LAN IP'S for each computer, so i then checked the LAN IP's and they do not show up in their database:

    Your IP (192.xxx.x.xxx) does not appear as an attacker in the DShield database.

    i'm just baffled how my router's IP is appearing in their database as an attacker with 3 records against it?
     
  3. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    my questions are:

    - does this mean someone is using my router for attacking?

    - how would i determine that since i don't check my router's
    logs that often...i don't notice any incoming hits unless i actually look at the log, and my software firewall shows only the activity that i initiate.

    - and if someone is using my WAN's IP for attacks...how could i prevent it, if i am unaware of it?

    i am sorry, i just don't understand it well enough to figure out the why and the how of it all, but i don't like being in their database like that.... :doubt:

    maybe this is just one of those flukie hit-n-run things that that'll only happen once and i'll never understand....but if it's not, well....then i'd sure like to know how to fix it.
     
  4. snowy

    snowy Guest

    PROTOCOL #6

    http://www.ipv6.org
     
  5. snowy

    snowy Guest

    Snap......sorry but don't seem to find anything oddly related..........wish I could offer more....


    snowy
     
  6. snowy

    snowy Guest

    http://online.securityfocus.com/archive/1/257584


    **<yahoo messenger> listens on port 5101
     
  7. Prince_Serendip

    Prince_Serendip Registered Member

    Joined:
    Apr 8, 2002
    Posts:
    819
    Location:
    Canada
    Hi snap! I'm sorry to see you are having problems with this. Are your WAN addresses static or dynamic? Whether they are or not it appears to be possible that there can be two addresses, like identical twins. One would be IPv4 and the other would be IPv6. There's bound to be some overlap with these two versions, eh? My point here is although one of your IP's appears to have been an attacker, it is most likely not on your machine. D-Shield gets its reports from users world-wide. Some are using IPv6 but most are still using IPv4. Does this make sense? If I am correct about this then IPv6 needs some revision? Doubled addresses could get very confusing and be a tremendous security risk! Talk about mistaken identities! :rolleyes:

    Then again, it could be someone faking their IP. It can be done. I hope this helps.
     
  8. snowy

    snowy Guest

    details....links etc......


    cert advisory:

    http://www.cert.org/advisories/CA-2002-16.html
     
  9. snowy

    snowy Guest

    **************************

    These vulnerabilities were resolved in Yahoo! Messenger version

    5,0,0,1065, released May 22, 2002; however, a bug in the distribution

    server may have inadvertantly installed Yahoo! Messenger version

    5,0,0,1036 on systems that downloaded Yahoo! Messenger after May 22,

    2002. The bug in the distribution server has since been resolved.

    **** http://www.freelists.org/archives/helpc/06-2002/msg00040.html
     
  10. snowy

    snowy Guest

    SNAP..

    these posts are just in case you may use Y messesger.....don't know what else to offer right now....so please don't think this off topic.



    an while on the subject of messenagers here is a link to some "how-to's for MsN mess.........CAUTION:: hotmail uses the same server as Msn mess so use shivering caution......or else you will lose hotmail


    http://www.novell.com/coolsolutions/zenworks/features/tips/t_block_msn_zw.html
     
  11. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    ~warm smyle~...snowman, thank you for your help, it gave me some leads to start with....and the first thing i checked when i got home from work was the yahoo messengers that are on my Win98 and my son's ME. The one on my Win98 isn't active (i haven't uninstalled it yet but it's pretty dormant) LOL. The one of my son's WinME though is used but he has the most up-to-date version (i don't have Yahoo Messenger on my XP...and MSN stays dormant on this one too)....so i'm still hunting for what could have caused any kind of attack from my router, if that is what it truely was.

    i am a li'l suspicious though of some spyware i just found on my son's pc....CnsMin....nasty for WinME users...unless they have Spybot Search&Destroy...seems the only safe way to remove that, and it did seem to install itself on Aug 1...so, that might be what caused it? i don't know, but it's gone now!

    Prince - Ipv4 and Ipv6? (blank look here)
    both my WAN & LAN IP's haven't changed before or since the date of those 3 attack dates....so unless someone spoofed it, then it came from my router.....i dunno, i'm still in the dark about here. But i would like to thank you for posting the link to D-Shields or i would never have been aware of it, and if i am not aware of it, then i can't fix it. Now i just have to find out how to fix it. ;)

    i apologize for my late reply to both your posts....i've been crashing my son's pc most of the night looking for something on "his" pc that's doing it. LOL

    thank you for your help though, at least i've got a start.
     
  12. snowy

    snowy Guest

    Snap

    you are always most welcome.......although I didn't do much helping o_O

    say whats with this "CnsMin" ? first I heard of it. tryed doing a search but no real results....most were not in english. I don't use spybot.....I have several hundred files that it would show.....all good......an don't want to even consider using it......LOL


    snowman
     
  13. snapdragin

    snapdragin Registered Member

    Joined:
    Feb 16, 2002
    Posts:
    8,415
    Location:
    Southern Ont., Canada
    hi snowman, and you helped more than you know!

    oh this CnsMin, i have not heard of myself until i discovered it on my son's pc. i had done a regular scan of his pc with Spybot S&D just near the end of July and it was clean, but when i did another scan shortly after (Aug 1st actually) i had found it there but didn't know what it was so i left it until i could get back to it once i found out what it was. Well, tonight i looked into it, and if you do a search with just that name...CnsMin...(don't!) LOL! You won't like the search results. i found a site that explained it better http://and.doxdesk.com/parasite/CnsMin.html

    i hope it's ok to post the link here, i've never been to that site before but it does seem to be against spyware, but i also have IE's settings totally disabling everything.

    but for those that can't go there, or don't want to, a short clip from the link above:
    CnsMin is another keyword-lookup provider that takes over the search feature of IE's address bar. It is aimed at providing keywords using Chinese characters.

    Other than replacing the IE search feature with a Chinese site likely to be incomprehensible to non-Chinese users, CnsMin is not overtly harmful, but it uses extremely anti-social methods to make it difficult to uninstall.

    Distribution
    Is installed by ActiveX drive-by-download at its company's site, 3721.com. Has also apparently been included in junk e-mail, which could be how some Western users have ended up with it.
    --------
    but it seems like it is extremely difficult to remove, especially for WinME users.....but Spybot S&D removed it fairly easily for me, had to reboot though to remove the rest of it. The log was incredibly long too! wow! LOL

    and if you use the Add/Remove options in windows, it takes you to their site somehow and reinstalls it again. :eek:

    i better stop, because i am way off topic....but, it could well be the culprit....i'll have to wait and see.

    (just a note, the current ref files for AdAware do not detect this CnsMin...not sure why, maybe it's newer than the last AdAware update?)
     
  14. snowy

    snowy Guest

    Snap

    most grateful for the information......I went to their website..(before you posted) (an with scripts disabled) didn't notice any downloads.......just made my head hurt trying to read LOL

    would think that eventually adaware will get around to this nasty.
    an luck with your own problem......sure hope you locate it soon.

    regards
    snowman
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.