Hey guys, I think I need to report an attack...... I got it all in my firewall logs. It contains one remote IP, 216.184.40.245, a range of remote ports from about 2000-5000, and one local port, 6346. I don't know if I need to report it ASAP, but I got it all in my logs... Also did a trace on the attacker at Symantec's about 5 min after the last reported attack and have screenshots of the results. Here's a little from my firewall log (it is a lot longer than this, about 15 times MORE):

8/9/02 13:24:32 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,6346) Remote address,service is (216.184.40.245,3422) Process name is "N/A"
8/9/02 13:24:29 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,6346) Remote address,service is (216.184.40.245,3422) Process name is "N/A"
8/9/02 13:24:24 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,6346) Remote address,service is (216.184.40.245,3393) Process name is "N/A"
8/9/02 13:24:18 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,6346) Remote address,service is (216.184.40.245,3393) Process name is "N/A"
8/9/02 13:24:15 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,6346) Remote address,service is (216.184.40.245,3393) Process name is "N/A"
8/9/02 13:24:09 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,6346) Remote address,service is (216.184.40.245,3367) Process name is "N/A"
continues...... continues......... continues.............

NEED ASSISTANCE......ASAP!!!

YODA
Assistance provided! http://www.dshield.org/reports.html

Results: http://www.geektools.com/cgi-bin/proxy.cgi
Whois Address Search on 216.184.40.245 gave this result:
Which is at: http://www.apex2000.net/dynamic/main.asp

When you have a dynamic IP assigned by your ISP at each logon, you may be searched by whoever was sharing files with the last person who had that address. If it's bothersome, log off from your ISP and then back on to get a new IP. Hope this helps anyone else having similar problems.
Thanks Prince, thought I was being attacked... heh. Kind of odd for a person to be trying to contact me for 2 hours, lol. Also got the same whois results. Nothing to worry about, I guess.... P.S. Prince, you da man, you always come through for me. YODA
Heh, hey snapdragin, did you figure out what was causing your problem...? When I read your post, that 5101 port looked familiar.... Yahoo uses that as a remote port... but anyways, close that port up if that's what's causing your problems... YODA
Hey guys, these days it doesn't pay to report attacks, since most of them are being carried out from behind some poor innocent person's computer (grandma, 13-year-old kid, etc.). Most of the time it is because of a worm that was planted on their computer, and in some cases IRC bots. Most young people hang out in these IRC chat rooms, and that's where most of the damage is done. People wanting to find problems with their configurations will go into these places and tempt hackers to come into their honeypots/honeynets. Honeynets are much better in that the info gathered is shared over a wide network and not just one system. Doesn't it get boring some days when we have all our protection up and enabled and get no hack attempts? Makes you wonder if something is wrong.
Port 6346 is typically associated with the P2P file-sharing protocol Gnutella. The only reason you're getting probed is that the previous user of your current IP was hosting a Gnutella server. Gnutella clients tend to cache server IP addresses for a long time, so now they think YOU have the content they want. The best response to this behavior is either to ignore it or, better yet, force an IP address change until you get an IP that doesn't have a history associated with it.
This is absolutely the case; however, it is also why it IS valuable to report it... so that the infected person can be notified. By my estimate, 95% of all valid scanning activity is generated by an infected host. However, you definitely should NOT report issues without fully understanding how to differentiate between real issues and false positives (like the Gnutella probes in this thread). See also: http://www.mynetwatchman.com/vision.htm
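Added example (mine, not code from anyone in this thread): a small triage script for exactly the "is this worth reporting?" question above. It parses firewall lines in the format YODA pasted, groups blocked inbound connections by remote host, and gives each host a verdict: a single P2P listening port hammered from one host reads as a stale peer (the Gnutella case here), while one host walking many different local ports reads as a scan. The port-to-service table and the scan threshold of 5 distinct ports are my own heuristics, not anything stated in the thread; the 216.184.40.245 lines are the ones quoted above, and the 10.0.0.5 scanner lines are constructed to show the other pattern.

```python
import re
from collections import defaultdict
from datetime import datetime

# Heuristic table of well-known P2P listening ports (my own list, not from the thread).
P2P_PORTS = {
    6346: "Gnutella", 6347: "Gnutella",
    4662: "eDonkey", 1214: "FastTrack/Kazaa",
    **{p: "BitTorrent" for p in range(6881, 6890)},
}
SCAN_PORT_THRESHOLD = 5  # distinct local ports from one remote host before we call it a scan

# Matches the personal-firewall line format quoted earlier in the thread.
LINE_RE = re.compile(
    r'^(?P<date>\d+/\d+/\d+) (?P<time>\d+:\d+:\d+) Rule "(?P<rule>[^"]*)" blocked .*?'
    r'Local address,service is \((?P<laddr>[^,]+),(?P<lport>\d+)\) '
    r'Remote address,service is \((?P<raddr>[^,]+),(?P<rport>\d+)\)'
)

# Constructed sample: the six lines from the thread plus a made-up scanner (10.0.0.5).
SAMPLE_LOG = """\
8/9/02 13:24:32 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,6346) Remote address,service is (216.184.40.245,3422) Process name is "N/A"
8/9/02 13:24:29 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,6346) Remote address,service is (216.184.40.245,3422) Process name is "N/A"
8/9/02 13:24:24 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,6346) Remote address,service is (216.184.40.245,3393) Process name is "N/A"
8/9/02 13:24:18 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,6346) Remote address,service is (216.184.40.245,3393) Process name is "N/A"
8/9/02 13:24:15 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,6346) Remote address,service is (216.184.40.245,3393) Process name is "N/A"
8/9/02 13:24:09 Rule "IP BLOCK" blocked (172.139.75.xxx,6346). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,6346) Remote address,service is (216.184.40.245,3367) Process name is "N/A"
8/9/02 14:00:01 Rule "IP BLOCK" blocked (172.139.75.xxx,21). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,21) Remote address,service is (10.0.0.5,40001) Process name is "N/A"
8/9/02 14:00:02 Rule "IP BLOCK" blocked (172.139.75.xxx,22). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,22) Remote address,service is (10.0.0.5,40002) Process name is "N/A"
8/9/02 14:00:03 Rule "IP BLOCK" blocked (172.139.75.xxx,23). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,23) Remote address,service is (10.0.0.5,40003) Process name is "N/A"
8/9/02 14:00:04 Rule "IP BLOCK" blocked (172.139.75.xxx,25). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,25) Remote address,service is (10.0.0.5,40004) Process name is "N/A"
8/9/02 14:00:05 Rule "IP BLOCK" blocked (172.139.75.xxx,80). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,80) Remote address,service is (10.0.0.5,40005) Process name is "N/A"
8/9/02 14:00:06 Rule "IP BLOCK" blocked (172.139.75.xxx,135). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,135) Remote address,service is (10.0.0.5,40006) Process name is "N/A"
8/9/02 14:00:07 Rule "IP BLOCK" blocked (172.139.75.xxx,139). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,139) Remote address,service is (10.0.0.5,40007) Process name is "N/A"
8/9/02 14:00:08 Rule "IP BLOCK" blocked (172.139.75.xxx,445). Details: Inbound TCP connection Local address,service is (172.139.75.xxx,445) Remote address,service is (10.0.0.5,40008) Process name is "N/A"
"""


def parse_log(text):
    """Parse firewall lines into dicts; blank or truncated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["lport"] = int(ev["lport"])
        ev["rport"] = int(ev["rport"])
        ev["ts"] = datetime.strptime(ev["date"] + " " + ev["time"], "%m/%d/%y %H:%M:%S")
        events.append(ev)
    return events


def triage(text, scan_threshold=SCAN_PORT_THRESHOLD):
    """Group blocked inbound connections by remote host and attach a verdict to each."""
    by_remote = defaultdict(list)
    for ev in parse_log(text):
        by_remote[ev["raddr"]].append(ev)

    report = {}
    for raddr, evs in by_remote.items():
        lports = sorted({e["lport"] for e in evs})
        rports = [e["rport"] for e in evs]
        span = (max(e["ts"] for e in evs) - min(e["ts"] for e in evs)).total_seconds()
        # A repeated remote source port means the same TCP connection being retried,
        # which is what a client that still believes a server lives here looks like.
        retries = len(rports) - len(set(rports))
        if len(lports) >= scan_threshold:
            verdict = "port scan"
        elif all(p in P2P_PORTS for p in lports):
            verdict = "stale P2P peer"
        else:
            verdict = "unclassified"
        report[raddr] = {
            "attempts": len(evs),
            "local_ports": lports,
            "services": sorted({P2P_PORTS[p] for p in lports if p in P2P_PORTS}),
            "retries": retries,
            "span_seconds": span,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for host, info in triage(SAMPLE_LOG).items():
        print(host, info["verdict"], info)
```

Run it on your own export instead of SAMPLE_LOG and only the hosts that come back as "port scan" or "unclassified" are candidates for a DShield or myNetWatchman report; a "stale P2P peer" hitting one Gnutella port is the false positive this thread is about.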
Do you obtain your IP via DHCP? If so, it's likely *sticky* vs. static. Email me if you're interested in experimenting... I've been working on a procedure to force an IP address change even when sticky DHCP is at play.
Although I was referring to the original poster; as for myself: nope. Sounds interesting, though: might drop you an email anyway! Regards, Paul
It has been my experience with my local cable company that just because they use DHCP doesn't mean I have to. Because I have routers that are always on (so no one can grab my IP while my machine is rebooting; I never turn it off), my IP won't change unless my account is switched to a different node. They sometimes split a node into two separate nodes when they get too full. There is a 50-50 chance I will be shuffled to the other one and lose my current IP. This happens twice a year or so.

The reason I get the same IP the rest of the time is that the IP is decided by the DHCP server based on a combination of the MAC address of my network card and some info from my computer. That combination always gets the same IP, but if I change network cards I get a new IP. If I put my current network card in a different computer, I don't get the same IP as I did in the first computer. So one way to get new IPs is to swap network cards between my computers.

Another way is to not use DHCP and specify my IP directly. If an IP is available on my node, I can specify it directly and I will get it. If it is in use or outside my node block, I will not.

This leads me to the third way to change your IP. If you have two computers like I do, I turn off the computer that has the IP I no longer want, and then specify that IP for my second computer directly. Then when I turn on the first computer, it can't get the IP it wants through DHCP, so the DHCP server will assign a different one. Then I switch the second computer back to DHCP and get the IP it used to have, provided it wasn't assigned to anyone in the meantime. In my case I am actually changing the IPs of my routers, but it is the same for computers.

Dunno how it might work with dial-up; back when I had dial-up, I had no idea of such things.