| Thread ID: 39429 | 2003-11-06 07:57:00 | I'm getting attacked... | agent (30) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 189645 | 2003-11-06 07:57:00 | Some foolish person located at 219.89.115.251 (that's 219-89-115-251.adsl.xtra.co.nz) has been consistently sending me UDP packets on local port 500 (isakmp), from remote port 500 (isakmp again, what else?). The program associated with this port is apparently LSA Shell (Export Version), or C:\WINDOWS\system32\lsass.exe. This probably started nearly 30 minutes ago, and has been going on consistently. I started logging and automatically denying the connections 10 minutes ago (yes, I was manually closing every alert Kerio popped up :D). Since then I have been able to discover that the connection attempt is made every 30 seconds, and it is now exactly 20 connection attempts since I started logging and alerting. I've fired off an email to abuse [AT] xtra.co.[do you really think this domain exists].nz (following some advice from an Orcon eNews email there... seems stupid, but hey). Now, you might wonder why I haven't just disconnected from the internet and re-established my connection (I'm on dial-up). The reasoning is that I wanted to see how this played out. I haven't been able to ping, perform a traceroute, or attempt to send a 'net send' message because this would (a) require me to disable the firewall; or (b) guess which part of the firewall configuration is blocking these and disable that... and I'd rather do testing for that when I am not receiving packets every 30 seconds from some trigger-happy ADSL user. If anyone wishes to attempt anything on the person, I repeat: 219.89.115.251 - feel free to do stuff to them, because they're doing it to me... | agent (30) |
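The poster worked out the 30-second cadence by hand from Kerio alerts. The following is an added example (not the poster's tool, and not Kerio's real log format) of doing that check over a deny log: it groups denied packets by protocol, source address and destination port, measures the inter-arrival gaps, and reports sources that hit on a near-constant period. The log lines and their layout are constructed for illustration; only the 219.89.115.251 / UDP 500 / 30 s figures come from the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample deny log in a hypothetical
# "date time PROTO src:sport -> dst:dport ACTION" layout (not Kerio's format).
# Lines are deliberately out of order to show the sort step.
SAMPLE_LOG = """\
2003-11-06 07:47:02 UDP 219.89.115.251:500 -> 10.0.0.5:500 DENY
2003-11-06 07:47:32 UDP 219.89.115.251:500 -> 10.0.0.5:500 DENY
2003-11-06 07:48:02 UDP 219.89.115.251:500 -> 10.0.0.5:500 DENY
2003-11-06 07:48:31 UDP 219.89.115.251:500 -> 10.0.0.5:500 DENY
2003-11-06 07:48:40 UDP 203.0.113.9:4672 -> 10.0.0.5:4672 DENY
2003-11-06 07:49:02 UDP 219.89.115.251:500 -> 10.0.0.5:500 DENY
2003-11-06 07:49:55 UDP 203.0.113.9:4672 -> 10.0.0.5:4672 DENY
2003-11-06 07:49:32 UDP 219.89.115.251:500 -> 10.0.0.5:500 DENY
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\w+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")


def find_periodic_sources(log_text, min_hits=4, max_jitter_s=3):
    """Return {(proto, src_ip, dst_port): {"hits": n, "period_s": p}} for
    sources whose denied packets arrive on a steady period.  A source is
    flagged only if it has at least min_hits packets and every gap lies
    within max_jitter_s of the median gap (a loose periodicity test that
    tolerates a second or two of clock and link jitter)."""
    arrivals = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(7) != "DENY":
            continue  # ignore malformed lines and allowed traffic
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        arrivals[(m.group(2), m.group(3), int(m.group(6)))].append(ts)

    findings = {}
    for key, times in arrivals.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        period = median(gaps)
        if all(abs(g - period) <= max_jitter_s for g in gaps):
            findings[key] = {"hits": len(times), "period_s": period}
    return findings


if __name__ == "__main__":
    for (proto, src, dport), info in find_periodic_sources(SAMPLE_LOG).items():
        print(f"{src} -> {proto}/{dport}: {info['hits']} hits, every {info['period_s']:.0f}s")
```

Running it on the sample reports the port-500 source at a 30-second period and ignores the two-packet source, which has too few hits to call periodic.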
| 189646 | 2003-11-06 08:10:00 | I get this:
bash-2.05b$ ping 219.89.115.251
PING 219.89.115.251 (219.89.115.251) 56(84) bytes of data.
64 bytes from 219.89.115.251: icmp_seq=4 ttl=21 time=73.2 ms
64 bytes from 219.89.115.251: icmp_seq=15 ttl=21 time=75.3 ms
--- 219.89.115.251 ping statistics ---
16 packets transmitted, 2 received, 87% packet loss, time 15071ms
rtt min/avg/max/mdev = 73.240/74.288/75.336/1.048 ms
bash-2.05b$
Bad lag at their end? | Chilling_Silently (228) |
| 189647 | 2003-11-06 08:41:00 | I also just pinged them :D
Pinging 219.89.115.251 with 32 bytes of data:
Reply from 219.89.115.251: bytes=32 time=82ms TTL=22
Reply from 219.89.115.251: bytes=32 time=82ms TTL=22
Reply from 219.89.115.251: bytes=32 time=69ms TTL=22
Reply from 219.89.115.251: bytes=32 time=82ms TTL=22
Ping statistics for 219.89.115.251:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss)
Approximate round trip times in milli-seconds:
Minimum = 69ms, Maximum = 82ms, Average = 78ms | stu140103 (137) |
| 189648 | 2003-11-06 08:46:00 | Weird... I'm only downloading at half my max limit for downloads (6KB/s)... weird... You might wanna report it to Xtra and your ISP though... I logged into a remote SSH server a while back, and got the following email from ihug (snipped...):
Dear Sir/Madam, We have received reports of unauthorised attempts to gain access to an offshore server over the ssh protocol. Because the attempts were made via ssh it indicates that a user on your home pc was intentionally performing these attempts. The user may have been using an application such as 'putty'. If you find 'putty.exe' on your harddrive, then you can be sure that this is the case. This type of activity is not only in breach of the terms and conditions of service agreed to by the account holder but also in breach of the New Zealand Crimes Amendment Act 2003. No damage was caused on this occasion but please review our terms and conditions of service available here: www.ihug.co.nz/legal as well as the new hacking laws brought in October 03 available here: www.internetnz.net.nz ory-affairs/larac030708crimes-amendment-6.html Please take this warning seriously.
I knew the owner of the server and they'd given me access... but yeah, have a read of those URLs anyway, might be interesting :-) I would try Net Send but I'm in Linux ;-) | Chilling_Silently (228) |
| 189649 | 2003-11-06 08:48:00 | Oh the joys of disconnecting from eMule and then disconnecting to get a new IP address. (When you close down eMule/eDonkey etc., the clients who were downloading from you keep pinging your machine on the UDP port that was being used by the program. So when the program closes, these UDP requests keep coming in, and the firewall thinks they are an attack and can produce very annoying alerts.) Just saying that *might* be a cause. | PoWa (203) |
| 189650 | 2003-11-06 09:03:00 | Hadn't used any file sharing applications after booting before this started happening. *Checks logs*. Yup, my strange friend at 219.89.115.251 is still sending those connection attempts... | agent (30) |
| 189651 | 2003-11-06 09:12:00 | You may want this data. I note that when I was with Xtra some time back I was getting pings from Alien and Terminator, xtra etc. which are mentioned at the bottom of this post. I don't think you have a lot to worry about. By all means follow up if you want to. Complete trace below.
NeoTrace Trace Version 3.25 Results
Target: 219.89.115.251
Date: 6/11/2003 (Thursday), 9:58:37 p.m.
Nodes: 9
Node Data: Node 9, Net 1, Reg 1, IP Address 219.89.115.251, Location 36.867S 174.767E, Node Name 219-89-115-251.adsl.xtra.co.nz
Packet Data: Node 9, High 80, Low 49, Avg 61, Tot 6, Lost 0
Network Data (Network id#: 1): OrgName: Asia Pacific Network Information Centre; OrgID: APNIC; Address: PO Box 2131; City: Milton; StateProv: QLD; PostalCode: 4064; Country: AU; ReferralServer: whois://whois.apnic.net; NetRange: 219.0.0.0 - 219.255.255.255; CIDR: 219.0.0.0/8; NetName: APNIC5; NetHandle: NET-219-0-0-0-1; Parent: ; NetType: Allocated to APNIC; NameServer: NS1.APNIC.NET, NS3.APNIC.NET, NS.RIPE.NET, RS2.ARIN.NET
Comment: This IP address range is not registered in the ARIN database. For details, refer to the APNIC Whois Database via WHOIS.APNIC.NET or www.apnic.net. ** IMPORTANT NOTE: APNIC is the Regional Internet Registry for the Asia Pacific region. APNIC does not operate networks using this IP address range and is not able to investigate spam or abuse reports relating to these addresses. For more help, refer to www.apnic.net
RegDate: ; Updated: 2002-09-11; OrgTechHandle: AWC12-ARIN; OrgTechName: APNIC Whois Contact; OrgTechPhone: +61 7 3858 3100; OrgTechEmail: search-apnic-not-arin@apnic.net
ARIN WHOIS database, last updated 2003-09-25 19:15
Registrant Data (Registrant id#: 1), New Zealand Domain Name Registry Limited: version: 0.95; query_datetime: 2003-11-06T21:49:17+13:00; domain_name: xtra.co.nz; query_status: 200 Active; domain_dateregistered: 1997-03-06T00:00:00+13:00; domain_datebilleduntil: 2004-01-01T00:00:00+13:00; domain_datelastmodified: 2003-04-03T10:26:43+12:00; domain_delegaterequested: yes
registrar_name: Domainz; registrar_address1: Private Bag 1810; registrar_city: Wellington; registrar_country: NZ (NEW ZEALAND); registrar_phone: +64 4 918-1740; registrar_fax: +64 4 918-1719; registrar_email: 4service@domainz.net.nz
registrant_contact_name: Telecom IP Limited; registrant_contact_address1: P O Box 949; registrant_contact_city: Wellington; registrant_contact_postalcode: 6015; registrant_contact_country: NZ (NEW ZEALAND); registrant_contact_phone: +64 4 473 8278; registrant_contact_fax: +64 4 472 3358; registrant_contact_email: dns@ajpark.com
admin_contact_name: A J Park; admin_contact_address1: P O Box 949; admin_contact_city: Wellington; admin_contact_postalcode: 6015; admin_contact_country: NZ (NEW ZEALAND); admin_contact_phone: +64 4 473 8278; admin_contact_fax: +64 4 472 3358; admin_contact_email: dns@ajpark.com
technical_contact_name: Domain Administrator; technical_contact_address1: Telecom Internet Services Private Bag 92028; technical_contact_address2: Auckland New Zealand; technical_contact_phone: +64 9 3555238; technical_contact_fax: +64 9 3555281; technical_contact_email: soa@xtra.co.nz
ns_name_01: alien.xtra.co.nz; ns_ip4_01: 202.27.184.3
ns_name_02: terminator.xtra.co.nz; ns_ip4_02: 202.27.184.5 | Elephant (599) |
| 189652 | 2003-11-06 09:16:00 | Agent you might want to go over to http://grc.com and run ShieldsUP! That might give you an idea why they are attacking you... | stu140103 (137) | ||
| 189653 | 2003-11-06 09:21:00 | > has been consistently sending me UDP packets on local port 500 (isakmp), from remote port 500 (isakmp again, what else?).
> The program associated with this port is apparently LSA Shell (Export Version), or C:\WINDOWS\system32\lsass.exe.
Here is some more information about port 500 (isakmp):
Name: isakmp
Purpose: Internet Security Association and Key Management Protocol (ISAKMP)
Description: Port 500 is used by the Internet key exchange (IKE) that occurs during the establishment of secure VPN tunnels. Users of VPN servers and clients may encounter this port.
Source: grc.com | stu140103 (137) |
| 189654 | 2003-11-06 10:04:00 | The thing is with emule, even if you disconnect from the ISP, computers from over the world still send/request packets to the UDP port of that IP address. So the next poor fella who connects with that IP that had just been used for filesharing gets lots of hits to his firewall. So in this case, some other customer of your ISP might have been doing some filesharing and you picked up his old IP. | PoWa (203) | ||