People Banging at your Firewall?

The idea

Do you get notified of attempted security breaches while you are browsing the JREF Bulletin Board?

Four times today (so far), I've gotten notice that someone with IP address

207.44.202.162

has tried to attack.

Let's start a list of IP addresses. Maybe they're not all dynamic addresses.
 
Define "attack." Most "attacks" just end up being normal internet traffic with nothing at all nefarious going on.

So, what port(s) were being requested, and which protocol (TCP/UDP)?
 
I don't know the technicalities. The firewall alerted me to an attack three times within a 20 minute time period and then another attack two hours and fifty minutes after the first attack. There were no other alerts. All four notifications gave the same IP address. Does that sound like normal internet traffic?
 
Is that in any way similar to your own IP address (first couple of numbers?). As Shane says, a lot of these "attacks" are not.

Was it a port probe?

I don't think there is anything to be gained in listing the IP here TBH.
 
The first number is different from the first number of my IP. The second number is different from the second number of my IP. (The third and fourth are different also).
 
Well, if you type it in, you get this...
(Caution, contains ugly, nekked images.)

http://207.44.202.162/

Something called 'http://adorablebunnies.com', and it comes up with other images if you go through THAT link, but not the dot-path.

Possibly, someone has posted an image off there, or used it as part of their 'signature', and this server automatically attempts to divine who is using their bandwidth.

OR, whoever is doing the attacks is simply forging the IP address as coming from that site.
 
evildave said:
OR, whoever is doing the attacks is simply forging the IP address as coming from that site.
I assumed that the firewall or its associated software was doing some kind of IP trace. How complicated is this stuff? If someone calls your home phone and you have caller ID, then is it possible that the number that shows up is a phony number? What's the difference between the way the phone system traces a number and the way a computer on the internet traces an IP address?
 
shanek said:
Define "attack." Most "attacks" just end up being normal internet traffic with nothing at all nefarious going on.

So, what port(s) were being requested, and which protocol (TCP/UDP)?

OK, it's not always possible to identify what is or is not an attack.

However, I'm running Windows 98 and get 100+ NetBIOS attempts per day. Aside from ZoneAlarm which alerts me, I have NetBIOS completely disabled on my machine, so no problem. Not everyone has that option.

How to interpret that, except as attacks? If I'm wrong, enlighten me.
 
evildave said:
OR, whoever is doing the attacks is simply forging the IP address as coming from that site.

Or someone is attacking that site spoofing YOUR IP address and you're seeing the response packets.
 
Abdul Alhazred said:
OK, it's not always possible to identify what is or is not an attack.

However, I'm running Windows 98 and get 100+ NetBIOS attempts per day. Aside from ZoneAlarm which alerts me, I have NetBIOS completely disabled on my machine, so no problem. Not everyone has that option.

How to interpret that, except as attacks? If I'm wrong, enlighten me.

I don't know. Anyone else on your LAN have NetBIOS installed? Check that... And check your router's 'firewall' settings - the firewall should be configured there, if you have more than one computer on your network.


Everyone does have that option to disable NetBIOS, BTW. Just go into the network settings and uninstall it, or un-check it. Quite trivial. While you're at it, uncheck everything but 'TCP/IP' for connections that go out on the internet. Of course, there is some liability (for me) attached with this sort of advice, as people can disable services they need, and then blame me for their own ignorance.

Most people never, ever need to enable 'File and Printer Sharing for Windows', and those who do only need it enabled when they actually get around to doing that sharing. 'Client for Microsoft Windows' is all you need to ACCESS files and/or printers shared on another computer with 'File and Printer Sharing for Windows'. These ports are (sensibly) blocked by most routers with firewalls, by default. As is NetBIOS.
 
evildave said:
I don't know. Anyone else on your LAN have NetBIOS installed? Check that... And check your router's 'firewall' settings - the firewall should be configured there, if you have more than one computer on your network.

I am not on a LAN. There is no router. I post here from home using a dial-up connection from what is otherwise a stand-alone computer, to my ISP which is also my phone company. There is no reason for me to have NetBIOS at all, except that having it is the default. And a naive user might not realize the issue at all.

My 'firewall' (it really isn't one) is the freeware version of ZoneAlarm. Otherwise I have seen to it that my NetBIOS ports do not exist.

The attack is someone looking for someone vulnerable, not personal against me.

But it is an attack, no?
 
Abdul Alhazred said:
But it is an attack, no?

Again, impossible to tell without the TCP/UDP ports that are being probed. ZoneAlarm should tell you this in its logs.
 
Abdul Alhazred said:
The attack is someone looking for someone vulnerable, not personal against me.

But it is an attack, no?

Dunno. Ask your ISP about the apparent hits on your computer. If you don't like the answer you receive, get another ISP. Especially if your ISP is one of those abominations with a "custom" spyware dial up. ISPs are a dime a dozen, and the next one will probably not have this particular activity occurring.
 
evildave said:
Dunno. Ask your ISP about the apparent hits on your computer. If you don't like the answer you receive, get another ISP. Especially if your ISP is one of those abominations with a "custom" spyware dial up. ISPs are a dime a dozen, and the next one will probably not have this particular activity occurring.

My ISP is ameritech.net. They are not perfect, a pain in some ways, but there is no custom dial-up. I just use the Windows default dial-up program with their parms.

And I know how to check for spyware. I'm reasonably sure I haven't any, but who knows? Someone may be more clever than me.

The attacks wouldn't even be visible to me if I didn't check my ZoneAlarm log.

I think I'm protected, but the volume of bad guys trying bothers me on principle.
 
Abdul Alhazred said:
I will check that and report back, later.

I just got a whole mess of them, all well outside the normal service port range.

3630, 3007, 3268, 4976, 4790, and hundreds of others. What do you make of this?
 
Abdul Alhazred said:
I just got a whole mess of them, all well outside the normal service port range.

3630, 3007, 3268, 4976, 4790, and hundreds of others. What do you make of this?

3630 is a remote database port. It could be someone looking for a database on your system with vulnerabilities, or it could be someone else on your side of the network looking for other databases to sync to.

3007 is for the Lotus Notes mail system. There aren't many exploits out there for Lotus Notes, and I seriously doubt anyone is probing the internet for them. Most likely, someone on your side is running a Lotus Notes client.

3268 is the Microsoft Global Catalog port. You'll see this if someone on your side is running Active Directory.

The 4000-4999 ports are for iMesh, which is a filesharing utility. It's someone checking to see if you're running iMesh and have files to share. Nothing nefarious.

I don't see any reason to conclude from this that your system is being attacked, and certainly not that it's being deliberately targeted for attack.
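The thread's practical advice boils down to two checks: read the ports and protocols out of the firewall log rather than the alert pop-up, and remember that unsolicited SYN-ACK or RST packets can be replies to traffic that spoofed your address toward some other host (so that host is not the one attacking you). The script below is an added example that does both over a handful of constructed log lines; it is not ZoneAlarm's code and not from any poster. The `FWIN,timestamp,src,port,proto,flags` record layout is an assumption chosen for the example, the sample addresses are RFC 5737 documentation ranges, and `KNOWN_PORTS` lists only assignments I am certain of, so the thread's guesses about 3630, 3007 and the 4000 range are deliberately not baked in.

```python
"""Triage inbound blocked-packet records from a personal firewall log (added example)."""
from collections import defaultdict
from datetime import datetime

# Assumed record layout: direction,timestamp,src_ip,dst_port,proto,tcp_flags.
# This is NOT ZoneAlarm's real log syntax; adapt parse_line() to your product.
# All lines below are constructed sample data using documentation addresses.
SAMPLE_LOG = """\
FWIN,2004-03-02 10:01:12,198.51.100.20,80,TCP,SA
FWIN,2004-03-02 10:03:40,198.51.100.20,80,TCP,SA
FWIN,2004-03-02 10:15:05,198.51.100.20,80,TCP,SA
FWIN,2004-03-02 11:22:18,203.0.113.7,139,TCP,S
FWIN,2004-03-02 11:22:18,203.0.113.7,445,TCP,S
FWIN,2004-03-02 11:22:19,203.0.113.7,137,UDP,-
FWIN,2004-03-02 11:40:00,192.0.2.9,3268,TCP,S
FWIN,2004-03-02 11:40:01,192.0.2.9,3630,TCP,S
FWIN,2004-03-02 11:40:01,192.0.2.9,3007,TCP,S
FWIN,2004-03-02 11:40:02,192.0.2.9,4790,TCP,S
FWIN,2004-03-02 11:40:02,192.0.2.9,4976,TCP,S
FWIN,2004-03-02 12:05:30,192.0.2.50,3630,TCP,S
"""

# Port labels we are certain of; anything else is reported as a bare number
# rather than guessed at.
KNOWN_PORTS = {
    137: "NetBIOS name service",
    138: "NetBIOS datagram",
    139: "NetBIOS session",
    445: "SMB over TCP",
    3268: "Active Directory Global Catalog",
}

BACKSCATTER_FLAGS = {"SA", "R", "RA"}   # replies to a handshake we never started
PROBE_FLAGS = {"S"}                     # fresh inbound connection attempts


def parse_line(line):
    """Parse one assumed-format record; returns None for non-inbound lines."""
    fields = line.strip().split(",")
    if len(fields) != 6 or fields[0] != "FWIN":
        return None
    _direction, ts, src, port, proto, flags = fields
    return {
        "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
        "src": src,
        "port": int(port),
        "proto": proto.upper(),
        "flags": flags.upper(),
    }


def classify(rec):
    """Label one record as 'probe', 'backscatter' or 'other'."""
    if rec["proto"] == "UDP":
        return "probe"
    if rec["flags"] in BACKSCATTER_FLAGS:
        return "backscatter"
    if rec["flags"] in PROBE_FLAGS:
        return "probe"
    return "other"


def triage(log_text, sweep_threshold=3, sweep_window_s=60):
    """Summarise hits per source. Verdicts: 'backscatter' (only unsolicited
    replies, i.e. someone spoofed our address toward that host), 'port sweep'
    (>= sweep_threshold distinct ports inside sweep_window_s) or 'single probe'."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_src[rec["src"]].append(rec)

    report = {}
    for src, recs in by_src.items():
        kinds = {classify(r) for r in recs}
        ports = sorted({r["port"] for r in recs})
        times = [r["time"] for r in recs]
        span = (max(times) - min(times)).total_seconds()
        if kinds == {"backscatter"}:
            verdict = "backscatter"
        elif len(ports) >= sweep_threshold and span <= sweep_window_s:
            verdict = "port sweep"
        else:
            verdict = "single probe"
        report[src] = {
            "hits": len(recs),
            "ports": ports,
            "labels": {p: KNOWN_PORTS.get(p, "not in KNOWN_PORTS") for p in ports},
            "span_seconds": span,
            "verdict": verdict,
        }
    return report


if __name__ == "__main__":
    for src, info in triage(SAMPLE_LOG).items():
        print(f"{src}: {info['verdict']} ({info['hits']} hits, ports {info['ports']})")
        for port, label in info["labels"].items():
            print(f"    {port:>5}  {label}")
```

Run as-is, it reports the repeated SYN-ACKs from port 80 as backscatter (the spoofing hypothesis raised earlier in the thread), the 137/139/445 trio as a NetBIOS/SMB sweep, the burst of high ports as a sweep with most ports unlabeled, and the lone SYN as a single probe. The point of keeping `KNOWN_PORTS` short is that a port number alone rarely proves intent; the per-source timing and flag pattern is what separates a scan from a reply to someone else's spoofed traffic.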
 
