Fear of an attacker!!!

Kazi

Senior member
Jun 7, 2001
I got up this morning and turned my computer on; not more than 10 min later I got attacked by someone in ASIA! 1 guy at first, then 20 min later, after I forgot about it, I was hit again, this time with 7 different IP#'s all on the same port...
I know I'm pretty safe 'cause I'm running ZAPro (just as I was typing I was hit again).
OK, it's about 3 hours later, 900+ alerts from ZAPro. I'm in stealth mode but obviously they know someone is here. My IP# changes on a daily basis and I have no idea why they would choose this one. It was worse this morning, hit 1000 and it knocked me off the net. I reconnected (with my buddy Zone Alarm Pro) and I was still being hit.

Note: I have to restart to get a different IP#

Is anyone else getting hit? They have all targeted port 6346. Here is just one of the reports from Zone Alarm..

The firewall has blocked Internet access to your computer (TCP Port 6346) from 211.127.99.167 (TCP Port 2335) [TCP Flags: S.]

Time: 6/22/01 9:56:04


It's now 9:56 here as I'm typing, so yes I was hit again. But has anyone else received anything?? But man, at one point I was receiving 2.1 Mbps (megabits) and I wasn't transmitting anything, not even a bit of info....

-Kazi

PS was just hit again
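
An added example, not part of the original post: a small summarizer for alerts in the text format quoted above, grouping them by destination port and counting distinct sources and bare-SYN connection attempts. Only the first sample line comes from the post; the other lines (including the UDP line's format) and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the alert text format quoted in the post above.
ALERT_RE = re.compile(
    r"blocked Internet access to your computer "
    r"\((?P<proto>TCP|UDP) Port (?P<dport>\d+)\) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\((?:TCP|UDP) Port (?P<sport>\d+)\)"
    r"(?: \[TCP Flags: (?P<flags>[A-Z]+)\.?\])?"
)

# First line is the alert from the post; the rest are constructed samples
# using documentation-range addresses (192.0.2.0/24, 198.51.100.0/24).
SAMPLE_ALERTS = """\
The firewall has blocked Internet access to your computer (TCP Port 6346) from 211.127.99.167 (TCP Port 2335) [TCP Flags: S.]
The firewall has blocked Internet access to your computer (TCP Port 6346) from 192.0.2.10 (TCP Port 1048) [TCP Flags: S.]
The firewall has blocked Internet access to your computer (TCP Port 6346) from 198.51.100.7 (TCP Port 3301) [TCP Flags: S.]
The firewall has blocked Internet access to your computer (TCP Port 6346) from 192.0.2.10 (TCP Port 1049) [TCP Flags: S.]
The firewall has blocked Internet access to your computer (UDP Port 137) from 198.51.100.7 (UDP Port 137)
a line that is not an alert
"""

def summarize(text):
    """Group blocked-connection alerts by (protocol, destination port)."""
    stats = defaultdict(lambda: {"alerts": 0, "sources": set(), "syn_only": 0})
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue  # skip lines that are not alerts in this format
        entry = stats[(m["proto"], int(m["dport"]))]
        entry["alerts"] += 1
        entry["sources"].add(m["src"])
        if m["flags"] == "S":  # SYN alone: a connection request, no data yet
            entry["syn_only"] += 1
    return dict(stats)

def repeated_connect_targets(stats, min_sources=3):
    """TCP ports where several distinct hosts sent nothing but bare SYNs."""
    return sorted(
        port for (proto, port), e in stats.items()
        if proto == "TCP" and len(e["sources"]) >= min_sources
        and e["syn_only"] == e["alerts"]
    )

if __name__ == "__main__":
    summary = summarize(SAMPLE_ALERTS)
    print(summary, repeated_connect_targets(summary))
```
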
 

arod

Diamond Member
Sep 26, 2000
http://odn.ad.jp/english/index.html

Here's his internet service provider and this is his name on their service.

N01cc-06p167.ppp11.odn.ad.jp [211.127.99.167]

Try sending them an email telling them what's happening, maybe they can do something on their side...
 

konichiwa

Lifer
Oct 9, 1999
Run a GOOD, UPDATED virus program on your computer as well as a trojan checker. You may have something like BackOrifice or NetBus. IIRC, 6346 is the default port for Bo2k.
 

Kazi

Senior member
Jun 7, 2001
Anywhere to get a trojan checker, for free? And I ran McAfee virus scan, nothin...

EDIT- I KNOW WHAT TO DO!! Get 50 friends and nuke the bast*rds!!
 

konichiwa

Lifer
Oct 9, 1999
Did you update McAfee's virus definitions before you ran it?

Try download.com or hotfiles.com for trojan checkers.
 

Kazi

Senior member
Jun 7, 2001
OK, I took a screenshot of my PC screen heh, let me have a few sec to upload it


EDIT- Here is the screenshot - HELP!!!!!
NOTE: This is a very large screen shot in size (284k) even for a JPG
 

medic

Diamond Member
Oct 9, 1999
Download TDS-3 Trojan Defense System, it claims to detect nearly 7000 Trojans.

TDS-3

Also on that page is an excellent Worm and IRC checking utility.
 

wyvrn

Lifer
Feb 15, 2000
Do a web search for "the cleaner" and download it. Great little program. As long as you have ZA active, they should not be able to activate any trojans though.
 

thorin

Diamond Member
Oct 9, 1999
As someone else pointed out it's someone on a Japanese dialup:
N01cc-06p167.ppp11.odn.ad.jp [211.127.99.167]

Who gets their service from Alternet.

Do a ping or tracert on him and you'll get lots of info.

Note port 6346 is used by gnutella.

gnutella-svc 6346/tcp gnutella-svc
gnutella-svc 6346/udp gnutella-svc

gnutella is an information (read software) sharing (read pirating) client/server which allows file sharing over the internet. Kind of like Napster, etc...

Thorin
 

arod

Diamond Member
Sep 26, 2000


somebody else is having a similar problem... check it out and see if this accurately describes you.

They also tell you how to fix it

GRC
 

Kazi

Senior member
Jun 7, 2001
ya heh traced IP by going Here and they gave me lots of info, and it was about 10-15 different IP#'s all attacking the same port. That just doesn't happen that all the IP#'s were attacking the same port... heh ASIA, someone was bored and said to about 15 friends, let's nuke this address, and BAM it was me but they didn't realize that I had a FireWall and they couldn't get through.



<< Gnutella >>

ya I read about this, kinda like Napster or so but better, I don't even have the program!



<< GRC >>

went there about 2 days ago and no ports open, they were all stealthed.

All in all, I LOVE ZAPro heheh :D:D:D:D if you don't have it...GET IT!!
 

zippy

Diamond Member
Nov 10, 1999
If they are pretty good, a firewall probably won't do too much to keep them out- especially a software one. Right guys?
 

Kazi

Senior member
Jun 7, 2001
software firewall is better than no firewall ;) I had 998 when I took that pic and at 1000 it maxed out and took me offline LOL neat but when I reconnected they seemed to stop because they were getting "No Response" so better a software firewall than no firewall :D
 

fitzhue

Golden Member
Sep 24, 2000
Kazi, I had that EXACT SAME PROBLEM. I was getting bombed with the exact same types of packets you were getting. I had a three meg text file listing all the attacks I got. I formatted last night and today it seems to be all good. I don't think one packet got through thanks to ZA. The attacks seemed to have stopped as of right now though (crosses fingers). Scary though. My connection was wiped out thanks to the attacks. I called my ISP about it (@Home) and told them about it. They didn't seem to think 500 attacks in a couple minutes' time is significant. Go figure. Is it still happening for you? This only started happening after I started using Morpheus. I left my computer on all night and forgot I was connected to Morpheus. The next I was being bombed by packets from thousands of different IPs. Well anyways, good luck.
 

Kazi

Senior member
Jun 7, 2001


<< I think you should get your friends together and go after the mofo =) >>



LMAO I almost did, but decided not to because it would open another port to get out hehe ;)
 

GrumpyMan

Diamond Member
May 14, 2001
It sounds like they are trying out a new DDoS attacking program of some kind. You are not their ultimate target though, just testing testing 123...........Too bad they can't get a life and leave everyone the f__k alone.
 

Kazi

Senior member
Jun 7, 2001


<< They didn't seem to think 500 attacks in a couple minutes' time is significant. Go figure. Is it still happening for you? This only started happening after I started using Morpheus. I left my computer on all night and forgot I was connected to Morpheus. The next I was being bombed by packets from thousands of different IPs. >>



HOLY SH!T I was only hit by 10-15 at a time, but I'm on DSL so...I don't know. So far so good....they weren't getting any response so they stopped for now...(holding breath)
 

fitzhue

Golden Member
Sep 24, 2000
Yeah it got pretty scary for a while there. They were going so fast I couldn't even read the IPs in ZA's alert window. I'm still holding my breath too, they've stopped for now at least.
 

InVitro

Member
Jun 14, 2001
My story...
I set up my home network, I didn't really know much about it. I had print file sharing enabled on both cards (yeah uh oh) and Client for Microsoft Networks. To make things worse I also had NetBIOS enabled. I didn't pay much attention to Zone Alarm, so one day I come back... all my games are missing. Strange but true. Everything else was intact though. It was really strange; maybe somebody just wanted to give me a warning? Well I called my ISP (Shaw @ home) and I asked them if I could get some kind of Address sweep that could indicate the intruder IP address... they basically told me to screw off, since there was nothing they could do. Great eh?



You should run Telnet and connect to the port you're being attacked on, usually Trojans let you connect and return some kind of string. If that is the case, go into your Auto Start registry and look for it in there. They also hide stupid Trojans in start-up files like Win.ini

Go to www.tucows.com and look for The Cleaner. It's a good Trojan utility, for some reason I never trust McAfee with Trojans, it never does a good job. Norton Anti-Virus I believe is better when it comes to that.

What you can try doing is getting a port listener, set it to listen on the victim port, and see if they're sending over any kind of string. Usually nukers (outdated but stupid ppl still use em) leave some kind of string... usually the Nuke name and version, or Message.

If it's a Trojan horse, the port listener will give you a warning that it's unable to bind to the port, because it's in use.

You all probably know most of these things, but I just thought I'd mention them anyways.

Oh yeah, sometimes these ports are used by Applications like ICQ. Why does that matter? I made a program which connects to my ICQ port. I found out that ICQ doesn't disconnect you even if your connection is idle for hours. So I made an exploit which sends packets to ICQ like crazy, flooding the connection. Someone said 6346 is used by BO2k and someone said it's used by Gnutella. If you are running Gnutella, maybe it's possible to exploit it in the same way as ICQ.
I don't know, look around.

If you can't find a port listener (those things are ancient) I'll make you a crappy one, but it will work ;)

Well good luck,
I hope my info is useful in some way ;)
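
The port-listener check described in this post, as an added example (not InVitro's program or code from the thread): bind the port, treat "address already in use" as the sign that something local already owns it, and otherwise record the first bytes a connecting host sends. The function names and the loopback test banner are assumptions made for illustration.

```python
import errno
import socket
import threading

def open_listener(port, host="0.0.0.0"):
    """Bind a TCP listener; return None if another process holds the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    # SO_REUSEADDR is deliberately not set: a failed bind is the signal here.
    try:
        srv.bind((host, port))
    except OSError as exc:
        srv.close()
        if exc.errno == errno.EADDRINUSE:
            return None  # something on this machine is already listening
        raise
    srv.listen(5)
    return srv

def capture_one(srv, timeout=5.0, max_bytes=256):
    """Accept one connection; return (peer_ip, first bytes sent or b'')."""
    srv.settimeout(timeout)
    conn, peer = srv.accept()
    with conn:
        conn.settimeout(timeout)
        try:
            data = conn.recv(max_bytes)
        except socket.timeout:
            data = b""  # peer connected but sent nothing
    return peer[0], data

def demo():
    """Loopback self-test on an OS-assigned port (constructed traffic)."""
    srv = open_listener(0, "127.0.0.1")
    port = srv.getsockname()[1]
    # A second bind to the same port must fail while the first is listening.
    in_use = open_listener(port, "127.0.0.1") is None

    def client():
        with socket.create_connection(("127.0.0.1", port), timeout=5) as c:
            c.sendall(b"HELLO-TEST v1\r\n")  # constructed stand-in banner

    t = threading.Thread(target=client)
    t.start()
    peer, data = capture_one(srv)
    t.join()
    srv.close()
    return in_use, peer, data

if __name__ == "__main__":
    print(demo())
```

To watch the port from the thread, call `open_listener(6346)` and loop on `capture_one`; a `None` return means a local program already has the port open.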
 

Kazi

Senior member
Jun 7, 2001
ya I got the cleaner and searched for trojans, none found. Got a port listener, nothing being used by trojans, only DSL and AOL etc.. programs. Looked up the port and ya gnutella, why would I want that, but I don't have it... I dunno, prolly just a random IP# attack like what GrumpyMan said, a new DDoS program.. I don't know but glad ZAPro stopped it...

-Kazi
 

Jeff7

Lifer
Jan 4, 2001
Weird; that IP is showing port 80 as being open. (I don't think portscans are illegal)
I did resolve the hostname first too; got the same thing as everyone else:
N01cc-06p167.ppp11.odn.ad.jp

Firewalls can be brought down; I hear people at school talking about taking down a firewall with a flood of something; pings, or syn packets maybe, don't remember. Hopefully your firewall has fixes for those problems.

I've never gotten that many attacks; heck, since I installed my gateway/router, I almost never get any unauthorized attempts to get into my computer; guess the router blocks them all.
 

InVitro

Member
Jun 14, 2001
Port Listeners are legal, nothing wrong with them.
And port 80 is your web browser...

Firewalls do have their limitations and can be brought down, but usually people who talk about that kind of thing are just a bunch of wannabes who think they're 'cool' or something. Yet you can never be too careful...

Did that port listener register any hits on your computer?