
Lots of attacks.. !



I'm getting an inexplicably large number of attacks from different IPs. They are Trojan horses, and Norton has no trouble stopping them. How many attacks I get varies from day to day, but it is a great many in any case.

  • Backdoor/SubSeven Trojan horse
  • GateCrasher Trojan horse

It varies a lot who they come from, but it is probably more than just Trojan horses.

The IPs:

150.xx

80.xx

200.xx

172.xx

12.xx

81.xx

150.xx

62.xx

 

Example: Details: 80.xxx.xx.xxx will be blocked further access to your machine for 30 minutes.

Click on the address to trace the attacker

I would like to ask the forum for help, hear what you have to say, and whether you can help me with this.

trojanlogg.jpg

 

Thanks.

Edited by Chris88
Link to comment

peroivind@iota:~$ whois 202.134.88.5
peroivind@iota:~$ whois 67.73.50.133
peroivind@iota:~$ whois 151.204.199.251
peroivind@iota:~$ whois 80.14.35.113
peroivind@iota:~$ whois 81.37.101.211
peroivind@iota:~$ whois 150.243.174.216
peroivind@iota:~$ whois 80.117.112.213
peroivind@iota:~$ whois 80.130.211.115
Link to comment
great, but what can I do to stop attacks like these.

Shut down the Internet, maybe?

No, seriously: send mail to abuse@...

But really, if you block them with your firewall, there isn't that much to worry about. If you get really nervous, you could consider getting hold of an older machine and setting it up as a "honeypot" (sacrificial machine), so that you are a bit safer if people actually do manage to hack you (they only hack the "honeypot", and your main machine is "safe").

Link to comment

Sounds good, it's just a shame I have a honeypot without honey (CPU). *grin*

Link to comment
What's so strange is that I have a dynamic IP and they still send lots of attacks.  :shrug:

It's hardly anyone who is after YOU. All too common these days. People's machines are infected and so get used as a base for new attacks. You can take the trouble to report it to abuse@isp.

My router had the option of mailing me the FW log, but I turned it off when it sent 128 lines of log every 5-6-7 minutes.

Link to comment
pgressum: why not just post the abuse@ address for each IP range from the whois list instead of pasting a kilometre of text into the thread?

Because there may be some other information of interest in there. E.g. which country the IPs come from. The main reason is probably that I would have had to go through each IP and dig it out. Feel free to call me lazy ;)

Link to comment
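
The idea raised above, reducing each whois reply to network name, country and abuse@ address instead of pasting the whole record, as an added example (not code from the thread). The sample replies are constructed with documentation address ranges and example domains, and `summarize_whois` is a hypothetical helper name.

```python
import re

EMAIL = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Dedicated abuse attributes: OrgAbuseEmail (ARIN), abuse-mailbox (RIPE/APNIC).
ABUSE_KEYS = {"orgabuseemail", "abuse-mailbox"}

# Constructed sample replies (documentation ranges, example domains).
RPSL_SAMPLE = """\
% constructed RPSL-style reply
inetnum: 192.0.2.0 - 192.0.2.255
netname: EXAMPLE-ADSL
country: NO
remarks: send mail to abuse@example.net
remarks: mail sent to abuse@old.example.net will be ignored
person: Example Person
country: SE
"""
ARIN_SAMPLE = """\
NetName: EXAMPLE-NET-1
Country: US
TechEmail: noc@example.com
OrgAbuseEmail: abuse@example.com
# constructed ARIN-style reply
"""


def summarize_whois(text):
    """Reduce one whois reply to netname, country and abuse addresses."""
    info = {"netname": None, "country": None, "abuse": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "%#" or ":" not in line:
            continue  # blank lines and server banner/comment lines
        key, value = (part.strip() for part in line.split(":", 1))
        key, found = key.lower(), []
        if key in ("netname", "country"):
            if info[key] is None:  # first hit is the network object itself
                info[key] = value
        elif key in ABUSE_KEYS:
            found = EMAIL.findall(value)
        elif key in ("remarks", "comment"):
            low = value.lower()
            # Free text: only lines about abuse that don't say "ignored".
            if "abuse" in low and "ignored" not in low:
                found = EMAIL.findall(value)
        for addr in (a.lower() for a in found):
            if addr not in info["abuse"]:
                info["abuse"].append(addr)
    return info
```

The input would normally be the text printed by `whois <ip>`. Free-text remarks differ between registries, so the extracted address is a hint to check against the record, not a guaranteed contact.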
OMG how did you find all that information :-)

Will you do mine as well?
(just to test)

80.213.102.246

Maybe it wasn't too smart to give out my IP address.. oh well..

peroivind@zeta:~$ whois 80.213.102.246

Link to comment
