Just Received Computer Attack (Hacker Port Scan)

me ^

[Bobby777]

my firewall intercepted, recorded and blocked ... did traceroute on attacker ... it was right after I logged on to FR ... about 1/2 hour ago ... attacker's IP address was 206.61.145.6 ... saved traceroute ping ... guess I'll hand it over to the FBI if something serious happens ... heads up FReepers ...

[Bobby777]

yeah, I'm in "stealth mode" but I thought it said port scanning could still be attempted ... attempted but failed obviously ... thanks ...

[Nick Danger]

For the sake of all of us, please do not launch a new thread every time your firewall intercepts a port scan. Most of us get hundreds of these a day... many hundreds when one of those worms like Code Red is propagating.

Everyone who connects to the Internet should assume that at any given moment there are thousands of automated port scanners running, most of them in the hands of so-called "script kiddies" who use these scripts to find machines that are open to attack. When they come back from skateboarding, the script kiddies look at the log to see what new treasures their port scanner has uncovered.

Being scanned has nothing to do with being "logged on" to FR. There is no "circuit" between you and FR that remains open when you are freeping; every click is a different transaction. The packets might not even travel over the same route, or arrive in the proper order. All that stuff is sorted out after it arrives. If you get scanned while you're on FR, the same thing would have happened if you'd been anywhere else. Your IP address just came up at random in some script kiddie's port scanner, and it was your turn in the barrel. What 'page' you are viewing at the moment has nothing to do with it.

Anybody concerned about this stuff can find out more here.

[Khaleel]

my firewall intercepted, recorded and blocked...206.61.145.6

Relax!

Using a reverse IP lookup: 206.61.145.6 resolves to: a4205.sandpiper.net
If you want to, go to www.sandpiper.net. Looks like an ISP.
Bobby777, by any chance you don't use Sandpiper at work do you?

what firewall are you using? Freepmail me if you like.

If I may be so bold as to suggest "FireAlarm."
It if free for personal use and very very good. Once you get it in place you'll realize just how many times your computer is pinged.

If you are a Windows user check out this for your security.

[Bad~Rodeo]

ZA sucks...get NeoWatch

[Nogbad]

What on earth is all this about?

Have you located Bin Laden?

[Flyer]

Great minds think alike.

[Khaleel]

If you use a cable modem and Windows I highly recommend www.grc.com to check your security. Good tutorial and some interesting reading there also.

[Khaleel]

I saw the article and one reply. Did the reverse DNS lookup, checked the location of FireAlarm, posted my reply and found myself now not #3 but almost #30.

[Landru]

Thanks for the tip, b7.
I'll check it out.

[vince_foster]

We are getting a few subtle terms mixed up. A port scan is slightly different than what we are talking about. If someone pings your computer (ICMP echo request - just a little hello, please reply), they do so on port 7. Telnet is 23, and when you connect to this web page, you are connecting on port 80. A hacker will typically scan a block of IP's looking for a specific port that you have left open, and then run a program to exploit that open port. In a sense, this hacker is port scanning. However, lets say he is pinging computers just to see if they exist (some serious attacks can occur on this port, also). Then he is port scanning, or more precisely IP scanning, but if you are hit with his ping, you have not been port scanned. You are port scanned when someone checks your IP for all open ports, thus scanning all the ports on your comp to see which are open. This is a more serious attack, because it means someone has singled you out. They are trying to get into your machine on any port possible, not trying for any computer that they can run their script kiddie program on. This will trigger an alert from firewalls, even a hack-back from some, while a ping will not. It may show up in zone alarm or blackice, but it is nothing to worry about. Run any file sharing program, and you will get hit hundreds to thosands of times a day. Join bearshare or morpheus or audiogalaxy, etc. and report your speed as T-1 and you'll see what I mean.

[Landru]

Gibson Reasearch Center?
~Just got back from their site; its now been bookmarked.
I'm a LangaList *Plus* subscriber & believe I've heard Fred speak of this org in the past.

Thanks, Khaleel.

[Flyer]

LOL! I looked up the IP address first, too. Then checked the Shields Up! link. Are we geeks or what?

P.S. Have another cup of coffee - it's ZoneAlarm.

[Bobby777]

nope ... never use Sandpiper.net at all ... of course it's an ISP ... it's a modem at the end of the IP address that a user is logged in on ... eh?

[Bobby777]

well Nick, appreciate all the sentiment but this is my first post on port scan attack ... so a little education is appreciated ... as far as "posting everytime" you must be thinking about somebody else ... regards ...

[Bobby777]

thanks for the insult ... there's always at least one ... I'm sure there's a few areas you may not be totally proficient in either ...

[Libertarian_4_eva]

Everyone don't take bobby's action too harsly because of him hundreds of newsbies should be on their way to secure computers.

[Don Joe]

"Being scanned has nothing to do with being "logged on" to FR. There is no "circuit" between you and FR that remains open when you are freeping; every click is a different transaction. The packets might not even travel over the same route, or arrive in the proper order. All that stuff is sorted out after it arrives. If you get scanned while you're on FR, the same thing would have happened if you'd been anywhere else. Your IP address just came up at random in some script kiddie's port scanner, and it was your turn in the barrel. What 'page' you are viewing at the moment has nothing to do with it."

As a rule, yes, but it's not absolute. I believe there have been instances where a not-very-nice person posted something to FR, and included a graphic file for the purpose of tracking the IP of everyone who accessed the image.

All he had to do was include the image (even a 1x1 "web bug" would suffice), and then check the headers when requests come in to his server. He'd get a log of IPs of people who visited the FR thread that had his post.

Of course "all he had to do" is not that trivial for the majority of users, but it is possible, and short of blocking images, there's really no way to stop it. Still, a decent firewall (zone alarm) will prevent him from doing anything with that IP number.

[Bobby777]

well a lot of people don't know about this stuff ... but some smarta$$ with an inferiority complex always has to come in and pop off ... geez ...

[Flyer]

Ditto. When I first installed my firewall I thought the entire world wanted into my computer.