The Straight Dope

  #1  
Old 09-18-2003, 07:58 AM
The Surb The Surb is offline
Charter Member
 
Join Date: May 2002
Location: Right here
Posts: 703
Why am I being pinged? Am I being hacked?

Here's the scoop. My Zone Alarm is going nuts so normally I ignore it but this time it's different.

I noticed my internet connection was a lot slower, I checked all open programs to see if another program was accessing the net, no.
I checked ZA and I am getting pinged about every 30 seconds for the last two days from different IP addresses all belonging to Comcast but different locations, CA, CT, CO, etc. I used my Sam Spade to look them up. But it is never the same IP address. It starts with 67. then addresses 160-167 and the rest but always different.

What could be going on? I called Comcast. The tech rep was polite and helpful but didn't help much. She had no idea why I would be getting pinged so often. But she had me ping other places and my ping time was twice what it should be.

I understand ZA and NORMAL background but being pinged every 30 seconds for two days is NOT normal. Could someone be trying to slow down my connection? I recently had a war of words with a fellow gamer (HL mod) so I know someone who has a motive to do this.

Of course I could just be paranoid.

Any help is greatly appreciated.

The Surb
  #2  
Old 09-18-2003, 08:28 AM
Number Number is offline
Charter Member
 
Join Date: Apr 2002
Location: North Chicagoland
Posts: 2,059
I've noticed high ping traffic from addresses on my ISP as well. This is probably caused by the Nachi worm.

Quote:
This worm spreads by exploiting a vulnerability in Microsoft Windows. It scans the local class-b subnet (port 135) for target machines. It sends an ICMP ping to potential victim machines, and upon a reply, sends the exploit data.
  #3  
Old 09-18-2003, 09:14 AM
The Surb The Surb is offline
Charter Member
 
Join Date: May 2002
Location: Right here
Posts: 703
Well I was wondering about something like that, but the tech rep at Comcast pinged me and did not receive a reply. So my ZA was doing its job. I could see where I blocked a set of pings from one (Comcast I think) IP addy but she couldn't see my comp with the ZA on.

She also pinged me with ZA off and received a reply. The ping also seemed to be aimed at port 80.

I will look at site and see if it helps.

Thanks.
  #4  
Old 09-18-2003, 09:26 AM
troub troub is offline
Guest
 
Join Date: Jul 2000
So, The Surb, even though you're not getting exploited (if the ping request doesn't get a reply, the exploit code won't be sent), you'll still get pinged by people who did get infected.
  #5  
Old 09-18-2003, 09:44 AM
poissongrand69 poissongrand69 is offline
Guest
 
Join Date: Oct 2002
ahhh, had to chime in on this one too....

I'm also running Zone Alarm and I'm getting hit just as bad as you.. in 4 days I have had 100k plus hits plus 1000 intrusion attempts.. My modem lights constantly are blinking.. One thing that I've been told, yet have not done yet, is buy yourself a cheap router. That should minimalize the hits but you'll still have some apparently.

;j
  #6  
Old 09-18-2003, 09:50 AM
The Surb The Surb is offline
Charter Member
 
Join Date: May 2002
Location: Right here
Posts: 703
Ok I got you. But it still seems strange that I am getting pinged two-three times a minute and each one is a different address for the last two days.

All say (IP ADDY) ###.##.###client.comcast.net

Would that be consistent with this?

Can I change (or have ISP change) my IP addy so this goes away?
  #7  
Old 09-18-2003, 10:21 AM
Balthisar Balthisar is offline
Charter Member
 
Join Date: Nov 2000
Location: Nanjing, China
Posts: 8,868
The router is helpful. My Comcast modem's activity light is almost constantly on. Yet my router's link connections don't indicate any traffic on the LAN, so I know I'm protected and they don't seem to be going after any of my open ports.

On that note, I've been wondering what the heck's been going on.
  #8  
Old 09-18-2003, 10:39 AM
troub troub is offline
Guest
 
Join Date: Jul 2000
I don't think changing your IP address would help at all, because it's not you specifically being attacked. The infected machines scan all kinds of IP addresses just waiting for one to respond so it can attack that one. The fact that all of the pings are coming from your ISP's network isn't surprising, given Number's quote about the worm scanning its class-b subnet. As for whether a router would help: I would think that even though your computer's not getting hit anymore, the modem/router still is, so you'd essentially have the same amount of traffic on your connection and still have high ping times.
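Added example, not part of troub's post or of the thread: one way to check a firewall log for the pattern described above (many different sources in the local address block, each probing once) as opposed to one sender repeating. The log layout, the `triage` name, the /16 default and the 50% threshold are assumptions made for this illustration, and the log lines are constructed.

```python
import ipaddress
from collections import Counter

# Constructed log: "time,kind,source" is a made-up layout, not a real
# firewall export format. Addresses are private-range placeholders.
SAMPLE_LOG = """\
07:58:01,ICMP-ECHO,10.20.14.3
07:58:29,ICMP-ECHO,10.20.200.91
07:58:40,TCP-135,10.20.14.3
07:59:02,ICMP-ECHO,10.21.7.45
07:59:31,ICMP-ECHO,10.20.33.8
08:00:05,ICMP-ECHO,10.20.150.17
08:00:33,ICMP-ECHO,10.21.90.2
08:01:04,ICMP-ECHO,10.20.61.240
08:01:30,ICMP-ECHO,10.20.5.77
"""

def triage(log: str, my_ip: str, prefix: int = 16, dominant: float = 0.5) -> dict:
    """Summarise blocked echo requests: who sent them and how concentrated."""
    my_net = ipaddress.ip_network(f"{my_ip}/{prefix}", strict=False)
    per_src = Counter()
    for line in log.splitlines():
        fields = line.strip().split(",")
        if len(fields) != 3 or fields[1] != "ICMP-ECHO":
            continue                      # skip blanks, other traffic, junk
        try:
            per_src[ipaddress.ip_address(fields[2])] += 1
        except ValueError:
            continue                      # unparseable source address
    total = sum(per_src.values())
    if total == 0:
        return {"total": 0, "verdict": "no echo requests logged"}
    top_src, top_hits = per_src.most_common(1)[0]
    same_net = sum(n for ip, n in per_src.items() if ip in my_net)
    # One source sending most of the probes suggests someone aimed at this
    # host; many one-off sources from the local block fits worm scanning.
    verdict = ("single persistent source" if top_hits / total >= dominant
               else "many-source background scanning")
    return {"total": total, "distinct_sources": len(per_src),
            "same_net_share": same_net / total,
            "top_source": str(top_src), "top_share": top_hits / total,
            "verdict": verdict}
```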
  #9  
Old 09-18-2003, 12:59 PM
Mort Furd Mort Furd is offline
Guest
 
Join Date: Apr 2001
A short note:
A ping is a certain request for an answer that is a standard function used on the internet. When you receive a real ping, someone simply wants to know if you are there, and how long the trip takes for the data packet.

Most of what ZA shows are NOT pings, but requests to other ports that are used for other things - connecting to a trojan or a worm or to KAZAA.

Please don't call just any random request that ZA blocks a ping - it most likely isn't. A real ping goes to port 8. Anything else is god knows what.
  #10  
Old 09-18-2003, 01:55 PM
rowrrbazzle rowrrbazzle is offline
Guest
 
Join Date: Jul 1999
I've averaged 300 of these pings a day since August 21. I'm on Comcast/ATTbi and almost all of them have come from other users on the same ISP.
  #11  
Old 09-18-2003, 02:16 PM
troub troub is offline
Guest
 
Join Date: Jul 2000
Mort, you are partly correct, however ICMP (ping, et al.) doesn't use "ports." Especially not port 8, which is unassigned (iana.org).

If ZA says ICMP--ping request (I don't remember the exact terminology as it's been a while since I used ZA), it's probably a real ping. There are other "types" of ICMP packets--probably where you got the port 8 thing is that an ICMP echo request (ping) is an ICMP packet with a type code of 8 (http://www.faqs.org/rfcs/rfc792.html)
Quote:
Summary of Message Types

0 Echo Reply
3 Destination Unreachable
4 Source Quench
5 Redirect
8 Echo
11 Time Exceeded
12 Parameter Problem
13 Timestamp
14 Timestamp Reply
15 Information Request
16 Information Reply
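Added example, not part of troub's post: a small decoder for the ICMP message inside an IPv4 packet, showing that the header carries a type and code from the RFC 792 list quoted above and has no port field. The function names are made up for this illustration and the packet is constructed by `build_echo_request` with documentation-range addresses.

```python
import struct

# RFC 792 message types, as listed in the quote above.
ICMP_TYPES = {0: "Echo Reply", 3: "Destination Unreachable", 4: "Source Quench",
              5: "Redirect", 8: "Echo", 11: "Time Exceeded",
              12: "Parameter Problem", 13: "Timestamp", 14: "Timestamp Reply",
              15: "Information Request", 16: "Information Reply"}

def inet_checksum(data: bytes) -> int:
    """One's-complement checksum over 16-bit words (odd length is zero-padded)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_echo_request(src: str, dst: str, ident: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed IPv4 + ICMP echo request for the parser to read."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    addr = lambda a: bytes(int(x) for x in a.split("."))
    # IP header checksum is left at 0; parse_icmp() does not verify it.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     addr(src), addr(dst))
    return ip + icmp

def parse_icmp(packet: bytes) -> dict:
    """Decode the ICMP message inside an IPv4 packet; ValueError if not ICMP."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if ihl < 20 or total_len < ihl + 8 or total_len > len(packet):
        raise ValueError("truncated or malformed packet")
    if packet[9] != 1:
        raise ValueError(f"IP protocol {packet[9]} is not ICMP (1)")
    icmp = packet[ihl:total_len]
    mtype, code = icmp[0], icmp[1]
    # The ICMP header is type, code, checksum: there is no port field.
    info = {"src": ".".join(str(b) for b in packet[12:16]),
            "type": mtype, "code": code,
            "name": ICMP_TYPES.get(mtype, "not listed in RFC 792"),
            "checksum_ok": inet_checksum(icmp) == 0}
    if mtype in (0, 8):  # echo messages carry an identifier and sequence number
        info["id"], info["seq"] = struct.unpack("!HH", icmp[4:8])
    return info
```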
  #12  
Old 09-18-2003, 02:34 PM
The Surb The Surb is offline
Charter Member
 
Join Date: May 2002
Location: Right here
Posts: 703
Thanks for the help.


At least it looks like my comp isn't under a personal attack. It's just slow.

Again, thanks for the replies.

Surb
  #13  
Old 09-18-2003, 02:53 PM
Musicat Musicat is online now
Charter Member
 
Join Date: Oct 1999
Location: Sturgeon Bay, WI USA
Posts: 14,737
I am getting a flood of MSRPC attacks in the last few weeks, too, at least that's what Blackice Defender calls them. Most are from 68.78.*.* and other subnets starting with 68. However, I am on 68.78.*.*, too, so I wonder if that means anything?

I just checked the logs for just one PC -- over 4000 in two weeks. And this is on a dialup, not always-on; I would imagine cable customers are getting hit a lot more over 24 hours.

The Nachi worm does look like the most likely culprit. See if traffic drops on January 1, 2004, when it is scheduled to expire.

And this is supposed to be a "white hat" worm!
  #14  
Old 09-18-2003, 03:02 PM
ComeToTheDarkSideWeHaveCookies ComeToTheDarkSideWeHaveCookies is offline
Guest
 
Join Date: Mar 2003
An excellent way to be proactive with your firewall information is to use a (free) reporting service such as MyNetWatchman. Without having to play cyber-sleuth for each and every bit of traffic spawned from all of the infected systems out on the net, the reporting service accepts your firewall output, prioritizes the traffic (you do have to make sure your firewall is not configured too sensitively first), determines the network of origin of each incident, and sends a standardized report to that network's administrators. This allows the administrators to investigate the report, determine which of their customers is infected, and provide them with information about virus/worm/malware detection and removal.
All times are GMT -5.