denial of service attack?

I don’t know if that’s the right phrase, but here’s what happened.

At about 6:20 PM Chicago time, I turned on my computer, then stepped away from it as it was booting. When I got back, I saw ZoneAlarm had logged more than 500 attempted accesses to my PC. By the time I cut the power to the cable modem, about three thousand accesses had logged. A bit scary, actually. Here’s one of the ZoneAlarm log entries:

FWROUTE,2001/08/11,18:31:26 -5:00 GMT,192.43.152.118:80,0.0.0.0:4890,TCP (flags:AR)

The source IP addresses were all different, but almost all began with 192. I’m not an Internet whiz, so that may not be significant.

About an hour later, I plugged the modem back in, and the attack had stopped. So this seems to have been a temporary inconvenience, fortunately.

A few months ago, my ISP changed my account to have a static IP address without my requesting it. I’m thinking perhaps whoever hacked into the SDMB got my address and picked me as a random target. Maybe I should see if I can get my ISP to go back to a dynamic IP.

I’m posting to see if this happened to any other SDMB poster. If not, I’ll have to look elsewhere for the source. But if it has, I’ll state (just for the record, since it should be obvious) that I place the blame entirely on the hacker, not the SDMB.

As I understand it, what they’re looking for is a static IP that they can use for awhile. I’ve had a couple of experiences similar to what you describe - I use a dial-up at home, but since I leave the machine on and logged on to the net I’ve got a near-static IP. The only contribution I can offer here is that it is not necessarily related to yesterday’s hack of the board as the DoS attack folks are continually searching for assets.

Thankfully, there is Zone Alarm.

You say you have a cable modem? It is very likely you were affected by Code Red. This virus looks for web servers running Microsoft server software (IIS). Infected IIS servers look for more IIS servers.

For example, say Server A was infected with Code Red. The infected Server A looks for more servers to spread to. It starts scanning addresses, and eventually finds and infects Server B. Server B now starts searching for more servers. This pattern repeats. Because there are so many Code Red infected servers, a single user may receive thousands of incoming packets looking for IIS servers.

The bolded area shows the origin of the attack. The number after the colon is the port number. Port 80 is used for web servers. This means the attacker was trying to connect to a web server, a sign you have been affected by Code Red.

NOTE: Code Red only affects computers running IIS. Plus, you have ZoneAlarm, one of (if not the best) personal firewalls available.

Woo! Great explanation, Cleophus!

Thanks for clearing this up for us, I feel like I learned something useful even, which means this is a pretty good day. :slight_smile:

your humble TubaDiva
Administrator

You’re welcome. Always glad to help.

I dunno - I’ve got some concerns here. Concerns enough to make me break my self-imposed promise to merely lurk-and-be-amused and post a message.

The log as posted in the OP doesn’t strike me as consistent with an attack from a Code Red infected IIS server. Two things strike my attention. First, as appropriately pointed out, 192.43.152.118:80 is the source of the attack. The destination is listed as 0.0.0.0:4890. My point here is that source is listed as the web-server port, not the destination. That is, when the attacking machine opened the connection, it used port 80 to connect out, attempting to connect to port 4890 on the destination machine.

A Red Worm attack would come from some port with port 80 as the destination.

More importantly, the FWROUTE in the log excerpt claims that the packet was neither sent by, nor intended for, your machine. It was just trying to get somewhere through you. (This tidbit gleefully pulled from http://www.zonelog.co.uk/support.html#types). And a destination address of 0.0.0.0? More and more curious.

None of which, of course, answers your question. Indeed, it appears to raise more. Tell me, you said the log had several different source addresses, most of them 192. Are there (m)any from 192.168.whatever?

(And I wonder if this thread would be more appropriate elsewhere. But that’s just me.)

-Lloyd

Thanks for all your comments.

Louhron: of the 3083 attempts, 2719 came from 192.whatever, and of those 1145 came from 192.168.whatever. There were only 10 duplicate IPs. I now realize this could have come from one person faking all the source IP addresses. If you’re really interested, I could send you the whole log. :slight_smile:

I’ve gotten FWROUTE attempts previously, but never in such large numbers.

And since it’s now apparent this wasn’t connected with the SDMB being cracked, I’m asking TubaDiva to move this to GQ.

brief update: TubaDiva says this thread is fine here.

You probably found this out already, but the IP address traces back to this:

Just in case you would like to investigate the matter further.

Just how obsessive do you think I am? No, please, don’t answer that. Probably best that way.

So, I’ve been pondering this over the past couple of days, and remain uncertain if there is anywhere to go with the attack save breathing a sigh of relief that it isn’t happening anymore.

First, 0.0.0.0 was listed as the destination address for each attempt. This is the address that is used for default routing, and fits with the log heading of FWROUTE. In essence, then, each attempt contained a message that said “hi!” (note: Internet packets are always talking and saying things like ‘hi’. Let me amuse myself). “Hi,” the packets were saying, “this isn’t actually for you, but if you would be good enough to pass it on to whomever you normally send Internet traffic, that’d be great. Thanks”.

This has some interesting possibilities. This “routed traffic” attack (see second URL below) has the effect of, were your machine to be willing, not only using your downstream (‘incoming’) bandwidth, but your upstream (‘outgoing’) bandwidth as well, messing up your connection both ways.

I’m tempted to speculate further here, but need to do just a wee bit more research first.

Second, you received an attempt from what amounts to 3073 unique IPs. Not likely. Sure, it’s possible, I suppose, but I don’t buy it. Especially given that 1145 of them came from 192.168, private network addresses that don’t live on the Internet. This suggests that they are not the IPs of the actual machine doing the sending, but are, as you pointed out, faked addresses instead. Likely, but not necessarily, from one person. For this reason I would say that Coldfire’s recent post, while a tempting avenue, would not in the end be fruitful.

Third (would somebody please explain to me the whole Opal thing? I don’t get it.), the flags on each attempt are “AR”. “A” is Acknowledge, and wouldn’t be used to create the connection - are there any with “S” flags instead? “R” is Reset. In your case it appears that the reset will abort the connection and send a message back to the source to that effect. Now, since the source is claiming to be somebody else, this has the effect of you sending a message back to somebody who either is not there, or does not want it. Either way, it is taking up your bandwidth. (This comes from RFC793 - first URL below - in case anybody is interested. If somebody feels my interpretation is in error, I’d appreciate knowing!)

Sadly, all this takes you right back to the subject of this thread: Denial of Service. It has every appearance that somebody (perhaps plural), felt it necessary to twit your connection.

In a desperate attempt to further justify this thread’s existence in ATMB, I’ll offer conjecture that whoever grabbed the admin passwords for the board, found your logged IP, and, due to some long and deep-seated dislike of names with too many double-consonants, selected you for their target.

As good a reason as any. Be glad you don’t live in Mississippi.

-Lloyd

Interesting Reading:

ftp://ftp.isi.edu/in-notes/rfc793.txt
http://www.interhack.net/pubs/fwfaq/#SECTION00051000000000000000

And, while not as directly related, still a great discussion on (D)DoS attacks:

http://grc.com/dos/grcdos.htm

The Opal thing explained by OpalCat herself: http://boards.straightdope.com/sdmb/showthread.php?postid=971670#post971670

Only a single log entry wasn’t TCP with flags AR:

FWROUTE,2001/08/11,18:31:27 -5:00 GMT,224.2.156.76:0,0.0.0.0:0,ICMP (type:3/subtype:3)

This was near the beginning of the flood. The source IP belongs to MCAST-NET.
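The counts rowrrbazzle reported (3083 attempts, 2719 from 192.x, 1145 from 192.168.x, 10 duplicates) and the checks Louhron walked through (source port 80 with AR flags, private and multicast source addresses, the odd ICMP entry) are exactly what a small log parser can pull out of a ZoneAlarm export in one pass. The script below is an added example, not code from anyone in this thread; it assumes only the comma-separated layout of the two entries quoted above, and the sample log and the pattern labels (web-server-reply, spoofed-private-source, http-probe, multicast-source) are mine. It goes slightly beyond the thread by also recognising the SYN-to-port-80 shape that Cleophus described for Code Red probes, so the two cases can be told apart in the same summary.

```python
import ipaddress
from collections import Counter

# Constructed sample in the ZoneAlarm log format quoted in this thread: the two
# entries rowrrbazzle posted plus four invented lines to exercise every branch.
SAMPLE_LOG = """\
FWROUTE,2001/08/11,18:31:26 -5:00 GMT,192.43.152.118:80,0.0.0.0:4890,TCP (flags:AR)
FWROUTE,2001/08/11,18:31:27 -5:00 GMT,224.2.156.76:0,0.0.0.0:0,ICMP (type:3/subtype:3)
FWROUTE,2001/08/11,18:31:27 -5:00 GMT,192.168.1.77:80,0.0.0.0:4891,TCP (flags:AR)
FWROUTE,2001/08/11,18:31:28 -5:00 GMT,192.168.200.5:80,0.0.0.0:4892,TCP (flags:AR)
FWIN,2001/08/11,18:31:29 -5:00 GMT,66.77.88.99:1234,0.0.0.0:80,TCP (flags:S)
FWROUTE,2001/08/11,18:31:30 -5:00 GMT,192.43.152.118:80,0.0.0.0:4893,TCP (flags:AR)
"""

# RFC 1918 address blocks: these never arrive from the Internet with a genuine source.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_entry(line):
    """Split one ZoneAlarm line into its fields; return None for lines that do not fit."""
    parts = line.strip().split(",")
    if len(parts) != 6:
        return None
    kind, date, time, src, dst, proto = parts
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    proto_name, _, detail = proto.partition(" ")   # "TCP (flags:AR)" -> "TCP", "(flags:AR)"
    flags = ""
    if proto_name == "TCP" and detail.startswith("(flags:"):
        flags = detail[len("(flags:"):].rstrip(")")  # "(flags:AR)" -> "AR"
    return {
        "kind": kind,            # FWIN / FWOUT / FWROUTE as ZoneAlarm labels them
        "when": f"{date} {time}",
        "src_ip": src_ip, "src_port": int(src_port),
        "dst_ip": dst_ip, "dst_port": int(dst_port),
        "proto": proto_name, "flags": flags, "detail": detail,
    }


def classify(e):
    """Label an entry with the pattern it matches, following the reasoning in the thread."""
    src = ipaddress.ip_address(e["src_ip"])
    if any(src in net for net in RFC1918):
        return "spoofed-private-source"   # cannot be the real sender; the address is forged
    if src.is_multicast:
        return "multicast-source"         # 224.0.0.0/4 is never a legitimate unicast sender
    if e["proto"] == "TCP" and e["dst_port"] == 80 and "S" in e["flags"]:
        return "http-probe"               # SYN to port 80: something looking for a web server
    if e["proto"] == "TCP" and e["src_port"] == 80 and "S" not in e["flags"]:
        return "web-server-reply"         # port 80 answering a connection you never opened
    if e["proto"] == "ICMP":
        return "icmp"
    return "other"


def summarize(text):
    """Reproduce the kind of tally rowrrbazzle gave, plus a breakdown by pattern."""
    entries = [e for e in (parse_entry(l) for l in text.splitlines()) if e]
    srcs = [e["src_ip"] for e in entries]
    unique = set(srcs)
    return {
        "total": len(entries),
        "unique_sources": len(unique),
        "repeated_sources": len(srcs) - len(unique),
        "from_192": sum(s.startswith("192.") for s in srcs),
        "from_192_168": sum(s.startswith("192.168.") for s in srcs),
        "by_kind": dict(Counter(e["kind"] for e in entries)),
        "by_flags": dict(Counter(e["flags"] for e in entries if e["proto"] == "TCP")),
        "by_pattern": dict(Counter(classify(e) for e in entries)),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Point it at a real export instead of SAMPLE_LOG and the "by_pattern" line answers the question Louhron kept asking: a flood that is almost entirely web-server-reply and spoofed-private-source with AR flags is not a worm scan, while a run of http-probe entries with S flags is the Code Red shape. A large "repeated_sources" value relative to "total" would argue against forged addresses; the near-zero figure in the original thread argues for them.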

LOL!

Thanks for the further information. I’ll check the links you gave.

. . . And everybody else as well. My firewall has logged an inordinate number of port blocks since the hack. I’d venture that list of IP addresses is being put to use.

Y’all should make damn sure your firewalls are in order.

Okay, reading this thread has spooked me a little bit, so I downloaded ZoneAlarm, and in the 45 minutes since I’ve installed it I got 8 FWIN blocks. Is that an inordinate number? Only one was identified as a trojan port scan by the analyzer.

Well that’s interesting. Although an n of two hardly a sample makes, would you describe the port blocks that you are experiencing as at all similar to the situation as presented by rowrrbazzle in the OP? That is, a thousand or two or three connection attempts in a comparatively short span of time, or an increase in the sporadic attempts that everybody experiences?

Has anybody else noticed such an attack on their machine?

I’ve been conversing briefly with rowrrbazzle in email in the hope that ZoneAlarm might have saved a packet or two, so that one might be able to take a good look at it and see what it’s up to. It appears that ZA doesn’t support such a function, but if your own firewall software does, I’d be very interested in seeing a sample.

(Well what do you want from me? I get a kick out of this kind of thing.)

-Lloyd

Eight in 45 minutes? No, I wouldn’t think that is at all unreasonable. You are always going to see some low-level amount of traffic heading towards your machine. From pings to somebody ‘nearby’ sending out a broadcast packet, to back-door scans, to legitimate traffic that used to connect through just fine until you put up the firewall. (Instant Messengers are a good example of this - they will usually try to connect directly to the machine before giving up and sending through the server.)

If you’re really worried, feel free to email me an excerpt of those eight items from the ZA log and I will take a peek, but honestly, I would not stress over it.

Now, if you get 800, then that’s a fish calling the kettle a different colour.

-Lloyd

Thanks Louhron, I will stop worrying for now.

No, not at all like thousands of items, but I’ve definitely noticed an increase in the number of “sporadic” attempts. I used to get something like 10 - 20 blocks in a couple of hours online, but I’ve been seeing a 10 - 20 about every 30 minutes lately. Maybe just a coincidence, I dunno. And I’m on a freakin’ dial-up fer chrissakes. Like it’s worth their while.

It looks like a number of virus infected machines are trying IP addresses to find a web server that has IIS (the default gateway address coupled with the port number above).

rowrrbazzle:

I don’t think your machine is in any real danger, more that your static IP address was checked because servers normally run off statics.
If that makes any sense…