The UK Home Automation Archive


Re: OT: IP Address & Frewall



To be honest, I doubt it's specifically targeted at you.  The person in question is most likely what is known as a "script kiddie" - someone who has an automated program that scans a specified IP range, looking for potential targets exploitable by one or more specific methods.  I've had an always-on connection of one form or another for at least 4 years now (ADSL now, Tele2 wireless beforehand) and a day rarely goes by without at least 10-15 alleged intrusions being blocked by my firewall.  For example, a lot of email-spread trojans will not only spread themselves via your address book, they'll also install themselves on the quiet and listen for a certain command on a certain port.  The scan you've noticed will log whether that port is open on your machine to the person at the other end and then they'll come back and try and use the trojan that might or might not be waiting for them.
 
If it is a muppet without "l33t sk1llz", as it were, then they may have neglected the usual precautions and performed the scan directly, in which case you can resolve the IP address and determine the ISP.  Then you can notify them that this client IP was performing illegal activity at this time.  A slight problem with this is that a lot of ISPs use dynamically allocated IPs as they don't have enough to give to every one of their customers (a bit like banks - if everyone wanted to withdraw their money, they'd be buggered) and I'm not sure how religiously they keep logs of who had what IP address when.
 
If this person HAS been in the slightest bit sensible, they would have routed their probes through one or more proxies, which makes it damn near impossible to determine the original source, especially since there are a lot of anonymous proxies out there.  I once had a series of probes that, on resolution, appeared to originate from the Russian Space Agency! (One of my work colleagues was unimpressed though - "If it was Mir, THEN I'd be impressed", he said :-) )  Thousands of companies/organisations don't set up their proxy servers securely so it's very easy to route your traffic anonymously.
 
www.samspade.org is a good place to start.  For example, putting your IP address in the IP Whois tool, all I get is that it is V21 and who to report abuse to.  Nowt about yourself :
 
inetnum:      213.121.66.0 - 213.121.71.255
netname:      V21-CO-UK-LTD
descr:        V21 Co UK Ltd Dial Pool
country:      GB
 
person:       Steve Kaye
address:      Magna House
address:      Goodwood Road
address:      Eastleigh
address:      Hampshire
address:      SO50 4NT
address:      GB
phone:        +44 870 903 4111
 
Put in the attacker's IP and you get :
 
inetnum:      213.1.128.0 - 213.1.191.255
netname:      BT-IMSNET-2
descr:        BT-IMS-net-1
country:      GB


role:         BTnet Support
address:      154 St Albans Rd
address:      Sandridge
address:      St Albans
address:      Hertfordshire
address:      AL4 9NH
address:      GB
phone:        +44 1189 512313

So it looks like it's someone on BT's dialup - that could be true or it could be someone anywhere in the world using BT's proxy.
 
http://grc.com/dos/intro.htm is a well written account of what can be achieved relatively easily, but I implore you to take any technical assertions and scaremongering with a huge shovel of salt.  Although it's a good read for someone not hugely familiar with this topic, much of the specifics are blown out of proportion.  Gibson has come under fire lately for a lot of his assumptions, suggested fixes etc etc, but for a rough idea of what can be done, it's a pretty accessible article.  I must now take a moment to prostrate myself in front of all those who know about Internet networking for even daring to suggest something written by Steve Gibson :-)
 
Hope that helps
 
G
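As an added example (not part of the original thread), the two steps G describes above, pulling the remote address out of a Norton Personal Firewall entry and checking it against the inetnum ranges a whois lookup returns, in Python. The log entry and whois lines are constructed from the ones quoted in this thread; the function names are my own.

```python
import ipaddress
import re

# Constructed sample input: the Norton Personal Firewall entry quoted in this
# thread (reassembled onto consecutive lines) and the inetnum/netname lines
# from the two whois replies G pasted above.
LOG_ENTRY = """Date: 07/12/2001 Time: 21:21:13
Rule "Default Block Hack 'A' Tack Trojan horse" blocked (213.121.70.35,31789).  Details:
Inbound UDP packet
Local address,service is (213.121.70.35,31789)
Remote address,service is (213.1.166.88,31790)
Process name is "N/A"
"""
WHOIS_REPLIES = [
    "inetnum:      213.121.66.0 - 213.121.71.255\nnetname:      V21-CO-UK-LTD\n",
    "inetnum:      213.1.128.0 - 213.1.191.255\nnetname:      BT-IMSNET-2\n",
]

RULE_RE = re.compile(r'^Rule "(.*)" blocked', re.M)
PKT_RE = re.compile(r"^(Inbound|Outbound) (TCP|UDP) packet", re.M)
ADDR_RE = re.compile(r"^(Local|Remote) address,service is \((\d+(?:\.\d+){3}),(\d+)\)", re.M)

def parse_norton_entry(text):
    """Extract rule, direction, protocol and both (ip, port) pairs from one firewall entry."""
    entry = {"rule": RULE_RE.search(text).group(1)}
    entry["direction"], entry["proto"] = PKT_RE.search(text).groups()
    for side, ip, port in ADDR_RE.findall(text):
        entry[side.lower()] = (ip, int(port))  # entry["remote"] is the address to look up
    return entry

def parse_inetnum(reply):
    """Turn the inetnum/netname lines of a whois reply into (first, last, netname)."""
    lo, hi = re.search(r"^inetnum:\s+(\S+) - (\S+)", reply, re.M).groups()
    name = re.search(r"^netname:\s+(\S+)", reply, re.M).group(1)
    return ipaddress.ip_address(lo), ipaddress.ip_address(hi), name

def owner_of(ip, replies=WHOIS_REPLIES):
    """Netname of the whois block that contains ip, or None if none of the replies covers it."""
    addr = ipaddress.ip_address(ip)
    for lo, hi, name in map(parse_inetnum, replies):
        if lo <= addr <= hi:
            return name
    return None

def range_as_cidr(reply):
    """Rewrite an inetnum range as CIDR prefixes, the form an abuse report or block list wants."""
    lo, hi, _ = parse_inetnum(reply)
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]
```

Running `owner_of(parse_norton_entry(LOG_ENTRY)["remote"][0])` gives BT-IMSNET-2, matching the second whois reply; with a real whois client you would feed it the reply text instead of the canned lines.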

 
----- Original Message -----
Sent: Saturday, December 08, 2001 12:01 AM
Subject: [ukha_d] OT: IP Address & Frewall

Guys,

 

I only ask this in here because I know that somebody will know the answer and be able to explain what I should do about it.

 

My PC has been snooped by some crafty little bugger but Norton Personal Firewall stopped the intrusion and has given me the IP address of the local address and the remote address. Now, more for my own curiosity rather than being nasty (…would I *best angelic look*) I would like to find out who it is but I don’t know how I would do this and I would like to learn how to resolve this and find this stuff out, plus this clown has now tried this two nights on the trot.

 

Really I just want to learn more about the way the net works with IP addresses and suchlike, like I said, I’m curious.

 

The log I got is this:

 

Date: 07/12/2001 Time: 21:21:13
Rule "Default Block Hack 'A' Tack Trojan horse" blocked (213.121.70.35,31789).  Details:
Inbound UDP packet
Local address,service is (213.121.70.35,31789)
Remote address,service is (213.1.166.88,31790)
Process name is "N/A"

 

Any pointers any of you can give would be great.

 

BTW, thank you all for the nice comments about the new arrival, much appreciated, so much so even Tracey says thanks and she thinks I spend far too much time reading e-mail! ;-)

 

K.



For more information: http://www.automatedhome.co.uk
Post message: ukha_d@xxxxxxx
Subscribe:  ukha_d-subscribe@xxxxxxx
Unsubscribe:  ukha_d-unsubscribe@xxxxxxx
List owner:  ukha_d-owner@xxxxxxx

Your use of Yahoo! Groups is subject to the Yahoo! Terms of Service.