
Thread: Firewall Alerts

  1. #1
    Poster
    Join Date
    Feb 2003
    Location
    GLASGOW
    Posts
    293
    Last night, and as soon as I switched on this morning, I'm getting all sorts of firewall alerts. My McAfee firewall is blocking fragment attacks, port scans and incoming TCPs very frequently and all from the same IP. I switched off my PC last night as I'm scared of losing all my downloads if the worst was to happen.

    The IP is 195.92.168.120. What is going on?

  2. Software & Hardware   -   #2
    Poster
    Join Date
    Dec 2002
    Location
    HELL-you will be too_$oon enough
    Posts
    1,660
    Sounds like you're trying to get hacked but your firewall is doing its job. Try tracing that IP and seeing where it comes from.

  3. Software & Hardware   -   #3
    Leech_Killer's Avatar Poster
    Join Date
    Jan 2003
    Location
    Birmingham, UK
    Posts
    448
    If all of the attacks are coming from one IP address you should be able to block that IP address with your firewall. There should be an option in it to add IP addresses to an exclusion list; this will prevent that IP address from ever being able to connect to you.

    Alternatively, go to http://www.samspade.org. Towards the bottom there is a box to the left of a button that says 'IP Whois'; copy & paste the IP address in here and click on the button. This will tell you where it's coming from.

    I've just done a quick search and it's coming from Energis UK. Scroll down and you'll find 'Abuse reports to [email protected] please!' Send them a polite email giving all of the information that your firewall is reporting: Time, Time Zone (i.e. GMT), Date, Type of attack, your IP address, their IP address. Once they've been able to verify the attack they will do something about it; usually they cancel that person's subscription to the ISP. If they find that it's not come from them they will forward it on to the correct ISP for you. This is an example of the type of thing you need to send them, by all means use it.

    Example.

    To whom it may concern,

    Dear Sir/Madam

    I have had an attempted unauthorised access to my personal computer originating from your netrange. I would ask if you might be able to resolve this issue at source. Please find below all the information I have regarding this matter. If you are unable to help with this problem would you please email me with any contact addresses where I might be able to find the help I need.

    Date: 23/02/2003 Time: 10:54:07 GMT
    Rule "Default Block Backdoor/SubSeven Trojan horse" blocked (work(217.46.167.220),27374).
    Details: Inbound TCP connection
    Local address,service is (work(217.46.167.220),27374)
    Remote address,service is (217.226.43.145,2294)
    Process name is "N/A"

    Yours sincerely,

    Mr *******

    I hope this helps.
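
An added example, not part of the original post: a Python sketch that pulls the fields an abuse desk needs (UTC timestamp, rule, direction, protocol, both endpoints) out of an alert laid out like the sample in the draft above. The function names are hypothetical and the parser assumes the alert has exactly that layout, with GMT treated as UTC.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Alert text copied from the draft e-mail in the post above.
SAMPLE_ALERT = """\
Date: 23/02/2003 Time: 10:54:07 GMT
Rule "Default Block Backdoor/SubSeven Trojan horse" blocked (work(217.46.167.220),27374).
Details: Inbound TCP connection
Local address,service is (work(217.46.167.220),27374)
Remote address,service is (217.226.43.145,2294)
Process name is "N/A"
"""

# An endpoint is "(ip,port)" or "(name(ip),port)"; capture ip and port only.
ENDPOINT = r"\((?:[\w.-]+\()?(\d{1,3}(?:\.\d{1,3}){3})\)?,(\d+)\)"
PATTERNS = {
    "when": r"Date: (\d{2}/\d{2}/\d{4}) Time: (\d{2}:\d{2}:\d{2}) GMT",
    "rule": r'Rule "([^"]+)" blocked',
    "flow": r"Details: (Inbound|Outbound) (\w+) connection",
    "local": r"Local address,service is " + ENDPOINT,
    "remote": r"Remote address,service is " + ENDPOINT,
}

def parse_alert(text):
    """Return the report fields; raise ValueError if a line is missing or bad."""
    found = {}
    for name, pattern in PATTERNS.items():
        match = re.search(pattern, text)
        if match is None:
            raise ValueError(f"alert is missing the {name!r} line")
        found[name] = match.groups()
    day, clock = found["when"]
    # The log uses day/month/year; emit unambiguous ISO 8601 in UTC instead.
    stamp = datetime.strptime(f"{day} {clock}", "%d/%m/%Y %H:%M:%S")
    report = {
        "timestamp_utc": stamp.replace(tzinfo=timezone.utc).isoformat(),
        "rule": found["rule"][0],
        "direction": found["flow"][0].lower(),
        "protocol": found["flow"][1].upper(),
    }
    for side in ("local", "remote"):
        ip, port = found[side]
        report[f"{side}_ip"] = str(ipaddress.ip_address(ip))  # rejects 999.x
        report[f"{side}_port"] = int(port)
    return report

def format_report(report):
    """One 'field: value' line per item, ready to paste into the e-mail."""
    return "\n".join(f"{key}: {value}" for key, value in report.items())

if __name__ == "__main__":
    print(format_report(parse_alert(SAMPLE_ALERT)))
```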

  4. Software & Hardware   -   #4
    Poster
    Join Date
    Feb 2003
    Location
    GLASGOW
    Posts
    293
    Cheers to you both.

    Leech_Killer, really kind of you to explain so clearly, even including a draft! Cheers mate.

    OK. I'd blocked the IPs. Strangely there were two which seemed to be constantly putting my firewall to task. They are 195.92.168.102 and 195.92.168.117. Both on the same LAN perhaps. Having just checked, I find that my firewall is still blocking this address; every minute it's blocking incoming and outgoing TCP packets.

    I wonder if I have a worm; currently I am virus scanning. Seems really strange. I am running two firewalls, McAfee and ZoneAlarm, and they are both logging alerts constantly. Can't do much else but I just went out and bought some CD-Rs. Am about to start backing up everything, just in case.

  5. Software & Hardware   -   #5
    Leech_Killer's Avatar Poster
    Join Date
    Jan 2003
    Location
    Birmingham, UK
    Posts
    448
    Glad to help. Go here and download 'Swat It'

    http://lockdowncorp.com/bots/downloadswatit.html

    It's a free piece of software for scanning and removing Trojans/Bots.

  6. Software & Hardware   -   #6
    Leech_Killer's Avatar Poster
    Join Date
    Jan 2003
    Location
    Birmingham, UK
    Posts
    448
    The only other thing you can do is to block the net-range of that ISP, that way even if your attackers are on a network it'll filter out all possible attacks.

    Energis UK's net range is 195.92.168.0 to 195.92.171.255

    I've also had many attacks from this company over the last year or so.
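
An added example, not part of the original post: most firewalls take a net-range as CIDR blocks, so this Python sketch converts the range quoted above and checks which source addresses quoted in this thread a range block would cover. The function names are hypothetical.

```python
import ipaddress

def range_to_cidrs(first, last):
    """Return the smallest list of CIDR blocks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))

def split_by_coverage(cidrs, sources):
    """Split source addresses into (covered, missed) for the given blocks."""
    covered, missed = [], []
    for source in sources:
        addr = ipaddress.IPv4Address(source)
        bucket = covered if any(addr in net for net in cidrs) else missed
        bucket.append(source)
    return covered, missed

def addresses_blocked(cidrs):
    """Total number of addresses a rule for these blocks would deny."""
    return sum(net.num_addresses for net in cidrs)

# Net-range quoted in the post above.
BLOCKS = range_to_cidrs("195.92.168.0", "195.92.171.255")
# Source addresses quoted earlier in this thread; the last one comes from
# the sample alert in the draft e-mail and belongs to a different range.
SEEN = ["195.92.168.120", "195.92.168.102", "195.92.168.117", "217.226.43.145"]

if __name__ == "__main__":
    covered, missed = split_by_coverage(BLOCKS, SEEN)
    print("block:", ", ".join(str(net) for net in BLOCKS))
    print("addresses denied:", addresses_blocked(BLOCKS))
    print("covered:", covered)
    print("not covered:", missed)
```

A range that does not fall on a power-of-two boundary comes back as several blocks, each of which needs its own rule.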

  7. Software & Hardware   -   #7
    baccyman's Avatar n00b BT Rep: +11
    Join Date
    Oct 2002
    Location
    u.k.
    Age
    69
    Posts
    1,692
    Could this be the ISP doing a scan? Because I use the Sygate Pro firewall and I am always getting scanned by NTL. So it may not be hackers. Just a thought.

  8. Software & Hardware   -   #8
    Poster
    Join Date
    Dec 2002
    Posts
    1,484
    Way I see it, if your firewall is picking it up, then there's nothing to worry about.

  9. Software & Hardware   -   #9
    Poster
    Join Date
    Feb 2003
    Location
    GLASGOW
    Posts
    293
    To Leech_Killer, thanks again for the tip. I scanned with McAfee and Swat It but nothing found. My assailant seems to have given up.

    Baccy man, I was inclined to think it was my firewall scaremongering. Thing is though, I was getting these warnings of fragment attacks and port scans so regularly from one IP address.

    Indeed Curley, my firewall was doing its job, but it was the frequency of the attacks that made me wonder. If someone was so determined (god knows why) to hack me, eventually they might find a way.

    Another more frequent warning I get from McAfee firewall is of a "newtear" attack; this usually occurs when I'm running Kazaa Lite. Does anyone know what this means in relation to KL? Could it be hindering it from functioning correctly?

  10. Software & Hardware   -   #10
    Ron's Avatar Poster
    Join Date
    Jan 2003
    Posts
    1,687
    I have those Sub7 attacks all the freaking time, but NAV always blocks them for 30 minutes.
    I've been thinking that it may be something else.
    Could it be that someone is using the "find more files from this user", and that NAV thinks it's a hacker??
    Don't know, but I get like 50, 60 of these "attacks" every day.
