Attempted Attacks stopped by firewall

  • 26-07-2003 11:53am
    #1
    Closed Accounts Posts: 801 ✭✭✭


    I recently installed (free) Kerio Personal Firewall (http://www.kerio.com/kpf_home.html) and found it easy to set up and use. I was staggered at the frequency and regularity of unauthorised attempted connections to the PC when I am connected to the net.

    These are the latest IPs attempting unauthorised connections, any idea how to identify who they are?

    213.200.97.37
    212.162.1.99
    ip-76.uplevel.nl
    www.lockergnome.com
    194.145.128.1

    Attempted connections from these addresses came literally in the last 2 minutes.

    There are hundreds of others. Anyone know of a central database where I can find out who it is?


Comments

  • Moderators, Society & Culture Moderators Posts: 3,935 Mod ✭✭✭✭Turner


    Using a trace program I got this...



    IP Address: 213.200.97.37
    Location: San Francisco (37.778N, 122.417W)
    Network: DIGISLE-TIN

    Registrant contact information is not available.


    Name: ip-76.uplevel.nl
    IP Address: 217.67.237.76
    Location: Rotterdam (51.867N, 4.600E)
    Network: 217-RIPE

    Registrant:
    Sqad VOF
    Roerdomp 70
    4872 PN ETTEN-LEUR
    Netherlands


    Name: ns.esatclear.ie
    IP Address: 194.145.128.1
    Location: DUBLIN (53.333N, 6.250W)
    Network: ESAT-RES

    Registrant contact information is not available.


    www.lockergnome.com

    Domain Name: LOCKERGNOME.COM
    Registrar: TUCOWS, INC.
    Whois Server: whois.opensrs.net
    Referral URL: http://www.opensrs.org
    Name Server: NS1.DNSCENTRAL.COM
    Name Server: NS2.DNSCENTRAL.COM
    Status: REGISTRAR-LOCK
    Updated Date: 01-apr-2002
    Creation Date: 19-oct-1996
    Expiration Date: 18-oct-2011
    Name: Unknown
    IP Address: 212.162.1.99
    Location: Frankfurt am Main (50.117N, 8.683E)
    Network: DIGITAL-ISLAND-DE

    Registrant contact information is not available.


  • Registered Users, Registered Users 2 Posts: 5,461 ✭✭✭Frank Grimes


    http://www.ripe.net/perl/whois
    http://www.apnic.net/info/network.html
    http://www.arin.net/tools/index.html

    That 194.145.128.1 address is IOL's primary DNS server; not every connection you'll see in a firewall is someone trying to haX0r you!


  • Closed Accounts Posts: 36,634 ✭✭✭✭Ruu_Old


    Whois, try that; probably nothing sinister :)


  • Closed Accounts Posts: 1,141 ✭✭✭fisty


    There's a few central databases for IP addresses.
    However, a script I have checks all the main ones;
    here's what

    ARIN,
    RIPE,
    APNIC
    and LACNIC gave me.

    They all seem pretty innocent, wouldn't worry too much about it.


    213.200.97.37 =

    person: Ken King
    address: 225 W. Hillcrest Dr.
    address: Ste 250
    address: Thousand Oaks, CA 91360, United States
    address: US
    phone: +1 805 370 2170
    e-mail: cdnhostmaster@exodus.net
    nic-hdl: KK1195-RIPE
    mnt-by: TISCALI-INT-PERS
    changed: tobias@tiscali.net 20030312
    source: RIPE



    212.162.1.99 =

    person: Douglas Van Buren
    address: DIGITAL ISLAND INC
    address: California
    phone: +1-415 738 4612
    e-mail: dvanbur@digisle.net
    nic-hdl: DB10015-RIPE
    mnt-by: LEVEL3-MNT
    changed: jeff.lekieffre@level3.com 20001128
    source: RIPE



    ip-76.uplevel.nl =

    person: Michel Onstein
    address: Promera
    address: Mauritslaan 18
    address: 2741 CH Waddinxveen
    address: The Netherlands
    phone: +31 619 630 320
    e-mail: michel@promera.nl
    nic-hdl: MO799-RIPE
    notify: michel@promera.nl
    mnt-by: GFX-MNT
    source: RIPE
    changed: michel@promera.nl 20030113

    www.lockergnome.com =

    OrgNOCHandle: VSC-ARIN
    OrgNOCName: Verio Support Contact
    OrgNOCPhone: +1-800-551-1630
    OrgNOCEmail: support@verio.net

    OrgTechHandle: VIA4-ORG-ARIN
    OrgTechName: Verio, Inc.
    OrgTechPhone: +1-303-645-1900
    OrgTechEmail: vipar@verio.net

    194.145.128.0 - 194.145.135.255 =

    netname: ESAT-RES
    descr: EsatBT ISP Services
    descr: Dublin Ireland
    country: IE
    admin-c: GP1184-RIPE
    tech-c: GP1184-RIPE
    status: ASSIGNED PI
    notify: ripe@esat.net
    mnt-by: RIPE-NCC-HM-MNT
    mnt-by: IEUNET-NOC
    mnt-lower: IEUNET-NOC
    mnt-routes: IEUNET-NOC
    changed: hostmaster@ripe.net 19981029
    changed: dave@esat.net 20030507
    source: RIPE

    route: 194.145.128.0/21
    descr: Esat Residential Network
    origin: AS2110
    remarks: Aggregated Route for Esat Residential Networks
    notify: noc@esat.net
    mnt-by: IEUNET-NOC
    changed: conor@esat.net 19990614
    changed: dave@esat.net 20030220
    source: RIPE

    person: Gary Petticrew
    address: Esat Residential Service
    address: 7-13 Cardiff Lane
    address: Dublin 2
    address: Ireland
    phone: +353 1 6724016
    fax-no: +353 1 6771477
    e-mail: gpetticrew@esat.ie
    nic-hdl: GP1184-RIPE
    notify: gpetticrew@esat.ie
    mnt-by: IEUNET-NOC
    changed: gpetticrew@esat.ie 19981031
    source: RIPE


  • Closed Accounts Posts: 801 ✭✭✭dod


    Wow, pretty nifty script. Thanks for the info.

    dod.


  • Closed Accounts Posts: 801 ✭✭✭dod


    To some extent, I guess I'm answering my own question above, but I found the tools on the following page useful for identifying who is trying to access my MySQL port and other unsolicited queries to my 'puter when connected to the web:

    http://www.samspade.org/t/


  • Closed Accounts Posts: 590 ✭✭✭herbie747


    You can download a program called "Slap!".

    It sends a message back to the hacker, using their IP address, and tells them that you're aware of them trying to hack you, and to p*ss off or else...

    I've uploaded the software to here:
    http://www.dudemasters.com/forum/slap.zip

    It's only 500KB.


  • Closed Accounts Posts: 78 ✭✭pdogs


    There will be times when there will be a lot of sniffing of your ports by p2p programs; especially if your dynamic IP address was previously being used for this purpose.

    When first using a firewall, people begin to see just how much traffic is knocking at their door. This is generally fairly normal and mostly innocent - just turn off the alerts when you get bored with them, and let the firewall do its stuff.

    ;)


  • Registered Users, Registered Users 2 Posts: 153 ✭✭crowbar


    Originally posted by herbie747
    ("Slap!") sends a message back to the hacker, using their IP address, and tells them that you're aware of them trying to hack you, and to p*ss off or else...
    Is that wise? I mean, drawing a hacker's attention to yourself is like prancing in front of a pack of hungry wolves ...


  • Registered Users, Registered Users 2 Posts: 7,740 ✭✭✭mneylon


    If you've got a fixed IP, or are connected to the net for extended periods, you will get scanned etc. I wouldn't lose too much sleep over it, as long as you have a firewall etc. installed.


  • Registered Users, Registered Users 2 Posts: 2,152 ✭✭✭dazberry


    I found this little gem this morning in my webserver logs. I wrote the webserver itself - so it can't do any of those things anyway :D

    03:39:29 213.37.160.174 [www] GET \scripts\root.exe - File Not Found
    03:39:39 213.37.160.174 [www] GET \MSADC\root.exe - File Not Found
    03:39:39 213.37.160.174 [www] GET \c\winnt\system32\cmd.exe - File Not Found
    03:39:40 213.37.160.174 [www] GET \d\winnt\system32\cmd.exe - File Not Found
    03:39:50 213.37.160.174 [www] GET \scripts\.%5c.\winnt\system32\cmd.exe - File Not Found
    03:39:59 213.37.160.174 [www] GET \_vti_bin\.%5c.\.%5c.\.%5c.\winnt\system32\cmd.exe - File Not Found
    03:40:03 213.37.160.174 [www] GET \_mem_bin\.%5c.\.%5c.\.%5c.\winnt\system32\cmd.exe - File Not Found

    Re: Lockergnome
    I was subscribed to the Lockergnome digest for a while after they reviewed a freeware product I had. I would consider them(/him) legit. It might be an idea if you mail them with the details.

    D.

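The log lines quoted in dazberry's post are the classic signature of an automated IIS worm probe: requests for root.exe and cmd.exe with the backslash sent percent-encoded (%5c) so a naive path check misses it. The triage script below is an added example, not the poster's own webserver code; it parses that log format, decodes the path, fires three indicators (encoded separator, ".." traversal, system binary as target) and counts hits per source address. The seven lines from the post are embedded as-is; the two 192.0.2.x lines are constructed (TEST-NET addresses) to show a real traversal and an ordinary fetch for contrast.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Format of the log quoted in the post: time, source IP, vhost, method, path, status.
LOG_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d) (?P<src>\S+) \[(?P<vhost>\w+)\] "
                    r"(?P<method>[A-Z]+) (?P<path>\S+) - (?P<status>.+)$")

# Seven lines from the post, plus two constructed lines (TEST-NET-1 addresses) for contrast.
SAMPLE_LOG = r"""
03:39:29 213.37.160.174 [www] GET \scripts\root.exe - File Not Found
03:39:39 213.37.160.174 [www] GET \MSADC\root.exe - File Not Found
03:39:39 213.37.160.174 [www] GET \c\winnt\system32\cmd.exe - File Not Found
03:39:40 213.37.160.174 [www] GET \d\winnt\system32\cmd.exe - File Not Found
03:39:50 213.37.160.174 [www] GET \scripts\.%5c.\winnt\system32\cmd.exe - File Not Found
03:39:59 213.37.160.174 [www] GET \_vti_bin\.%5c.\.%5c.\.%5c.\winnt\system32\cmd.exe - File Not Found
03:40:03 213.37.160.174 [www] GET \_mem_bin\.%5c.\.%5c.\.%5c.\winnt\system32\cmd.exe - File Not Found
03:41:02 192.0.2.10 [www] GET \scripts\..%5c..\winnt\system32\cmd.exe - File Not Found
03:42:15 192.0.2.20 [www] GET \index.html - OK
"""
SYSTEM_BINARIES = {"cmd.exe", "root.exe"}

def indicators(raw_path):
    """Return the set of indicator names that fire for one request path."""
    found = set()
    if re.search(r"%(5c|2f)", raw_path, re.IGNORECASE):
        found.add("encoded-separator")   # a separator sent encoded is a canonicalisation-evasion tell
    norm = unquote(unquote(raw_path)).replace("\\", "/").lower()  # decode twice: catches double encoding
    segments = norm.split("/")
    if ".." in segments:
        found.add("traversal")
    if segments[-1] in SYSTEM_BINARIES or "winnt/system32" in norm:
        found.add("system-binary")
    return found

def triage(log_text):
    """Count requests and fired indicators per source address: {src: {name: count}}."""
    report = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue   # blank or unparsable line
        report[m["src"]]["requests"] += 1
        for name in indicators(m["path"]):
            report[m["src"]][name] += 1
    return {src: dict(counts) for src, counts in report.items()}

def is_scanner(counts, threshold=3):
    """Flag a source once it has accumulated at least `threshold` indicator hits."""
    return sum(v for k, v in counts.items() if k != "requests") >= threshold
```

Running `triage(SAMPLE_LOG)` shows 213.37.160.174 with seven system-binary hits and three encoded-separator hits, while the ordinary fetch from 192.0.2.20 triggers nothing.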
