
Thread: Blocked Intrusions, Same source

  1. #1
    concerned_user Guest

    Default Blocked Intrusions, Same source

    About half of the intrusions shown in the Zone Labs log are from the same IP address.
    It seems to belong to a user at the same ISP I use (a local company).
    Is someone I know trying to hack my computer?

    Operating System:
    Windows XP Home Edition
    Product Name:
    ZoneAlarm Internet Security Suite
    Software Version:
    7.0


    Message Edited by concerned_user on 01-29-2007 06:11 AM

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Blocked Intrusions, Same source

    What is the IP and the port(s) involved?

    Oldsod
    Best regards.
    oldsod

  3. #3
    concerned_user Guest

    Default Re: Blocked Intrusions, Same source

    The source IP is 65-165-164-8-????
    the last 4 digits seem to be different.
    The port is different; for example, in the length of time it took me to log in to the forum and check the Zone Alarm log for the address, I got 5 notices of blocked intrusions, all from this IP.
    The ports were TCP 3684, TCP 3738, TCP 3730, TCP 3671, and TCP 3621.
    Thank you for your help, this is worrying me esp. because recently my computer has shown symptoms of malware, virus or something (slowing, crashing, eccentric glitches etc.) although several programs besides ZA haven't found anything.
    I'm afraid my computer is being hacked or attacked.

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Blocked Intrusions, Same source

    http://www.dnsstuff.com/tools/whois.ch?ip=65.165.164.8

    http://www.fixedorbit.com/cgi-bin/cg...&submit=Search

    http://www.grc.com/port_3684.htm

    http://www.grc.com/port_3621.htm

    http://www.grc.com/port_3671.htm

    Questions:

    A). Have the DNS and DHCP servers been added as Trusted in the Zones of the Firewall of the ZA? If the ZA is misconfigured, then the intrusions could be a false reading or misleading...

    Make sure your DNS and DHCP server IPs are in your Firewall's Trusted zone. Finding DNS and DHCP servers, etc.:

    1. Go to Run, type in command, hit 'OK', and type ipconfig /all then press Enter. In the returned data list will be a line DNS and DHCP Servers with the IP address(es) listed out to the side.
    2. In ZA on your machine on the Firewall>Zones tab click Add and then select IP Address. Make sure the Zone is set to Trusted.
    3. Click OK and then Apply and see if that works to fix it.
    4. The loopback or localhost (127.0.0.1) must be listed as Trusted.
    5. The Generic Host Process (svchost.exe) must have server rights for the Trusted Zone.
    Plus it must have both Trusted and Internet Access.

    http://www.donhoover.net/dnsdhcp.html

    http://www.microsoft.com/resources/d....mspx?mfr=true


    B). Does your printer software or the spoolsv.exe have access to the Internet Zone or server rights for the Internet Zone? Is File and Printer Sharing enabled in the
    Properties of the Network Connections?

    C). Have you contacted your Internet provider and made an inquiry about this? They can give information about these events and if there is a hacker on their network, they can easily track the individual(s) down. They will require the logs found in C:\WINDOWS\Internet Logs called zalog.txt.
    Please do not delete these or lose these as they are proof of any hacking events. They will have to be forwarded to your provider and they will examine the logs and they will have physical proof from your end to match their server's logs.

    D). Ports and trojan matches (but not limited to what I found)

    http://www.simovits.com/trojans/trojans.html

    http://www.sans.org/resources/idfaq/oddports.php

    http://www.glocksoft.com/trojan_port.htm

    Zero trojans matched the ports listed.


    E). Okay, let's try some scans and maybe we can find some trojan or malware:

    Online scans (free), use the IE browser since they use ActiveX, and use all three:

    http://www.bitdefender.com/scan/license.php

    http://www.ewido.net/en/onlinescan/

    http://www.microsoft.com/downloads/d...displaylang=en

    Scanner (free) to download and just run:

    http://www.microsoft.com/downloads/d...displaylang=en

    Freeware scanners for download/install/update and run and use all three:

    http://www.superantispyware.com/

    http://www.emsisoft.com/en/software/free/

    http://www.lavasoftusa.com/products/...e_personal.php

    Please remember to file the names of infections, plus the sizes, time/dates, locations and any possible information given by the scanners.

    Once these scans are completed, then try an HJT forum (just choose one forum):

    http://castlecops.com/forum67.html

    http://www.bleepingcomputer.com/foru...lysis-f22.html

    HJT forums are free, have expert advice, and most often the given advice will clean the PC from anything missed or unremovable.

    Oldsod

    Message Edited by Oldsod on 01-29-2007 10:37 PM
    Best regards.
    oldsod

  5. #5
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Blocked Intrusions, Same source

    Okay this is the result of a trace route (in the command) for this IP:

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\SKYRIDER>tracert 65.165.164.8

    Tracing route to 65-165-164-8.du.volcano.net [65.165.164.8]
    over a maximum of 30 hops:

    1 <1 ms <1 ms <1 ms 192.168.x.x
    2 9 ms 6 ms 8 ms 10.132.42.1
    3 8 ms 8 ms 6 ms 66.x.x.x
    4 8 ms 10 ms 6 ms "edited"
    5 11 ms 8 ms 8 ms "edited"
    6 8 ms 9 ms 7 ms 66.x.x.x
    7 24 ms 24 ms 23 ms "edited"
    8 110 ms 111 ms 112 ms POS2-1.ar2.DCA3.gblx.net [208.51.239.201]
    9 112 ms 113 ms 115 ms ge5-3-1-1000m.ar1.dca3.gblx.net [67.17.107.13]
    10 112 ms 111 ms 113 ms sl-st20-ash-13-0.sprintlink.net [144.232.8.17]
    11 112 ms 114 ms 114 ms sl-bb20-dc-9-0-0.sprintlink.net [144.232.20.153]
    12 115 ms 115 ms 114 ms sl-bb25-rly-14-0-0.sprintlink.net [144.232.8.163]
    13 273 ms 223 ms 277 ms sl-bb23-sj-8-0-0.sprintlink.net [144.232.8.145]

    14 227 ms 224 ms 300 ms sl-bb22-stk-13-0.sprintlink.net [144.232.20.112]

    15 222 ms 221 ms 220 ms sl-gw28-stk-9-0.sprintlink.net [144.232.4.118]
    16 184 ms 184 ms 191 ms sl-voltele-7-0.sprintlink.net [160.81.16.102]
    17 239 ms 239 ms 308 ms 204-213-194-21.du.volcano.net [204.213.194.21]
    18 533 ms 415 ms 425 ms 65-165-164-8.du.volcano.net [65.165.164.8]

    Trace complete.

    C:\Documents and Settings\SKYRIDER>

    ---------------------------------------------------------

    This is the result for the ping (in the command):

    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.

    C:\Documents and Settings\SKYRIDER>ping 65.165.164.8

    Pinging 65.165.164.8 with 32 bytes of data:

    Reply from 65.165.164.8: bytes=32 time=695ms TTL=113
    Reply from 65.165.164.8: bytes=32 time=520ms TTL=113
    Reply from 65.165.164.8: bytes=32 time=454ms TTL=113
    Reply from 65.165.164.8: bytes=32 time=531ms TTL=113

    Ping statistics for 65.165.164.8:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
    Approximate round trip times in milli-seconds:
    Minimum = 454ms, Maximum = 695ms, Average = 550ms

    C:\Documents and Settings\SKYRIDER>

    --------------------------------------------------------

    The nslookup command for the IP failed. It got stuck at my OpenDNS servers and went nowhere.

    I tried the IP in the browser using the http port and the ports listed and no connections were made. Yes, the IP address itself can be entered in the address bar of the browser instead of URLs.

    ---------------------------------------------------------

    Take care.

    Oldsod
    Best regards.
    oldsod

  6. #6
    concerned_user Guest

    Default Re: Blocked Intrusions, Same source

    Thank you for your help (and patience).
    I'm not familiar with the meaning of these codes.
    Does this mean someone with the user name SkyRider is trying to hack my computer, or something called SkyRider is on my computer?
    I'm on my way to work, so I haven't had time to try the suggestions in your previous message (although I've already run some of the programs, and my computer hangs when I try the online scanners). I'm going to try the other suggestions as soon as I can.
    I can't thank you enough for your help!

  7. #7
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Blocked Intrusions, Same source

    Please do not interpret the SkyRider as a threat. It is just the copy and paste of the result from the command. The SkyRider is the name of my PC/User Name. I am quite sure your PC has its own name or you have your own name or some special name.

    In fact I call all my machines the same name and always use the same user name. I never register the PCs with any personal information. It makes life easier for me and it confuses Microsoft; they still have no idea of who I am or have any personal information about me.

    I was merely showing the attempts made to find and contact this server.

    Make sure the full time guard of the resident antivirus is disabled, when doing the online scans. Or in other words disable the antivirus in the ZASS before doing the online scans- that way there is no interference from having two antiviruses run at the same time.

    If the scanners have a difficulty in scanning when the PC is actually booted and running the OS, then try a free DOS scanner that will scan the PC when it is still not actually running ( in many ways this is a superior scan since it has nothing hindering it):

    http://antivirus.about.com/od/securi...a/fprotdos.htm

    Note you may need F12 to boot from the D Drive (CD/DVD drive) to do the scans. It may be complicated the first few times, but after that it is easy. Don't forget the Enter key after the commands. You may actually need some help with this type of scan from a knowledgeable friend or colleague.

    Oldsod

    Message Edited by Oldsod on 01-30-2007 10:53 AM
    Best regards.
    oldsod

  8. #8
    concerned_user Guest

    Default Re: Blocked Intrusions, Same source

    I have tried the suggestions in your previous message.
    The scanning programs found some tracking cookies but nothing else.
    In ZA my DNS servers were not set to trusted, however changing this did not stop the problem.
    In the results of ipconfig it showed DHCP enabled: NO.
    The printer ports and spoolsv.exe do not have internet access.
    I have been studying the ZA log more closely, and realized that not all alerts are from the IP ending in .8; there are multiple 65.165.164 addresses, but the endings are .8, .66, .53, .45, .4, .22, .10 and .29.
    Within the last three days (and I've been online very little because I've been at work most of the day)
    there have been 63 blocked intrusions from 65.165.164 addresses.
    Of them 15 were http, 2 were https, 4 were NetBios, 5 were sent to port 135, 1 sent to port 4444, 1 sent to port 8721, 4 were routed, 2 outgoing, and 29 sent to port 445.
    My computer is not networked. The alerts seem to come in batches, for example this morning there were 8 alerts in less than 7 minutes.
    Thank You for all of your help
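An added example, not from the thread: a small script that tallies blocked inbound events the way the poster did above (per source host in the 65.165.164.0/24 range and per destination port). The log lines are constructed in the style of ZoneAlarm's zalog.txt; the exact field layout is an assumption, so adjust LINE_RE if your file differs.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines (not real log data) in the assumed zalog.txt layout:
# type,date,time,src:port,dst:port,protocol
SAMPLE_LOG = """\
FWIN,2007/01/29,06:11:22 -5:00 GMT,65.165.164.8:3684,192.168.1.100:445,TCP (flags:S)
FWIN,2007/01/29,06:12:05 -5:00 GMT,65.165.164.8:3738,192.168.1.100:135,TCP (flags:S)
FWIN,2007/01/29,06:13:41 -5:00 GMT,65.165.164.66:1120,192.168.1.100:445,TCP (flags:S)
FWIN,2007/01/29,06:14:09 -5:00 GMT,65.165.164.53:2311,192.168.1.100:139,UDP
FWIN,2007/01/29,06:15:30 -5:00 GMT,65.165.164.8:3621,192.168.1.100:80,TCP (flags:S)
FWIN,2007/01/29,06:17:02 -5:00 GMT,10.9.8.7:4001,192.168.1.100:445,TCP (flags:S)
FWOUT,2007/01/29,06:17:30 -5:00 GMT,192.168.1.100:1050,208.67.222.222:53,UDP
"""

LINE_RE = re.compile(
    r"^(?P<kind>FW(?:IN|OUT)),(?P<date>[^,]+),(?P<time>[^,]+),"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),(?P<proto>\w+)"
)

def parse_log(text):
    """Yield inbound blocked events (FWIN); lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m["kind"] == "FWIN":
            yield {"src": m["src"], "dport": int(m["dport"]), "proto": m["proto"]}

def summarize(text, net="65.165.164.0/24"):
    """Count inbound blocks from one subnet, broken down by source host and by
    (protocol, destination port), so batches from a range stand out."""
    subnet = ip_network(net)
    by_host, by_port = Counter(), Counter()
    total = 0
    for ev in parse_log(text):
        if ip_address(ev["src"]) in subnet:
            total += 1
            by_host[ev["src"]] += 1
            by_port[(ev["proto"], ev["dport"])] += 1
    return total, by_host, by_port

if __name__ == "__main__":
    total, hosts, ports = summarize(SAMPLE_LOG)
    print(f"{total} blocked inbound events from 65.165.164.0/24")
    for host, n in hosts.most_common():
        print(f"  {host}: {n}")
    for (proto, port), n in ports.most_common():
        print(f"  {proto} port {port}: {n}")
```

The per-port breakdown is what the ISP's abuse desk will want alongside the raw zalog.txt, since it shows which services (445, 135, NetBIOS) the range is probing.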

  9. #9
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Blocked Intrusions, Same source

    Are there any programs or components with server allowed or set for the Internet Zone? Remove the server rights for the Internet Zone.

    Any Internet Messengers or Google desktop running?

    If so disable these from running with the startup of Windows.

    Also:

    My Computer > Properties > Remote > Remote Assistance is disabled?

    Also in the Properties of the Network Connections is the File and Printer Sharing unchecked?

    Under the Properties of the Internet Protocol TCP/IP > Advanced > Wins > is the LMHostlookup unchecked and the Disable NetBIOS checked?

    Oldsod
    Best regards.
    oldsod

  10. #10
    concerned_user Guest

    Default Re: Blocked Intrusions, Same source

    These components have a check mark under Access:

    LEGITCHECKCONTROL.DLL - Windows Genuine Advantage Validation
    LegitLib.dll - Windows Genuine Advantage Validation Library
    ACROIEHELPER.DLL - Adobe Acrobat IE Helper Version 7.0 for ActiveX
    Flash8.ocx - Macromedia Flash Player 8.0 r22
    MCPS.DLL - Media Catalog Proxy/Stub
    MpClient.dll - Client Interface
    MpOAv.dll - IOffice Antivirus Module
    MpShHook.dll - Shell Execution Monitor
    MSOHEV.DLL - Microsoft Office XP component
    muweb.dll - Microsoft Update Web Control
    ssv.dll - Java(TM) 2 Platform Standard Edition Library
    wuapi.dll - Windows Update ClientAPI
    wuaueng.dll - Windows AutoUpdate Engine
    wups.dll - Windows Update client proxy stub
    wups2.dll - Windows Update client proxy stub 2
    wuweb.dll - Windows Update Web Control
    zlavscan.dll - zlavscan shell extension

    Programs:

    Generic Host Process for Win32 Services - C:\Windows\system32\svchost.exe has Access Trusted and Internet, Server Trusted and Internet (I just changed Server Internet to Ask)
    Internet Explorer - C:\Program Files\Internet Explorer\iexplorer.exe has Access Trusted and Internet
    LSA Shell (Export Version) - C:\Windows\system32\lsass.exe has Access Trusted and Internet
    Outlook Express - C:\Program Files\Outlook Express\msimn.exe has Access Trusted and Internet
    Run a DLL as an App - C:\Windows\system32\rundll32.exe has Access Trusted and Internet
    Services and controller app - C:\Windows\system32\services.exe has Access Trusted and Internet
    Spam Filter - C:\Program Files\Zone Alarm\MailFrontier\manispm.exe has Access Trusted and Internet
    Userinit Logon Application - C:\Windows\system32\userinit.exe has Access Trusted and Internet
    Windows Defender command line utility - C:\Program files\windows defender\MpCmdRun.exe has Access Trusted and Internet
    Windows Explorer - C:\WINDOWS\explorer.exe has Access Trusted and Internet
    Windows Media Player Network Sharing Service - C:\Program Files\Windows Media Player\wmpnetwk.exe has Access Trusted and Internet
    Windows NT Logon Application - C:\WINDOWS\system32\winlogon.exe has Access Trusted and Internet
    Windows NT Session Manager - C:\WINDOWS\system32\smss has Access Trusted and Internet
    Zone Alarm Updating Client - C:\WINDOWS\system32\ZoneLabs\UpdClient.exe has Access Trusted and Internet

    ---------------------------------------------------------

    There are no Messenger Services or Google Desktop running.

    Remote Assistance is not disabled.

    File and Printer Sharing is unchecked.

    LMHostlookup is checked, so is Disable NetBIOS.

    Thank You