VideoHelp Forum
  1. Member
    Join Date
    Sep 2006
    Location
    United States
    Hi,

    OK, there is this one IP that is "hacking" my firewall as soon as I am connected.
    It is using DHCP_Format_String and UDP_Probe_Other. That really doesn't say much to me; here is what it says:

    1- [Unauthorized Access Attempt] This signature detects the presence of a printf style format string in the options segment of a DHCP request.

    2- [Pre-attack Probe] This signature detects UDP port probes directed at ports not detected by more specific signatures.

    I have no clue who that is, but it is trying really hard. The event indicator shows this in red, which is the highest (high to low: red/orange/yellow/green). Most events that I get show in yellow, which is OK, and only that one IP shows in red. For now I am just blocking this IP from future attempts, but I am wondering if I could actually trace it and find out who that is, or at least where it is pinging from. I was searching for some free software, but I couldn't find anything. Is there a way to find out who that is for free?
    moved to another forum, nobody likes me here...
  2. Mod Neophyte redwudz's Avatar
    Join Date
    Sep 2002
    Location
    USA
    My software firewall gives me their IP address. Then I do a 'Whois' to get their ISP name. You can find one here: http://www.dslreports.com/whois

    But what I see most often are Bots like Google or similar. They hit our site here many times a day. They aren't attacking, just being persistent to gather info.

    There's a nice discontinued freeware graphical tracing program with maps that shows all the jumps and timings, that you may still find with a Google search: Neotrace Express 3.25. Highly recommended and fun to play with.

    Some other sites that aren't so friendly have hit my computer once a second for days. But I block them incoming and outgoing, so they just use up my bandwidth, no harm done otherwise. They seem to give up after a while.

    Does your firewall create a log? If so, see if the IP address is there.

    EDIT: Here's one that I blocked. It took 23 jumps and about 380ms to get to:

    I would say the origin might be suspicious.
  3. Member
    Join Date
    Feb 2004
    Location
    Australia
    Should it not be "Dubious"

    http://www.softpedia.com/progDownload/Sam-Spade-Download-34862.html
    Does all you need in whois, finger, trace, etc.

    My mate in Vic had the same issue; he gave me the offending IP ... Ten minutes later, they stopped.

    I wonder if it was the message that popped up on their screen from my system, or the fact they were only a 4 hour drive away from my place ... not far enough ... if I come calling.

    Took me 8 cracks to get through the firewall ... politely , not trying to crash it .

    Not only was I able to get the address, phone number, business name ... but the level the offending PC was on.
  4. Member
    Join Date
    Sep 2006
    Location
    United States
    OK, check this out...


    neot.jpg

    how to show image here instead of link?
  5. Member
    Join Date
    Sep 2006
    Location
    United States
    OK, I got location...

    neot2.bmp
  6. Member
    Join Date
    Sep 2006
    Location
    United States
    I get an incoming packet from this IP every minute or so...
  7. Member
    Join Date
    Feb 2004
    Location
    Australia
    07/01/07 20:55:54 IP block 10.128.112.1@whois.eunet.es
    Trying 10.128.112.1 at ARIN
    Trying 10.128.112 at ARIN

    OrgName: Internet Assigned Numbers Authority
    OrgID: IANA
    Address: 4676 Admiralty Way, Suite 330
    City: Marina del Rey
    StateProv: CA
    PostalCode: 90292-6695
    Country: US

    NetRange: 10.0.0.0 - 10.255.255.255
    CIDR: 10.0.0.0/8
    NetName: RESERVED-10
    NetHandle: NET-10-0-0-0-1
    Parent:
    NetType: IANA Special Use
    NameServer: BLACKHOLE-1.IANA.ORG
    NameServer: BLACKHOLE-2.IANA.ORG
    Comment: This block is reserved for special purposes.
    Comment: Please see RFC 1918 for additional information.
    Comment:
    RegDate:
    Updated: 2002-09-12

    OrgAbuseHandle: IANA-IP-ARIN
    OrgAbuseName: Internet Corporation for Assigned Names and Number
    OrgAbusePhone: +1-310-301-5820
    OrgAbuseEmail: abuse@iana.org

    OrgTechHandle: IANA-IP-ARIN
    OrgTechName: Internet Corporation for Assigned Names and Number
    OrgTechPhone: +1-310-301-5820
    OrgTechEmail: abuse@iana.org

    # ARIN WHOIS database, last updated 2007-06-30 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.

    ----

    Get on the phone .
  8. Member
    Join Date
    Sep 2006
    Location
    United States
    Yeah I just saw that info...
  9. Member
    Join Date
    Feb 2004
    Location
    Australia
    http://www.iana.org/faqs/abuse-faq.htm

    Very interesting , and long reading .

    Describes how the IPs are assigned, etc.

    I once found myself on the fbi site years ago ... funny stuff .

    ----

    I'm on doc RFC 1918 ... unambiguous / ambiguous defs between enterprises

    http://www.rfc-editor.org/rfc/rfc1918.txt

    I thought QuickPOS from Quicken drove me nuts ... never a smooth upgrade.
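The whois output in post 7 and the RFC 1918 pointer in post 9 come down to one check: 10.128.112.1 is a private address, so whois can only ever return IANA's reservation record, and the sender has to be found on the local side of the link rather than traced across the Internet. Below is an added example (not code from any poster) that makes that check and also shows what the DHCP_Format_String signature from post 1 is matching on: a printf-style conversion specifier inside a DHCP option value. The option walker follows the RFC 2132 TLV layout; the sample option bytes are constructed.

```python
import ipaddress
import re

# RFC 1918 private ranges; the thread's 10.128.112.1 falls in the first one.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# printf-style conversion specifier, the pattern the DHCP_Format_String signature describes
FORMAT_SPEC = re.compile(rb"%[-+ #0]*\d*(?:\.\d+)?[diouxXeEfgGcspn]")


def classify_source(ip_text):
    """'rfc1918': whois returns IANA's reservation, look on the local network instead.
    'special-use': loopback, link-local, multicast etc., not routed on the Internet.
    'global': a whois / abuse-contact lookup is worthwhile."""
    ip = ipaddress.ip_address(ip_text)
    if any(ip in net for net in RFC1918):
        return "rfc1918"
    if not ip.is_global:
        return "special-use"
    return "global"


def walk_dhcp_options(options):
    """Yield (code, value) pairs from a DHCP options field (RFC 2132 TLV layout).
    Code 0 is a one-byte pad, code 255 ends the list; anything else is code, length, value."""
    i = 0
    while i < len(options):
        code = options[i]
        if code == 255:
            return
        if code == 0:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError(f"truncated option header at offset {i}")
        length = options[i + 1]
        value = options[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated value for option {code}")
        yield code, value
        i += 2 + length


def format_string_options(options):
    """Return the option codes whose value carries a printf-style specifier."""
    return [code for code, value in walk_dhcp_options(options) if FORMAT_SPEC.search(value)]


# Constructed sample: option 53 (DHCP message type = DISCOVER), option 12 (host name)
# carrying "%n%n%s", then the end marker.
SAMPLE_OPTIONS = bytes([53, 1, 1, 12, 6]) + b"%n%n%s" + bytes([255])

if __name__ == "__main__":
    print("10.128.112.1 ->", classify_source("10.128.112.1"))       # rfc1918
    print("options flagged:", format_string_options(SAMPLE_OPTIONS))  # [12]
```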
  10. Member
    Join Date
    Sep 2006
    Location
    United States
    Originally Posted by Bjs
    http://www.iana.org/faqs/abuse-faq.htm

    Very interesting , and long reading .

    Describes how the IPs are assigned, etc.

    I once found myself on the fbi site years ago ... funny stuff .

    ----

    I'm on doc RFC 1918 ... unambiguous / ambiguous defs between enterprises

    http://www.rfc-editor.org/rfc/rfc1918.txt

    I thought QuickPOS from Quicken drove me nuts ... never a smooth upgrade.
    "May you live in interesting times"
    "May you come to the attention of those in authority"
    "May you find what you are looking for"

    It sure took me all nite to figure this one out...time to go to sleep
  11. Member isogonic's Avatar
    Join Date
    Jan 2003
    Location
    @localhost
    Your firewall is doing what it's supposed to do; I wouldn't worry about it too much.
  12. contrarian rallynavvie's Avatar
    Join Date
    Sep 2002
    Location
    Minnesotan in Texas
    I still use PeerGuardian for local IP blocking. My firewall prevents use of unused ports but PG stops any suspicious IPs that may use the ports I have open. On my lapper I have Norton's software firewall but the only thing it does is prevent unauthorized processes from accessing the internet. Of course that's only useful if you're dumb enough to get your PC infected with a trojan but it's often interesting to see some applications you don't think need internet access are "calling home".

    As redwudz said they'll give up after trying and finding a dead end. Your firewall seems to be stopping it from doing anything malicious. However if it is IANA they're one of the blackhole servers that feed spam IPs and the like to website hosts for use in their blacklisting features. However my experience with such services is that if you're being pinged by them it means someone is sending spam or similar from your IP, or at least spoofing it. Usually once they see the IP or domain is valid they'll leave you alone, odd to see it recurring.
    FB-DIMM are the real cause of global warming
  13. Member
    Join Date
    Sep 2006
    Location
    United States
    Originally Posted by rallynavvie
    However my experience with such services is that if you're being pinged by them it means someone is sending spam or similar from your IP, or at least spoofing it. Usually once they see the IP or domain is valid they'll leave you alone, odd to see it recurring.
    Yes, that is exactly what I was thinking about. I was wondering why I am on their list since I am an "average nobody".
    Since I started to pay more attention to what is going on in the "background of my PC" and I found several Trojans and malware, I thought that perhaps some hacker was using my IP as a host to either spam or spoof...hm-mm...very interesting indeed...


