Denial of Service Attacks

I presume many of you have heard on TV or radio about the denial of service attacks by hackers that took Yahoo down for three hours, and which have been made against other sites like eBay, Amazon, etc.

I recently installed the ZoneAlarm firewall (http://www.zonelabs.com/) on my system because my cable modem is connected all the time, and began seeing a lot of attempts to probe my system. Interestingly, the first I caught was someone else on the @home cable modem system, and the most recent one (last night) was also on that system, but I have had many from non-@home IPs as well.

I was in the process of writing an email to ZoneLabs about wanting to be able to log these attacks when one began. They probed me 8 times while I was writing the email, giving me enough time to switch to another window and do a tracert to them, which I included in the email to ZoneLabs and to a couple of people with @home, and which I have forwarded to the FBI:

Subject: logs
Date: Wed, 09 Feb 2000 23:22:41 -0600
From: Don Singleton <djs@ionet.net>
Organization: Tulsa Computer Society
To: feedback@zonelabs.com, support@zonelabs.com
CC: Mark Fancher <fancherboy@home.com>, customer.care@tci.com

I understand that ZoneAlarm does not currently log attempts to get past the firewall but is considering adding it. I don't know how much trouble that would be, but I have had a LOT of attempts to probe me, from a number of IPs, in the last day or two, and I am suspicious that the people killing Yahoo, etc. may be looking for other machines to hijack, and if you were able to add something, even if crude, that allowed them to be caught, it would be one heck of a feather in your cap.

While writing this message 24.10.237.210 attempted to access my port 12345 from their port 1699, AND they also tried to access my port 12346 from their port 1953, AND tried to access my port 31337 from their port 2207, AND my port 1243 from their port 2461, AND my port 6670 from their port 2715, AND someone tried to access my NetBIOS name (10.76.118.1) AND (10.0.192.5) AND (10.0.236.38).

In fact I got so many that I did not think I could type fast enough to copy them (since I can't seem to mark the text in your pop up windows).

FYI here is a tracert to 24.10.237.210

Since this site is apparently an @home customer as I am, I am also forwarding it to the man who installed my cable modem and a tech number with TCI. Mark, you may want to forward this to the abuse number you gave me as well.

C:\WINDOWS>tracert 24.10.237.210
Tracing route to cc298468-a.hwrd1.md.home.com [24.10.237.210] over a maximum of 30 hops:
1 13 ms 13 ms 13 ms 10.76.118.1
2 13 ms 14 ms 15 ms r1-fe1-0-100bt.tulsa1.ok.home.net [24.10.24.1]
3 34 ms 32 ms 27 ms 10.0.192.5
4 28 ms 25 ms 27 ms bb1-fe0-0-100bt.rdc1.tx.home.net [24.4.0.1]
5 65 ms 37 ms 54 ms c1-se6-0.ftwotx1.home.net [24.7.72.225]
6 29 ms 30 ms 41 ms c1-pos5-0.dllstx1.home.net [24.7.64.134]
7 38 ms 46 ms 54 ms c1-pos5-0.tulsok1.home.net [24.7.64.161]
8 55 ms 40 ms 52 ms c1-pos3-0.omahne1.home.net [24.7.64.149]
9 57 ms 49 ms 51 ms c1-pos1-0.chcgil1.home.net [24.7.64.142]
10 60 ms 57 ms 73 ms c1-pos3-0.clevoh1.home.net [24.7.64.174]
11 77 ms 66 ms 68 ms c1-pos5-1.cmdnnj1.home.net [24.7.67.150]
12 75 ms 71 ms 73 ms c1-pos2-0.bltmmd1.home.net [24.7.68.129]
13 69 ms 79 ms 79 ms bb1-pos1-0-0.rdc1.md.home.net [24.7.72.94]
14 88 ms 70 ms 71 ms 10.0.236.38
15 80 ms 92 ms 74 ms cr1.hwrd1.md.home.net [24.3.0.59]
16 106 ms 80 ms 86 ms cc298468-a.hwrd1.md.home.com [24.10.237.210]

Trace complete.

The FBI web site has information about these attacks (http://www.fbi.gov/nipc/trinoo.htm) and they even have software which can be installed on Unix systems to help identify the culprits. As far as I can tell, they don't have Windows software, so I guess ZoneAlarm is the best that can be used there.
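The ports named in the e-mail above are the default listening ports of the Windows remote-control trojans of the day: 12345 and 12346 are NetBus, 31337 is Back Orifice, 1243 is SubSeven and 6670 is DeepThroat. One host trying all five in a row is not attacking the firewall; it is sweeping for machines that already carry one of those backdoors and can be taken over. The Python script below is an added example, not code from this page, from ZoneLabs or from the FBI: it does by script what the e-mail does by hand, reading blocked-connection records, recognising the backdoor ports, aggregating per source address and drafting the abuse report. The log line layout, the sample records, the protected-host address 192.0.2.10 and the second source 198.51.100.7 are all constructed for the example; only 24.10.237.210, the five ports and the private address 10.76.118.1 come from the page.

```python
# Added example (not from the TCS page or ZoneAlarm): classify blocked inbound
# probes by destination port, aggregate them per source, and draft an abuse report.
import ipaddress
import re
from collections import defaultdict, namedtuple
from typing import Optional

# Default listening ports of remote-control trojans current in early 2000.  One
# outside host trying several of them in a row is sweeping for machines that
# already carry a backdoor and can be taken over, e.g. as DDoS agents.
TROJAN_PORTS = {12345: "NetBus", 12346: "NetBus", 31337: "Back Orifice",
                1243: "SubSeven", 6670: "DeepThroat"}
NETBIOS_PORTS = {137: "NetBIOS name service", 138: "NetBIOS datagram", 139: "NetBIOS session"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical log line layout (assumed for this example, not ZoneAlarm's own):
#   <date> <time> <proto> <src>:<sport> -> <dst>:<dport> <action>
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$")

# Constructed sample: the five ports and the source the e-mail above names, plus a
# NetBIOS probe from a private address and an unrelated web probe.  192.0.2.10
# stands in for the protected host and 198.51.100.7 is a placeholder source.
SAMPLE_LOG = """\
2000-02-09 23:20:11 TCP 24.10.237.210:1699 -> 192.0.2.10:12345 BLOCKED
2000-02-09 23:20:12 TCP 24.10.237.210:1953 -> 192.0.2.10:12346 BLOCKED
2000-02-09 23:20:13 TCP 24.10.237.210:2207 -> 192.0.2.10:31337 BLOCKED
2000-02-09 23:20:14 TCP 24.10.237.210:2461 -> 192.0.2.10:1243 BLOCKED
2000-02-09 23:20:15 TCP 24.10.237.210:2715 -> 192.0.2.10:6670 BLOCKED
2000-02-09 23:20:20 UDP 10.76.118.1:137 -> 192.0.2.10:137 BLOCKED
2000-02-09 23:21:02 TCP 198.51.100.7:40001 -> 192.0.2.10:80 BLOCKED
"""

Event = namedtuple("Event", "proto src sport dst dport action")

def parse_log(text: str) -> list:
    """Parse the hypothetical format above; a malformed line raises ValueError."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised log line: {line!r}")
        events.append(Event(m["proto"], m["src"], int(m["sport"]),
                            m["dst"], int(m["dport"]), m["action"]))
    return events

def label_port(proto: str, dport: int) -> Optional[str]:
    """Name the service a probe targets, or None if it is not one we track."""
    if proto == "TCP" and dport in TROJAN_PORTS:
        return TROJAN_PORTS[dport]
    return NETBIOS_PORTS.get(dport)

def is_rfc1918(addr: str) -> bool:
    """Private addresses cannot reach a cable modem from the public Internet."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)

def summarize(events: list, sweep_threshold: int = 2) -> dict:
    """Aggregate blocked attempts per source; flag backdoor sweeps and private sources."""
    per_src = defaultdict(lambda: {"attempts": 0, "trojan_ports": set(), "labels": set()})
    for ev in events:
        if ev.action != "BLOCKED":
            continue
        entry = per_src[ev.src]
        entry["attempts"] += 1
        label = label_port(ev.proto, ev.dport)
        if label:
            entry["labels"].add(label)
        if ev.proto == "TCP" and ev.dport in TROJAN_PORTS:
            entry["trojan_ports"].add(ev.dport)
    for src, entry in per_src.items():
        # Several distinct backdoor ports from one host is a sweep, not a stray packet.
        entry["sweep"] = len(entry["trojan_ports"]) >= sweep_threshold
        # A private source sits inside the ISP's network (the traceroute above shows
        # such addresses as hops), so it is not the outside party to report.
        entry["private_source"] = is_rfc1918(src)
    return dict(per_src)

def abuse_report(summary: dict) -> str:
    """One line per source, sweeps first, ready to paste into an abuse e-mail."""
    lines = []
    for src, e in sorted(summary.items(), key=lambda kv: (not kv[1]["sweep"], -kv[1]["attempts"], kv[0])):
        tag = "BACKDOOR SWEEP" if e["sweep"] else ("ISP-INTERNAL" if e["private_source"] else "other")
        ports = ", ".join(f"{p} ({TROJAN_PORTS[p]})" for p in sorted(e["trojan_ports"]))
        lines.append(f"{src}: {e['attempts']} blocked attempt(s) [{tag}]" + (f" -> {ports}" if ports else ""))
    return "\n".join(lines)

if __name__ == "__main__":
    print(abuse_report(summarize(parse_log(SAMPLE_LOG))))
```

Two design points matter when reading the output. The sweep flag requires at least two distinct backdoor ports from one source, so a single stray packet to 31337 is reported but not escalated. Private (RFC 1918) sources are tagged ISP-INTERNAL rather than treated as attackers: an address like 10.76.118.1 cannot reach a cable modem from the public Internet, and the traceroute above shows the three private addresses from the e-mail as hops 1, 3 and 14 inside the @home network, so an abuse complaint about them would go nowhere.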

I wanted to let you know about ZoneAlarm, in case you wanted to install it on your systems. Just go to http://www.zonelabs.com/. Its use is not limited to DSL and cable modem connections. It was installed on my system yesterday during a dial-up connection for a SIG meeting, and we were interrupted with at least 10 different probes during the meeting.

See also:
http://www.zdnet.com/zdnn/special/doswebattack.html
http://cnn.com/2000/TECH/computing/02/08/yahoo.assault.idg/index.html
http://cnn.com/2000/TECH/computing/02/09/cyber.attacks.01/index.html
http://www.forbes.com/forbes/00/0221/6504068a.htm
http://www.forbes.com/forbes/00/0221/6504068s1.htm

Previous TCS Virus Alerts:



Tulsa Computer Society
Don Singleton, President
djs@ionet.net