Being repeatedly attacked!!!

Discussion in 'Networking & Security' started by NotS0Pro, Jul 8, 2008.

  1. NotS0Pro New Member

    Joined:
    May 15, 2007
    Messages:
    10 (0.00/day)
    Thanks Received:
    1
    I'm currently running Windows XP, with AVG free and Spybot guarding my PC. As far as I understand, they are protecting my registry, though not my network.

    "Your computer has been attacked from the internet."

    I just recently installed a free version of Kaspersky Anti-Virus, seeing as I only have Windows Firewall in the way of the big-bad internet. Since installation (about 4 days ago), it has picked up numerous attempts from a Helkern worm, and now a TCP SYN Flood.

    The flood is actually going on as I write this, with numerous IP addresses from around the world being cited as the source - as expected according to Wikipedia.

    I'm not exactly the noisiest internet user, and I don't really know anyone who is capable of doing this. I'm also very careful when downloading files, and don't visit sites I shouldn't be on, or give away information that I'm not supposed to.

    Nonetheless, it would seem that someone or something has it in for me.
    This may be coincidental, but I was on TPU forums when the problems started occurring, anyone else having problems?

    Is Kaspersky feeding me reliable information? I know how difficult it is (or can imagine) to trace bouncing, but is there any way I can find out who or what is causing this?

    I'm actually on TPU as I'm learning about Overclocking, and well, hardware in general, and this is proving to be a real pain! If anyone could perhaps offer some advice I would be eternally grateful!

    Thanks, Nots0pro
     
  2. MKmods Case Mod Guru

    Joined:
    Feb 26, 2008
    Messages:
    5,697 (2.29/day)
    Thanks Received:
    1,748
    Location:
    Nevada
    I would format the HDD and start over with a clean comp.
     
  3. farlex85

    farlex85 New Member

    Joined:
    Mar 29, 2007
    Messages:
    4,829 (1.71/day)
    Thanks Received:
    638
    Yeah me too, I wouldn't play around w/ it. Sometimes you can hunt and find things in your computer causing problems like that, but I really wouldn't risk it, back up your important stuff and reformat.
     
  4. intel igent

    intel igent New Member

    Joined:
    Jun 5, 2005
    Messages:
    4,641 (1.33/day)
    Thanks Received:
    434
    Location:
    Toronto, Canada
    start fresh, use one good program and limit your pr0n sites to known good ones ;)
     
  5. TheMailMan78

    TheMailMan78 Big Member

    Joined:
    Jun 3, 2007
    Messages:
    21,301 (7.72/day)
    Thanks Received:
    7,781
    I agree. Format that thing ASAP. As far as anti-virus programs go I use Microsoft OneCare and Spybot among others. Also I've been on this forum for a long time and have never had a problem, and believe me I've pissed people off. 99.9% of the people on this forum are good people with different views. They are also pretty smart people and know how to defend their systems. I think most who come here know it's pointless to attack us. Plus from my experience it's just not that kind of place. :toast:
     
  6. calvary1980

    calvary1980 New Member

    Joined:
    Dec 26, 2007
    Messages:
    1,801 (0.71/day)
    Thanks Received:
    310
    Location:
    Toronto, CA
    if it was a real syn flood you wouldn't be able to post a thread here, it's probably some stupid kid you mouthed off to recently, change your ip (mac) and reboot.

    - Christine
     
  7. Ravenas

    Ravenas

    Joined:
    May 24, 2007
    Messages:
    4,691 (1.69/day)
    Thanks Received:
    349
    Location:
    Tennessee
    That's exactly what it is. I wouldn't be worried about finances either, but then again don't go typing passwords all over the place. Chances are if it's a kid, there's a keylogger.
     
  8. p_o_s_pc

    p_o_s_pc F@H&WCG addict

    Joined:
    May 2, 2007
    Messages:
    13,009 (4.66/day)
    Thanks Received:
    2,183
    Location:
    Newark ohio
    +1 :toast:
     
    Crunching for Team TPU
  9. calvary1980

    calvary1980 New Member

    Joined:
    Dec 26, 2007
    Messages:
    1,801 (0.71/day)
    Thanks Received:
    310
    Location:
    Toronto, CA
    -1. formatting his computer isn't going to change anything, he is just going to format and reinstall windows on the same ip if he is static. he needs to change his ip then deal with the worm.

    - Christine
     
  10. Ravenas

    Ravenas

    Joined:
    May 24, 2007
    Messages:
    4,691 (1.69/day)
    Thanks Received:
    349
    Location:
    Tennessee
    Formatting his HDD will get rid of the worm (-1 for him). However, that doesn't really matter, because he still has your ip. Reset your router & modem.
     
  11. p_o_s_pc

    p_o_s_pc F@H&WCG addict

    Joined:
    May 2, 2007
    Messages:
    13,009 (4.66/day)
    Thanks Received:
    2,183
    Location:
    Newark ohio
    I was saying +1 to limiting the pr0n sites to only ones that are known to be good
     
    Crunching for Team TPU
  12. NotS0Pro New Member

    Joined:
    May 15, 2007
    Messages:
    10 (0.00/day)
    Thanks Received:
    1
    Thanks for your quick replies :)

    There's a screenshot here, if you're interested. *sorry http://i303.photobucket.com/albums/nn149/NotS0Pro/TCPSYN.jpg

    If you could indulge my interest (or perhaps ignorance), though... I thought that this was external, rather than internal?

    I have no idea how to change my MAC address, I thought that they were permanent? >.<
     
    Last edited: Jul 8, 2008
  13. Ravenas

    Ravenas

    Joined:
    May 24, 2007
    Messages:
    4,691 (1.69/day)
    Thanks Received:
    349
    Location:
    Tennessee
    If you have a worm it's internal. If he's using something like TELNET or apache it's external.

    You have a worm.
     
  14. calvary1980

    calvary1980 New Member

    Joined:
    Dec 26, 2007
    Messages:
    1,801 (0.71/day)
    Thanks Received:
    310
    Location:
    Toronto, CA
    wipe your entire hard drive over 1 worm? weak. unplug your modem, scan, remove worm, plug modem back in, change mac address, reboot.

    - Christine
     
  15. Ravenas

    Ravenas

    Joined:
    May 24, 2007
    Messages:
    4,691 (1.69/day)
    Thanks Received:
    349
    Location:
    Tennessee
    I never said wipe the whole HDD :p
     
  16. Tatty_One

    Tatty_One Super Moderator Staff Member

    Joined:
    Jan 18, 2006
    Messages:
    16,918 (5.19/day)
    Thanks Received:
    2,690
    Location:
    Worcestershire, UK
    Amen to that!
     
  17. imperialreign

    imperialreign New Member

    Joined:
    Jul 19, 2007
    Messages:
    7,043 (2.60/day)
    Thanks Received:
    909
    Location:
    Sector ZZ₉ Plural Z Alpha


    like others have mentioned, it's prob just some twerp out to annoy you - and to add to it, you might have picked up a trojan or otherwise, or if you're on a wireless connection, some twerp trying to breach your network. One person can appear as hundreds of attacks if they're using a bot (which points to an inexperienced twerp).

    either way, first, update whatever AV software you're using, also pick up a couple of the freebies (like Windows Defender), get everything updated primo - disable your internet connection, and have your AV software run full scans - this might take a few hours, depending on how big your HDD is, and how in-depth you've configured the scanners to dig; if they turn up anything, remove or quarantine it.

    Afterwards, as someone else mentioned, try changing your mac address and see how things go.



    One final word of caution, though - although free spyware and AV software can typically be good, they still usually fall short of the highly-rated, paid-subscription AV software, which will also usually include a firewall, malware and virus scanner, network monitoring and protection, etc. You might want to think about a better software suite sometime soon.
     
    NotS0Pro says thanks.
  18. panchoman

    panchoman Sold my stars!

    Joined:
    Jul 16, 2007
    Messages:
    9,595 (3.53/day)
    Thanks Received:
    1,200
    I'm with christine on this one... he's best off just downloading a trial version of ZoneAlarm Pro and HijackThis and similar and killing the worm, etc. while offline and then going back and using proper firewalls etc. to block out any other intrusions.
     
    NotS0Pro says thanks.
  19. calvary1980

    calvary1980 New Member

    Joined:
    Dec 26, 2007
    Messages:
    1,801 (0.71/day)
    Thanks Received:
    310
    Location:
    Toronto, CA
    for XP.

    1) start -> run -> "control" -> network and internet connections -> network connections -> right click nic -> properties -> general -> configure -> advanced -> network address -> value

    2) start -> run -> "cmd" -> ipconfig /all -> copy "Physical Address" -> select nic window -> paste into value without dashes -> change last 2 characters -> ok

    - Christine
     
    Last edited: Jul 8, 2008
  20. W1zzard

    W1zzard Administrator Staff Member

    Joined:
    May 14, 2004
    Messages:
    15,038 (3.88/day)
    Thanks Received:
    11,948
    changing your mac address won't do anything to your internet ip. if your isp gives you a static ip you will keep that ip which is bound to your login name/dsl line/cable line. if they give you dynamic ips you will end up with ips from a certain range allocated to some kind of spatial area

    mac addresses are an ethernet technology
     
  21. calvary1980

    calvary1980 New Member

    Joined:
    Dec 26, 2007
    Messages:
    1,801 (0.71/day)
    Thanks Received:
    310
    Location:
    Toronto, CA
    if he is receiving a syn flood his ip must be static, brainiac. I have static and own 5 ip that I can change at will. most cable packages allow "up to 5 pc per household", which really means 5 ip; even if you only use 1 you can still access them.

    - Christine
     
    NotS0Pro says thanks.
  22. W1zzard

    W1zzard Administrator Staff Member

    Joined:
    May 14, 2004
    Messages:
    15,038 (3.88/day)
    Thanks Received:
    11,948
    syn flood can happen to dynamic ips as well. even though if you reconnect to your isp and get another ip you are probably not going to be syn flooded instantly... until the attacker somehow finds out your new ip.

    does your software detect the internet background noise as syn flood?

    your neighbour runs a torrent and seeds like a champ. the trackers have his ip and give it out to other leechers. those will try to connect to the ip and port advertised. at some point your neighbour goes offline and you come online, get his ip. so all those torrent users will now try to connect to your box because they still think it's your neighbour. since more filesharing protocols than just bt exist, the traffic increases quite a bit. then there are all sorts of people scanning the whole internet for open ports, vulnerabilities etc.

    can your software give a more detailed report than just "syn flood from x.x.x.x" ?
     
    NotS0Pro says thanks.
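
One way to get the more detailed report asked for in the post above, as an added example that is not part of the original thread: group dropped inbound SYNs by destination port and by source, to tell many hosts retrying one port (the stale-peer case) from one host probing many ports or from a genuinely flood-level rate. It assumes dropped-packet logging is enabled and that lines follow the field order of a Windows Firewall `pfirewall.log`; the sample lines, the function names and both thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

def parse(line):
    """Return (time, src_ip, dst_port) for a dropped inbound bare SYN, else None."""
    f = line.split()
    if line.startswith("#") or len(f) < 10:
        return None
    if f[2] != "DROP" or f[3] != "TCP" or f[9] != "S":
        return None
    when = datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S")
    return when, f[4], int(f[7])

def summarize(lines, flood_rate=100.0, min_group=5):
    """Label each destination port and list sources that probe many ports.
    flood_rate (SYNs/second) and min_group are assumed thresholds; tune them."""
    by_port, by_src = defaultdict(list), defaultdict(set)
    for when, src, port in filter(None, map(parse, lines)):
        by_port[port].append((when, src))
        by_src[src].add(port)
    report = {}
    for port, hits in by_port.items():
        times = [t for t, _ in hits]
        span = max((max(times) - min(times)).total_seconds(), 1.0)
        rate = len(hits) / span
        sources = {s for _, s in hits}
        if rate >= flood_rate:
            label = "flood-rate"              # sustained high volume on one port
        elif len(sources) >= min_group:
            label = "many-sources-one-port"   # e.g. peers chasing the IP's previous holder
        else:
            label = "background"              # isolated connection attempts
        report[port] = (label, len(sources), round(rate, 2))
    scanners = sorted(s for s, ports in by_src.items() if len(ports) >= min_group)
    return report, scanners

def sample_log():
    """Constructed sample: 8 hosts retrying one port, plus 1 host walking 6 ports."""
    tail = "48 S 1000 0 65535 - - -"
    lines = ["#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags"]
    for i in range(8):
        lines.append(f"2008-07-08 14:02:{i * 5:02d} DROP TCP 203.0.113.{i + 1} 198.51.100.7 40{i:02d} 6881 {tail}")
    for i, port in enumerate([21, 23, 80, 135, 139, 445]):
        lines.append(f"2008-07-08 14:03:{i:02d} DROP TCP 192.0.2.9 198.51.100.7 5000 {port} {tail}")
    return lines

if __name__ == "__main__":
    report, scanners = summarize(sample_log())
    for port in sorted(report):
        print(port, *report[port])
    print("port scanners:", scanners)
```
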
  23. NotS0Pro New Member

    Joined:
    May 15, 2007
    Messages:
    10 (0.00/day)
    Thanks Received:
    1
    Hey again, I've just run Spybot S&D, AVG free and Ad-aware SE Pro. Spybot picked up some tracking cookies (11!), Ad-aware picked up some spyware (Mediaplex... generic stuff really), and running AVG last picked up nothing. I did this offline.

    I think I was a little skimpy on information beforehand, so to clarify...

    I'm using an ADSL modem, which I am using a DUN connection to connect to, due to crappy AOL software. The modem is USB 2.0. The IP address is static.

    I realize I was having a bit of a dull moment before... I have an ASUS Striker Extreme v.1 motherboard, which has an in-built NIC, as I understand (2 Gbit Ethernet ports on rear panel). I'm not that clued on networking, although as W1zzard mentioned, MAC addresses are ethernet (I remember now :p) so this doesn't apply to me?

    The Kaspersky window I referred to is real-time protection, which notifies me of "attacks" that were prevented. A series of worms, or a series of the same worm to be precise, named "Helkern" were brought to my attention over the past two days. These were from IP addresses in China. These notifications have actually continued, and I literally just got one :/.

    Unfortunately, as one problem seems to have "stopped", another has become apparent to me. This is the constant barrage of "TCP SYN" attacks, which I assume are part of an automated program, due to the short latency between the notifications. The amount of notifications I have received from the Kaspersky software is easily within the hundreds at this point. No further information is available from the program other than the type of attack, the ip address and the fact that it was repelled.

    I can turn these notifications off, although it really doesn't solve the problem. The problem that now seems to be someone deliberately attacking my system? I can't afford to buy cigarettes at the moment, let alone any new software :(

    I'm not sure what you mean by the background noise? Do you mean the noise on the line? I have no idea, either way.

    Thanks again, Nots0pro
     
  24. candle_86 New Member

    Joined:
    Dec 28, 2006
    Messages:
    3,916 (1.34/day)
    Thanks Received:
    233
    Ok well if it's static, contact AOL and request an IP change; tell them why you are requesting it and they should honor it. Second of all, get Windows Defender if you're broke; it's a damn decent firewall on the cheap. And if you have 30 bucks to spare go to Wal-Mart and get OneCare Live; I use it and love it.
     
    NotS0Pro says thanks.
  25. mrhuggles

    mrhuggles

    Joined:
    Oct 10, 2007
    Messages:
    1,540 (0.59/day)
    Thanks Received:
    174
    do you go on irc? if you don't go on irc then it's probably not a targeted attack.
     
