rod_kalashnikov Posted July 28, 2004 Share Posted July 28, 2004 Link to comment Share on other sites More sharing options...
george Posted July 28, 2004 Share Posted July 28, 2004 Are you using outpost software firewall? Can you see which IP address it's coming from? It's most likely the worms on the net scanning for vulnerable machines. Probably nothing to worry about if your patched up. It's someone looking to see if you are vulnerable to some known exploits in Windows. If you are using XP with SP1 and recent security patches then you are safe. Odds are they are scanning hundreds of systems at a time by scanning a range of ip addresses. Example exploit: http://www.kb.cert.org/vuls/id/547820 Link to comment Share on other sites More sharing options...
rod_kalashnikov Posted July 28, 2004 Author Share Posted July 28, 2004 Link to comment Share on other sites More sharing options...
george Posted July 28, 2004 Share Posted July 28, 2004 I have forwarded this thread to our hosting provider for advise. My guess is that these activities SEEMS to come from our server, but I am quite confident that they are not. Will revert asap. Link to comment Share on other sites More sharing options...
rod_kalashnikov Posted July 28, 2004 Author Share Posted July 28, 2004 Link to comment Share on other sites More sharing options...
george Posted July 28, 2004 Share Posted July 28, 2004 We have a dedicated server, so my best guess is that this is someone one the same C class net. I am chasing the NOC now. Could you please filter out the relevant log entries and email them to me as an attachment. admin[at]thaivisa.com Thanks. I have installed Outpost on a separate machine, and so far nothing from our C net. A lot of other crap, though. Link to comment Share on other sites More sharing options...
tuky Posted July 28, 2004 Share Posted July 28, 2004 For the past couple of days I've been periodically hit with suspicious port scans from thaivisa.com ................===== 7:37:24 PM Attack Detection Report Port Scanning has been detected from www.thaivisa.com (scanned ports:TCP (1391, 1390, 1392, 1388, 1389, 1387)) 6:33:05 PM Attack Detection Report Port Scanning has been detected from www.thaivisa.com (scanned ports:TCP (4828, 4827, 4826, 4825, 4824, 4823)) 12:00:14 AM Attack Detection Report Port Scanning has been detected from www.thaivisa.com (scanned ports:TCP (1278, 1277, 1280, 1276, 1275, 1274)) 7/27/2004 11:54:59 PM Attack Detection Report Port Scanning has been detected from www.thaivisa.com (scanned ports:TCP (2582, 2581, 2580, 2579, 2578, 2577)) 7/27/2004 8:02:16 PM Attack Detection Report Port Scanning has been detected from www.thaivisa.com (scanned ports:TCP (4057, 4055, 4053, 4052, 4051, 4050)) ===== For those interested, can someone in the know explain what all this means? Link to comment Share on other sites More sharing options...
huski Posted July 28, 2004 Share Posted July 28, 2004 For the past couple of days I've been periodically hit with suspicious port scans from thaivisa.com ................===== 7:37:24 PM Attack Detection Report Port Scanning has been detected from www.thaivisa.com (scanned ports:TCP (1391, 1390, 1392, 1388, 1389, 1387)) 6:33:05 PM Attack Detection Report Port Scanning has been detected from www.thaivisa.com (scanned ports:TCP (4828, 4827, 4826, 4825, 4824, 4823)) 12:00:14 AM Attack Detection Report Port Scanning has been detected from www.thaivisa.com (scanned ports:TCP (1278, 1277, 1280, 1276, 1275, 1274)) 7/27/2004 11:54:59 PM Attack Detection Report Port Scanning has been detected from www.thaivisa.com (scanned ports:TCP (2582, 2581, 2580, 2579, 2578, 2577)) 7/27/2004 8:02:16 PM Attack Detection Report Port Scanning has been detected from www.thaivisa.com (scanned ports:TCP (4057, 4055, 4053, 4052, 4051, 4050)) ===== For those interested, can someone in the know explain what all this means? tuky, rod has a firewall that is logging port scan attempts...this activity usually occurs when a hacker is looking for a way into a computer. when rod says it is one the best spoofs he means the hacker would be faking the thaivisa webserver's ip or there is a compromised port on the webserver that is redirecting port scans and using our webserver as the last hop. however, i believe it is something else and not an attack on his system. Link to comment Share on other sites More sharing options...
chingy_ Posted July 29, 2004 Share Posted July 29, 2004 im not sure if this is anything important, but let me give it a try, i browse thro thaivisa.com very often, more like a few dozen time a day, i have notice that every time i click to go to next page i have an extra click sound that sound like some one is trying to send me cookies or what ever it is, it never happen before, but now aday every page i go to i have and extra click sound other than my own. Link to comment Share on other sites More sharing options...
rod_kalashnikov Posted July 29, 2004 Author Share Posted July 29, 2004 Link to comment Share on other sites More sharing options...
rod_kalashnikov Posted July 29, 2004 Author Share Posted July 29, 2004 Link to comment Share on other sites More sharing options...
george Posted July 29, 2004 Share Posted July 29, 2004 I have exchanged several e-mails with the hosting company, they are convinced that no suspcious programs or scripts are on the server ( they checked thoroughly ) and thus conclude that everything is normal, that these might just be the server doing it's normal job. I have been logged in to the forum all day with two machines, one with Zone Alarmpro installed and one with Outpost Pro. Nothing suspicius in the logs. May I suggest that you ask in a professional internet security forum, they might have some ideas what is wrong with your computer, OS, network or firewall setup. Link to comment Share on other sites More sharing options...
Bluecat Posted July 29, 2004 Share Posted July 29, 2004 Did you clean your computer from any trojan viruses/worms? The "attacks" seem to be to frequent to be generated from an outside source. Aren't they originating from your computer? Link to comment Share on other sites More sharing options...
huski Posted July 29, 2004 Share Posted July 29, 2004 Those hacker attacks and port scans seem to occur ONLY when I'm logged in.While I'm a Guest, nothing happens. Things that make me go "Hmmmmmmm.........." try logging into thaivisa with a different browser than microsoft IE, like firefox...if the problem goes away and you still want to use IE, delete your cookies and reset the firewall rules. Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now