Please Help!!!!


metalrod
8th August 2001, 23:21
I have had over 1000 alerts this week!!!!!!!!

ZA blocked this - what does it mean??
I wasn't using any FTP software at the time.

Can somebody help? Thanx

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Reverse DNS Lookup of 193.253.202.148
The computer name ("domain name") identified for this IP address is:

ASte-Genev-Bois-103-1-2-148.abo.wanadoo.fr

(Note: if you see "Unavailable", instead of a computer name, that means no reverse DNS entry was found for this IP address, and so the domain name could not be identified.)

Whois Lookup of 193.253.202.148
The following information was obtained from the "whois" database for the registry with which ASte-Genev-Bois-103-1-2-148.abo.wanadoo.fr is registered. This gives administrative and contact information about ASte-Genev-Bois-103-1-2-148.abo.wanadoo.fr.

If no domain name was identified, or if it was not possible to determine which registry the IP address is registered under, and for certain foreign domains that are not currently supported, the information below was obtained from the ARIN whois database. In that case, the information is not about the specific computer at 193.253.202.148. The information in that case is administrative and contact information for the "upstream provider" that administers a block of IP addresses, of which 193.253.202.148 is only one.

Particularly in the case of ARIN database results, the whois information below includes administrative information about a group of IP addresses that are all administered together. They may be administered together because the computers are all owned by the same person or organization, but they may not be. For example, an ISP may administer a large block of IP addresses together, but the ISP doesn't own all, or even most, of the computers on its network.

Please do not assume the people named in this report are the ones who are responsible for the alert you saw. However, if you are getting repeated alerts from IP addresses in the same IP block, this is a good place to find out who administers the network. If you have identified malicious or highly suspicious activity and have ruled out configuration errors, bugs, and other benign causes, you may wish to contact a network administrator to notify him or her.

Tous droits reserves par copyright.
Voir http://www.nic.fr/outils/dbcopyright.html
Rights restricted by copyright.
See http://www.nic.fr/outils/dbcopyright.html

domain: wanadoo.fr
descr: France Telecom Interactive
descr: 41, rue Camille Desmoulins
descr: 92442 Issy Les moulineaux cedex
admin-c: CC1215-FRNIC
tech-c: FTI-FRNIC
zone-c: NFC1-FRNIC
nserver: ns.wanadoo.fr 193.252.19.10
nserver: ns.wanadoo.com
nserver: ns2.wanadoo.fr 193.252.19.11
nserver: ns2.wanadoo.com
mnt-by: FR-NIC-MNT
mnt-lower: FR-NIC-MNT
changed: ripe-dbm-updates@nic.fr 19990506
changed: auto-update@nic.fr 19990823
changed: migration-dbm@nic.fr 20001015
source: FRNIC

role: Contacts of FTI
address: France Telecom Interactive
address: 41, rue Camille Desmoulins
address: 92442 Issy Les Moulineaux cedex
phone: +33 1 41 33 39 00
fax-no: +33 1 41 33 39 01
e-mail: postmaster@wanadoo.fr
e-mail: abuse@wanadoo.fr
trouble: mail postmaster for ANY problem.
admin-c: SC1509-FRNIC
tech-c: TEFS1-FRNIC
tech-c: SC1509-FRNIC
tech-c: NS1058-FRNIC
tech-c: CC1215-FRNIC
tech-c: IH678-FRNIC
nic-hdl: FTI-FRNIC
notify: ripe.mnt@fti.net
mnt-by: FT-INTERACTIVE
changed: Patrice.Robert@fti.net 19990413
changed: Patrice.Robert@fti.net 19990415
changed: Patrice.Robert@fti.net 19990506
changed: addr-reg@rain.fr 19990921
changed: migration-dbm@nic.fr 20001015
source: FRNIC

role: NIC France Contact
address: AFNIC
address: Immeuble International
address: 2, rue Stephenson
address: Montigny le Bretonneux
address: 78181 Saint Quentin en Yvelines Cedex
address: France
phone: +33 1 39 30 83 00
fax-no: +33 1 39 30 83 01
e-mail: tech@nic.fr
trouble: Information: http://www.nic.fr/
trouble: Questions: mailto:nic@nic.fr
trouble: Spam: mailto:abuse@nic.fr
trouble: Test: mailto:ping@nic.fr
admin-c: AR41
tech-c: AR41
tech-c: PL12-FRNIC
tech-c: JP1110-FRNIC
tech-c: EM634-FRNIC
tech-c: MS1887-FRNIC
tech-c: VL-FRNIC
tech-c: PR1249-FRNIC
tech-c: PV827-FRNIC
tech-c: GO661-FRNIC
tech-c: FT1632-FRNIC
tech-c: MS32434-FRNIC
tech-c: AI1-FRNIC
nic-hdl: NFC1-FRNIC
mnt-by: FR-NIC-MNT
changed: pick@nic.fr 20010313
changed: pick@nic.fr 20010313
source: FRNIC

person: Catherine Chevalier
address: France Telecom Interactive
address: 41, rue Camille Desmoulins
address: 92442 Issy les Moulineaux cedex
phone: +33 1 41 33 39 00
fax-no: +33 1 41 33 26 75
e-mail: catherine.chevalier@wanadoo.com
nic-hdl: CC1215-FRNIC
remarks: Exploitation Manager
mnt-by: FT-INTERACTIVE
changed: Patrice.Robert@fti.net 19990205
changed: migration-dbm@nic.fr 20001015
source: FRNIC


The firewall has blocked Internet access to your computer (FTP) from 193.253.202.148 (TCP Port 4750) [TCP Flags: S].

Time: 8/8/01 23:11:10

Jill
9th August 2001, 00:29
I'm getting tons of the things too, so are loads of other peeps Jim. Mine are from flipping everywhere! Current consensus of opinion seems to be that it's this ruddy Red Worm thing looking for more systems to inhabit. As long as you're not running W2K Server you're probably OK. Annoying though, isn't it? ZA keeps throwing alerts at me like a mad thing! :eek:

Edit:
See ZA thread in General Help for more details.

Synergy Blades
9th August 2001, 00:53
Jill, you could always turn the alert window off through the main window -> Alerts. Instead it gives you an annoying blinking yellow thing in the ZA icon in the systray, blocking half of the green indicator. :mad:
Still, less annoying than 2 popups a minute (like an annoying adserver or something)

onomatopoeia
9th August 2001, 01:26
Jim, yours isn't Code Red as you are being attacked on port 21 (FTP) not port 80 (HTTP). Most people are getting scanned on port 80 for unpatched IIS installations, you are being scanned for something else - an FTP server by the looks of things :(

If you are getting lots of these all originating from wanadoo.fr addresses then email their abuse address with the logs (not the RIPE whois lookup, as they know all that info; just the time, IP and details of the ports you gave in the last couple of lines).

Jill
9th August 2001, 01:31
Sorry Mark, I thought it was the same as the things I've been getting :o

Synergy, just found out about 5 mins ago that I could turn the alert off .. durr .. brain's gone tonight :o

onomatopoeia
9th August 2001, 01:37
No need to apologise Jill, I just spend too much time with my nose in this stuff when I should be trying to find that life I misplaced :lol

Jill
9th August 2001, 01:42
Get yourself up to the Balloon Fiesta this weekend Mark :)
You know it makes sense ;) Night glow tomorrow night (Thursday) at about 9pm-9.30pm. Wouldn't miss it for the world :).

onomatopoeia
9th August 2001, 01:46
What a good idea :), I've never been - only lived locally for 13 years as well :lol

metalrod
9th August 2001, 10:15
I also get the HTTP ones as well; this was a different one I thought I'd just check out.

Here's some from this morning :(

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The firewall has blocked Internet access to your computer (HTTP) from 213.155.38.254 (TCP Port 3266) [TCP Flags: S].

Occurred: 2 times between 8/9/01 10:06:06 and 8/9/01 10:06:12

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The firewall has blocked Internet access to your computer (HTTP) from 61.128.186.141 (TCP Port 3862) [TCP Flags: S].

Time: 8/9/01 10:06:06

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The firewall has blocked Internet access to your computer (NetBIOS Name) from 213.38.208.173 (NetBIOS Name).

Time: 8/9/01 10:11:04

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

onomatopoeia
9th August 2001, 11:21
Looking a bit damp for the balloon glow tonight, at least if the weather over at Ashton court is anything like it is here in Westbury on Trym :(

Jim, those are most likely code red scans.
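
The alert lines quoted in this thread can be parsed and sorted the way onomatopoeia suggests (port 80 SYNs are the Code Red style sweeps, port 21 is a separate FTP probe, and an abuse mail needs only time, IP and ports). The Python below is an added example written for this thread; it is not code from the thread, from ZoneAlarm or from any linked site. The mapping from ZoneAlarm's service label to the local port (FTP 21/tcp, HTTP 80/tcp, NetBIOS Name 137/udp) is an assumption, and the sample log text is constructed from the lines quoted above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample: the four ZoneAlarm alerts quoted in this thread, with
# the Time:/Occurred: line that followed each of them, as one log text.
SAMPLE_LOG = """\
The firewall has blocked Internet access to your computer (FTP) from 193.253.202.148 (TCP Port 4750) [TCP Flags: S].
Time: 8/8/01 23:11:10
The firewall has blocked Internet access to your computer (HTTP) from 213.155.38.254 (TCP Port 3266) [TCP Flags: S].
Occurred: 2 times between 8/9/01 10:06:06 and 8/9/01 10:06:12
The firewall has blocked Internet access to your computer (HTTP) from 61.128.186.141 (TCP Port 3862) [TCP Flags: S].
Time: 8/9/01 10:06:06
The firewall has blocked Internet access to your computer (NetBIOS Name) from 213.38.208.173 (NetBIOS Name).
Time: 8/9/01 10:11:04
"""

ALERT_RE = re.compile(
    r"The firewall has blocked Internet access to your computer "
    r"\((?P<service>[^)]+)\) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\((?P<detail>[^)]+)\)(?: \[TCP Flags: (?P<flags>[^\]]+)\])?\."
)
TIME_RE = re.compile(r"Time: (\S+ \S+)")
OCCURRED_RE = re.compile(r"Occurred: (\d+) times between (\S+ \S+) and (\S+ \S+)")
SRC_PORT_RE = re.compile(r"(TCP|UDP) Port (\d+)")

# Assumed mapping from ZoneAlarm's service label to the local port it protects.
SERVICE_PORTS = {"FTP": (21, "tcp"), "HTTP": (80, "tcp"), "NetBIOS Name": (137, "udp")}


@dataclass
class Alert:
    service: str
    src_ip: str
    src_port: Optional[int]
    proto: str
    dst_port: int
    flags: str
    count: int = 1
    first_seen: Optional[datetime] = None
    last_seen: Optional[datetime] = None


def _ts(text: str) -> datetime:
    # ZoneAlarm stamps are local time with no zone; an abuse report must say which zone.
    return datetime.strptime(text, "%m/%d/%y %H:%M:%S")


def parse_alerts(log_text: str) -> List[Alert]:
    """Turn alert lines plus their Time:/Occurred: lines into Alert records."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ALERT_RE.match(line)
        if m:
            dst_port, proto = SERVICE_PORTS.get(m["service"], (0, "?"))
            pm = SRC_PORT_RE.match(m["detail"])  # "NetBIOS Name" carries no source port
            alerts.append(Alert(service=m["service"], src_ip=m["ip"],
                                src_port=int(pm.group(2)) if pm else None,
                                proto=proto, dst_port=dst_port,
                                flags=m["flags"] or ""))
            continue
        if not alerts:
            continue  # a timestamp with no preceding alert line
        current = alerts[-1]
        t = TIME_RE.match(line)
        if t:
            current.first_seen = current.last_seen = _ts(t.group(1))
            continue
        o = OCCURRED_RE.match(line)
        if o:
            current.count = int(o.group(1))
            current.first_seen = _ts(o.group(2))
            current.last_seen = _ts(o.group(3))
    return alerts


def classify(alert: Alert) -> str:
    """Sort alerts the way the thread does: port 80 SYNs are the Code Red style
    sweeps for IIS, port 21 is an FTP probe, UDP 137 is a NetBIOS name probe."""
    if alert.dst_port == 80 and "S" in alert.flags:
        return "http-scan"
    if alert.dst_port == 21:
        return "ftp-probe"
    if alert.dst_port == 137:
        return "netbios-name-probe"
    return "other"


def count_by_kind(alerts: List[Alert]) -> Dict[str, int]:
    return dict(Counter(classify(a) for a in alerts))


def abuse_report(alerts: List[Alert], src_ip: str) -> List[str]:
    """Lines to paste into a mail to the ISP's abuse address: time, source IP
    and the ports involved, not the whois dump they already have."""
    lines = []
    for a in sorted((a for a in alerts if a.src_ip == src_ip and a.first_seen),
                    key=lambda a: a.first_seen):
        src = f"{a.src_ip}:{a.src_port}" if a.src_port else a.src_ip
        lines.append(f"{a.first_seen:%Y-%m-%d %H:%M:%S} {src} -> "
                     f"{a.proto}/{a.dst_port} ({a.service}) x{a.count} flags={a.flags or '-'}")
    return lines


if __name__ == "__main__":
    parsed = parse_alerts(SAMPLE_LOG)
    print(count_by_kind(parsed))
    for ip in sorted({a.src_ip for a in parsed}):
        print("\n".join(abuse_report(parsed, ip)))
```

Run against a saved ZoneAlarm log, `count_by_kind` shows how much of the noise is port 80 sweeps (which a box not running IIS can ignore), and `abuse_report` gives the per-source summary for the handful of addresses worth reporting.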

Techtips
9th August 2001, 11:49
-------------------------------
The firewall has blocked Internet access to your computer (NetBIOS Name) from 213.38.208.173 (NetBIOS Name).

Time: 8/9/01 10:11:04

------------------------------------


Ohhh!!!!!!!!!! It's not just a script kiddie, this one.

At last, a hacker that actually knows a little something:

different IP addresses and attacking different services.

Jim, don't worry about it, ZA has stopped them.

Is this on a dial-up? If so, less reason to be worried.

Log off, leave 5 minutes, then log back on again.

You could also try using a proxy to browse with.

onomatopoeia
9th August 2001, 11:58
Ian, you know more about NetBIOS scans than me, but could not a 137-137 scan be an indication of a badly set up machine (i.e. configured with a workgroup name of WORKGROUP and announcing itself over the internet to everyone in its /24)?

Techtips
9th August 2001, 13:16
Yes, you're right Mark, BUT this is also dependent on the node type of the NetBIOS function:

http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_TCPIP_und_nr_NetBIOS.htm

http://www.winntmag.com/Articles/Index.cfm?ArticleID=113

It's looking for a NetBIOS name server, isn't it!

The same happens when you run the nbtstat -a command, or in other words when trying to get the "Named Shares" off a remote PC. Hence why it's better to disable NetBIOS over TCP/IP ;)

The NetBIOS named shares are listed in order, and then it is very simple to connect to those remote shares on a remote PC using the ******* command, although you don't even need to use that if you have windoze: you just connect using ********** (see below). The Happy Hacker's way of doing it, that is. Interestingly enough there has been a recent increase in NetBIOS route hacking and it now accounts for about 5% of hacking routes, I think directly because of the Steve Gibson article making more script kiddies aware of the method in the first place; there are references to it on the net everywhere. They all know how to use search engines; all it takes is a few minutes and you're past script kiddie status, i.e. no need for those trojans, and have now become a fully fledged command line guru. Hacking from the DOS command line and windoze is now as easy as hacking from Linux. This is due to the SMB modules that are available, and was one of the reasons that the L0pht once had lunch with MS suits many years ago.

For some interesting stats from one guy's machine over the period of ONE MONTH, have a look at these tables:

             Hacking Method               Method is Used by   Number of Hacks   Percent of Total
 1 (1)       TCP 27374/*                  SubSeven v2                     197              35.3%
 2 (4)       ICMP Ping                    -                                69              12.4%
 3 (3)       TCP 1243/*                   SubSeven v1                      64              11.5%
 4 (2)       NetBIOS Session (TCP 139/*)  Windows                          61              10.9%
 5 (6)       NetBIOS Name (UDP 137/*)     Windows                          27               4.8%
 6 (5)       UDP 2140/60000               Deep Throat                      27               4.8%
 7 (7)       UDP 31337/*                  Back Orifice                     21               3.8%
 8 (8)       UDP 31789/31790              Hack 'a' Tack                    14               2.5%
 9 (9)       FTP (TCP 21/*)               -                                13               2.3%
10 (-)       TCP 111/*                    Linux/Unix                        5               0.9%


Also interestingly enough, BT Internet seem to be the ISP with the most problems in script kiddie hacking:

Top Ten Hacking ISPs
             ISP Name                         Number of Hacks   Percent of Total
 1 (1)       BT Internet (UK)                             359              64.3%
 2 (2)       NTL Internet (UK)                             19               3.4%
 3 (3)       Planet Online (UK)                            13               2.3%
 4 (4)       America Online (US)                           12               2.2%
 5 (5)       BT Click (UK)                                  7               1.3%
 6 (6)       Deutsche Telecom Internet (DE)                 5               0.9%
 7 (-)       Logical Networks (UK)                          5               0.9%
 8 (-)       Financial Training Co (HK)                     4               0.7%
 9 (7)       JAK Internet (UK)                              4               0.7%
10 (8)       Level 3 Communications (UK)                    4               0.7%

Remember this is one month's stats on one guy's machine.

I didn't see the original port where it came from (blinded) until you just pointed it out :)

Now you all wonder why I flap on about security all the time: using this single method above, in less than ten seconds I can have access to someone's machine (provided they have no firewall that is configured properly).

People still don't bother reading properly the article that I wrote. Some people on here keep coming back asking questions that they can find the answers for there.

I'm glad at least we have managed to convince a good portion of this board to get a firewall, through making them aware of the dangers.


******* & ******** means you will have to go on a networking course and learn about networking, by which time you will be able to get a good job and will be out drinking too much to be wanting to think about hacking.
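
Techtips' point that the UDP 137 hit "is looking for a NetBIOS name server" can be checked by decoding the datagram the firewall dropped rather than guessing from the port. The Python below is an added example written for this thread, not code from the thread, from Microsoft or from either linked article: it implements the RFC 1001/1002 first-level name encoding and parses the header and single question of a NetBIOS Name Service packet, so a blocked datagram can be labelled as an ordinary (broadcast) name query or as the wildcard node-status query that the command Techtips mentions (nbtstat -a) sends. `build_nbns_query` exists only to construct test input offline; the two sample queries are constructed, not captured, and the transaction ID 0x1234 is an arbitrary value.

```python
import struct

NBNS_PORT = 137
QTYPE_NB = 0x0020      # name query (who has this name?)
QTYPE_NBSTAT = 0x0021  # node status query: asks a host for its whole name table
FLAG_RESPONSE = 0x8000
FLAG_BROADCAST = 0x0010


def nb_encode(name: str, suffix: int = 0x00) -> str:
    """First-level encoding: 15-char name + 1 suffix byte -> 32 letters A..P.
    The wildcard name '*' is padded with NULs, ordinary names with spaces."""
    pad = b"\x00" if name == "*" else b" "
    raw = name.upper().encode("ascii").ljust(15, pad)[:15] + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw)


def nb_decode(encoded: str):
    """Inverse of nb_encode: 32 letters -> (name, suffix byte)."""
    if len(encoded) != 32 or any(c not in "ABCDEFGHIJKLMNOP" for c in encoded):
        raise ValueError("not a first-level-encoded NetBIOS name")
    raw = bytes(((ord(encoded[i]) - 0x41) << 4) | (ord(encoded[i + 1]) - 0x41)
                for i in range(0, 32, 2))
    return raw[:15].rstrip(b" \x00").decode("ascii"), raw[15]


def build_nbns_query(name: str, qtype: int, transaction_id: int = 0x1234,
                     broadcast: bool = False) -> bytes:
    """Constructed test input only: header + one question, no scope labels."""
    flags = FLAG_BROADCAST if broadcast else 0
    header = struct.pack(">HHHHHH", transaction_id, flags, 1, 0, 0, 0)
    question = (b"\x20" + nb_encode(name).encode("ascii") + b"\x00"
                + struct.pack(">HH", qtype, 1))
    return header + question


def decode_nbns_query(datagram: bytes) -> dict:
    """Parse the 12-byte header and the single question of an NBNS datagram."""
    tid, flags, qdcount, _an, _ns, _ar = struct.unpack_from(">HHHHHH", datagram, 0)
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    off = 12
    if datagram[off] != 32:
        raise ValueError("unexpected label length")
    encoded = datagram[off + 1:off + 33].decode("ascii")
    off += 33
    if datagram[off] != 0:
        raise ValueError("scope labels not supported in this example")
    off += 1
    qtype, qclass = struct.unpack_from(">HH", datagram, off)
    name, suffix = nb_decode(encoded)
    return {
        "transaction_id": tid,
        "is_response": bool(flags & FLAG_RESPONSE),
        "broadcast": bool(flags & FLAG_BROADCAST),
        "name": name,
        "suffix": suffix,
        "qtype": {QTYPE_NB: "NB", QTYPE_NBSTAT: "NBSTAT"}.get(qtype, hex(qtype)),
        "qclass": qclass,
    }


def describe_nbns_query(datagram: bytes) -> str:
    """One-line label for a blocked UDP/137 datagram, suitable for a log entry."""
    q = decode_nbns_query(datagram)
    if q["is_response"]:
        return "NBNS response"
    if q["qtype"] == "NBSTAT" and q["name"] == "*":
        return "node-status query for '*' (remote name-table lookup, what nbtstat -a sends)"
    if q["qtype"] == "NB":
        kind = "broadcast" if q["broadcast"] else "unicast"
        return f"{kind} name query for {q['name']!r}<{q['suffix']:02x}>"
    return f"{q['qtype']} query for {q['name']!r}<{q['suffix']:02x}>"


if __name__ == "__main__":
    for pkt in (build_nbns_query("*", QTYPE_NBSTAT),
                build_nbns_query("WORKGROUP", QTYPE_NB, broadcast=True)):
        print(describe_nbns_query(pkt))
```

A broadcast name query for WORKGROUP from a neighbouring address is the misconfigured-machine case Mark describes; a unicast node-status query for '*' arriving from the internet is a deliberate name-table lookup. Either way the fix on the receiving side is the one in the post: disable NetBIOS over TCP/IP on the internet-facing adapter, or have the firewall drop 137-139 inbound.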

onomatopoeia
9th August 2001, 14:13
For the ISP percentages I would guess that "BT Internet" = "BT Ignite" and covers all ISPs using surf/web port and the like, since "BT Net" tends to appear in the whois details for these ISPs somewhere.

Techtips
9th August 2001, 14:24
Yes, it just shows what a monopoly they have on the telecoms industry, doesn't it!

metalrod
9th August 2001, 18:09
The majority of mine come from BT Internet, Deutsche Telekom and some French and Belgian ones.

FasterLouder
9th August 2001, 19:16
Cloud Nine were recently taken off the internet by a DDOS attack, they are now proposing a "Practice Safe Internet Campaign".

ISPreview News Story (http://www.ispreview.co.uk/cgi-bin/ispnews/viewnews.cgi?newsid997282387,75732,)

Anyone with a rules-based firewall who is still being bothered by the Code Red scans can easily enough write a rule to block it without logging, to save your logs filling up with it.

Stu.