
Can someone explain??

N/A

Can someone explain??

Hi folks, for the last week or so my Sygate firewall has been flashing red like there is no tomorrow. In the severity section of the log viewer I get neither a minor nor a major, and all the so-called attacks I get are from Plusnet users. Now, has Plusnet decided to hack its users for fun, or is there a good reason why this is happening?? It is starting to become a joke now, and it is happening on a very frequent basis.
Any info would be gratefully accepted.

Craig
14 REPLIES
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Can someone explain??

Most likely the culprits have been infected with a virus. Just collate the IP addresses that are hitting your firewall and send them off to abuse@plus.net, who will investigate and get the offending machines either isolated or request that steps are taken to disinfect them.
Plusnet Staff
Plusnet Staff
Posts: 12,169
Thanks: 18
Fixes: 1
Registered: 04-04-2007

Can someone explain??

Hi,

We have seen an upturn in the number of reports we are getting like this. If you are seeing significant numbers of scans from the same IP address then please do send them through to us and we can inform the users; as Peter says, they are likely infected with a virus and are unaware of this.
N/A

Can someone explain??

Thanks for the very swift reply. What is the best way of sending the IP address? Is it through the contact us section or a PM to one of you chaps?

Craig
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Can someone explain??

Contact us: Technical support -> contact PlusNet abuse team

Then post the details from your firewall log containing the offending IP addresses.

Note: you may not get a reply for this due to the volume of reports the abuse team gets.

or the email address I gave earlier.
N/A

Can someone explain??

Oops, sorry Peter, I somehow missed that email address. I put that down to the old age of 23.

OK, I will copy and paste the results I get from the whois on the address then?

thanks again

Craig
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Can someone explain??

Just the IP addresses are needed; you don't have to post whois info, as Plusnet can identify the user by IP address anyway, and it will save you some work.
N/A

Can someone explain??

I have got a bit confused about what to report and what not to report.

As Dave says, there has been a substantial increase in this type of activity recently. Anyway, I took a sample day and extracted the full list of PN IPs and forwarded them on an abuse ticket and sent the associated log file filtered to include just those PN IP entries. The assessment and log filtering was based on the standard 255.255.0.0 IP range that generates most of the connection attempts.
The worst I have seen over the last week or so is about 7000 from one IP in a day, and the least is just one or two. In my simple mind, I suppose that all these machines are infected to a greater or lesser extent, and perhaps just connected sporadically or continuously, thus leading to this large variation.

Since the firewall is protecting me, I don't really care that much, but reported these instances so that the relevant customers could be advised.

So my question is: should we report everything or only the very bad ones? If the latter, then what is a sensible threshold to use?

The impression I got from the initial answer on the ticket was that I had gone over the top by reporting them all.
N/A

Can someone explain??

You should report them all; for a start, if you don't, then how will they know they have a problem? In addition, all these attacks from virus-infected machines take up network bandwidth and spoil the service for everyone else.

Besides if they are stupid enough to surf the net without a virus checker and a software firewall then they deserve to suffer a little.

XP SP2 should hopefully prove a wake-up call when it finally gets released. I've been running the RC1 version on one of my PCs and it checks for a virus checker, firewall etc. and pops up a box if you don't have either enabled. You can ignore it, but if you do, 5 mins later it pops up again and again. It can be really annoying, but that's how it should be!

There's a lot more SP2 does but I won't bore everyone with detail.
N/A

Can someone explain??

Quote:
"You should report them all, for a start if you don't then how will they know they have a problem..."
That was what I thought, so I was a bit surprised to get as part of the response:

Again, because of the amount of Internet activity, Abuse Departments, including our own, can be inundated with reports and firewall logs. This means that having to look into every instance creates a backlog and it can take longer to get around to the serious offenders. With this in mind we would ask you to report each *serious* offender as a separate instance instead of forwarding the full firewall log.

I took this as a mild rebuke, even though I had not sent the whole log, just the PN stuff, had listed the IPs in the covering ticket and identified the two main problem IPs that accounted for about 95% of the activity.
It also seems to be suggesting that they only want 'serious' instances reported.
Perhaps I have misunderstood what they are trying to say?
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Can someone explain??

It all comes down to the resources available in the abuse dept. They want to maximise the impact by going after those systems/IPs that generate the most traffic.

There do not appear to be any clear guidelines on what to report and how, so until that is made available all you can do is report those IP addresses that you think are causing a problem. Clearly, if you have an IP address that generates a few scans a day, it is not worth the effort of investigation, so don't forward those to abuse.
N/A

Can someone explain??

I have 1 particular plusnet IP that accounts for around 90% of the entries in my firewall logs. I recently set the router to mail the logs to me when full. I was surprised to see the user concerned was on occasion completely filling the log within a period of around 20 minutes.

I forwarded the logs to Abuse and raised a ticket. Like pacaya, I received the same response and also took this as a "thanks, but we have more important things to worry about" type of response. I had thought 2, 3 or even 4 logs a day containing hits mainly from 1 IP was serious. Perhaps I have also misunderstood what they are trying to say.
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Can someone explain??

If you sent large firewall log files to abuse, they probably have not had time to look through them to discover it's primarily from one IP address.

If you send them a note saying IP x.y.z.a is scanning my systems and filling up my firewall logs frequently then they will be able to act on that 1 IP address quickly. Basically you are saving them a lot of time by isolating the IP for them.
N/A

Can someone explain??

That doesn't mean don't send them the logs attached.

I for one would not act on a handwritten e-mail without some logged info that I can back any actions I had to take with.
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Can someone explain??

I agree, but not a log that may contain, say, 500 entries; just the lines that prove how frequently the scans are occurring for the IP. 20 or 30 entries are probably enough, backed up by your observations.
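The thread converges on a small procedure: collate the source IPs hitting the firewall, keep only those inside the ISP's range (pacaya filtered on a 255.255.0.0 mask), drop the addresses that produce only a few scans a day, and send the abuse team one entry per serious offender with 20 or 30 evidence lines rather than the whole log. The script below is an added example implementing that summary step; it is not code from the thread, from Sygate or from Plusnet. The log line format, the sample log, the ISP range (a documentation /24 here, where the thread used a /16) and the threshold and sample-size values are all constructed assumptions.

```python
"""Summarise a firewall block log per source IP for an abuse report:
keep only sources inside the ISP's range, drop low-volume noise, and
extract a short evidence sample for each remaining offender."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log (not from the thread). Assumed one-block-per-line format:
# "<date> <time> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2004-07-01 10:00:01 BLOCK TCP 203.0.113.10:3421 -> 192.0.2.5:135
2004-07-01 10:00:03 BLOCK TCP 203.0.113.10:3422 -> 192.0.2.5:445
2004-07-01 10:00:05 BLOCK TCP 203.0.113.10:3423 -> 192.0.2.5:139
2004-07-01 10:00:09 BLOCK TCP 203.0.113.10:3424 -> 192.0.2.5:135
2004-07-01 10:01:00 BLOCK UDP 203.0.113.77:1034 -> 192.0.2.5:1434
2004-07-01 10:02:00 BLOCK TCP 198.51.100.9:5555 -> 192.0.2.5:135
2004-07-01 10:02:30 BLOCK TCP 203.0.113.10:3425 -> 192.0.2.5:135
this line is garbage and should be skipped
"""

# Assumed ISP range (documentation prefix); the thread's filter was a /16.
ISP_RANGE = "203.0.113.0/24"

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_log(text):
    """Yield (source_ip, line) for each well-formed line; malformed lines are skipped
    rather than aborting the whole summary."""
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            src = ipaddress.ip_address(m.group("src"))
        except ValueError:
            continue
        yield src, line


def summarise(text, isp_range=ISP_RANGE, threshold=3, sample_size=3):
    """Return {ip: {"count": n, "sample": [lines]}} for sources inside isp_range
    that produced at least `threshold` blocked attempts. `sample` keeps the first
    `sample_size` lines as evidence, so the report stays short (the thread's
    20-30 lines per IP would be sample_size=30)."""
    net = ipaddress.ip_network(isp_range)
    hits = defaultdict(list)
    for src, line in parse_log(text):
        if src in net:
            hits[src].append(line)
    report = {}
    for src, lines in hits.items():
        if len(lines) >= threshold:
            report[str(src)] = {"count": len(lines), "sample": lines[:sample_size]}
    return report


def format_report(report):
    """Render one section per offender, worst first: the IP, the hit count,
    then the evidence lines, which is the shape the abuse team asked for."""
    parts = []
    for ip, info in sorted(report.items(), key=lambda kv: -kv[1]["count"]):
        parts.append(f"{ip}: {info['count']} blocked connection attempts")
        parts.extend("    " + line for line in info["sample"])
    return "\n".join(parts)


if __name__ == "__main__":
    print(format_report(summarise(SAMPLE_LOG)))
```

Run against the constructed log, the single-hit Plusnet-range address and the out-of-range address are dropped, and only the address with five hits is reported, with its first three lines as evidence. Raising `threshold` is how you apply a "serious offenders only" policy once the abuse team states one.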