
Plus Net customers trying to attack me.....

N/A

Hello people,

Well, from that inflammatory title you might think I am not a customer of plus net (which I am) and that I am unhappy with the service (which I am not).

I use Zone Alarm pro and as such it records all of the attacks, attempts etc. that have been made on my machine. Well, for the most part I am not worried as the firewall seems to do its job. But the thing is I have noticed an increase in the number of plus net users attacking me. Well, how do I know they are plus net customers? Well, ZA pro tells me so, giving their details.

Some time ago I spent ages trawling through my logs with zonelog (very good btw) and compiled a list of fifteen or so and duly sent it to plus net themselves. They said they had contacted the mentioned people and thank you blah blah blah.

So am I being paranoid, should I just let it go? I have a theory that these people don't even know that they are doing it and that the machines are infected somehow, so lovely users out there in net land, what should I do?

Cassian
18 REPLIES
Community Veteran
Posts: 4,729
Registered: 04-04-2007

Paranoid.

Most of the attacks will be caused by viruses and spyware.
The reason they are from other Plus.Net users is because Plus.Net block incoming virus traffic.

It's the intrusion attempts that your firewall does not log that should concern you !!!

Chilly
N/A

Doesn't mean they're not all out to get me!

*hears a creak* eek a spider

*runs away screaming* they are all after me..............

Cassian
MysteryFCM
Grafter
Posts: 528
Registered: 30-08-2007

This one's certainly not paranoia....

TCP Packet - Source:80.229.144.82,1515 Destination:[My IP],445 - [DOS]

There are several alerts such as the above, for the above mentioned IP (resolves to host: davesmithec.plus.com), attempting a DDOS attack against port 445 (thankfully my router automatically stops DDOS and blocks port 445).

I don't have any packet data as my router doesn't log the data itself, just the access/attack attempts so errr.... suggestions anyone?
N/A

I've also seen a recent number of scans/hits from PlusNet against my IPs, mostly on 137/139.

It was my impression that PlusNet locked those accounts sending every web page they went to to a 'Your machine is showing virus-like activity' page as I found out when I attempted to port scan another user at their request.

And as I type this I just got a hit from fluffyrabbit on port 139 ...

Regards,
Andrew D Wiles
N/A

I knew it, I knew there was some reason it was happening, is there anything that can be done?

Cassian
N/A

Hi,

These aren't DDoS attacks, rather just infected machines trying to find other machines to infect. You will only get this traffic from PlusNet customers, because it is blocked at the gateway routers (the devices connecting the PlusNet network to the outside world).

If your firewall's blocking them, I wouldn't worry - this is considered normal internet noise. Unless this traffic is having an adverse effect on your connection (e.g. slowing it down noticeably), I would just ignore it. If it is affecting you, you need to email abuse@plus.net with detailed firewall logs.
N/A

As per Chris's mail.

I would also make sure you filter your firewall's logs, so they only contain the lines related to the customer with the infected connection and, if needed, send multiple requests.

It makes the abuse team's job so much easier, and also makes sure they look at every infected customer, rather than just one or two in a log of say 10.

Connections on ports 137 to 139, and port 445 are not uncommon. There are also quite a number of other regular port numbers where you would expect to see such connections.

If your firewall is reporting that you are being DDOS'd by a single IP address on a single port, I would suggest changing firewalls or at least looking at a total reconfiguration.

DDOS stands for "Distributed Denial of Service". Distributed means the job of the attack is given to 2 or more systems, to make an attack more effective.

You can distribute an attack to one machine, as this would just be a DOS attack.

Can I also ask how many of these probes you see per minute?

If you receive 6 or less for every 60 seconds, then I can't quite understand what the problem is. 360 probes per hour is very small and will very likely represent a smaller amount of data than you transfer from a single webpage.

Less than 6, and you have less to worry about. More than 6 and it would likely be more than normal, but it still wouldn't signal an attack.

For a real attack, you should be expecting in the region of 50 plus per 60 seconds.
Community Veteran
Posts: 1,112
Registered: 30-07-2007

I am also getting scanned by other plus.net users. I have been scanned by a dozen or so this evening; out of interest I have sent the following two (ianf83.plus.com & foxys.plus.com) an email asking them why they are scanning me.

I am interested to see what the answer is... "what the hell are you talking about" is the reply I expect to get.

So what is the story, do you think? They all have viruses/trojans running their machines? They are all hackers / script kiddies? This is all totally normal and my PC is routinely scanning other users?

Cheers Peter
holdtight
Grafter
Posts: 1,634
Registered: 15-06-2007

Something like this ??
Although this log shows this is not coming from Plusnet's side, it's similar, and I get them all the time and just ignore them, even the +net ones, as my hardware is doing its job.
Chris and Phil have explained it perfectly

P1970-01-01T23:18:24 Hacker Attack TCP: From: 207.33.111.35:59366 To: 81.174.xx.xx:25
P1970-01-01T23:18:24 Hacker Attack TCP: From: 207.33.111.35:59366 To: 81.174.xx.xx:53
P1970-01-01T23:18:24 Hacker Attack TCP: From: 207.33.111.35:59366 To: 81.174.xx.xx:22
P1970-01-01T23:18:25 Hacker Attack TCP: From: 207.33.111.35:59367 To: 81.174.xx.xx:25
P1970-01-01T23:18:25 Hacker Attack TCP: From: 207.33.111.35:59367 To: 81.174.xx.xx:53
P1970-01-01T23:18:25 Hacker Attack TCP: From: 207.33.111.35:59367 To: 81.174.xx.xx:22
P1970-01-01T23:18:25 Hacker Attack TCP: From: 207.33.111.35:59368 To: 81.174.xx.xx:53
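
An added example (not from any poster, and not Plusnet's own tooling) of the filtering advised earlier in the thread: it splits a router log in the format quoted above into one extract per source IP, ready to attach to separate abuse reports, and rates each source against the per-minute figures given in the thread. The addresses, dates and the `summarize` function are constructed for illustration, and the rate is counted per clock minute.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the router log format quoted above; the addresses
# are documentation ranges (RFC 5737), not hosts from the thread.
SAMPLE_LOG = """\
P2007-09-01T23:18:24 Hacker Attack TCP: From: 192.0.2.10:59366 To: 203.0.113.5:25
P2007-09-01T23:18:24 Hacker Attack TCP: From: 192.0.2.10:59366 To: 203.0.113.5:53
P2007-09-01T23:18:24 Hacker Attack TCP: From: 192.0.2.10:59366 To: 203.0.113.5:22
P2007-09-01T23:18:25 Hacker Attack TCP: From: 192.0.2.10:59367 To: 203.0.113.5:25
P2007-09-01T23:18:25 Hacker Attack TCP: From: 192.0.2.10:59367 To: 203.0.113.5:53
P2007-09-01T23:18:25 Hacker Attack TCP: From: 192.0.2.10:59367 To: 203.0.113.5:22
P2007-09-01T23:18:25 Hacker Attack TCP: From: 192.0.2.10:59368 To: 203.0.113.5:53
P2007-09-01T23:20:02 Hacker Attack TCP: From: 198.51.100.7:1515 To: 203.0.113.5:445
P2007-09-01T23:41:40 Hacker Attack TCP: From: 198.51.100.7:1516 To: 203.0.113.5:445
router rebooted
"""

# The leading "P" is optional; the destination may be masked (81.174.xx.xx).
LINE_RE = re.compile(
    r"^P?(?P<minute>\d{4}-\d\d-\d\dT\d\d:\d\d):\d\d .*?"
    r"From: (?P<src>[\d.]+):\d+ To: \S+:(?P<dport>\d+)$")

# Rule-of-thumb figures from the thread (probes per 60 seconds), not a standard.
NOISE_MAX, ATTACK_MIN = 6, 50

def summarize(log_text):
    """Group probe lines by source IP and rate each source separately."""
    lines, minutes, ports = defaultdict(list), defaultdict(Counter), defaultdict(set)
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a probe record
        src = m["src"]
        lines[src].append(raw.strip())
        minutes[src][m["minute"]] += 1
        ports[src].add(int(m["dport"]))
    report = {}
    for src in lines:
        peak = max(minutes[src].values())  # busiest single clock minute
        level = ("attack-level" if peak >= ATTACK_MIN
                 else "above normal" if peak > NOISE_MAX else "background noise")
        report[src] = {"peak_per_min": peak, "level": level,
                       "ports": sorted(ports[src]), "lines": lines[src]}
    return report

if __name__ == "__main__":
    for src, r in summarize(SAMPLE_LOG).items():
        print(f"--- {src}: peak {r['peak_per_min']}/min ({r['level']}), ports {r['ports']}")
        print("\n".join(r["lines"]))
```
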
Community Veteran
Posts: 1,112
Registered: 30-07-2007

Well.. My point isn't really that I feel they represent a danger to me... clearly they don't as my firewall is blocking them

My point is that if these scanning machines originating from within the plusnet network are clearly infected with a virus or trojan shouldn't we as a community be trying to let these people know that they are infected?

I can of course troll through my logs everyday and mail people that scan me in the hope they will fix their machines... But I am wondering if there is any way that plusnet can detect machines that are scanning and advise their owners they have a problem......

After all plusnet are able to count every byte we upload and download and keep a complete record of every web site we visit and when.... It doesn't seem too far fetched to think they might be able to detect internal network scanning and warn users of a potential problem..... just a thought! :roll:
N/A

Quote
My point is that if these scanning machines originating from within the plusnet network are clearly infected with a virus or trojan shouldn't we as a community be trying to let these people know that they are infected?



Indeed and agreed. This has been discussed many times on the boards and it always boils down to the same thing, education. Trouble is, how do we educate. News bulletins, magazine and newspaper articles, general discussion. None of these approaches have wiped out zombie machines or end user ignorance.

People have suggested that Plus Net email all such customers, but so many don't even monitor their postmaster accounts.

We all know what should be done, it's doing it that is the problem.
N/A

Quote

and keep a complete record of every web site we visit and when


I would be very concerned if plusnet were going to the trouble of transparently sniffing all HTTP traffic and logging it.
Community Veteran
Posts: 1,112
Registered: 30-07-2007

I think you will most certainly find they do..... Unless they would care to deny it?

How do you think ISPs assist the police unless they are able to say at any given time what your IP address was and where you visited....

There is no anonymity on the net... and anyone who thinks there might be is deluding themselves.


[Moderator's note by Mark (pcsni): Full quote of preceding post removed as it is unnecessary and against the rules.]
N/A

They can log everything, but the disk space requirements would be absolutely massive. The logs most ISPs keep are of DHCP assignments and old e-mails. But logging all HTTP traffic seems like a massive task to do for all users. Perhaps if a search warrant is issued for a specific user it might be more realistic.

There is no law which states an ISP must log all traffic, the only reason most log DHCP assignments is to protect themselves.

I know that some ISPs put everything through a transparent proxy, but plusnet do not - therefore making the task of logging HTTP traffic a lot more difficult.

Quote

I think you will most certainly find they do..... Unless they would care to deny it?

Have they specifically said they do either?