
Under constant attack from PLUS user - help please!

N/A

Under constant attack from PLUS user - help please!

Hi, yes I have reported it to Abuse ;)
What is this all about? It is constant and sooner or later they are gonna break my door down, if they haven't already without me knowing.
So, how do I find out who this is?

help, please, you can see they are every 3 minutes!!
and all from a PLUS account.

Thanks

Rab


11.03.2005 21:10:15 DCOM Exploit attack
from 80.229.149.72:135
11.03.2005 21:10:48 LSASS Exploit (SXP) attack
from 80.229.149.72:445
11.03.2005 21:13:36 LSASS Exploit (SXP) attack
from 80.229.149.72:445
11.03.2005 21:14:13 LSASS Exploit (SXP) attack
from 80.229.149.72:445
11.03.2005 21:21:37 LSASS Exploit (SXP) attack
from 80.229.140.116:445
11.03.2005 21:28:07 LSASS Exploit (SXP) attack
from 80.229.141.41:445
11.03.2005 21:28:33 LSASS Exploit (SXP) attack
from 80.229.140.116:445
11.03.2005 21:30:41 LSASS Exploit (SXP) attack
from 80.229.233.90:445
11.03.2005 21:31:33 LSASS Exploit (SXP) attack
from 80.229.141.22:445
11.03.2005 21:32:56 LSASS Exploit (SXP) attack
from 80.229.141.41:445
21 REPLIES
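As an added example (not part of any post in this thread): a small parser for two-line firewall entries like those in the original post. It counts distinct sources and ports, which is the check that separates many infected machines from one persistent host. The log is constructed with documentation-range addresses; the day-first date format and the `isp_pool` parameter are assumptions.

```python
import re
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample in the same two-line layout as the posted log
# (documentation-range addresses, not the ones from the thread).
SAMPLE_LOG = """\
11.03.2005 21:10:15 DCOM Exploit attack
from 198.51.100.72:135
11.03.2005 21:10:48 LSASS Exploit (SXP) attack
from 198.51.100.72:445
11.03.2005 21:13:36 LSASS Exploit (SXP) attack
from 198.51.100.72:445
11.03.2005 21:21:37 LSASS Exploit (SXP) attack
from 198.51.100.116:445
11.03.2005 21:28:07 LSASS Exploit (SXP) attack
from 198.51.100.41:445
"""

EVENT = re.compile(r"^(\d{2}\.\d{2}\.\d{4} \d{2}:\d{2}:\d{2}) (.+) attack$")
SOURCE = re.compile(r"^from (\d+\.\d+\.\d+\.\d+):(\d+)$")

def parse(log):
    """Pair each 'timestamp signature attack' line with its 'from ip:port' line."""
    events, pending = [], None
    for line in (l.strip() for l in log.splitlines()):
        m = EVENT.match(line)
        if m:
            # Assumption: the firewall writes dates day-first (dd.mm.yyyy).
            pending = (datetime.strptime(m.group(1), "%d.%m.%Y %H:%M:%S"), m.group(2))
            continue
        m = SOURCE.match(line)
        if m and pending:
            events.append((*pending, ip_address(m.group(1)), int(m.group(2))))
            pending = None
    return events

def summarize(events, isp_pool):
    """Count hits per source and per logged port, and sources inside isp_pool."""
    pool = ip_network(isp_pool)
    per_source = Counter(e[2] for e in events)
    return {
        "sources": len(per_source),
        "in_pool": sum(1 for ip in per_source if ip in pool),
        "per_port": dict(Counter(e[3] for e in events)),
        "busiest": per_source.most_common(1)[0],
        "span_s": (events[-1][0] - events[0][0]).total_seconds(),
    }
```

Several sources from one address pool, all hitting the same one or two ports, is the pattern the replies describe as worm traffic rather than a single host working on one target.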
Community Veteran
Posts: 4,729
Registered: 04-04-2007

Under constant attack from PLUS user - help please!

It looks like a viral attack, rather than a targeted cracking attempt.
Your firewall is stopping the traffic, and unless the `fatdeeman` picks up any more viruses it's unlikely to get any more sophisticated.

Quote
It’s not the intrusion attempts that are logged by your firewall that you should be concerned about. It’s the ones that get through that should concern you.


Chilly
N/A

Under constant attack from PLUS user - help please!

As chilly says, this is most likely a blaster etc infected machine hitting your firewall and not a deliberate attempt by the user to attack your machine.

The culprit is probably ignorant of the fact his or her machine is infected.

Your firewall is clearly doing its job and you have nothing to worry about.

With any luck the abuse team will attempt to notify the customer.
N/A

Under constant attack from PLUS user - help please!

hmmmmmmm

but it's 5 different URL's, within a short period, and ALL Plus customers.
so that would mean 5 PC's all picking on me (be it person or virus) all from within the network and yet none from outwith!!

spooky

Oh dear ..........
just checked my traffic logs and he is in, lots of traffic in and out, seems to be using my Antivirus as the program/gateway (avast)

ooh err........ not a clue what to do now
off to look for a virus I suppose, and try and get the door closed.

later

Rab
N/A

Under constant attack from PLUS user - help please!

From memory plus net block all such attacks on their borders so it makes sense that any such reports will or should only be from within Plus Net's network.

You are quite right that these attacks come from different plus net customers and this is common.

If your firewall is correctly configured and your AV definitions are up to date you should have nothing to worry about.

A full system scan should put your mind at rest. Rem if you are running Win ME or XP, if a virus is detected on your system, turn off system restore to ensure any virus is completely removed.
N/A

Under constant attack from PLUS user - help please!

ok.......... things have now got worse.
tonight I am shut out from my own site, when I try to get my homepage via my favourites link, my logs show it is really trying to get Mr d**kmatter.

please test bossbob.plus.com

is my site still there??

this is getting torrid

a desperate

Rab
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Under constant attack from PLUS user - help please!

If you mean www.bossbob.plus.com (Bossbob presents) it's fine for me.
N/A

Under constant attack from PLUS user - help please!

phew........

thank you :D

at least it is still in one piece!!

right, how am I shut out, and why do my logs show Mr D**kmatter coming and going at will??
and when I try to get my site I can't

bah........ too late at night for all this

thanks for the peace of mind

Rab
Treborvfr
Grafter
Posts: 25
Registered: 23-09-2007

Under constant attack from PLUS user - help please!

I can see your website as well Rab

Bob
(off BikersOracle)
N/A

Under constant attack from PLUS user - help please!

FWIW: I check my f/w logs every couple of days and 80% of port scans come from PN accounts, mostly on ports 139 and 445. The remainder of blocked scans come from outside the PN network looking for open high ports (1024....).

It's not affecting performance as far as I can tell, but it is annoying. I used to perform reverse lookups on the PN IP's and notify those users I could find. About 1 out of every 10 replied with a 'thankyou, I never realised' message but most didn't. I got sick of doing it though as it's like trying to empty a bucket of water using a fork.

One day, it would be great if PN could dynamically identify persistent port scanners and temporarily block them. Then if the external user tried to use a web browser to any PN website they'd be re-directed to a 'Your IP was blocked due to excessive port scanning. Please run a virus scan blah blah...' just as they do now for their own customers. And for continuous attempts, increase the temporary block (based on MAC address, not IP to help reduce DHCP assigned clients being unfairly blocked).

One day.... maybe.....
pebbles
Grafter
Posts: 69
Registered: 13-08-2007

Under constant attack from PLUS user - help please!

Don't worry about ports 139 and 445, they're the TCP ports Microsoft use for network neighbourhood browsing, ports 137 and 138 use UDP to do the same thing. What you're picking up is people who are broadcasting their neighbourhood on the PN network by accident.
m063
Grafter
Posts: 166
Registered: 11-08-2007

Under constant attack from PLUS user - help please!

I'm also getting lots of blocked inbound TCP connections to port 445 (and a lesser number to port 135).

Out of interest, why do these only come from Plusnet (they are always from IP addresses 84.93.*.* which Whois reports as the PlusNet ADSL Dynamic IP Pool)?
Does Plusnet block any such requests from outside of PlusNet?

Also, is there some way to identify the PlusNet user these are coming from?

Thanks

Martin
Community Veteran
Posts: 14,469
Registered: 30-07-2007

Under constant attack from PLUS user - help please!

Quote
Does Plusnet block any such requests from outside of PlusNet?


Yes.
Quote
Also, is there some way to identify the PlusNet user these are coming from?


Just ping the IP address.

start->run->cmd (or command for win9x/Me)

c:> ping IP
N/A

Under constant attack from PLUS user - help please!

PlusNet also block them between customers.

The block takes place at the network boundary for incoming data, and at the Ellacoya units for between customer traffic.

Traffic between customers that are connected to the same gateway unit is not, however, filtered by the Ellacoya units, because the traffic never leaves the gateway.

So almost all viral related scans are now from customers.
m063
Grafter
Posts: 166
Registered: 11-08-2007

Under constant attack from PLUS user - help please!

Quote


Just ping the IP address.

start->run->cmd (or command for win9x/Me)

c:> ping IP


Doesn't help. Possibly because they have a dynamic IP?

[Edited to remove IP address]