cyoung
Paranoid (IV) Inmate
From: The northeast portion of the 30th star Insane since: Mar 2001
|
posted 06-28-2001 19:53
Just had an access attempt to my machine.. I'll paste what Norton had to say below. My question- is this some sort of malicious attempt to get into my machine? If so, should I report them... sic a thousand hackers on 'em.. laugh cause I'm on Mac OS or what? Trojan Horses.. those are bad right?
>>Access Details
Service: unknown
Port: 27374 Access: Denied
Time: 06/28/01 12:03:38
Host name: 24-240-200-85.hsacorp.net
IP: 24.240.200.85
Firewall action: This access attempt was denied. To allow access in the future, use Norton Personal Firewall to allow all access to the port and service listed above or specifically allow access to the IP address listed above.
Type of access: This access attempt was made to a Windows "Trojan horse" named Sub7. One of the major advantages of using a Macintosh is that there are many fewer such viruses and Trojan horses that can be used to access your computer.
Access Mode: TCP
Host name information: The accessing machine's name ends with the code net (usually indicating a network affiliation). While not guaranteed to be an active link, there's a good chance you can find out more about this host at http://www.hsacorp.net.<<
hsacorp is a cable hosting company if anybody needs to know.. beyond that I haven't a clue.
-cyoung
|
cyoung
Paranoid (IV) Inmate
From: The northeast portion of the 30th star Insane since: Mar 2001
|
posted 06-28-2001 19:55
oh yea... this happened about every twenty seconds for a couple minutes. 5 attempts all together.
|
Dracusis
Maniac (V) Inmate
From: Brisbane, Australia Insane since: Apr 2001
|
posted 06-28-2001 19:59
Well, if it's an ISP they should have server logs that will have that IP logged to one of their user names. I'd send them an e-mail with that info on it, as their logs should also confirm that that IP tried to access your PC at that time. ISPs usually don't take kindly to their users hacking.
If it was malicious then the ISP should take appropriate action. And you should report this as this person may do harm to someone else.
But, I don't know much about hacking, just my thoughts on the matter...
everybody needs a swamp bear
|
GRUMBLE
Paranoid (IV) Mad Scientist
From: Omicron Persei 8 Insane since: Oct 2000
|
posted 06-28-2001 20:02
yes, this is a hack-attempt.
Sub7 is a trojan horse that, if installed on your computer, allows someone else to remotely control your machine.
most times it is sent to you by email, like a lot of other virii.
the only strange thing is that you are using a mac, and i can't think of a mac version of sub7.
btw: there have been some threads about subseven, hacks, security in the asylum. just search a bit around.
|
WarMage
Maniac (V) Mad Scientist
From: Rochester, New York, USA Insane since: May 2000
|
posted 06-28-2001 20:21
Think script kiddy...
He got his hands on the Sub7 administration GUI and is looking to use it. Turn him in for being stupid.
He is not online as of my writing this, but you can contact the host at : http://www.hsacorp.net/pages/pcu/mcu.html
I am not sure where he is located... Sheboygan is a county in Wisconsin (ala WI) so being in the US could run into trouble with the ISP. Send them an email, or call them toll free.
Don't let stupid people get away with this kind of stuff... and in the same light, don't let smart people do it either.
-mage-
|
bitdamaged
Maniac (V) Mad Scientist
From: 100101010011 <-- right about here Insane since: Mar 2000
|
posted 06-28-2001 20:43
You'll be surprised to find how many of these hits you will get.
here's the thing, most of these attempts are simply broadcast to blocks of IP addresses. something like
110.111.111.xxx
And these guys are just looking for any possible hit. I doubt this guy is hitting you directly. I get about 50-100 such hits a day on my home firewall. Most aren't actually associated with a specific app such as this Trojan, they are just looking for susceptible ports.
Oh yeah, the hsa is just probably this kid's ISP, not a player.
Walking the Earth like Kane
[This message has been edited by bitdamaged (edited 06-28-2001).]
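The triage described in the posts above (one source knocking on the Sub7 port several times versus one-off hits), as an added example that is not part of the original thread: it parses entries in the layout of the quoted Norton report and groups them by source IP and port. The function names, the `repeat_threshold` value and every sample row except the first are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Only mapping stated in the thread: Norton labels port 27374 as Sub7.
KNOWN_TROJAN_PORTS = {27374: "Sub7"}

# Constructed sample in the layout of the quoted Norton report. The first
# row's values are from the thread; the rest are made up for the example.
SAMPLE_LOG = "\n".join(
    f"Port: {port} Access: {access}\nTime: 06/28/01 {t}\nIP: {ip}\n"
    for port, access, t, ip in [
        (27374, "Denied", "12:03:38", "24.240.200.85"),
        (27374, "Denied", "12:03:58", "24.240.200.85"),
        (27374, "Denied", "12:04:18", "24.240.200.85"),
        (27374, "Denied", "12:04:38", "24.240.200.85"),
        (27374, "Denied", "12:04:58", "24.240.200.85"),
        (139, "Denied", "14:10:02", "192.0.2.77"),
    ]
)

ENTRY_RE = re.compile(
    r"Port:\s*(?P<port>\d+)\s+Access:\s*(?P<access>\w+)\s*\n"
    r"Time:\s*(?P<time>\d\d/\d\d/\d\d \d\d:\d\d:\d\d)\s*\n"
    r"(?:Host name:[^\n]*\n)?"
    r"IP:\s*(?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def summarize(text, repeat_threshold=3):
    """Group entries by (source IP, port) and flag repeated probes."""
    groups = defaultdict(list)
    for m in ENTRY_RE.finditer(text):
        when = datetime.strptime(m["time"], "%m/%d/%y %H:%M:%S")
        groups[(m["ip"], int(m["port"]))].append((when, m["access"]))
    report = []
    for (ip, port), hits in sorted(groups.items()):
        times = sorted(t for t, _ in hits)
        report.append({
            "ip": ip, "port": port, "hits": len(hits),
            "trojan": KNOWN_TROJAN_PORTS.get(port),  # None if not a listed port
            "span_s": int((times[-1] - times[0]).total_seconds()),
            "repeated": len(hits) >= repeat_threshold,
            # Anything not denied reached the machine and needs a closer look.
            "not_denied": sum(a.lower() != "denied" for _, a in hits),
        })
    return report

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

The per-source summary (count, time span, first and last timestamp from the raw entries) is the kind of detail an ISP abuse desk can match against its own logs.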
|
cyoung
Paranoid (IV) Inmate
From: The northeast portion of the 30th star Insane since: Mar 2001
|
posted 06-28-2001 20:46
Whoa... WarMage! You just blew my mind! Sheboygan county is about 15 miles south of me! Also happens to be the home of my ISP.. could this be somebody at my ISP? Where did you come up with this info? Oh man am I hooked on this now..
hehe.. I could go knock on his door if I could figure out who he is.. imagine the surprise a poke in the nose would bring. lol Serious... how'd you get this info, could it be me you're looking at?
-cyoung
p.s- tried searching around a bit.. no luck yet.
edit: typo
[This message has been edited by cyoung (edited 06-28-2001).]
|
WarMage
Maniac (V) Mad Scientist
From: Rochester, New York, USA Insane since: May 2000
|
posted 06-29-2001 16:52
Well that makes a lot of sense, he was probably scanning the network. And doing to the peepz on the network.
I am on a win sys and I simply ran tracert on the addy you gave. The peep was offline, yet I got to the block in front of him which would be the WI host.
Contact them and let them know about it.
I couldn't really get you his house number, but the logs your ISP keeps could. But they probably won't give those out to you.
-mage-
|
Ducati
Paranoid (IV) Inmate
From: in your head Insane since: Feb 2001
|
posted 06-29-2001 17:04
cy... when you have an IP addy of someones computer you can find out a lot from it.
Just go to your prompt command and do ping, tracert and all that good stuff.
|
GRUMBLE
Paranoid (IV) Mad Scientist
From: Omicron Persei 8 Insane since: Oct 2000
|
posted 06-29-2001 17:14
...ping, tracert and all that good stuff.
??? what else is there besides ping and tracert? and actually, what can you find out about a person with a ping?
|
oZoNe_bOi
Bipolar (III) Inmate
From: RigHt NeXt tO tHe sPeAKeR! Insane since: Jun 2001
|
posted 06-29-2001 17:58
I had something similar to that. But yes, subseven is bad LoL
Although, hits that keep happening are just port scans. Does it happen when you log on to MIRC?
<--self portrait
|
Ducati
Paranoid (IV) Inmate
From: in your head Insane since: Feb 2001
|
posted 06-29-2001 19:17
by doing ping -a you can resolve the name to the IP address...
Type in ping /? and you should see all the options.
|
cyoung
Paranoid (IV) Inmate
From: The northeast portion of the 30th star Insane since: Mar 2001
|
posted 06-30-2001 07:08
OK... time for my ignorance to shine bright. I'm running Mac OS 9.1, where do I find the prompt command? Hmm.. I also have VPC but I never access the web with windows running. Too many PC nasties (though I have to wonder how effective they would be) and I haven't bought security software for the dark side. I've heard something about a Mac ping tester or something but can't remember the name. How about a little how to fellas? Maybe some good links to get me up to speed? On another note I reported the attempt through doshelp.com but haven't yet heard anything back from that. Also found an on-line port scan to run.. said I had no security probs. Cool. Oh.. don't do MIRC. Just IM on occasion. Never figured a firewall would make me wanna learn this stuff.. kinda cloak and dagger, maybe even a little fun. So tell me, do you hackers hack back when somebody tries to get in your machine, or am I just seeing movie scenes. Oh #2.. and I would never really go poke him in the nose over it, might have some fun with a phone call though.
-cyoung
|
galaxal
Paranoid (IV) Inmate
From: Insane since: Oct 2000
|
posted 07-02-2001 03:49
I had BlackICE, but it blocked my ftp and www services as well, so I just removed it. I was tired to figure out how to open a specific port.
|
cyoung
Paranoid (IV) Inmate
From: The northeast portion of the 30th star Insane since: Mar 2001
|
posted 07-03-2001 01:29
I have Norton Personal Firewall. I have to either specify the IP to allow or disable the firewall (easily accomplished through the control strip) to allow ftp access. It doesn't interfere with my web browsers/ mail clients at all.
On another note, if anybody's interested.. I found a Mac program that does ping, trace route, finger, whois, query, monitor and address scans. It's called WhatRoute and it's freeware! There are all kinds of options I don't yet understand but will with a little free time. The coolest thing I've found so far is the map window. If you trace a server it will show you the route taken to the server on a world map (The Asylum seems to be in California) and not only that but if you mouse over the map it will show the latitude and longitude of your cursor and the distance to the nearest hop and the city it's located in with its latitude and longitude. Did that make sense.. ts. :P
I'm sure I'll be back with more questions at some point but for now I'll just rtfm. Oh yea. here's the link: http://homepages.ihug.co.nz/~bryanc/
edit: tyop
[This message has been edited by cyoung (edited 07-03-2001).]
|
WarMage
Maniac (V) Mad Scientist
From: Rochester, New York, USA Insane since: May 2000
|
posted 07-03-2001 01:39
If you want to get things accomplished you need to go to the police and not the helpdesk. They attempt to cover the stuff up, while the police actually have to do something about it.
Ping first, trace next. Lets you get a bit more information out of the person. The map can be helpful, but you usually only need to worry about the last couple of hops.
Unless they are flying the wingate magic you should be able to easily find them with a simple reference to the last hop or 2.
-mage-
|
cyoung
Paranoid (IV) Inmate
From: The northeast portion of the 30th star Insane since: Mar 2001
|
posted 07-03-2001 01:57
Wow.. that's interesting because calling the cops never once entered my mind. Guess I figured they'd be of no use in cyberspace.. whose jurisdiction is that? The guy hasn't scanned me yet today.. first day since the original post, think we're up to twenty some times now. I filed one complaint through doshelp and sent a nasty to the isp referenced by nortons the second day. Maybe one of them worked? Maybe he's searching for a new isp? Cops huh...
~shakes head and moseys toward the library~
-Mad Cow Stank Ho
|
hyperbole
Paranoid (IV) Inmate
From: Madison, Indiana, USA Insane since: Aug 2000
|
posted 07-04-2001 15:45
His netbios is hanging out!
I just did a NetScan on his ports and it reports that the netbios responded.
|
AdamD1
Nervous Wreck (II) Inmate
From: Toronto, ON, Canada Insane since: Jul 2001
|
posted 07-04-2001 17:54
Just in case anyone wanted to know about these tools, this is a very useful site:
http://www.gogettem.com/dns_tools.htm
It handles not just ping, traceroute and finger, but also deeper pings and traces. Particularly useful for overseas requests - something I usually end up needing whenever I receive spam.
Hope that helps.
Macs (at least up until OSx) have never had a "command prompt". Even in OSx it's kinda buried.
Whatroute is an okay product but it's not as fast or reliable as any of the hundreds of PC tools. (most notably Network Toolbox.)
My $0.02...
ad
--
Because I can!
|
Gallienus
Nervous Wreck (II) Inmate
From: Spain Insane since: Jul 2001
|
posted 07-05-2001 00:54
I would send a sub-viral right back at him............
|
cyoung
Paranoid (IV) Inmate
From: The northeast portion of the 30th star Insane since: Mar 2001
|
posted 07-05-2001 02:49
Netbios hanging out, fingers, deeper pings and traces, sub virals.. wow. Could hacking actually be sexy?
Ya know.. recent experimentation has shown that I ~can~ run pc apps through my Mac firewall via VPC.. it's like having a slowish PC living in a sizable partition of my Mac's hard drive with the two OS' nicely networked.. Network toolbox ya say? hmm.. How would one send something to a specific IP, all this intrigues me greatly though I've had no more scans from him... just remote procedure calls from china and such.
Oh yea.. I was gonna ask what the value of pinging the IP was, seems to me like all it does is time the connection. No doubt I'm missing something major.. isn't having the ip and date/time enough for whoever to track them down, and would their route to your machine necessarily be the same as the route taken from your machine to theirs with a tracert? Oh.. and I don't know enough about it to feel confident enough to laugh, though I haven't yet upgraded (?) to OSX. Figure I'll let 'em work the bugs out for at least a year first.
-cyoung
|