1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Problem dos

Discussion in 'Computer Security' started by miflandia, Feb 17, 2010.

  1. miflandia

    miflandia Byte Poster

    105
    0
    31
    Hi all.

    Yesterday evening i had a bit of problem. Denial of service attack after several single port scan.
    The reason why i write here because i never had that amount before. I never had more than 1 DoS. I was about to shut down my laptop anyway, when my Security Suite went mad...
    Any experience?
    Any advice appreciated.
    thx

    16/02/2010 20:15:50 92.249.231.95 Host blocked for 5 min DOS
    16/02/2010 20:15:50 81.182.29.244 Host blocked for 5 min DOS
    16/02/2010 20:15:50 83.20.91.30 Host blocked for 5 min DOS
    16/02/2010 20:15:49 212.244.85.146 Host blocked for 5 min DOS
    16/02/2010 20:15:49 78.51.135.244 Host blocked for 5 min DOS
    16/02/2010 20:15:49 89.215.86.151 Host blocked for 5 min DOS
    16/02/2010 20:15:49 88.238.211.9 Host blocked for 5 min DOS
    16/02/2010 20:15:49 79.116.99.224 Host blocked for 5 min DOS
    16/02/2010 20:15:49 98.167.240.116 Host blocked for 5 min DOS
    16/02/2010 20:15:48 86.101.166.167 Host blocked for 5 min DOS
    16/02/2010 20:15:05 85.175.233.7 Detected attack, host not blocked SINGLE_SCAN_PORT (32227)
    16/02/2010 20:15:05 94.10.233.1 Detected attack, host not blocked SINGLE_SCAN_PORT (32227)
    16/02/2010 20:15:05 82.131.192.50 Detected attack, host not blocked SINGLE_SCAN_PORT (32227)
    16/02/2010 20:15:05 89.133.99.240 Detected attack, host not blocked SINGLE_SCAN_PORT (32227)
    16/02/2010 20:15:04 75.137.105.255 Detected attack, host not blocked SINGLE_SCAN_PORT (32227)
    16/02/2010 20:15:04 87.229.111.203 Detected attack, host not blocked SINGLE_SCAN_PORT (32227)
    16/02/2010 20:15:04 79.166.104.214 Detected attack, host not blocked SINGLE_SCAN_PORT (32227)
    16/02/2010 20:15:04 87.223.80.126 Detected attack, host not blocked SINGLE_SCAN_PORT (32227)
    16/02/2010 20:15:04 94.21.58.172 Detected attack, host not blocked SINGLE_SCAN_PORT (32227)
    16/02/2010 20:15:04 86.101.132.12 Detected attack, host not blocked SINGLE_SCAN_PORT (32227)
     
    Certifications: Comptia A+
    WIP: Comptia N+
  2. SimonD

    SimonD Terabyte Poster Moderator

    3,463
    397
    199
    That's a whole load of different countries you had port scanning you there, Spain, Hungary and Greece just to name a few.

    Are you or anyone on your network running any kind of P2P software? The reason I ask is that's what it looks like with the scan of 32227, it looks like they were trying to connect to you (or at least that address, on that particular port). Usually I would expect multiple port requests rather than a single port.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
    WIP: VCP6-CMA, VCAP-DCD and Linux + (and possibly VCIX-NV).
  3. miflandia

    miflandia Byte Poster

    105
    0
    31
    I believe that time i had no P2P running at all.
    The only thing what we been doing that time is checking the ebay(we are about to buy couple of staff).
    And i have not change anything in my laptop for a while now.

    Edit: I had a look on the p2p i have on the laptop. That has a fixed port, which is not the above mentioned.
    Hungary would ring a bell, but the rest i have nothing to do....

    (I think about the migration to linux, and this is the only issue left,(this problem just get my attention)
    the security, my Security Suite will not run on linux. As far as i know linux coming out with all port closed. but must be some firewall for linux as well?? Or this is just the chronic win user point of view??
     
    Last edited: Feb 17, 2010
    Certifications: Comptia A+
    WIP: Comptia N+
  4. SimonD

    SimonD Terabyte Poster Moderator

    3,463
    397
    199

    Unless you're running public ip addressing on your laptop (ie issued directly to your laptop by the ISP rather than a private 192.168.x.x address) then it could simply be that the request came into your router and that forwarded to your laptop.

    As I said above, there were a lot of different ip's coming from all over the place.

    You may want to run some malware scan's just to see if you have been infected by a bot but.. well you may just have to live with it. If it happens again you should investigate the running processes on your machine to ensure nothing spurious is running.
     
    Certifications: CNA | CNE | CCNA | MCP | MCP+I | MCSE NT4 | MCSA 2003 | Security+ | MCSA:S 2003 | MCSE:S 2003 | MCTS:SCCM 2007 | MCTS:Win 7 | MCITP:EDA7 | MCITP:SA | MCITP:EA | MCTS:Hyper-V | VCP 4 | ITIL v3 Foundation | VCP 5 DCV | VCP 5 Cloud | VCP6 NV | VCP6 DCV | VCAP 5.5 DCA
    WIP: VCP6-CMA, VCAP-DCD and Linux + (and possibly VCIX-NV).
  5. miflandia

    miflandia Byte Poster

    105
    0
    31
    Ok.
    I could not find any dodgy process running, and the anti virus give a negative report.
    At the moment everything running well, so i hope i do not have to live with it:)
    Thank you the help.
     
    Certifications: Comptia A+
    WIP: Comptia N+

Share This Page

Loading...