Firewall Alert!

Message boards : Cafe SETI : Firewall Alert!
littleBouncer
Volunteer tester
Joined: 28 May 99
Posts: 151
Credit: 666,283
RAC: 0
Switzerland
Message 56007 - Posted: 20 Dec 2004, 9:20:05 UTC
Last modified: 20 Dec 2004, 9:21:04 UTC

Every time I open a thread from "Cafe SETI" I receive a message from my firewall that there is a "hacking attack". I A. you (Seti- Staff), why and what that means:

one of those entries (meanwhile over 90) from my firewall:

2004/12/20 10:12:14 80.161.96.46:80 x.x.x.x:1688 Connection 1688 (TCP)

What has this IP 80.161.96.46 to do with Seti, and/or Cafe SETI ?

Can I trust them?

ID: 56007
Ulrich Metzner
Volunteer tester
Joined: 3 Jul 02
Posts: 1256
Credit: 13,565,513
RAC: 13
Germany
Message 56010 - Posted: 20 Dec 2004, 9:35:23 UTC - in response to Message 56007.  
Last modified: 20 Dec 2004, 9:35:42 UTC

> Every time I open a thread from "Cafe SETI" I receive a message from my
> firewall that there is a "hacking attack". I A. you (Seti- Staff), why and
> what that means:
>
> one of those entries (meanwhile over 90) from my firewall:
>
> 2004/12/20 10:12:14 80.161.96.46:80 x.x.x.x:1688 Connection 1688 (TCP)
>
> What has this IP 80.161.96.46 to do with Seti, and/or Cafe SETI ?
>
> Can I trust them?
>
>

A quick Nettools smartwhois scan reveals this address belongs to
TDC Net
Sletvej 30, A039
DK-8310 Tranbjerg
Denmark
So I think it's from the many statistics signatures linked/embedded in the threads.

Aloha, Uli

ID: 56010
.
Volunteer tester
Joined: 3 Apr 99
Posts: 410
Credit: 16,559
RAC: 0
Message 56012 - Posted: 20 Dec 2004, 9:47:31 UTC - in response to Message 56007.  
Last modified: 20 Dec 2004, 9:48:04 UTC

> Every time I open a thread from "Cafe SETI" I receive a message from my
> firewall that there is a "hacking attack". I A. you (Seti- Staff), why and
> what that means:
>
> one of those entries (meanwhile over 90) from my firewall:
>
> 2004/12/20 10:12:14 80.161.96.46:80 x.x.x.x:1688 Connection 1688 (TCP)
>
> What has this IP 80.161.96.46 to do with Seti, and/or Cafe SETI ?
>
> Can I trust them?
>
>

No! I just checked my firewall for incoming events, and there is a lot of activity involving Århus (or Tranbjerg) at the moment! 6 in about 5 minutes!
ID: 56012
N/A
Volunteer tester
Joined: 18 May 01
Posts: 3718
Credit: 93,649
RAC: 0
Message 56016 - Posted: 20 Dec 2004, 10:03:58 UTC - in response to Message 56012.  
Last modified: 25 Dec 2004, 14:08:52 UTC

[root@localhost root]# nslookup 80.161.96.46
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
46.96.161.80.in-addr.arpa name = 0x50a1602e.kd4nxx12.adsl-dhcp.tele.dk.

Authoritative answers can be found from:
96.161.80.in-addr.arpa nameserver = auth02.ns.tele.dk.
96.161.80.in-addr.arpa nameserver = auth01.ns.tele.dk.

[root@localhost root]# dig 80.161.96.46

; <<>> DiG 9.2.3 <<>> 80.161.96.46
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26260
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;80.161.96.46. IN A

;; AUTHORITY SECTION:
. 10800 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2004121901 1800 900 604800 86400


;; Query time: 45 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Mon Dec 20 05:01:49 2004
;; MSG SIZE rcvd: 105

Someone else will have to take it from here - I'm a bit busy...

[EDIT] Just checked ipfw.log - no unusual (though highly suspicious) activity from here. FWIW I'm at 141.155.23.70 right now. Definitely BLOCK :1688 - IANA port reg. says:

nsjtp-data 1688/tcp nsjtp-data
nsjtp-data 1688/udp nsjtp-data
# Orazio Granato
firefox 1689/tcp firefox
firefox 1689/udp firefox
# Mark S. Edwards

[EDIT] Removed <pre> tags
ID: 56016
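An added example (editor's code, not from this thread, SETI@home or BOINC) that does the triage the posters above are doing by hand. The quoted firewall line has the remote side on port 80 and the local side on 1688, which is the shape of a web server's reply to a connection the browser itself opened; that fits the embedded stats-signature images the replies point to. The IANA "nsjtp-data" registration for 1688 describes a service listening on that port, not a client's ephemeral source port, so a block rule on local port 1688 changes nothing about this traffic. The script parses lines in the quoted format, checks each against a list of connections the host opened (what a stateful firewall keeps and what `netstat -n` shows), falls back to a port heuristic, and builds the in-addr.arpa name that the nslookup above resolved. On the dig output: `dig 80.161.96.46` without `-x` asks for the literal string as a hostname, which is why it came back NXDOMAIN from the root zone; `dig -x 80.161.96.46` queries the name `ptr_name` constructs. All sample lines except the first, the `RECENT_OUTBOUND` set and the port thresholds are constructed assumptions for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample log in the format quoted in the thread. Only the first line
# is from the thread; the others are made up for this example, and x.x.x.x stands
# in for the local address exactly as the poster wrote it.
SAMPLE_LOG = """\
2004/12/20 10:12:14 80.161.96.46:80 x.x.x.x:1688 Connection 1688 (TCP)
2004/12/20 10:12:31 80.161.96.46:80 x.x.x.x:1702 Connection 1702 (TCP)
2004/12/20 10:13:05 203.0.113.9:4521 x.x.x.x:135 Connection 135 (TCP)
2004/12/20 10:13:40 198.51.100.7:53 x.x.x.x:1040 Connection 1040 (UDP)
"""

# Assumed: connections this host opened, as (remote_ip, remote_port, local_port),
# the way a stateful firewall's connection table or `netstat -n` would list them.
RECENT_OUTBOUND = {("80.161.96.46", 80, 1688)}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) "
    r"(?P<src_ip>[\d.x]+):(?P<src_port>\d+) "
    r"(?P<dst_ip>[\d.x]+):(?P<dst_port>\d+) "
    r"Connection (?P<conn>\d+) \((?P<proto>TCP|UDP)\)$"
)

# Assumed heuristics: a packet *from* one of these remote ports *to* a high local
# port is the normal shape of return traffic for something the client started.
CLIENT_INITIATED_REMOTE_PORTS = {80: "http", 443: "https", 53: "dns"}
EPHEMERAL_MIN = 1024  # Windows of that era gave clients 1025-5000


@dataclass
class Event:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_line(line: str) -> Event:
    """Parse one firewall log line of the quoted format into an Event."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised log line: {line!r}")
    return Event(m["src_ip"], int(m["src_port"]),
                 m["dst_ip"], int(m["dst_port"]), m["proto"])


def classify(ev: Event, recent_outbound) -> str:
    """Say what an inbound packet most likely is, stateful check first."""
    if (ev.src_ip, ev.src_port, ev.dst_port) in recent_outbound:
        return "reply to a connection this host opened"
    if ev.src_port in CLIENT_INITIATED_REMOTE_PORTS and ev.dst_port >= EPHEMERAL_MIN:
        svc = CLIENT_INITIATED_REMOTE_PORTS[ev.src_port]
        return f"late/extra {svc} reply to an ephemeral port (likely return traffic)"
    if ev.dst_port < EPHEMERAL_MIN:
        return f"unsolicited inbound to service port {ev.dst_port} (probe)"
    return "unsolicited inbound to ephemeral port"


def ptr_name(ip: str) -> str:
    """The name a reverse lookup (`dig -x`) actually queries, e.g.
    80.161.96.46 -> 46.96.161.80.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer


def triage(log_text: str, recent_outbound):
    """Return (remote_ip, remote_port, local_port, verdict) per non-empty log line."""
    rows = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        rows.append((ev.src_ip, ev.src_port, ev.dst_port, classify(ev, recent_outbound)))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG, RECENT_OUTBOUND):
        print(row)
    print(ptr_name("80.161.96.46"))
```

The stateful check is the one that matters: a firewall that remembers the browser's outbound connection to 80.161.96.46:80 from local port 1688 will treat the server's packets as established traffic rather than an attack, and the "attack" alerts in the thread are what you get when that state has already been dropped or was never tracked. The port heuristic is only a fallback for log lines you are reading after the fact.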
Ken Phillips m0mcw
Volunteer tester
Joined: 2 Feb 00
Posts: 267
Credit: 415,678
RAC: 0
United Kingdom
Message 56019 - Posted: 20 Dec 2004, 10:21:59 UTC
Last modified: 20 Dec 2004, 10:24:22 UTC

As NA has already posted, that IP (according to the windoze tracert command) belongs to whoever has been allocated the DNS name 0x50a1602e.kd4nxx12.adsl-dhcp.tele.dk, somewhere in Holland, whose web server (port 80) is trying to send you a packet. This behaviour, unless I'm being deceived, is consistent with viewing a web page that contains one or more stats signatures; if the relevant images for each of the sigs appear OK, then I can't imagine what else a stats site is trying to do. This does need some serious answers from the likes of boincdk, etc.

As a side note, using windoze XP SP2, whenever I view any of these fora with Internet Explorer 6 I keep getting a blocked-cookie alert; even if I allow the offending cookie, my cookie-enabled viewing preferences are working OK, so I don't know what that's about either.

Bit of a useless post really, but there you go! We can't all know everything :-0

Ken Phillips

BOINC question? Look here

"The beginning is the most important part of the work." - Plato
ID: 56019
.
Volunteer tester
Joined: 3 Apr 99
Posts: 410
Credit: 16,559
RAC: 0
Message 56020 - Posted: 20 Dec 2004, 10:30:22 UTC - in response to Message 56019.  

> As a side note, using windoze XP SP2, whenever I view any of these fora with
> Internet Explorer 6 I keep getting a blocked-cookie alert; even if I allow
> the offending cookie, my cookie-enabled viewing preferences are working OK, so
> I don't know what that's about either.
>

Using Windows XP SP2, I have disabled the firewall feature in it, as I don't trust it! I have my own paid-for McAfee firewall and virus protection, so I don't suffer from the problems you mention. So I guess my McAfee overrides a lot of these little points of annoyance!
ID: 56020
littleBouncer
Volunteer tester
Joined: 28 May 99
Posts: 151
Credit: 666,283
RAC: 0
Switzerland
Message 56022 - Posted: 20 Dec 2004, 10:50:45 UTC - in response to Message 56020.  
Last modified: 20 Dec 2004, 16:07:46 UTC

> I have my own paid-for McAfee firewall and virus protection,
> so I don't suffer from the problems you mention. So I guess my McAfee
> overrides a lot of these little points of annoyance!
>
=====

I have McAfee too, and what I don't understand is why he (80.161.96.46) wants to open a port on my PC (he always tries another #, over 100 times).

I had checked by "whois" before I posted; I knew it came from DK, but the question was why it appears after reading some threads in "Cafe SETI" (and only this site).

Thanks a lot for all replies !!!

[EDIT: 12.20.04 16:00 UTC] The "signatures" marked as "cookie" aren't the problem.

ID: 56022
.
Volunteer tester
Joined: 3 Apr 99
Posts: 410
Credit: 16,559
RAC: 0
Message 56025 - Posted: 20 Dec 2004, 11:18:04 UTC - in response to Message 56022.  
Last modified: 20 Dec 2004, 11:24:06 UTC

>
> I have McAfee too, and what I don't understand is why he (80.161.96.46) wants to
> open a port on my PC (he always tries another #, over 100 times).
>
> I had checked by "whois" before I posted; I knew it came from DK, but the
> question was why it appears after reading some threads in "Cafe SETI".
>
> Thanks a lot for all replies !!!
>
>
I don't know what they are doing out there! But I think it is accidental. Last summer I had LOTS of attacks, involving most of the world, and I became so irritated (yes, I flame easily!) about it that I took a screendump and sent it to the Danish Police, the IT crime department, and I got the answer that "they" out there just probe, but if I get attacks from the same IP address, they would be happy to be briefed about it! And after a while, the number of attacks dropped, some weeks to none!

So the same information must go to you: if you persistently get attacks from the same one, contact your local police, IT crime department!

I was trying to find an e-mail address for BOINC.DK, but couldn't see any on their website (http://www.boinc.dk/index.php). Try to google them or search here on their team site! But I don't even know if they can explain anything?
ID: 56025
littleBouncer
Volunteer tester
Joined: 28 May 99
Posts: 151
Credit: 666,283
RAC: 0
Switzerland
Message 56035 - Posted: 20 Dec 2004, 12:12:23 UTC - in response to Message 56025.  


> So the same information must go to you: if you persistently get attacks from
> the same one, contact your local police, IT crime department!
>
> I was trying to find an e-mail address for BOINC.DK, but couldn't see any on
> their website (http://www.boinc.dk/index.php). Try to google them
> or search here on their team site! But I don't even know if they can explain
> anything?
>
@ Lena!

Thanks for your reply.

I posted 3 times to its hostmaster, and announced that I would make contact with the police, but nothing happened. Now I will do as you suggest.


ID: 56035
Ubdaddy
Joined: 24 Aug 02
Posts: 15
Credit: 695,355
RAC: 0
Israel
Message 56040 - Posted: 20 Dec 2004, 12:40:46 UTC

When I started using ZoneAlarm Pro I tried to track the incoming probes using the Whois function. There is not much that can be done; the hackers use scanning programs that run through many IP addresses until they find one that responds. You have to set your firewall to block and allow what you want using Expert Rules. A good idea is to test your protection from time to time with test tools such as those available on the Symantec web site, and block the openings.

Even as I write this I can see traffic signs on the ZoneAlarm tray icon; some of it is my own, some is my ISP trying to establish who is connected and who isn't, and some are unsolicited probes. As long as my computer does not respond to the probes, I'm fairly safe.

I no longer look at the ZA log file; ZA, McAfee AV, and anti-pest programs all combine to provide reasonable protection.

Yair

P.S. One of the most dangerous "attacks" out there nowadays is the phishing e-mails that try to make you give up sensitive information. Never give up any sensitive info unless you initiated the connection and you trust the website.

Yair
ID: 56040
N/A
Volunteer tester
Joined: 18 May 01
Posts: 3718
Credit: 93,649
RAC: 0
Message 56196 - Posted: 21 Dec 2004, 4:41:53 UTC - in response to Message 56019.  

Thanks for pitching in, Ken. FTR: it was nslookup and dig only because my modem/router blocks traceroutes and pings (damn built-in firewall!). Also, I'm using YDL4, which is a Fedora PPC port - no MS here! (OK, except for Excel... that's Microsoft's best product ever.)
ID: 56196
.
Volunteer tester
Joined: 3 Apr 99
Posts: 410
Credit: 16,559
RAC: 0
Message 57191 - Posted: 25 Dec 2004, 12:43:46 UTC - in response to Message 56007.  

> Every time I open a thread from "Cafe SETI" I receive a message from my
> firewall that there is a "hacking attack". I A. you (Seti- Staff), why and
> what that means:
>
> one of those entries (meanwhile over 90) from my firewall:
>
> 2004/12/20 10:12:14 80.161.96.46:80 x.x.x.x:1688 Connection 1688 (TCP)
>
> What has this IP 80.161.96.46 to do with Seti, and/or Cafe SETI ?
>
> Can I trust them?
>
>

Look here: http://setiweb.ssl.berkeley.edu/forum_thread.php?id=7533#57176
ID: 57191
Captain Avatar
Volunteer tester
Joined: 17 May 99
Posts: 15133
Credit: 529,088
RAC: 0
United States
Message 57212 - Posted: 25 Dec 2004, 13:43:24 UTC - in response to Message 57191.  
Last modified: 25 Dec 2004, 14:02:41 UTC


ID: 57212
.
Volunteer tester
Joined: 3 Apr 99
Posts: 410
Credit: 16,559
RAC: 0
Message 57213 - Posted: 25 Dec 2004, 13:54:06 UTC - in response to Message 57212.  
Last modified: 25 Dec 2004, 14:36:17 UTC


ID: 57213

©2024 University of California

SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.