Firewall Alert!
Author | Message |
---|---|
littleBouncer Joined: 28 May 99 Posts: 151 Credit: 666,283 RAC: 0 |
Every time I open a thread from "Cafe SETI" I receive a message from my firewall, that there is a "hacking attack". I A. you (Seti-Staff), why and what that means: one of those entries (meanwhile over 90) from my firewall: 2004/12/20 10:12:14 80.161.96.46:80 x.x.x.x:1688 Connection 1688 (TCP) What has this IP 80.161.96.46 to do with Seti, and/or Cafe SETI? Can I trust them? |
Ulrich Metzner Joined: 3 Jul 02 Posts: 1256 Credit: 13,565,513 RAC: 13 |
> Every time I open a thread from "Cafe SETI" I receive a message from my > firewall, that there is a "hacking attack". I A. you (Seti-Staff), why and > what that means: > > one of those entries (meanwhile over 90) from my firewall: > > 2004/12/20 10:12:14 80.161.96.46:80 x.x.x.x:1688 Connection 1688 (TCP) > > What has this IP 80.161.96.46 to do with Seti, and/or Cafe SETI? > > Can I trust them? > > A quick Nettools smartwhois scan reveals this address belongs to TDC Net Sletvej 30, A039 DK-8310 Tranbjerg Denmark So I think it's from the many statistic signatures linked/embedded in the threads. Aloha, Uli |
. Joined: 3 Apr 99 Posts: 410 Credit: 16,559 RAC: 0 |
> Every time I open a thread from "Cafe SETI" I receive a message from my > firewall, that there is a "hacking attack". I A. you (Seti-Staff), why and > what that means: > > one of those entries (meanwhile over 90) from my firewall: > > 2004/12/20 10:12:14 80.161.96.46:80 x.x.x.x:1688 Connection 1688 (TCP) > > What has this IP 80.161.96.46 to do with Seti, and/or Cafe SETI? > > Can I trust them? > > No! I just checked my firewall for incoming events, and there is a lot of activity involving Århus (or Tranbjerg) at the moment! 6 in about 5 minutes! |
N/A Joined: 18 May 01 Posts: 3718 Credit: 93,649 RAC: 0 |
`[root@localhost root]# nslookup 80.161.96.46 Server: 192.168.1.1 Address: 192.168.1.1#53 Non-authoritative answer: 46.96.161.80.in-addr.arpa name = 0x50a1602e.kd4nxx12.adsl-dhcp.tele.dk. Authoritative answers can be found from: 96.161.80.in-addr.arpa nameserver = auth02.ns.tele.dk. 96.161.80.in-addr.arpa nameserver = auth01.ns.tele.dk.` `[root@localhost root]# dig 80.161.96.46 ; <<>> DiG 9.2.3 <<>> 80.161.96.46 ;; global options: printcmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26260 ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;80.161.96.46. IN A ;; AUTHORITY SECTION: . 10800 IN SOA A.ROOT-SERVERS.NET. NSTLD.VERISIGN-GRS.COM. 2004121901 1800 900 604800 86400 ;; Query time: 45 msec ;; SERVER: 192.168.1.1#53(192.168.1.1) ;; WHEN: Mon Dec 20 05:01:49 2004 ;; MSG SIZE rcvd: 105` Someone else will have to take it from here - I'm a bit busy... [EDIT] Just checked ipfw.log - No unusual (Though highly suspicious) activity from here. FWIW I'm at 141.155.23.70 right now. Definitely BLOCK :1688 - IANA port reg. says: `nsjtp-data 1688/tcp nsjtp-data nsjtp-data 1688/udp nsjtp-data # Orazio Granato firefox 1689/tcp firefox firefox 1689/udp firefox # Mark S. Edwards` [EDIT] Removed <pre> tags |
Ken Phillips m0mcw Joined: 2 Feb 00 Posts: 267 Credit: 415,678 RAC: 0 |
As NA has already posted, that ip (according to the windoze tracert command) belongs to whoever has been allocated the dns name of 0x50a1602e.kd4nxx12.adsl-dhcp.tele.dk, somewhere in holland, whose webserver (port 80) is trying to send you a packet, this behaviour, unless I'm being deceived, is consistent with viewing a web page that contains one or more stats signatures, if the relevant images for each of the sigs appears ok, then I can't imagine what else a stats site is trying to do, this does need some serious answers from the likes of boincdk, etc. As a side note using windoze xp sp2, whenever I view any of these fora with internet explorer 6, I keep getting a blocked cookie alert, even if I allow the offending cookie, my cookie enabled viewing preferences are working ok, so I don't know what that's about either. Bit of a useless post really, but there you go! We can't all know everything :-0 Ken Phillips BOINC question? Look here "The beginning is the most important part of the work." - Plato |
. Joined: 3 Apr 99 Posts: 410 Credit: 16,559 RAC: 0 |
> As a side note using windoze xp sp2, whenever I view any of these fora with > internet explorer 6, I keep getting a blocked cookie alert, even if I allow > the offending cookie, my cookie enabled viewing preferences are working ok, so > I don't know what that's about either. > Using Windows XP sp2, I have disabled the firewall feature in it, as I don't trust it! I have my own paid-for McAfee firewall and virus protection, so I don't suffer from the problems you mention. So I guess my McAfee overrides a lot of these little points of annoyance! |
littleBouncer Joined: 28 May 99 Posts: 151 Credit: 666,283 RAC: 0 |
> I have my own paid-for McAfee firewall and virus protection, > so I don't suffer from the problems you mention. So I guess my McAfee > overrides a lot of these little points of annoyance! > ===== I have McAfee too, and what I don't understand is why he (80.161.96.46) wants to open a port on my PC (he always tries another #, over 100 times). I checked by "whois" before I posted; I knew it came from DK, but the question was why it appears after reading some threads in "Cafe SETI" (and only this site). Thanks a lot for all replies !!! [EDIT:12.20.04 16:00 UTC] The "signatures" marked as "cookie" aren't the problem. |
. Joined: 3 Apr 99 Posts: 410 Credit: 16,559 RAC: 0 |
> > I have McAfee too, and what I don't understand is why he (80.161.96.46) wants to > open a port on my PC (he always tries another #, over 100 times). > > I checked by "whois" before I posted; I knew it came from DK, but the > question was why it appears after reading some threads in "Cafe SETI". > > Thanks a lot for all replies !!! > > I don't know what they are doing out there! But I think it is accidental. Last summer I had LOTS of attacks, involving most of the world, and I became so irritated (Yes, I flame easy!) about it, that I took a screendump and sent it to the Danish Police, the IT crime department, and I got the answer that "they" out there just probe, but if I get attacks from the same IP address, they would be happy to be briefed about it! And after a while, the number of attacks dropped, some weeks to none! So the same information must go to you: If you persistently get attacks from the same, contact your local police, IT crime department! I was trying to find an e-mail address for BOINC.DK, but couldn't see any on their [website](http://www.boinc.dk/index.php). Try to google them or search here on their teamsite! But I don't even know if they can explain anything? |
littleBouncer Joined: 28 May 99 Posts: 151 Credit: 666,283 RAC: 0 |
> So the same information must go to you: If you persistently get attacks from > the same, contact your local police, IT crime department! > > I was trying to find an e-mail address for BOINC.DK, but couldn't see any on > their [website](http://www.boinc.dk/index.php). Try to google them > or search here on their teamsite! But I don't even know if they can explain > anything? > @ Lena! Thanks for your reply. I posted 3 times to its hostmaster, and announced that I would contact the police, but nothing happens. Now I will do as you suggest. |
Ubdaddy Joined: 24 Aug 02 Posts: 15 Credit: 695,355 RAC: 0 |
When I started using Zonealarm Pro I tried to track the incoming probs using the Whois function. There is not much that can be done, the hackers use scanning programs that run through many IP addresses until they find one that responds. You have to set your firewall to block and allow what you want using Expert Rules. A good idea is to test your protection from time to time with test tools available, such as on the SYMANTEC web site, and block the openings. Even as I write this down I can see on the Zonealarm tray icon traffic signs, some of it is my own, some is my ISP provider trying to establish who is connected and who isn't, and some are unsolicited probes. As long as my computer does not respond to the probes I'm fairly safe. I no longer look at the ZA logfile, ZA, McAfee AV, and anti pests programs all combine to provide a reasonable protection. Yair P.S. One of the most dangerous "attacks" out there nowadays is the Phishing EMails that try to make you give up sensitive information. Never give up any sensitive info unless you initiated the connection and you trust the website. Yair |
N/A Joined: 18 May 01 Posts: 3718 Credit: 93,649 RAC: 0 |
Thanks for pitching in, Ken. FTR: It was nslookup and dig only because my modem/router blocks traceroutes and pings (Damn built-in firewall!). Also I'm using YDL4 which is a Fedora ppc port - No MS here! (OK, except for Excel... that's Microsoft's best product ever.) |
. Joined: 3 Apr 99 Posts: 410 Credit: 16,559 RAC: 0 |
> Every time I open a thread from "Cafe SETI" I receive a message from my > firewall, that there is a "hacking attack". I A. you (Seti-Staff), why and > what that means: > > one of those entries (meanwhile over 90) from my firewall: > > 2004/12/20 10:12:14 80.161.96.46:80 x.x.x.x:1688 Connection 1688 (TCP) > > What has this IP 80.161.96.46 to do with Seti, and/or Cafe SETI? > > Can I trust them? > > Look [here](http://setiweb.ssl.berkeley.edu/forum_thread.php?id=7533#57176) |
Captain Avatar Joined: 17 May 99 Posts: 15133 Credit: 529,088 RAC: 0 |
|
. Joined: 3 Apr 99 Posts: 410 Credit: 16,559 RAC: 0 |
|
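
Added example, not part of any post in this thread: a small triage script for the firewall log format littleBouncer quoted, applying the reading Ken Phillips gives above, that TCP packets from a remote port 80 to a high local port are what a web server's replies to the browser look like. The port set, the 1024 threshold and the label names are assumptions, and every sample line except the first is constructed.

```python
import re
from collections import defaultdict

# Layout of the entry quoted in the thread:
#   date time src_ip:src_port dst_ip:dst_port Connection <port> (<proto>)
LINE_RE = re.compile(
    r"^(?P<date>\d{4}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\dx.]+):(?P<dport>\d+) "
    r"Connection \d+ \((?P<proto>TCP|UDP)\)$"
)
WEB_PORTS = {80, 443}    # assumption: source ports treated as "a web server"
CLIENT_PORT_MIN = 1024   # assumption: local ports at or above this are client-side

def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    entry = m.groupdict()
    entry["sport"], entry["dport"] = int(entry["sport"]), int(entry["dport"])
    return entry

def classify(entry):
    """'web-reply': TCP from a web port to a client-side local port; else 'unsolicited'."""
    if (entry["proto"] == "TCP" and entry["sport"] in WEB_PORTS
            and entry["dport"] >= CLIENT_PORT_MIN):
        return "web-reply"
    return "unsolicited"

def triage(lines):
    """Map each remote IP to {label: sorted distinct local ports}; skip unparsable lines."""
    seen = defaultdict(lambda: defaultdict(set))
    for line in lines:
        entry = parse(line)
        if entry is not None:
            seen[entry["src"]][classify(entry)].add(entry["dport"])
    return {ip: {label: sorted(ports) for label, ports in labels.items()}
            for ip, labels in seen.items()}

# First line is the entry from the thread; the rest are constructed for illustration.
SAMPLE = [
    "2004/12/20 10:12:14 80.161.96.46:80 x.x.x.x:1688 Connection 1688 (TCP)",
    "2004/12/20 10:12:15 80.161.96.46:80 x.x.x.x:1689 Connection 1689 (TCP)",
    "2004/12/20 10:12:19 80.161.96.46:80 x.x.x.x:1702 Connection 1702 (TCP)",
    "2004/12/20 10:13:02 198.51.100.7:4312 x.x.x.x:445 Connection 445 (TCP)",
    "2004/12/20 10:13:40 203.0.113.9:80 x.x.x.x:139 Connection 139 (TCP)",
    "-- log rotated --",
]

if __name__ == "__main__":
    for ip, labels in triage(SAMPLE).items():
        print(ip, labels)
```

The remote source port is chosen by the sender, so the label is a sorting aid for a long log, not proof that the traffic is harmless.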
©2024 University of California
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.