High Level of Intrusion Attempts


ray_uk
15-11-2004, 17:34
I've been using Norton Internet Security 2004 on my 1.5mb ntl cable connection as a firewall and antivirus all-in-one solution for over a year now, but since last night I've been getting hammered by intrusion attempts. I must have had more than 60 since last night; I've started keeping a log of them if that might be of any use.

I tried ntl's cable internet support line today but they just said that they don't support Norton products and suggested I use "broadband medic".

I don't use any p2p software or chat programs and Norton Internet Security has got the latest definitions; Messenger has also been disabled through msconfig, and I've also done a complete scan with Ad-Aware.

Any help in figuring out how to do something about this would be greatly appreciated.

Chris W
15-11-2004, 17:35
Have you got any details from the intrusion attempts? This may help to figure out what is happening.

Aragorn
15-11-2004, 17:39
Was it something like "Incoming LSASS buffer overflow exploit attempt detected"?

There seems to be a lot of that about at the moment.

W32.Korgo is one of the worms that uses the LSASS exploit, as is Sasser.

My NAT firewall generally blocks these worms :)

Paul
15-11-2004, 17:41
I tried ntl's cable internet support line today but they just said that they don't support Norton products and suggested I use "broadband medic".
Since when has Broadband Medic been a firewall?

Neil
15-11-2004, 17:56
*Moved to Security & Virus Troubleshooting forum*

Neil
15-11-2004, 17:57
I tried ntl's cable internet support line today but they just said that they don't support Norton products and suggested I use "broadband medic"

*Sigh* :dozey:

cookie_365
15-11-2004, 19:10
... since last night I've been getting hammered by intrusion attempts. I must have had more than 60 since last night; I've started keeping a log of them if that might be of any use.

Wouldn't lose any sleep myself about this. Since March ZoneAlarm's blocked 72724 inbound accesses for me.

That's broadband for you .... ;)

bopdude
15-11-2004, 19:12
Wouldn't lose any sleep myself about this. Since March ZoneAlarm's blocked 72724 inbound accesses for me.

That's broadband for you .... ;)
Ditto, although I was getting worried about my figures, until I saw yours :p: as long as Norton's is blocking them, why worry :shrug:

Paul K
15-11-2004, 19:34
Yep, just worry if you start seeing no entries for blocked attempts ;)
If you are consistently seeing one particular IP address which cannot be traced back to your own PC, SACM/STB or DNS server then you could always post it here for more advice :)

ray_uk
15-11-2004, 19:52
Thanks for all the responses so far. I'll post the addresses I've managed to make a note of so far; again, any advice or info would be appreciated.

All of these occurred between 11:30 and 4:30.

Paul K
15-11-2004, 20:19
Well you have a few of our friends from the orient in there ;) Nothing unusual in that though lol. When I used to run without a router and there was a new virus out, my firewall used to take 100s, sometimes even 1000s of hits a day. You get used to it after a while ;) Unless one IP is constantly attempting entry to your system I wouldn't worry about it; I only reported 1 IP to NTL and that was after 124 attempts in an hour :erm: It went very quiet after the offending NTL customer ran a virus sweep ;)
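An added example, not from the thread, of the rule of thumb Paul K gives above applied to a firewall block log: scattered single hits from many addresses are background noise, but one source that keeps coming back inside an hour is worth reporting, once your own gateway or DNS server has been excluded. The log format, the addresses and the threshold are constructed for the example and are not Norton Internet Security's real export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one "date time source_ip:port" entry per line.
# NOT Norton Internet Security's real format; it only mimics the IP : port pairs in the thread.
SAMPLE_LOG = """\
2004-11-15 11:31:02 80.120.209.11:1164
2004-11-15 11:41:03 70.48.93.16:3463
2004-11-15 11:42:55 70.48.93.16:3870
2004-11-15 11:44:10 70.48.93.16:3901
2004-11-15 11:45:30 70.48.93.16:3950
2004-11-15 11:46:12 10.0.0.1:53
2004-11-15 12:50:00 70.48.93.16:4100
"""

# Hosts that legitimately talk to you (gateway, cable modem, ISP DNS); placeholder value.
KNOWN_INFRASTRUCTURE = {"10.0.0.1"}


def parse_log(text):
    """Return a list of (datetime, source_ip) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, endpoint = line.split()
        ip = endpoint.rsplit(":", 1)[0]          # drop the source port
        events.append((datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"), ip))
    return events


def repeat_offenders(events, threshold=4, window=timedelta(hours=1)):
    """Map source_ip -> peak number of blocks inside any single window,
    for sources reaching `threshold`; known infrastructure is never reported."""
    by_ip = defaultdict(list)
    for ts, ip in events:
        if ip not in KNOWN_INFRASTRUCTURE:
            by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):             # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged
```

Raise `threshold` towards the 124-in-an-hour figure quoted above to match the level at which a report to the ISP was actually made.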

homealone
15-11-2004, 22:38
Well you have a few of our friends from the orient in there ;) Nothing unusual in that though lol. When I used to run without a router and there was a new virus out, my firewall used to take 100s, sometimes even 1000s of hits a day. You get used to it after a while ;) Unless one IP is constantly attempting entry to your system I wouldn't worry about it; I only reported 1 IP to NTL and that was after 124 attempts in an hour :erm: It went very quiet after the offending NTL customer ran a virus sweep ;)

Australia too

11/15/04 22:27:02 Fast traceroute 80.120.209.11
Trace 80.120.209.11 ...
1 hop 158ms * 43ms TTL: 0 (No rDNS)
2 hop * * 40ms TTL: 0 (No rDNS)
3 80.4.47.225 * * 38ms TTL: 0 (nott-t2cam1-b-v128.inet.ntl.com ok)
4 80.1.79.205 * * 30ms TTL: 0 (nott-t2core-b-ge-wan73.inet.ntl.com ok)
5 62.253.188.37 181ms 69ms 28ms TTL: 0 (nth-bb-b-so-300-0.inet.ntl.com ok)
6 62.253.185.102 177ms * 17ms TTL: 0 (lee-bb-a-so-600-0.inet.ntl.com ok)
7 62.253.185.238 179ms 167ms 20ms TTL: 0 (pop-bb-b-so-100-0.inet.ntl.com ok)
8 62.253.185.82 173ms 161ms 23ms TTL: 0 (tele-ic-1-so-000-0.inet.ntl.com ok)
9 212.250.14.50 169ms 135ms 25ms TTL: 0 (No rDNS)
10 195.22.215.22 192ms 181ms 68ms TTL: 0 (ge6-1-vie8-vieb.vie.seabone.net fraudulent rDNS)
11 195.22.215.34 202ms 169ms 62ms TTL: 0 (customer-side-telekom-aus-1-at-vie8.vie.seabone.net ok)
12 195.3.70.162 * 173ms 64ms TTL: 0 (No rDNS)
13 195.3.78.53 * 171ms 61ms TTL: 0 (aum3-aux3.highway.telekom.at ok)
14 195.3.78.45 * 165ms 63ms TTL: 0 (No rDNS)
15 195.3.78.46 * 159ms 64ms TTL: 0 (No rDNS)
16 195.3.76.226 * 153ms 65ms TTL: 0 (No rDNS)
17 195.3.90.214 * 156ms 84ms TTL: 0 (No rDNS)
18 172.17.67.118 * 151ms 74ms TTL: 0 (No rDNS)
19 80.120.209.11 * 149ms 88ms TTL: 48 (mail1.netconsol.biz ok)

21 80.120.209.11 148ms TTL: 48 (mail1.netconsol.biz ok)

23 80.120.209.11 147ms TTL: 48 (mail1.netconsol.biz ok)
24 80.120.209.11 97ms TTL: 48 (mail1.netconsol.biz ok)



#9 & #10 seem to be the key replies :)

Matth
15-11-2004, 23:29
Yes, it does seem noisier than usual, maybe a new exploit is about.

Not spotted any particular concentration yet, though a bias towards 80.x.x.x suggests that there is a class A address targeting group on some of it.

ray_uk
16-11-2004, 01:15
Thanks for all the responses so far. I'm considering using NOD32 and ZoneAlarm Pro instead of NIS2004; recommendations would be appreciated.

bopdude
16-11-2004, 01:19
Thanks for all the responses so far. I'm considering using NOD32 and ZoneAlarm Pro instead of NIS2004; recommendations would be appreciated.
Why change progs when you know you're being protected??? If you don't wanna see all the 'hits', turn off the option :shrug: just my two pennies worth...

As the saying goes, don't try and fix what's not broken :tu:

Paul K
16-11-2004, 07:57
Thanks for all the responses so far. I'm considering using NOD32 and ZoneAlarm Pro instead of NIS2004; recommendations would be appreciated.
Why change progs when you know you're being protected??? If you don't wanna see all the 'hits', turn off the option :shrug: just my two pennies worth...

As the saying goes, don't try and fix what's not broken :tu:
Yep, the firewall is doing what it is designed to do, so why change it? If you want to see less activity in your logs (ooer) then either turn off notification as Bop says or get a router; you get far fewer hits on your firewall that way :D

Matth
16-11-2004, 21:41
Even if you only have a single system, a router can make a very effective "garbage filter" - especially if you don't use anything that requires port forwarding.

iadom
04-12-2004, 18:29
Whilst I don't worry about firewall logs, I have noticed a recent upsurge in alerts from local Ntl customers; in the past week or so I have had large numbers of hits from the same 5 or 6 users, and I suspect that they are emanating from infected PCs. It is not yet quite as bad as it was before Ntl started port blocking, but it is on the increase. At least 4 of them are not very well protected; even a simple tool such as VizualZone reveals MAC address, node etc.