Someone traceroute for me please
Hey,
I'm under an all-day TCP attack on port 1084 (NOT MSBlast) from 195.157.100.129. :mad: :mad: :mad:
Can someone please find out as much as possible on this for me please. I can barely even load this page & browsing or FTP is well out of the question :mad:.
It may be some other virus, I'll give whoever it is the benefit of the doubt until I see the results etc.
Thank you in advance,
§talker
The_real_dj
21-08-2003, 21:09
Here's the location of the attacker!!!
Pop an email to the abuse address!!
Cheers
DJ
role: Netscalibur UK Hostmaster
address: Netscalibur UK Ltd
address: 9 Selsdon Way
address: Cityharbour
address: London E14 9GL
address: UK
phone: +44 (0)870 887 8800
fax-no: +44 (0)870 887 8867
e-mail: hostmaster@netscalibur.co.uk
admin-c: CSP3-RIPE
admin-c: SY131-RIPE
tech-c: NSUK1-RIPE
tech-c: NSUK3-RIPE
nic-hdl: NSUK2-RIPE
remarks: Hostmaster
remarks: ****
remarks: * All abuse reports to abuse@netscalibur.co.uk
tyvm The_real_dj, I'll give 'em a ring tomorrow, always works better than abuse emails as they never get followed up :rolleyes:
§talk
How do you do a trace route?
Originally posted by tomw
How do you do a trace route?
From a command prompt, type "tracert", followed by the address, such as:-
tracert www.nthellworld.co.uk
or
tracert 195.157.100.129
Richard M
22-08-2003, 05:05
lmao...
http://195.157.100.129/
It's just a webserver... :D
Both PCs turned off last night, router was being hit HARD till 3am. Either that's an infected webserver or.....I dunno! :(
Seems OK now though, but it was so bad yesterday that I couldn't use the net well at all :(
§talk
Stalker do you still want a traceroute? I've done one if you want it.
Seb
I'll take anything you have Seb, this is looking very strange from my point of view :( , even more so after finding out it's a webserver :confused:
§talk
Lord Nikon
22-08-2003, 11:54
Has anyone thought it could have been a Spoofed IP?
It isn't an IIS webserver though lol
Server nc3-0028.web.uk.netscalibur.com on port 80 is running:
Apache/1.3.20 Sun Cobalt (Unix) mod_jk mod_ssl/2.8.4 OpenSSL/0.9.6 PHP/4.0.6 FrontPage/5.0.2.2510 mod_perl/1.26
Other information returned by server...
Requested path: /
HTTP/1.1 302 Found
Date: Fri, 22 Aug 2003 10:15:08 GMT
Location: http://nc3-0028.web.uk.netscalibur.com/
Connection: close
Content-Type: text/html; charset=iso-8859-1
Server Response time: 0.839056 seconds
Stalker, have you called them?
I've taken that into consideration but for a DOS attack, what would they hope to achieve apart from pi$*in me off :confused:
The IP resolves to netscalibur.co.uk/ (http://www.netscalibur.co.uk/) which offers hosting services.
I personally don't think that a company would do anything like that as it reflects back on them, so something more sinister is looking more likely.
I think I'll leave it as long as it doesn't happen again :shrug:
§talk
bloody hell Lord Nikon
what did you use for that???!!!!!!:eek:
§talk
PS. No, I haven't called them, you think I should?
Lord Nikon
22-08-2003, 12:02
Port Authority Database
Port 1084
Name:
ansoft-lm-2
Purpose:
Anasoft License Manager
So, no idea what would be using that IP really.
Here you go
Tracing route to nc3-0028.web.uk.netscalibur.com [195.157.100.129]
over a maximum of 30 hops:
1 <10 ms <10 ms <10 ms 192.168.0.1
2 10 ms 10 ms 10 ms 10.132.39.254
3 <10 ms 10 ms 10 ms cmbg-t2cam1-b-ge95.inet.ntl.com [80.1.202.161]
4 <10 ms 11 ms <10 ms cmbg-t2core-b-ge-wan61.inet.ntl.com [80.1.201.153]
5 10 ms 10 ms 10 ms nth-bb-b-so-210-0.inet.ntl.com [62.253.188.197]
6 10 ms 10 ms 21 ms nth-bb-a-ae0-0.inet.ntl.com [62.253.185.117]
7 10 ms 20 ms 20 ms gfd-bb-b-so-400-0.inet.ntl.com [62.253.185.98]
8 20 ms 10 ms 10 ms tele-ic-2-so-100-0.inet.ntl.com [62.253.185.74]
9 10 ms 40 ms 20 ms linx-gw2.uk.netscalibur.net [195.66.226.47]
10 10 ms 20 ms 30 ms g2-1.br1.th.rtr.uk.netscalibur.net [195.157.6.225]
11 10 ms 20 ms 40 ms g1-1.dist1.th.rtr.uk.netscalibur.net [195.157.6.178]
12 10 ms 20 ms 20 ms 511.cr11.th.rtr.uk.netscalibur.net [195.157.7.98]
13 10 ms 20 ms 10 ms nc3-0028.web.uk.netscalibur.com [195.157.100.129]
Trace complete.
Seb
ty Seb, that shows it as a direct hop from the NTL network onto theirs :confused:
port 1024 uses;
port 1024 trojan port for latinus and net spy
port 1025 trojan port for fragle rock and net spy
port 1026 port for Mstask planner
port 1027 ICQ port trojan
port 1028 nil
port 1029 ICQ port trojan
grrrrrrrrrrrrr