Someone traceroute for me please


Stalker
21-08-2003, 20:52
Hey,

I'm under an all-day TCP attack on port 1084 (NOT MSBlast) from 195.157.100.129. :mad: :mad: :mad:

Can someone please find out as much as possible on this for me please. I can barely even load this page & browsing or FTP is well out of the question :mad:.

It may be some other virus, I'll give whoever it is the benefit of the doubt until I see the results etc.

Thank you in advance,

§talker

The_real_dj
21-08-2003, 21:09
Here's the location of the attacker!!!
Pop an email to the abuse address!!

Cheers

DJ


role: Netscalibur UK Hostmaster
address: Netscalibur UK Ltd
address: 9 Selsdon Way
address: Cityharbour
address: London E14 9GL
address: UK
phone: +44 (0)870 887 8800
fax-no: +44 (0)870 887 8867
e-mail: hostmaster@netscalibur.co.uk
admin-c: CSP3-RIPE
admin-c: SY131-RIPE
tech-c: NSUK1-RIPE
tech-c: NSUK3-RIPE
nic-hdl: NSUK2-RIPE
remarks: Hostmaster
remarks: ****
remarks: * All abuse reports to abuse@netscalibur.co.uk

Stalker
21-08-2003, 21:26
tyvm The_real_dj, I'll give 'em a ring tomorrow, always works better than abuse emails as they never get followed up :rolleyes:

§talk

tomw
21-08-2003, 23:53
How do you do a trace route?

XFS03
22-08-2003, 02:03
Originally posted by tomw
How do you do a trace route?
From a command prompt, type "tracert", followed by the address, such as:-

tracert www.nthellworld.co.uk
or
tracert 195.157.100.129

Richard M
22-08-2003, 05:05
lmao...

http://195.157.100.129/

It's just a webserver... :D

Stalker
22-08-2003, 10:12
Both PCs turned off last night, router was being hit HARD till 3am. Either that's an infected webserver or.....I dunno! :(

Seems ok now though, but it was so bad yesterday that I couldn't use the net well at all :(

§talk

Seb
22-08-2003, 11:41
Stalker do you still want a traceroute? I've done one if you want it.

Seb

Stalker
22-08-2003, 11:52
I'll take anything you have Seb, this is looking very strange from my point of view :( , even more so after finding out it's a webserver :confused:

§talk

Lord Nikon
22-08-2003, 11:54
Has anyone thought it could have been a Spoofed IP?


It isn't an IIS webserver though lol

Server nc3-0028.web.uk.netscalibur.com on port 80 is running:

Apache/1.3.20 Sun Cobalt (Unix) mod_jk mod_ssl/2.8.4 OpenSSL/0.9.6 PHP/4.0.6 FrontPage/5.0.2.2510 mod_perl/1.26

Other information returned by server...

Requested path: /
HTTP/1.1 302 Found
Date: Fri, 22 Aug 2003 10:15:08 GMT
Location: http://nc3-0028.web.uk.netscalibur.com/
Connection: close
Content-Type: text/html; charset=iso-8859-1

Server Response time: 0.839056 seconds

Nemesis
22-08-2003, 11:58
Stalker, have you called them ?

Stalker
22-08-2003, 12:00
I've taken that into consideration but for a DOS attack, what would they hope to achieve apart from pi$*in me off :confused:

The IP resolves to netscalibur.co.uk/ (http://www.netscalibur.co.uk/) which offers hosting services.

I personally don't think that a company would do anything like that as it reflects back on them, so something more sinister is looking more likely.

I think I'll leave it as long as it doesn't happen again :shrug:

§talk

Stalker
22-08-2003, 12:01
Bloody hell Lord Nikon

What did you use for that???!!!!!!:eek:

§talk

PS. No, I haven't called them, you think I should?

Lord Nikon
22-08-2003, 12:02
Port Authority Database

Port 1084

Name:
ansoft-lm-2

Purpose:
Anasoft License Manager


So, no idea what would be using that IP really.

Seb
22-08-2003, 12:02
Here you go


Tracing route to nc3-0028.web.uk.netscalibur.com [195.157.100.129]
over a maximum of 30 hops:

1 <10 ms <10 ms <10 ms 192.168.0.1
2 10 ms 10 ms 10 ms 10.132.39.254
3 <10 ms 10 ms 10 ms cmbg-t2cam1-b-ge95.inet.ntl.com [80.1.202.161]
4 <10 ms 11 ms <10 ms cmbg-t2core-b-ge-wan61.inet.ntl.com [80.1.201.153]
5 10 ms 10 ms 10 ms nth-bb-b-so-210-0.inet.ntl.com [62.253.188.197]
6 10 ms 10 ms 21 ms nth-bb-a-ae0-0.inet.ntl.com [62.253.185.117]
7 10 ms 20 ms 20 ms gfd-bb-b-so-400-0.inet.ntl.com [62.253.185.98]
8 20 ms 10 ms 10 ms tele-ic-2-so-100-0.inet.ntl.com [62.253.185.74]
9 10 ms 40 ms 20 ms linx-gw2.uk.netscalibur.net [195.66.226.47]
10 10 ms 20 ms 30 ms g2-1.br1.th.rtr.uk.netscalibur.net [195.157.6.225]
11 10 ms 20 ms 40 ms g1-1.dist1.th.rtr.uk.netscalibur.net [195.157.6.178]
12 10 ms 20 ms 20 ms 511.cr11.th.rtr.uk.netscalibur.net [195.157.7.98]
13 10 ms 20 ms 10 ms nc3-0028.web.uk.netscalibur.com [195.157.100.129]

Trace complete.


Seb
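
Added example (not part of any post in the thread): a Python sketch that parses the hop lines of the Windows tracert output above and reports where the path changes operator. The operator label is a naive assumption (RFC 1918 addresses count as "private", otherwise the second-level label of the reverse-DNS name is used), and the function names are hypothetical.

```python
import ipaddress
import re
# Hop lines copied from the tracert output posted in the thread.
TRACE = """\
1 <10 ms <10 ms <10 ms 192.168.0.1
2 10 ms 10 ms 10 ms 10.132.39.254
3 <10 ms 10 ms 10 ms cmbg-t2cam1-b-ge95.inet.ntl.com [80.1.202.161]
4 <10 ms 11 ms <10 ms cmbg-t2core-b-ge-wan61.inet.ntl.com [80.1.201.153]
5 10 ms 10 ms 10 ms nth-bb-b-so-210-0.inet.ntl.com [62.253.188.197]
6 10 ms 10 ms 21 ms nth-bb-a-ae0-0.inet.ntl.com [62.253.185.117]
7 10 ms 20 ms 20 ms gfd-bb-b-so-400-0.inet.ntl.com [62.253.185.98]
8 20 ms 10 ms 10 ms tele-ic-2-so-100-0.inet.ntl.com [62.253.185.74]
9 10 ms 40 ms 20 ms linx-gw2.uk.netscalibur.net [195.66.226.47]
10 10 ms 20 ms 30 ms g2-1.br1.th.rtr.uk.netscalibur.net [195.157.6.225]
11 10 ms 20 ms 40 ms g1-1.dist1.th.rtr.uk.netscalibur.net [195.157.6.178]
12 10 ms 20 ms 20 ms 511.cr11.th.rtr.uk.netscalibur.net [195.157.7.98]
13 10 ms 20 ms 10 ms nc3-0028.web.uk.netscalibur.com [195.157.100.129]
"""
# Hop number, three RTT fields ("<10 ms", "20 ms" or "*"), then "name [ip]" or a bare ip.
HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})"
                    r"(?:(\S+) \[([\d.]+)\]|([\d.]+))\s*$")

def operator(host, ip):
    # Assumption: private space has no public operator; else use the second-level DNS label.
    if ipaddress.ip_address(ip).is_private:
        return "private"
    return host.split(".")[-2] if host and "." in host else "unknown"

def parse(text):
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue  # header, blank line or a hop that timed out entirely
        n, rtts, host, ip_named, ip_bare = m.groups()
        ip = ip_named or ip_bare
        # "<10 ms" is stored as 10 (an upper bound); "*" (no reply) as None
        ms = [int(x) if x else None for x in re.findall(r"<?(\d+) ms|\*", rtts)]
        hops.append({"hop": int(n), "rtt_ms": ms, "host": host,
                     "ip": ip, "op": operator(host, ip)})
    return hops

def handoffs(hops):
    # Consecutive hops whose operator label differs: (hop, op, next_hop, next_op)
    return [(a["hop"], a["op"], b["hop"], b["op"])
            for a, b in zip(hops, hops[1:]) if a["op"] != b["op"]]

if __name__ == "__main__":
    print(handoffs(parse(TRACE)))
```

On the thread's data this reports two handoffs: hop 2 to 3 (private addressing to ntl) and hop 8 to 9 (ntl to netscalibur, at linx-gw2).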

Stalker
22-08-2003, 12:05
ty Seb, that shows it as a direct hop from the NTL network onto theirs :confused:

port 1024 uses;

port 1024 trojan port for latinus and net spy
port 1025 trojan port for fragle rock and net spy
port 1026 port for Mstask planner
port 1027 ICQ port trojan
port 1028 nil
port 1029 ICQ port trojan

grrrrrrrrrrrrr