NTL are hacking me


mickmc
04-03-2004, 09:54
I have just been warned by my firewall (Norton) that there was a recent attempt to hack my computer. Having followed the trace it has taken me to NTL's Nottingham site. What is this about?

inetnum: 62.254.0.0 - 62.254.31.255
netname: NTL
descr: NTL Internet
descr: Nottingham site
country: GB
admin-c: NNMC1-RIPE
tech-c: NNMC1-RIPE
status: ASSIGNED PA
mnt-by: AS5089-MNT
changed: hostmaster@ntli.net 20010108
changed: hostmaster@ntli.net 20020815
source: RIPE

Stuartbe
04-03-2004, 09:57
:welcome: to nthellworld.co.uk Mickmc :)

What type of traffic has it blocked ?

It could be belated dhcp or dns acks that have set off the alarm....

Can you post the log please.

iadom
04-03-2004, 09:57
Hi, and :welcome: , Ntl are not hacking you, you need to configure your firewall to allow certain servers trusted access, see Robin Walker's excellent website, a link is near the bottom of the home page.
Edit. B***Y Hell Stu, you are fast,:pp

Neil
04-03-2004, 09:58
Hi & Welcome to nthw.

ntl are not attacking you at all. It's more than likely an ntl customer with a PC that hasn't been properly protected, & is infected with a virus/trojan that is sending out traffic to random I.Ps.

Not much you can do really except make sure that you have a decent firewall, & make sure your O/S is fully patched up. :)

mickmc
04-03-2004, 10:02
Thanks folks but this happened repeatedly yesterday and has again happened twice today. Why would anyone from NTL want to access my computer?

Stuartbe
04-03-2004, 10:04
Thanks folks but this happened repeatedly yesterday and has again happened twice today. Why would anyone from NTL want to access my computer?

You need to post the details m8...... There are thousands if not millions of different types of attacks.....

See if you can post the event log or at least give the details of the scan/probe.

Neil
04-03-2004, 10:07
Thanks folks but this happened repeatedly yesterday and has again happened twice today. Why would anyone from NTL want to access my computer?

They wouldn't.

As I said it's probably a user whose PC is infected, & they don't even know about it.

mickmc
04-03-2004, 10:10
Details:

Attempted Intrusion "HTTP_IIS_ISAPI_Extension" against your machine was detected and blocked
Intruder: 62.254.0.12(16370)
Risk Level: High
Protocol: TCP
Attacked IP: mickmc(**.***.**.***).
Attacked Port: http(80)
Click on the address to trace the attacker You can get detailed information about this attack at Symantec Security Response (http://securityresponse.symantec.com/avcenter/nis_ids/)

[Edit]-I've removed your I.P address, Neil.

mickmc
04-03-2004, 10:11
Don't you all think this is suss?

iadom
04-03-2004, 10:12
Thanks folks but this happened repeatedly yesterday and has again happened twice today. Why would anyone from NTL want to access my computer?

What port is the attack hitting? I have one US based IP that has hit my firewall 129 times in the past week mainly port 1026, this is almost certainly a virus infected PC.
Edit. Port 80. Looks like Neil is correct, don't worry about it, just think of it as a burglar that has walked past your house and left you alone because you have an alarm fitted.

Stuartbe
04-03-2004, 10:14
Details:

Attempted Intrusion "HTTP_IIS_ISAPI_Extension" against your machine was detected and blocked
Intruder: 62.254.0.12(16370)
Risk Level: High
Protocol: TCP
Attacked IP: mickmc(**.***.**.***).
Attacked Port: http(80)
Click on the address to trace the attacker You can get detailed information about this attack at Symantec Security Response (http://securityresponse.symantec.com/avcenter/nis_ids/)

Are you running a web server ? If not then this is nothing to worry about.

It's an exploit for IIS servers - http://www.microsoft.com/technet/security/bulletin/MS01-033.asp

If your firewall has blocked it then you don't have a problem...

The request appears to have originated from an NTL proxy.. Someone may be using the proxy to relay the scan.

Stuart
04-03-2004, 10:23
Don't you all think this is suss?
As Neil said, it's probably just a customer with an infected PC. He or she may not even be aware that they are doing it. These things happen nowadays. At one point, my firewall was getting hit 100 times a day by virus infected PCs.

If you are concerned, send a copy of your logs to abuse@ntlworld.com. They can track the user down, and warn him or her.

Stuartbe
04-03-2004, 10:25
How are they going to track down the user when the reported IP is a proxy server ?

mickmc
04-03-2004, 10:31
Well thanks for all the reassurance folks. You have all been great.

Stuart
04-03-2004, 10:39
How are they going to track down the user when the reported IP is a proxy server ?
You posted while I was typing that..

Anyway, surely it depends if the proxy is logged?

Pyromanic
06-03-2004, 00:45
As Neil said, it's probably just a customer with an infected PC. He or she may not even be aware that they are doing it. These things happen nowadays. At one point, my firewall was getting hit 100 times a day by virus infected PCs.

If you are concerned, send a copy of your logs to abuse@ntlworld.com. They can track the user down, and warn him or her.


That addy has an auto reply on it, referring to an FAQ

staffie
02-02-2005, 09:46
Hi - Newbie here with first post.

Over the last 2-3 weeks i have been port scanned on ports 2745, 3127 (TCP) 6129 (TCP) - not just the odd scans but 1000's of times. Over 400 yesterday alone. My McAfee alerted me of these scans - and they are in green which means that they are on my LAN.

When i traced the scans back i get the following:-
2005/02/01 19:59:16 80.1.236.218:3837 (cpc1-bror2-3-0-cust218.brom.cable.ntl.com) 80.1.236.xxx :2745 URBISNET

It's the same for the other ports.

Could anyone please tell me why NTL are doing this? Or is it a case of an infected pc on my LAN?

Although it seems that my firewall is doing its job, this is rather disconcerting and worrying as I'm relatively new to computers.

Any help or advice that anyone can provide would be most welcome.

thanks
staffie (alan)

homealone
02-02-2005, 11:48
Hi Alan :welcome: to Cable Forum :wavey:

Firstly if your firewall is picking up the scans, you don't have to worry, as it is doing its job.

Secondly that URL looks like an NTL customer - interesting that you say it appears to be coming from your LAN, you would need to look at the IP of each PC on the LAN to see if it is a local problem.
- however it is more likely to be a PC with a trojan, trying to recruit more unsuspecting victims.

As said earlier in the thread, you can send a copy of your firewall log to

abuse@ntlworld.com

- otherwise, using a router with NAT will screen out most port scans before they reach your McAfee firewall

staffie
02-02-2005, 12:21
Homealone, - thanks for your reply, it has reassured me that there is nothing to worry about.

This is what McAfee says about scans from pc's on same LAN

"Events can be generated from computers on your local area network (LAN). To show that these events are coming from somewhere "close to home," Personal Firewall displays them in green."

All of the scans that i mentioned are in green, and i believed them to be on the same LAN as per McAfee.

As you say, my firewall is obviously doing its job, and so in future i will disregard any scans like this.

Thank you once again for your advice, and although this is my first post, i have enjoyed reading the forums for quite a while - and i've learned a fair bit, - very handy being new to pc's.

staffie.

homealone
02-02-2005, 13:05
No problem, glad you enjoy the forum - stick around, there are plenty of helpful & friendly folk around here & you can be sure of help & advice on a vast array of subjects - not just computers. :)

Re: your port scans, have you run an adware/spyware scan using Adaware or Spybot (easily found with google if you haven't got either) on your PC's, as even though the firewall appears to be working, you cannot be too careful ;)

staffie
02-02-2005, 13:27
Homealone,

Thanks yet again for your reply. I have both adaware and spybot s+d as well as spywareblaster installed on my pc, after running adaware and spybot all i found were two tracking cookies.

I agree, you cannot be too careful with security these days and i keep everything as up to date as poss.

Indeed i intend to stick around, and will ask advice and help from the good people that use this forum, as from what i can see you are all very helpful.

Being self taught on this thing by trial and error (mostly error) i'm slowly getting the hang of it.

It's good to know that if help is required there is somewhere to get the info needed.

Thanks again

Staffie

homealone
02-02-2005, 13:49
It's the only way to learn, really - I define an expert as someone who just happens to have already made all the mistakes that you are about to :D

Good to know you are up to speed with all the anti virus & spyware stuff, though, that is one area where learning the hard way is not recommended ;)

staffie
02-02-2005, 17:32
I was originally trained as a Telex Operator way back in the dark distant 1970's. So when i got on a pc, i was surprised how fast the typing speed came back, its like riding a bike you never forggt ho tdoit.

Now I'm in front of a machine that has more computing power than all the Direct switching systems i've ever worked on - by a long long way.

So at the moment i have spent the last year trying to catch up with the last 20 in technical terms. Ha there's life in the old dog yet!

JohnHorb
02-02-2005, 18:36
The reason the logs appear in green, assuming you are connecting direct to the modem or STB rather than through a router, is that you ARE effectively on the same LAN as other customers on the same (80.1.236.xxx) sub-net. I think you'll find that if you go to a command window and type

ipconfig /all

it will show you have a similar IP address, with just the last bit different.
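The point JohnHorb makes above can be checked directly against a firewall log. This is an added example, not part of the thread: it parses lines in the layout staffie quoted, groups blocked probes by source, and flags sources inside the local sub-net. Only the first sample line is from the thread; the other lines, the `triage` function and the /24 mask are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Sample in the layout of the log line quoted in the thread. Only the first
# line is from the thread; the rest are constructed for illustration.
SAMPLE_LOG = """\
2005/02/01 19:59:16 80.1.236.218:3837 (cpc1-bror2-3-0-cust218.brom.cable.ntl.com) 80.1.236.xxx :2745 URBISNET
2005/02/01 19:59:19 80.1.236.218:3840 (cpc1-bror2-3-0-cust218.brom.cable.ntl.com) 80.1.236.xxx :3127 URBISNET
2005/02/01 20:01:02 80.1.236.218:3901 (cpc1-bror2-3-0-cust218.brom.cable.ntl.com) 80.1.236.xxx :6129 URBISNET
2005/02/01 20:04:45 203.0.113.7:1044 (host.example.net) 80.1.236.xxx :1026 EXAMPLE
"""

# date, time, source ip:port, (reverse DNS), masked destination, :dest port
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<src>[\d.]+):(?P<sport>\d+) "
    r"\((?P<rdns>[^)]*)\) \S+ :(?P<dport>\d+)"
)

def triage(log_text, local_net):
    """Group blocked probes by source and flag sources inside local_net."""
    net = ipaddress.ip_network(local_net)
    hits = Counter()
    ports = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not an event line
        src = ipaddress.ip_address(m["src"])
        hits[src] += 1
        ports.setdefault(src, set()).add(int(m["dport"]))
    # Busiest source first, with the destination ports it probed
    return [
        {"source": str(src), "same_subnet": src in net,
         "events": n, "ports": sorted(ports[src])}
        for src, n in hits.most_common()
    ]

if __name__ == "__main__":
    # Assumption: a /24 mask for the 80.1.236.xxx sub-net named in the thread;
    # the real mask is whatever ipconfig /all reports.
    for row in triage(SAMPLE_LOG, "80.1.236.0/24"):
        print(row)
```

A source flagged `same_subnet` here is another customer on the same cable segment, which is why a personal firewall treats it as "local".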

staffie
02-02-2005, 19:06
JohnHorb, thanks for your reply, i did as you suggested and when i typed in ipconfig / all, a black box opened, and closed so fast that i was unable to see what was in it.

I was just checking the incoming events log, and it shows a further 100+ scans from the same ip adds.

But as they are just bouncing off the firewall, I'm gonna just ignore them.

thanks for your help.

staffie

JohnHorb
02-02-2005, 19:10
Sounds like you typed the command into the 'Run' box. You need to open a command window (under start/all programs/accessories/command prompt). It's also a useful command to know to check your PC is picking up settings from NTL if you ever have problems with your connection.

staffie
02-02-2005, 19:37
JohnHorb, thanks for your help, i managed to do as you said, it opened a window where i typed ipconfig /all - and sure enough a lot of figures and stuff i didn't understand were there. Afraid a bit too far over my head.

Thanks anyway for your help today from both Homealone, and JohnHorb, it is nice to find such a welcoming forum.


thanks
staffie

homealone
02-02-2005, 20:05
you're welcome - thanks for the rep :tu:

actl
15-02-2005, 10:13
Hi,
Ntl are not hacking you, you need to configure your firewall to allow

certain servers trusted access,

u can have best information regarding servers having the best access by visiting the following links .


[Admin Edit] (Neil) Spam removed, & user banned (again)

Neil
15-02-2005, 10:29
Q5. I've got a firewall and it keeps telling me that I'm being hacked by ntl. It even lists the address of the ntl office from which I'm being hacked and the name of the employee that is hacking me. Is there anything I can do?

A5. When a firewall detects a connection attempt from another computer, the attempt will be recorded in a log file along with the other computer's IP Address. As a company, ntl has been allocated a block of IP addresses that we as a company can use and which we can also allocate to our customers. In addition to logging information in a file, some firewalls will attempt to be of further use. Some firewalls or security software will attempt to identify the administrators of an IP address that has been recorded by a firewall, by retrieving the names, work place addresses and contact details of those administrators from publicly available records. If your firewall or security software indicates the names, work addresses or contact details of ntl employees, your firewall is identifying the administrators for that IP address - the administrators are not trying to hack your computer.

We would request that you do not attempt to contact those people listed in such records with network or computer abuse reports. While they will forward your complaints to the relevant department, there may be a delay in processing your report if it has to be forwarded to the abuse department - please direct any abuse reports to ntl AUP Team.

http://www.ntlworld.com/help/aup/aupFAQ.html
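What the FAQ answer above describes can be seen in the RIPE record posted at the top of the thread. This is an added example, not part of the thread or of ntl's FAQ: it parses that record and checks the logged address 62.254.0.12 against it, showing that the lookup names the holder of a whole address block rather than the machine that sent the traffic. The function names are assumptions made for illustration, and the `changed:` lines are omitted.

```python
import ipaddress

# The RIPE record posted at the top of the thread (changed: lines omitted).
RIPE_RECORD = """\
inetnum: 62.254.0.0 - 62.254.31.255
netname: NTL
descr: NTL Internet
descr: Nottingham site
country: GB
admin-c: NNMC1-RIPE
tech-c: NNMC1-RIPE
status: ASSIGNED PA
mnt-by: AS5089-MNT
source: RIPE
"""

def parse_inetnum(record):
    """Parse 'key: value' whois attributes; repeated keys become lists."""
    attrs = {}
    for line in record.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            attrs.setdefault(key.strip(), []).append(value.strip())
    # inetnum is "first - last"; turn both ends into address objects
    first, last = (ipaddress.ip_address(p.strip())
                   for p in attrs["inetnum"][0].split("-"))
    return attrs, first, last

def describe(ip, record):
    """Report what the whois record says about the block containing ip."""
    attrs, first, last = parse_inetnum(record)
    addr = ipaddress.ip_address(ip)
    cidrs = [str(n) for n in ipaddress.summarize_address_range(first, last)]
    return {
        "in_block": first <= addr <= last,
        "block": cidrs,                          # the range as CIDR prefixes
        "block_size": int(last) - int(first) + 1,
        "holder": attrs["netname"][0],           # who administers the block
        "contacts": attrs["admin-c"] + attrs["tech-c"],
    }

if __name__ == "__main__":
    # 62.254.0.12 is the "Intruder" address from the Norton alert in the thread.
    print(describe("62.254.0.12", RIPE_RECORD))
```

The record covers 8192 addresses under one set of contacts, so the names a firewall "trace" displays belong to the block's administrators.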

Toto
15-02-2005, 11:01
To add something here, a few have said that you should report ntl IP abuse to abuse@ntlworld.com. The RIPE information says you should report it via an online form at http://www.ntlworld.com/netreport.

Thought that may help others, maybe not

iadom
02-03-2005, 16:58
Surely this cannot be our very own Debs can it,;)

This individual has been banging up against my firewall for the past couple of weeks on a very regular basis. :(




IP address: 213.106.***.*
DNS: spr1-runc1-6-0-cust3.bagu.broadband.ntl.com
Node: DEBBY-0UD0T9MNC
Workgroup: MSHOME
NetBIOS: LEE LYONS
MAC: 0030056****

I wonder if Graham knows about Lee.:D

Richard M
02-03-2005, 17:07
It's unusual for a computer to be broadcasting its local hostname like that...

iadom
02-03-2005, 17:17
It's unusual for a computer to be broadcasting its local hostname like that...
I used backtrace in VisualZone, usually only shows up when the offending IP is obviously clueless or a net novice.

Toto
02-03-2005, 18:04
I used backtrace in VisualZone, usually only shows up when the offending IP is obviously clueless or a net novice.

I'll say, LOL, should be easy for ntl security to trace that one ;)