Hacking by China on my computer.
Old 13-02-2010, 17:29   #1
Radio Ham
Inactive
 
Join Date: Feb 2010
Posts: 4
Hacking by China on my computer.

I am a radio Amateur and my equipment is connected to the Internet. Whenever
an attempt is made to enter my IP address, the IP of the person making
the attempt is registered.

I am constantly having attempts made at a rate of one every few minutes
but because of the unique system they cannot enter..I have also invoked
a filter against them..since I did this they seem more and more determined to
"break in" as it were

They are :
IP 222.208.183.218
IP 221.192.199.48
IP 221.195.73.68
All Chinese IPs

Using programmes at my disposal I find they are using programmes provided
by Microsoft..
TELNET CONNECTED TO 221.192.199.48
220 ddisp 5655341 Microsoft ESMTP MAIL Service,Version:6.0.3790.3959
ready at Fri,12 Feb 2010 07:00:30 +0800

I wrote to Microsoft and their only comment seems to be that they are
sorry my service is being interrupted...Well so am I...Who else are these
people delving into and for what reason.?
Old 13-02-2010, 17:46   #2
Raistlin
Inactive
 
Join Date: Feb 2004
Location: There's no place like 127.0.0.1
Services: Depends on the person and the price they're offering
Posts: 12,384
Re: Hacking by China on my computer.

Ok, if you're exposing any services to the outside world then you can expect people on the Internet to be interested in them. Particularly people from countries such as China which have a known history of engaging in what I will charitably call 'cyber exploration'.

The fact that they are using Microsoft products (if they actually are) is nothing to do with Microsoft, they can't control who does what with their systems/applications.

Best bet is to stick whatever equipment you're using behind a suitable firewall and only allow access to those services from the Internet that absolutely must be available on the Internet. Once you've done that you will have to accept that a certain portion of the population will always be interested in what is on the other side of any services you're making available via your connection.

Quote:
Originally Posted by Radio Ham View Post
Using programmes at my disposal I find they are using programmes provided
by Microsoft..
TELNET CONNECTED TO 221.192.199.48
220 ddisp 5655341 Microsoft ESMTP MAIL Service,Version:6.0.3790.3959
ready at Fri,12 Feb 2010 07:00:30 +0800

I find this very interesting. Am I reading this properly, did you just connect back to an open port on one of the IP addresses that is 'attacking' you using the Telnet program? If they are interested in you then you've just made them doubly so.....
Old 13-02-2010, 18:00   #3
Radio Ham
Inactive
 
Join Date: Feb 2010
Posts: 4
Re: Hacking by China on my computer.

Hi Rob,
Not that daft as to be on the Internet without protection, triply so as it happens.. Double firewall and password. Maybe they will get fed up eventually and go away 'cause they ain't going to get in..!! It's their persistence that annoys me..
Thanks for your comments.
Old 13-02-2010, 18:06   #4
Raistlin
Inactive
 
Join Date: Feb 2004
Location: There's no place like 127.0.0.1
Services: Depends on the person and the price they're offering
Posts: 12,384
Re: Hacking by China on my computer.

Two firewalls are a good start, hopefully they're standalone appliances of different manufacture. As for the 'password', not sure what that achieves as (presumably) it is only asked for when you try to connect out.

Annoying it may be, but something you can control or do something about it certainly isn't.

You could have a look at your appliance's ruleset and see if it allows you the option to drop (rather than block) all traffic from a certain IP range. This would allow you to drop (i.e. not perform any processing upon other than a determination of origin) any inbound connection attempts from any Chinese IP. This will lighten the load on your firewalls and will also make it far less likely that they're ever going to gain a foothold on you.

Remember though that if you're exposing any services to the outside as a result of the applications/hardware you're using then you need to make sure that the application/hardware is patched/updated to the latest secure release.
Old 13-02-2010, 18:21   #5
Paul
Dr Pepper Addict
Cable Forum Team
 
Join Date: Oct 2003
Location: Nottingham
Age: 62
Services: IDNet FTTP (1000M), Sky Q TV, Sky Mobile, Flextel SIP
Posts: 30,101
Re: Hacking by China on my computer.

Given that the origin IP seems to be an SMTP server, then it's probably spammers looking for open SMTP relay servers.
Old 13-02-2010, 18:22   #6
Raistlin
Inactive
 
Join Date: Feb 2004
Location: There's no place like 127.0.0.1
Services: Depends on the person and the price they're offering
Posts: 12,384
Re: Hacking by China on my computer.

You're probably not wrong.
Old 13-02-2010, 18:24   #7
Jon T
cf.mega poster
 
Join Date: Jun 2003
Location: Mansfield, Notts
Age: 46
Services: Virgin Media Telephone and 100Mb broadband, Sky Q
Posts: 1,994
Re: Hacking by China on my computer.

Writing to Microsoft because the hackers are using one of their products is the same as writing to Ford because a Fiesta has just run over your dog!

As has already been said, if a port is exposed to the internet, you will get connection attempts and port probes/scans, it's an unavoidable consequence of advertising a service over the internet. That's what firewalls and user/ip level access mechanisms are for!

BTW what particular Ham related service/program are you running?

Jon - M1CBH
Old 13-02-2010, 18:38   #8
Radio Ham
Inactive
 
Join Date: Feb 2010
Posts: 4
Re: Hacking by China on my computer.

Hi All,

Thanks for all your comments and taken on board..All I want to say about the programme
I am running is, TCP/IP over Packet Radio. Filters are possible and in place against the
offenders. As for writing to Microsoft..Well at least they can't say they didn't know.
Jon thanks and 73's. G3LQC/G3LPC/GB7BA. See qrz.com visit G3LPC.
Old 13-02-2010, 18:44   #9
Raistlin
Inactive
 
Join Date: Feb 2004
Location: There's no place like 127.0.0.1
Services: Depends on the person and the price they're offering
Posts: 12,384
Re: Hacking by China on my computer.

Np, hope you manage to stay good and safe.

From a purely professional point of view I'd be interested to see how your system presents itself on the network (what banners/services it offers). Might have to find myself a friendly local Radio Ham with a similar setup and have a look-see
Old 13-02-2010, 19:33   #10
Kymmy
Inactive
 
Join Date: Dec 2007
Posts: 18,385
Re: Hacking by China on my computer.

Quote:
Originally Posted by Radio Ham View Post
Hi All,

Thanks for all your comments and taken on board..All I want to say about the programme
I am running is, TCP/IP over Packet Radio. Filters are possible and in place against the
offenders. As for writing to Microsoft..Well at least they can't say they didn't know.
Jon thanks and 73's. G3LQC/G3LPC/GB7BA. See qrz.com visit G3LPC.

If you're running tcpip over packet (thought that had gone out of the window since I ran 9K6 in that mode in mid '90s) then it shouldn't affect your internet, not unless you're running a gateway (using GB7BA I presume you may be).. Just filter out the whole 221.*.*.* and 222.*.*.* subnet and you should be fine though expect the probes to come from everywhere and not just China

73's Kymmy
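
Added example, not part of any post in this thread: a check of what the suggested 221.*.*.* / 222.*.*.* filter would and would not catch when run over a connection log. The log format, timestamps, ports and the last three sources are constructed for the example; only the first three addresses come from the thread.

```python
import ipaddress
from collections import Counter

# The two ranges suggested in the post above, written as CIDR blocks.
DROP_RANGES = [ipaddress.ip_network("221.0.0.0/8"),
               ipaddress.ip_network("222.0.0.0/8")]

# Constructed log, one attempt per line: "<timestamp> <source ip> <port>".
# Sources in 198.51.100.0/24 and 203.0.113.0/24 are documentation addresses.
SAMPLE_LOG = """\
2010-02-12T07:00:30 222.208.183.218 23
2010-02-12T07:03:10 221.192.199.48 25
2010-02-12T07:05:44 221.195.73.68 23
2010-02-12T07:09:02 221.192.199.48 25
2010-02-12T07:11:51 198.51.100.7 23
2010-02-12T07:15:20 203.0.113.99 25
2010-02-12T07:16:00 bad-address 23
not a log line
"""


def parse_sources(log_text):
    """Yield the source address of each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        try:
            yield ipaddress.ip_address(fields[1])
        except ValueError:
            continue  # malformed address: skip instead of aborting the run


def classify(log_text, drop_ranges=DROP_RANGES):
    """Count attempts per source, split by whether the range filter hits."""
    dropped, passed = Counter(), Counter()
    for src in parse_sources(log_text):
        hit = any(src in net for net in drop_ranges)
        (dropped if hit else passed)[str(src)] += 1
    return dropped, passed


if __name__ == "__main__":
    dropped, passed = classify(SAMPLE_LOG)
    print("dropped by range filter:", dict(dropped))
    print("still reaching the service:", dict(passed))
```

Sources outside the two ranges land in the second counter, which is the point made above about probes coming from everywhere: the exposed service still needs its own access control and patching.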
Old 13-02-2010, 20:26   #11
Radio Ham
Inactive
 
Join Date: Feb 2010
Posts: 4
Re: Hacking by China on my computer.

Hi All,

Paul got to QRZ.com...enter G3LPC you will then get my address if you want to drop me
a line and I'll provide you with my IP address which is all you need. Not even all friendly
Radio Amateurs can access GB7BA.

Kymmy, Hole in one..Exactly as it is..But they still keep trying even after 36 hours of it.
Persistent aren't they..

By the way I am 83 and at the Didcot Rally tomorrow for the HARWELL AMATEUR RADIO
SOCIETY.
Old 26-02-2010, 14:44   #12
eth01
Inactive
 
Join Date: Aug 2006
Posts: 852
Re: Hacking by China on my computer.

Quote:
Originally Posted by Radio Ham View Post
Hi All,

Paul got to QRZ.com...enter G3LPC you will then get my address if you want to drop me
a line and I'll provide you with my IP address which is all you need. Not even all friendly
Radio Amateurs can access GB7BA.

Kymmy, Hole in one..Exactly as it is..But they still keep trying even after 36 hours of it.
Persistent aren't they..

By the way I am 83 and at the Didcot Rally tomorrow for the HARWELL AMATEUR RADIO
SOCIETY.

83 I say.