Attempted Attacks stopped by firewall

dod

I recently installed (free) Kerio Personal Firewall (http://www.kerio.com/kpf_home.html) and found it easy to set up and use. I was staggered at the frequency and regularity of unauthorised attempted connections to the PC when I am connected to the net.

These are the latest IPs attempting unauthorised connections, any idea how to identify who they are?

213.200.97.37
212.162.1.99
ip-76.uplevel.nl
www.lockergnome.com
194.145.128.1

Attempted connections from these addresses came literally in the last 2 minutes.

There are hundreds of others. Anyone know of a central database where I can find out who it is?

Turner

Using a trace program i got this....



iP Address: 213.200.97.37
Location: San Francisco (37.778N, 122.417W)
Network: DIGISLE-TIN

Registrant contact information is not available.

---

Name: ip-76.uplevel.nl
IP Address: 217.67.237.76
Location: Rotterdam (51.867N, 4.600E)
Network: 217-RIPE

Registrant:
Sqad VOF
Roerdomp 70
4872 PN ETTEN-LEUR
Netherlands

---

Name: ns.esatclear.ie
IP Address: 194.145.128.1
Location: DUBLIN (53.333N, 6.250W)
Network: ESAT-RES

Registrant contact information is not available.

---

www.lockergnome.com

Domain Name: LOCKERGNOME.COM
Registrar: TUCOWS, INC.
Whois Server: whois.opensrs.net
Referral URL: http://www.opensrs.org
Name Server: NS1.DNSCENTRAL.COM
Name Server: NS2.DNSCENTRAL.COM
Status: REGISTRAR-LOCK
Updated Date: 01-apr-2002
Creation Date: 19-oct-1996
Expiration Date: 18-oct-2011

---

Name: Unknown
IP Address: 212.162.1.99
Location: Frankfurt am Main (50.117N, 8.683E)
Network: DIGITAL-ISLAND-DE

Registrant contact information is not available.

Frank Grimes

http://www.ripe.net/perl/whois
http://www.apnic.net/info/network.html
http://www.arin.net/tools/index.html

That 194.145.128.1 address is IOL's primary DNS server, not every connection you'll see in a firewall is someone trying to haX0r you!

Ruu_Old

Whois try that, probably nothing sinister

fisty

thers a few central databases for IP addresses.
however a script i have checks all the main ones,
heres what

arin
ripe
apnic
and lacnic gave me.

They all seem pretty innocent, wouldn't worry too much about it.

---

213.200.97.37 =



person: Ken King
address: 225 W. Hillcrest Dr.
address: Ste 250
address: Thousand Oaks, CA 91360, United States
address: US
phone: +1 805 370 2170
e-mail: cdnhostmaster@exodus.net
nic-hdl: KK1195-RIPE
mnt-by: TISCALI-INT-PERS
changed: tobias@tiscali.net 20030312
source: RIPE

---

212.162.1.99 =

person: Douglas Van Buren
address: DIGITAL ISLAND INC
address: California
phone: +1-415 738 4612
e-mail: dvanbur@digisle.net
nic-hdl: DB10015-RIPE
mnt-by: LEVEL3-MNT
changed: jeff.lekieffre@level3.com 20001128
source: RIPE

---

ip-76.uplevel.nl =

person: Michel Onstein
address: Promera
address: Mauritslaan 18
address: 2741 CH Waddinxveen
address: The Netherlands
phone: +31 619 630 320
e-mail: michel@promera.nl
nic-hdl: MO799-RIPE
notify: michel@promera.nl
mnt-by: GFX-MNT
source: RIPE
changed: michel@promera.nl 20030113

---

www.lockergnome.com=

OrgNOCHandle: VSC-ARIN
OrgNOCName: Verio Support Contact
OrgNOCPhone: +1-800-551-1630
OrgNOCEmail: support@verio.net

OrgTechHandle: VIA4-ORG-ARIN
OrgTechName: Verio, Inc.
OrgTechPhone: +1-303-645-1900
OrgTechEmail: vipar@verio.net

---

194.145.128.0 - 194.145.135.255 =

netname: ESAT-RES
descr: EsatBT ISP Services
descr: Dublin Ireland
country: IE
admin-c: GP1184-RIPE
tech-c: GP1184-RIPE
status: ASSIGNED PI
notify: ripe@esat.net
mnt-by: RIPE-NCC-HM-MNT
mnt-by: IEUNET-NOC
mnt-lower: IEUNET-NOC
mnt-routes: IEUNET-NOC
changed: hostmaster@ripe.net 19981029
changed: dave@esat.net 20030507
source: RIPE

route: 194.145.128.0/21
descr: Esat Residential Network
origin: AS2110
remarks: Aggregated Route for Esat Residential Networks
notify: noc@esat.net
mnt-by: IEUNET-NOC
changed: conor@esat.net 19990614
changed: dave@esat.net 20030220
source: RIPE

person: Gary Petticrew
address: Esat Residential Service
address: 7-13 Cardiff Lane
address: Dublin 2
address: Ireland
phone: +353 1 6724016
fax-no: +353 1 6771477
e-mail: gpetticrew@esat.ie
nic-hdl: GP1184-RIPE
notify: gpetticrew@esat.ie
mnt-by: IEUNET-NOC
changed: gpetticrew@esat.ie 19981031
source: RIPE

dod

wow pretty nifty script. Thanks for the info.

dod.

dod

To some extent, I guess I'm answering my own question above, but I found the tools on the following page useful for identifying who is trying to access my MySQL port and other unsolicited queries to my 'puter when connected to the web:

http://www.samspade.org/t/

herbie747

You can download a program called "Slap!".

It sends a message back to the hacker, using their IP address, and tells them that you're aware of them trying to hack you, and to p*ss off or else...

I've uploaded the software to here:
http://www.dudemasters.com/forum/slap.zip

It's only 500KB.

pdogs

There will be times when there will be a lot of sniffing of your ports by p2p programs; especially if your dynamic IP address was previously being used for this purpose.

When first using a firewall people begin to see just how much traffic is knocking at your door. This is generally fairly normal and mostly innocent - just turn off the alerts, when you get bored with them, and let the firewall do its stuff.

crowbar

Originally posted by herbie747
("Slap!") sends a message back to the hacker, using their IP address, and tells them that you're aware of them trying to hack you, and to p*ss off or else...

is that wise? i mean, drawing a hacker's attention to yourself is like prancing in front of a pack of hungry wolves ...

mneylon

If you've got a fixed IP, or are connected to the net for extended periods you will get scanned etc., I wouldn't lose too much sleep over it, as long as you have a firewall etc. installed

dazberry

I found this little gem this morning in my webserver logs. I wrote the webserver itself - so it can't do any of those things anyway

03:39:29 213.37.160.174 [www] GET \scripts\root.exe - File Not Found
03:39:39 213.37.160.174 [www] GET \MSADC\root.exe - File Not Found
03:39:39 213.37.160.174 [www] GET \c\winnt\system32\cmd.exe - File Not Found
03:39:40 213.37.160.174 [www] GET \d\winnt\system32\cmd.exe - File Not Found
03:39:50 213.37.160.174 [www] GET \scripts\.%5c.\winnt\system32\cmd.exe - File Not Found
03:39:59 213.37.160.174 [www] GET \_vti_bin\.%5c.\.%5c.\.%5c.\winnt\system32\cmd.exe - File Not Found
03:40:03 213.37.160.174 [www] GET \_mem_bin\.%5c.\.%5c.\.%5c.\winnt\system32\cmd.exe - File Not Found

Re: Lockerknome
I was subscribed to the Lockerknome digest for a while after they reviewed a freeware product I had. I would consider them(/him) legit. It might be an idea if you mail them with the details.

D.