whats happening here?

Supercell

Been using indigo for a while with no problems, tonight my firewall went nuts..below is just an example..all of them appear to be irish, i cannot capture it all, here's just a small sample..



[This message has been edited by Longfield (edited 11-08-2001).]

phaxx

I don't see what they're doing, what are they sending to your machine? It must say somewhere in that firewall package.

My first thought was it could be a port scan being hidden with lots of decoys, they just picked indigo's range and threw in lots of ips.

It's probably nothing to worry about. What OS are you using?

Hobbes

Probably code red. It attacks mostly within it's own domain, so most of code red attacks will come from your same ISP. Should of seen my modem last week! poor led light.

Btw.. BlackICE is kack as a protection. It only blocks incoming packets. It will not block outgoing, so if you have a trojan installed on your machine your kind of screwed.


[This message has been edited by Hobbes (edited 11-08-2001).]

phaxx

Yeah if it had said port 80 anywhere I'd have guessed code red. It really ought to show more information... is there anything else under those other tabs longfield?

Supercell

Interesting, since the weekend switch to NTL the Irish attacks appear to have ceased (in the main) which would support the Code Red theory.
It doesnt show what port exactly unfortunately.
I'm running NAV2001,it should treat a trojan as a virus shouldn't it?
I was using the Norton firewall but the updates completely ****ed me off, i have to manually resetup my network every damn week with them, just proved too frustrating.

Carnate

Is it me or are some ppl just plain thick..

Let me educate you.

1. CRW I/II/III does not ,i will say it again NOT attack win95/98/ME. it does attack winnt and win2k, only if you are running IIS
(Internet Information Service/servers). hope this clears up the problem

btw the patch for CRW is found on Ms web site.. you will have to dload the service packs to do it and then run a 241 k file to patch the problem(srv pack is 108 megs so dont try and dload it over modem )


ok now for the doubters.. fire away ppl.. Hobbes u wanna go first?! :-)

phaxx

I'll second what hobbes said earlier - pretty pathetic firewall. I believe that steve gibson guy has a free firewall, www.grc.com, probably.

Before I got into the whole linux thing, I used a firewall called Conseal on my nt box, I remember it being okay, but not free.

Carnate: I read something depressing the other day, about how the admins of most of these code red infected machines probably don't even know they're running IIS...

Supercell

Ehh Carnate, i am running win2k and IIS (doesn't the colour tone of the capture hint win2k?)
Will the patch stop the attacks?
But then, i'm probably one of the thick ppl :P

Carnate

First off yes the patch will protect u from CRW, secondly yes i agree that a lot(not some admins) dont even realise that they have IIs running.. case in point is IBM in mullhuddart.. they got us to go thru all winnt and win2k machines to patch em.. and long ure not thick.. well not as far as i can see..

be aware tho the 19th of august should be a fun day for others!! CRW IV

Hobbes

<font face="Verdana, Arial" size="2">Originally posted by Carnate:
ok now for the doubters.. fire away ppl.. Hobbes u wanna go first?! :-)</font>

Your kind of correct. While it can only infect your machine if you have IIS running it doesn't stop it spamming your connection causing a kind of DoS attack.

It's this that is the problem more then the infection.

The number of attacks on AT+T was so high they blocked off outgoing port 80 on all thier residential customers.

Btw. It is recommended that you install the CR protection patch regardless if you have IIS or not.

Installing the patch, will NOT stop the attacks.

Carnate

see told yahs!! heh heh hobbes!!


ure right sort of 2.. it wont stop the attacks but it will stop ure pc/server resending data to target servers!

back to u