Recomendations for dealing with a presistant attacker

Snowball

I wanna hear what people think.

I have this guy that keeps trying to attack me (I asume that it just one guy). Over the last couple of days I have had over 200 hack attempts.
I use Norton Personal Firewall 2003, all set to max security.
I have XP pro.
The attacks just keep comming. Its starting to do my head in. I know the normal situation to take when u want to report it to the athorites, track IP, look up IP info. Inform company/ISP etc. But its not helping.
I have dissocnnected and rejoined but still happens, I have no trojans/virusus that would allow an attacker to track my IP so I am lost.

The question is that is there any... "proactive" actions that one can take that are legal once the person had attacked you. A kinda self defence thing. If not is there any recomendations?

Also is there a possibility that it is come kinda server??? All attacks originate from Dublin.


**Figured that posting IP's is prob not the right thing to do.
========================
Details: Attempted Intrusion "HTTP_IIS_ISAPI_Extension" against your machine was detected and blocked
Intruder: ***.***.***.***(38847)
Risk Level: High
Protocol: TCP
Attacked IP: ***.***.***.***.
Attacked Port: http(80)

Click on the address to trace the attacker
You can get detailed information about this attack at Symantec Security Response
========================

logic1

Just looks like a server infected with CodeRed.

.logic.

Snowball

huh????

Emmm..... logic, can u elaborate? CodeRed?

ecksor

CodeRed is a worm that was rampant during the summer of 2001. It spreads itself by looking for and infecting vulnerable IIS servers.

There's a massive amount of crap that your machine is exposed to due to this sort of automation when you connect to the Internet. Netbios, the various IIS worms, SQL Slammer, there was an apache ssl one I seem to remember, I've well lost track of them all by now.

Snowball

is there any way to find out who an IP is assigned to. I know when u look up RIPE and all but is there any other way to get more info on the person not the ISP???

ecksor

It depends. In the case of a dialup IP in this country the ISP will release the information if you obtain the relevant court order.

Snowball

yeah, I kinda fingure on that

I was hoping for some kinda system like RIPE or something simular

flav0rflav

Waste of time.
All internet addresses are constantly being scanned by hackers. This one may stop, if it is just one, and another, or ten, will appear.
Just have a secure system.

Snowball

flav0rflav, its kinda what I though but the thing is that when I was down in carlow I never got attacked, not 1 attack in 9 months. Why would I get over 200 attacks in 2 days ion Dublin and not 1 in 9 omnths in carlow? Mind you when I was in Carlow I was not on as long, but still.

Symantec, who own Norton (my Firewall), have a web page that attacks ur system and checks to see how secure it is. It gives you a report. Does anyone know of a better one??

Rew

CodeRed has a search algo that attempts to find other hosts o infect, they tend to go after machines in their own IP range first.

I saw hundreds and ssome times thouusands of these in my logs every day when it was at its worst. I wouldn't worry about it

Tenshot

If you're being attacked by CodeRed, chances are it's from a machine that has a web server of its own. Connect back to the source IP address on port 80 and see what you find.

As mentioned elsewhere, it's highly likely the owner of the machine has no idea they are infected.

jd

Originally posted by Rew
CodeRed has a search algo that attempts to find other hosts o infect, they tend to go after machines in their own IP range first.

I saw hundreds and ssome times thouusands of these in my logs every day when it was at its worst. I wouldn't worry about it

I concur-its probably someone with an affected machine dialling into the same pop as yourself. If you really want to, keep a log of the ip addresses with *accurate* timestamps. Forward any that are coming from your own pop to your isp, maybe support or the abuse desk. TBH I don't bother.
Jd