Keep getting intrusion attempts
CyrixInstead
Stoke-on-Trent, England Icrontian
I keep getting Norton telling me it has blocked a recent intrusion attempt.
The information is characteristic of the Invalid UDP Destination Port attack, whatever that means.
The troubling thing is it always seems to be from IP address XXXXXXXXX.
Can anyone shed any light as to what's going on??
~Cyrix
(IP ADDRESS EDITED OUT BY DEXTER)
Comments
Dexter...
http://securityresponse.symantec.com/avcenter/attack_sigs/sigs/invalid_udp_destination_port.html
What does that mean....well, it depends on a couple of things. Do you have a router installed on that system? If so, do you have other computers on that system? Or are you just running one computer with a direct connection and Norton Firewall?
Dexter...
Edit: Well, it would seem that it's nothing to worry about. Thanks for the help Dexter.
~Cyrix
Dexter...
I realize this thread is a month out of date. I hope no one will mind too greatly if I bring it back for a moment, as the trouble I'm having is a bit unnerving, at least to a newbie.
What brought me here (to Short-Media) was an ongoing problem I am having that resembles the problem CyrixInstead was having, with a slight difference. I know that one thing that was mentioned above may be a neighbor using his computer on the same IP, but this is happening at any given time during the day or night, and never stops.
My computer is also a single unit, no network. I have WinXP Home, 2005 Norton's, and a couple of spyware programs installed...SpyBot and AdAware.
Everything was going along fine for the first few weeks. I would check Norton's Personal Firewall in Statistics, and would possibly have 3 or 4 attacks. Then, a few hours later, maybe 3 more, all from different IP numbers.
All of a sudden in the last three days I am racking up several thousand attacks a day, all from the same IP # 68.119.111.29.
According to the ARIN Whois database, this belongs to Charter Communications in St. Louis, MO which is also my own broadband cable company. I have tried to call their tech support people and inquire, but so far have not been able to reach anyone to help me with this inquiry. My local cable office said they were not equipped to deal with a tech issue like this.
My firewall is stopping all this, but it is a bit disconcerting to see such a massive attack against my computer, especially in view of the fact that I have used it to go online and do bill paying, etc., at the great urging of my wife who has insisted that I 'join the 21st Century'.
Any help as to what could be causing this will be deeply appreciated, or if anyone has had a similar experience with no ill effects.
Norm
My guess is that you're not being "targeted" - you are just being hit by someone who probably has a trojan installed on their computer and doesn't even realize it. I wouldn't worry about it at all. If you can see the attempt, that means it is getting blocked, and your firewall is doing its job.
Or a Worm on their system, trying to spread itself.
Like Prime said, notify the ISP, give them all the data you can. They can monitor it from there.
Dexter...
I also e-mailed two different Charter tech support addresses, including the abuse e-mail. So far, I haven't received any replies or callbacks, but then it's only been a short while. The abuse email is very rigid (like the telephone tree) and there are only a few choices that can be made, unfortunately none directly related to my problem.
I have noticed after looking at the address that is doing the attacking (68.119.111.29) that it is only 3 away from my own IP address which is a .32.
I also noticed that the attacks would come in bursts of 8 or 10, then no activity for as long as four minutes, then another ten or so attacks would rack up.
Primesuspect and Dexter, thanks for your help and advice. Hopefully, I'll eventually hear from Charter and maybe we can get a fix on this.
Personal Firewall..........
You were last attacked on: 12/11/2004 8:01:40 AM
Recent intrusion attempts: 1308
Most frequent attacker: 68.119.111.29
My old buddy is back with a vengeance. That was since I booted up this morning about thirty minutes ago.
I can see me now going door to door in my neighborhood with an IP log asking every adult and child if they would run a 'cmd ipconfig' and check their address on Charter to see if it matches, that they probably have a nasty in their computer and need to get rid of it.
Prime and Dexter made me feel a lot better by explaining what they thought it was and the fact that NIS firewall was at least doing its job and keeping this thing at bay, but I'd still feel more comfortable if I knew it was permanently gone. Kinda like having a gitchie-goomie just outside your house and knowing that all there is between you and calamity is a piece of sheetrock.
In any event, if I can find out who it is by watching the neighborhood and seeing who goes on vacation and correlating that with when this thing goes active, I'll make a friendly attempt to ask to clean up their computer. One or two 'attack' attempts from different IPs I could live with, but this is ridiculous.
Just set your firewall to not show them to you and forget about them. If someone gets past your firewall and/or other security features you probably won't know about it until it's too late anyway, so stop watching those pop ups and biting your nails.
Dear User
Your router has detected and protected you against an attempt to gain access to your network. This may have been an attempted hacker intrusion, or perhaps just your Internet Service Provider doing routine network maintenance.
Most of these network probes are nothing to be worried about - these types of random probes should NOT be reported, but you may want to report repeated intrusions attempts. Save this email for comparison with future alert messages.
Your router Alert Information
Time: 01/01/2002, 08:50:54
Message: IP Spoofing
Source: 192.168.2.1, 1798
Destination: 239.255.255.250, 1900 (from WAN)
Visit the UXN Combat Spam web site to get more detailed information about the intruder - http://combat.uxn.com/
1. Type the intruder's IP address into the IP WHOIS search engine
2. Click the Query Button
3. Detailed network and administration information will be displayed
The time stamp is incorrect. The router's log says it fails every 30 secs to get an NTP time. The 192.168.2.1 is the gateway's IP address. According to IANA, the 239.255.255.250 is a multicast IP address. My ISP tech support says it's coincidental that these attempts started when I changed my modem. SMC's tech support says there are attempts on my network but they don't seem concerned. They suggest I turn off the notification but then I think that defeats the purpose of having that option.
My computer is connected via ethernet cable and I share the access with my 2 tenants who connect wirelessly.
Any suggestions would be greatly appreciated.
Thanks,
TOG
Note the destination port #1900. That is SSDP - Simple Service Discovery Protocol. This is part of UPnP - Universal Plug and Play. My guess is that 239.255.255.250 is either your new modem, or a UPnP enabled device trying to connect with the UPnP service. Port 1798 is ETP - Event Transfer Protocol, which can be used for all kinds of things.
I suspect that a UPnP device is active on your LAN, or trying to connect via wireless, on port 1900. The router is responding with an ETP packet on port 1798 to authenticate. Nothing else is connecting. The reason you get IP Spoofing warnings is that the 239 address does not resolve within your LAN, so the firewall thinks something is spoofing an IP address.
A couple of things to try:
- find the control for Universal Plug n Play on your router, and disable it
- if that does not work, try this reg hack on all connected PCs: http://www.winguides.com/registry/display.php/1235/
Let me know if that helps.
Dexter...
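An added triage script (my own example, not from the thread, Norton or SMC) that parses alert lines in the shape of the router e-mail quoted above, treats a hit on 239.255.255.250 port 1900 as SSDP/UPnP discovery as Dexter describes, and, for Norm's case, counts repeat hits per external source and notes whether that source sits in your own /24. The alert lines, the "my IP" of 68.119.111.32 and the 203.0.113.7 source are constructed sample data.

```python
import ipaddress
import re
from collections import Counter

SSDP_PORT = 1900  # UPnP discovery port, as Dexter notes above

# RFC 1918 ranges: a source in one of these came from inside the LAN, not the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample alerts in the "Source: ip, port Destination: ip, port" shape of the router e-mail.
SAMPLE_ALERTS = [
    "Source: 192.168.2.1, 1798 Destination: 239.255.255.250, 1900",
    "Source: 68.119.111.29, 1026 Destination: 68.119.111.32, 1434",
    "Source: 68.119.111.29, 1026 Destination: 68.119.111.32, 1434",
    "Source: 68.119.111.29, 1027 Destination: 68.119.111.32, 137",
    "Source: 203.0.113.7, 4321 Destination: 68.119.111.32, 445",   # constructed one-off hit
]

ALERT_RE = re.compile(
    r"Source:\s*(?P<src>[\d.]+),\s*(?P<sport>\d+)\s+"
    r"Destination:\s*(?P<dst>[\d.]+),\s*(?P<dport>\d+)"
)

def parse_alert(line):
    """Return (src_ip, src_port, dst_ip, dst_port), or None if the line is not an alert."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return (ipaddress.ip_address(m["src"]), int(m["sport"]),
            ipaddress.ip_address(m["dst"]), int(m["dport"]))

def classify(alert):
    src, _sport, dst, dport = alert
    if dst.is_multicast and dport == SSDP_PORT:
        return "ssdp-discovery"   # 239.x.x.x:1900 is UPnP/SSDP discovery: local, expected noise
    if any(src in net for net in RFC1918):
        return "lan-host"         # a machine on your own LAN, not an Internet attacker
    return "external"

def triage(lines, my_ip, threshold=3):
    """Count external hits per source; flag repeat sources and whether they share your /24."""
    my_net = ipaddress.ip_network(f"{my_ip}/24", strict=False)
    counts = Counter()
    for line in lines:
        alert = parse_alert(line)
        if alert and classify(alert) == "external":
            counts[str(alert[0])] += 1
    report = {}
    for src, n in counts.items():
        if n >= threshold:   # repeated blocked hits: worth sending to the ISP abuse desk
            same = " (same /24 as you)" if ipaddress.ip_address(src) in my_net else ""
            report[src] = (n, "report to ISP abuse desk" + same)
        else:
            report[src] = (n, "ignore; firewall blocked it")
    return report
```

Run `triage(SAMPLE_ALERTS, "68.119.111.32")` to see the repeat source flagged while the SSDP line is left out of the external count entirely.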
I tried what you suggested. I turned off the Plug n Play on the router and that didn't help. I did the registry thing on my computer and told my tenants to turn off their computers over night. That didn't work.
SMC tech support wrote back and had me change some settings and that didn't work. They also had me update the firmware and that didn't help.
I don't know. Maybe I should just turn off the notifications.
Or just kill the notification....really, the firewall is blocking the attempt, do you really need to know about it?
Dexter...
Thanks a lot for the help Dexter, your analysis of the problem is more substantial than either of the two tech support lines I've been calling. I appreciate it.
TOG