Persistent trojan-horse hacker- Need help!

Status
Not open for further replies.

simonov jr

New member
Since getting kicked off the British (anti-gun) discussion board in a dispute with the moderator (www.urban75.com), I have had a series of regular and persistent attacks on my computer by various trojan horse programs. These include the "hack-a-tack" program, the sub-seven, and just tonight the something "bus" trojan horse. Here is the report from my anti-virus program for the other night:

ALERT

Attempt to connect to local computer using the backdoor/subseven trojan horse blocked

At 1:19 pm on 3/25/2002- the following communication was detected:

"A remote computer (12.226.210.51) attempted to connect to your computer on a port commonly used by a remote-access trojan horse."

Here is a piece of the report from tonight:

"most frequent attacker: 172.133.30.102

This guy has a hard-on for me and it seems he will keep trying different th's till he cracks my system. What options do I have in identifying and going after him? Thanks for any help and suggestions...regards, sim jr
:mad:
 

mnealtx

New member
Howdy Simonov...

Definitely get a firewall, like the other guys suggested. I've used Zone Alert before and it's pretty good, don't know about the other ones.

Two things to do WHEN you get another hit like that. Go to your command prompt (start menu, run, type "command" and hit enter for 98 and ME)(type "cmd" if you're using win2k and XP). Then, type "tracert <insert offending IP address here>" and hit enter. That'll ping trace to the offender's computer, and will give you an idea of his ISP.

Then, try "nbtstat -A <ip addy>" and hit enter. NOTE: the "-A" MUST be in caps. This doesn't always work, but when it does, it will give you his computer name and login name.

Once you have that info, you can save the virus alert, tracert info and nbtstat info to a document and send it to his ISP. NOTE: IP addresses are in "<>" above for clarity, don't put brackets around them.

Hope this helps...good luck, and GET A FIREWALL!!!!
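An added example, not posted by anyone in this thread, that does the bookkeeping mnealtx and Jim March describe: it parses the kind of "remote computer attempted to connect" alert lines the original poster quoted, tallies which source IP shows up most (the "most frequent attacker" line), and builds the plain-text evidence you would attach when writing to that IP's abuse desk. The alert format, the sample lines and the port-to-trojan table are assumptions for the example; the ports are the well-known default listening ports of the trojans named in the thread.

```python
import re
from collections import Counter

# Well-known default listening ports of the trojans named in the thread
# (SubSeven, NetBus, Hack'a'Tack); used only to label an alert.
TROJAN_PORTS = {27374: "SubSeven", 12345: "NetBus", 31785: "Hack'a'Tack"}

# Constructed sample alerts, modelled on the report quoted in the thread.
# These lines are made up for this example, not copied from a real log.
SAMPLE_ALERTS = """\
At 1:19 pm on 3/25/2002 - A remote computer (12.226.210.51) attempted to connect to your computer on port 27374
At 9:42 pm on 3/26/2002 - A remote computer (172.133.30.102) attempted to connect to your computer on port 12345
At 9:43 pm on 3/26/2002 - A remote computer (172.133.30.102) attempted to connect to your computer on port 31785
At 9:50 pm on 3/26/2002 - A remote computer (172.133.30.102) attempted to connect to your computer on port 27374
At 10:05 pm on 3/26/2002 - A remote computer (10.0.0.7) attempted to connect to your computer on port 80
"""

# Assumed alert layout: time, date, source IP in parentheses, destination port.
ALERT_RE = re.compile(
    r"^At (?P<time>.+?) on (?P<date>\S+) - A remote computer "
    r"\((?P<ip>\d{1,3}(?:\.\d{1,3}){3})\) attempted to connect .* port (?P<port>\d+)$")

def parse_alerts(text):
    """Return one dict (date, time, ip, port, trojan) per alert line that matches."""
    events = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue  # unrelated line in the report, skip it
        port = int(m.group("port"))
        events.append({"date": m.group("date"), "time": m.group("time"),
                       "ip": m.group("ip"), "port": port,
                       "trojan": TROJAN_PORTS.get(port)})  # None if not a known trojan port
    return events

def most_frequent_attacker(events):
    """Mirror the 'most frequent attacker' line of the firewall report: (ip, count)."""
    if not events:
        return None, 0
    return Counter(e["ip"] for e in events).most_common(1)[0]

def abuse_report(events, ip):
    """Plain-text evidence for one source IP, ready to paste into a mail to its ISP's abuse desk."""
    lines = [f"Blocked connection attempts from {ip}:"]
    for e in events:
        if e["ip"] != ip:
            continue
        label = e["trojan"] or "unknown service"
        lines.append(f"  {e['date']} {e['time']}  port {e['port']}  ({label})")
    return "\n".join(lines)
```

Feed it the saved alert text, then attach the output of abuse_report together with the tracert and nbtstat results when you write to the ISP.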
 

simonov jr

New member
I LOVE this board

Can get advice on damn near anything...working on all the above suggestions. already have a firewall and maybe i'm just seeing the routine attacks that have been there all along. you guys are GREAT...
 

bluetoe

New member
I use Ad-aware to remove spyware and trojans off my system. I have that, Norton Anti-Virus and BlackICE Defender firewall running at all times. Ad-aware is free, but they make a pro version for $15 that has a few more features. Hope this helps.
 

Jim March

New member
Well whoever it is is coming in off of AOL and/or AT&T. From an MS-DOS prompt, I used "tracert" on IP address 172.133.30.102 and it dead-ends on an AOL proxy server.

172.133.30.100 is another AOL box, so it's definitely in AOL territory.

12.226.210.51 is something else...seems to be an ATT box? Something to do with "client.attbi.com", whatever that is. Yup, see also www.attbi.com - you'll get forwarded to AT&T Worldnet.

So...take all the log files you can get, and forward them in EMail to "abuse@aol.com" for the 172.xxx stuff, and "abuse@attbi.com" for the 12.xxx garbage. They have log files that might help.

tracert is a GREAT tool for figuring out what an IP address really is.
 

mdlowry

New member
I would contact AOL about this. That IP address is registered to them. More information can be found at Samspade.

Also keeping a log of this will help.
 

Thairlar

New member
What it sounds like is some random, or not so random, idiot is trying to connect to your computer, and probably others, looking for one that has a backdoor creating trojan on it. Spend enough time online and it's bound to happen. As long as your computer doesn't have the appropriate process running you should be alright. I believe www.dslreports.com has a quick security check. Firewalls are definitely good to consider if you don't have one.
 

bj426

New member
I'll put in another vote for sygate personal firewall.... professional protection for free to personal users....

either way...... don't pi$$ him off.... it's not worth the risk.... he MAY know what he's doing.....
 

Gewehr98

New member
Software firewalls are a good idea.

But don't rule out some of the hardware versions out there, too.

I've got the Linksys cable router/firewall, and it's neat, it logs incoming and outgoing connections and pings. The current version of the firmware allows ZoneAlarm and PC-cillin to run on the router, adding an additional layer of protection. When the Code Red worm was doing its dirty work here on Road Runner, my cable modem was going nuts with all the worm activity. But the Linksys made me feel at least a little better.;)
 

Veloce851

New member
I use and love Sygate.. as mentioned before.
But for more information and port scans to test your system
go read up to your heart's content here..
www.grc.com

and yes if you are on a cable/dsl connection.
Buy a gateway/router 80-120 bucks
I've used the Linksys, Addtron, Netgear, and Dlink.
As long as it's NAT supported then you should be fine.
 

Zundfolge

New member
bluetoe, check out that GRC site Veloce linked

somewhere on that site he shows how ineffective BlackIce defender is ... I'd dump it and get the free Sygate Personal Firewall
 

M1911

New member
Get a hardware firewall. Lynksys, or d-link, etc. There's lots of good ones and they're relatively cheap. You can get a 4-port cable router/firewall thingy for less than $100.

Also, don't use MS Outlook as your e-mail.

M1911
 

OF

New member
The big three that home users should be covered for:

- hacks/security
- viruses
- spyware

Security: use either a NAT-enabled external router and/or Zone Alarm on the PC. The vast vast majority of hacks are not people/kids trying to get into your machine to steal your stuff. They want to use your bandwidth to attack other, more interesting, systems. I like to run ZoneAlarm even if there is a router in place, as ZoneAlarm will block access the internet from your machine outbound on an application-by-application basis.

Viruses: Norton Anti-Virus, that's all you need to know. If you have SubSeven or other trojans already, NAV will tell you what you have and delete the files - disabling the virus. Then go to the NAV website and download the relevant 'repair' utilities they have there and that will assist you in repairing any damage the virus may have done.

Spyware: Use AdAware. These are mostly advertising-related garbage programs that can cause everything from slowdowns on the internet to major system instability. Becoming more and more of a problem.

Good Luck!

- Gabe
 

UnknownSailor

New member
Here's what I would recommend:

Get an old 486 or Pentium box, and put smoothwall on it. Then, add the offending IP addresses to the ban list, and anything coming in from these IPs will be "dropped".

Even better is applying the ultimate Windoze patch, linux. But, that's just the linux geek in me. :D
 

bluetoe

New member
bluetoe, check out that GRC site Veloce linked
I have, and that's why I use BlackICE. Steve Gibson doesn't prove that BlackICE is ineffective, just that it doesn't monitor outbound traffic. And that's fine by me. I've tried ZA, ZA Pro, Sygate, and AtGuard. They're good firewalls, but BlackICE's intrusion detection system is superior in my opinion. Plus, the user interface is easy to maneuver and set up. Also, ZA is a pain in the rear on XP boxes, for some reason it likes to tinker with the registry.
The only one I would recommend against would be Norton's firewall. Evidently it's supposed to monitor outbound traffic but GRC's LeakTest would still get through.
M1911 was right though, hardware firewalls are the best. Although I know a guy who has set up a FreeBSD box as his firewall and he likes it a lot.
 

Marko Kloos

New member
Good suggestions all around. Personally, I like the software solution...BlackICE seems to do the job just fine.

Closed as OT.
 