Hacker Problems
Apr. 07, 2004, 02:05 PM
Post: #1
OK. I'm still on spring break at my relative's house and he has Norton Internet Security 2003. Whenever I'm on the net, it says that there was a hack attempt that was blocked. The most recent hack attempt was from IP: 213.180.126.159. The IP varies, but is usually in that range. I don't think this is a "real" hacker, but more a "script kiddie". The attack is always with the SubSeven trojan, which is an old wussy trojan used by Script Kiddies. I was wondering how I can figure out who is behind the IP and tell their ISP or send messages to them and scare the crap out of them. I've already tried reverse DNS, but it says the IP doesn't resolve to anything. I don't think you can spoof your IP when doing attacks like that. At first I thought it might be a false positive, but it happens so frequently. Do any of you have this problem?
PS - It's a Win98 machine, a cable modem and it doesn't matter what browser I'm on when the attack happens.
Update! IP: 217.43.77.35 Port: 1908
{=(~::[Shea]::~)=} How 'bout you sideburns, you want some of this milk? This fading text is pretty cool, eh? I bet you wish you had some.
Apr. 07, 2004, 02:35 PM
Post: #2
Try All Nettools.
Apr. 07, 2004, 02:37 PM
Post: #3
Probably only means that his/her machine has a virus and is doing stuff without his/her knowledge...
Doubt I'd go as far as reporting him/her to his/her ISP... If your firewall was blocking ICMP and running "stealth", this "kiddie" would never find you in the first place...
Apr. 07, 2004, 02:37 PM
Post: #4
I did a trace thing on the Symantec website and the first one is said to be coming from Latvia and the second from the UK. The second one I got a website too, Bt.net. I think it's his/her ISP in Europe.
Apr. 07, 2004, 02:45 PM
Post: #5
ProxRocks Wrote: Probably only means that his/her machine has a virus and is doing stuff without his/her knowledge...
But if it's a zombie machine, how come I get attacked by a bunch of different IPs? Usually it would be the same IP, but in almost every attack there's a different one. Also, SubSeven doesn't work that way, it doesn't attack other computers, only the one it's loaded on. I probably won't report them, but it is very annoying to happen 4+ times a day.
Apr. 07, 2004, 04:03 PM
Post: #6
I was under the impression that one could be infected with a SubSeven without their knowledge...
Apr. 07, 2004, 05:34 PM
Post: #7
They could, but it's not common anymore. All viruses are very common and spread fast when they are first released. Then after a month or two people update their AV to block them. SubSeven is very old, 1999. Now only ScriptKiddies download it because they think they can hack. All it does is open a backdoor on someone's computer and you can take control of it. That's why people download it. When it was first released it would send itself as an attachment like most viruses, but it wouldn't use the victim's computer to send more emails, it would just open a backdoor and be done with it.
If you want info about SubSeven, its website is SubSeven.ws. Surprisingly, it is perfectly safe and does not have any bad code. It's not even in the HOSTS file. They used to have screen shots of it that I would show you, but the site has changed so now they're offering more than SubSeven. And here is the Symantec write-up on SubSeven 1.0. There are more versions of it, but they all do the general thing.
Apr. 07, 2004, 06:43 PM
Post: #8
I know people that surf the internet "naked"... NO firewall, NO antivirus, NO Proxo...
My point is that this "kid" might be 'one of those' - thus my initial mention of not going as far as reporting him/her to his/her ISP...
Apr. 07, 2004, 07:16 PM
Post: #9
That's why I also asked if you could send a message to him/her. So I could find out. Maybe he/she has a virus that sends SubSeven to randomly generated IPs or something.
Apr. 07, 2004, 07:50 PM
Post: #10
A new trojan just attacked me, Sockets de Trois v1. IP: 66.139.123.221 Port: 1942. Why are they all attacking me!?
Apr. 07, 2004, 08:06 PM
Post: #11
Because you are not "stealth"...
Trust me, go "stealth" and they don't see you...
Apr. 07, 2004, 10:36 PM
Post: #12
Shea Wrote: A new trojan just attacked me, Sockets de Trois v1. IP: 66.139.123.221 Port: 1942. Why are they all attacking me!?
Is the computer up to date with all the recent security patches etc.? It sounds like port scanners. Has the PC been scanned for trojans etc.? There could be one on the PC that it is trying to connect to. Is there an option to turn off the messages every time you get scanned? You can't go on the internet without getting scanned.
Apr. 07, 2004, 11:00 PM
Post: #13
Hi "~Shea~",
I think I would try e-mailing him first and go for a peaceful resolve. He could be using proxies to surf through, which could explain the change in the IP, and have a bug and not know it. Yesterday I contacted an ISP about some suspicious "activity", I was getting DoS'ed every 30 minutes. But it's best if you can "work" it out without getting the ISP involved. But sometimes that's the next to the "last" resort. I take it real personal when they "draw first blood". I used to have a partition that contained a "false shell", and behind every door (folder) was every "bug", virilli, trojan, and logic b*mb I could find. And when the "attacker" would not stop, I drop the "wall" and let him in... and just watch as he downloaded all those folders "labeled" credit numbers, bank account number, pass-codes. HAHAHAHAHAHA! The last command his CPU heard before it "perished" in the dark, cold and all along... was <Remote_Kill disk!> It was a nice "Sand-box" and everyone that really wanted "access" I always had a "real nice Cookie" for him to take back with him! HAHAHAHAHAHAH!
Best Wishes,
"~Virili-JaK~"
Apr. 07, 2004, 11:27 PM
Post: #14
According to Norton, I've been on stealth the whole time. And great idea Jak!
Apr. 08, 2004, 12:05 AM
Post: #15
What I would do is just to bulk up on firewalls and antiviruses and not open emails for a whole month.
I like to wait things out. I wouldn't over-react with new hack attempts; with all the worms, trojans and viruses rampant, I just ignore new alert messages. IPs that are frequent are very suspicious.