Posted 07 August 2008 - 08:26 PM
Thanks in advance to all for reading this post.
It happens that every time I browse to certain pages, like MSDN, Hotmail, MySpace, Facebook, Yahoo, etc., the pages don't load properly, showing a messily rendered HTML page, or no content at all on them.
It all started some time ago when I noticed that I had a weird socket active using the netstat -ab command; again, every time I browsed to any page, the socket looked like this:
TCP mypc:1027 weird-reverse-dns:80 ESTABLISHED 600
So I downloaded a sniffer called xnetstat, and set a rule to kill the connection every time it attempted to send a SYN packet to start the three-way handshake. That's when the messy loading of certain pages started: multiple SYN packets were then sent by the intruder to random ports of my computer, which resulted in the incorrect rendering of those pages. I noticed that the last octet of the intruding IP changed as each connection was killed. I also mapped the ports of the intruder, and it turned out that it had some Linux ports open, which led me to think that it was/is a Linux server with a pool of IPs available that were used accordingly to perform the attack.
Thinking I had been infected by spyware, I low-level formatted my hard disk, reinstalled Windows, and when I got connected to the internet the problem started again.
I downloaded a firewall called Comodo and set some rules specifically built for the intruder's IP range on all the possible protocols, and also set some filters on my router specifically to discard any packets going to/coming from it, but the problem continued. It would not let me update my AVG virus database either, using the same method I mentioned but this time bombarding svchost.exe with packets when it attempts to connect to the update server. I have not updated Windows since I installed it because I am afraid of being redirected from the update servers for a malicious purpose.
I am wondering how it is tracking me down to perform the attack, considering that my ISP uses dynamic IPs; I think it's using either my network card's or my router's MAC to identify me every time I get online.
I have some filter rules set on my router for the intruding IP range too, but they aren't working either.
I have been reading a lot in order to solve the problem but I can't fix it, and I thought that it matches the behaviour of a SYN attack, so I was wondering if you guys could please help me; I do study using my computer and it is important to me.
Thank you very much for your time and help; I do appreciate it.
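As an added example (not part of the original post, and not code from xnetstat or Comodo), here is a small Python parser for lines in the shape of the netstat line quoted above ("TCP local:port remote:port STATE pid"). It groups ESTABLISHED TCP peers by /24 and reports ranges in which several different hosts appear, which is the "last octet changes" pattern the poster describes and the unit a firewall or router rule would need to cover. The sample lines are constructed and use documentation (TEST-NET) addresses.

```python
from collections import defaultdict

# Constructed sample lines in the shape of the netstat line quoted in the post
# ("TCP local:port remote:port STATE pid"); the addresses are documentation
# (TEST-NET) ranges, not real peers.
SAMPLE_NETSTAT = """\
TCP mypc:1027 203.0.113.10:80 ESTABLISHED 600
TCP mypc:1028 203.0.113.11:80 ESTABLISHED 600
TCP mypc:1029 203.0.113.12:80 ESTABLISHED 600
TCP mypc:1030 198.51.100.7:443 ESTABLISHED 1844
TCP mypc:1031 198.51.100.7:443 TIME_WAIT 0
UDP mypc:137 *:* 1204
"""

def parse_netstat(text):
    """Parse simplified netstat lines into dicts; lines that do not fit are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        # rpartition keeps hostnames and '*:*' intact, splitting only at the last ':'
        lhost, _, lport = fields[1].rpartition(":")
        rhost, _, rport = fields[2].rpartition(":")
        rest = fields[3:]
        pid = rest.pop() if rest and rest[-1].isdigit() else None
        state = rest[0] if rest else ""
        rows.append({"proto": fields[0], "lhost": lhost, "lport": lport,
                     "rhost": rhost, "rport": rport, "state": state, "pid": pid})
    return rows

def slash24(ip):
    """Return the /24 network of a dotted IPv4 address, or None for names/wildcards."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) < 256 for p in parts):
        return None
    return ".".join(parts[:3]) + ".0/24"

def rotating_peer_ranges(rows, min_hosts=2):
    """Map each /24 to the distinct ESTABLISHED TCP peers seen in it, keeping only
    ranges with at least min_hosts different hosts: the 'last octet changes'
    pattern from the post, expressed as something a firewall rule can target."""
    hosts = defaultdict(set)
    for r in rows:
        net = slash24(r["rhost"])
        if net and r["proto"] == "TCP" and r["state"] == "ESTABLISHED":
            hosts[net].add(r["rhost"])
    return {net: sorted(h) for net, h in hosts.items() if len(h) >= min_hosts}
```

Feed it the saved output of a real `netstat -ano`-style listing (one connection per line) to see which ranges keep reappearing across kills.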