
Smurf Attacked - Been scanned



#1 Shadowdance

Posted 12 April 2011 - 12:00 PM

Hello everyone, and thanks for reading.

At first I'd like to state that my knowledge in IP spoofing, DoS, networks and their security is very limited.

Though, I've read on Wikipedia and got informed.

So the story is like this.

I've lost my connection to WAN and ADSL for about 4-5 minutes.
I always want to check my logs on router when this happens so I can diagnose if it's me or the ISP.

But today I saw *SMURF* on my logs.
By my mistake, the log has been cleared :( But I've made a quick lookup on the IP that attempted (succeeded?) the scan:

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=169.254.255.255?showDetails=true&showARIN=false
#

NetRange: 169.254.0.0 - 169.254.255.255
CIDR: 169.254.0.0/16
OriginAS:
NetName: LINKLOCAL-RFC3927-IANA-RESERVED
NetHandle: NET-169-254-0-0-1
Parent: NET-169-0-0-0-0
NetType: IANA Special Use
Comment: This is the "link local" block. It was set
Comment: aside for this special use in the Standards
Comment: Track document, RFC 3927 and was further
Comment: documented in the Best Current Practice
Comment: RFC 5735, which can be found at:
Comment: http://www.rfc-editor.org/rfc/rfc3927.txt
Comment: http://www.rfc-editor.org/rfc/rfc5735.txt
Comment: It is allocated for communication between hosts
Comment: on a single link. Hosts obtain these addresses
Comment: by auto-configuration, such as when a DHCP
Comment: server cannot be found.
Comment: A router MUST NOT forward a packet with an IPv4
Comment: Link-Local source or destination address,
Comment: irrespective of the router's default route configuration
Comment: or routes obtained from dynamic routing protocols.
Comment: A router which receives a packet with an IPv4
Comment: Link-Local source or destination address MUST NOT
Comment: forward the packet. This prevents forwarding of
Comment: packets back onto the network segment from which
Comment: they originated, or to any other segment.
RegDate: 1998-01-27
Updated: 2010-03-15
Ref: http://whois.arin.net/rest/net/NET-169-254-0-0-1

OrgName: Internet Assigned Numbers Authority
OrgId: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
RegDate:
Updated: 2004-02-24
Ref: http://whois.arin.net/rest/org/IANA

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org
OrgTechRef: http://whois.arin.net/rest/poc/IANA-IP-ARIN

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org
OrgAbuseRef: http://whois.arin.net/rest/poc/IANA-IP-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

This log doesn't say much for me, who doesn't have the knowledge, so at first I'd like you to tell me what it says in plain English.
I suppose it is the anti-forwarding of my router?


Secondly, I googled for prevention, and my firewall (on router) is configured right:

Posted Image


After reconnecting my log has been clear:

04/12/2011  18:58:48 192.168.2.4 login success 
04/12/2011  18:44:53 192.168.2.4 login success 
04/12/2011  18:23:05 NTP Date/Time updated.    
08/01/2003  00:01:21 I/F(ATM1) PPP connection ok !
08/01/2003  00:01:20 ATM1 get IP:94.71.161.252 
08/01/2003  00:01:20 Username and Password: OK 
08/01/2003  00:01:08 ATM1 start PPP            
08/01/2003  00:01:08 ADSL Media Up !           
08/01/2003  00:00:42 192.168.2.4 login success 
08/01/2003  00:00:08 sending ACK to 192.168.2.2
08/01/2003  00:00:08 sending OFFER to 192.168.2.2
08/01/2003  00:00:06 sending ACK to 192.168.2.4



Did Malwarebytes scan but came up clear.

How do we/I know that the hacker didn't succeed?
Where do these scans come from?

Thank you for all your help, and for reading.

:)


Edit:

Also did some netstat -b and netstat -n commands, they came up clear. Can post the log if you wish.

Edited by Shadowdance, 12 April 2011 - 12:02 PM.

WIN 7 ULTIMATE EN, AMD Dual-Core A4-6320, 3.8GHz (Turbo 4GHz), MB: ASUSTeK COMPUTER INC. A55BM-E Rev X.0x, DDR3 SIN 1333 4GB, AMD Radeon HD 8370D, Realtek High Definition Audio,

Seagate ST500DM002-1BD142 500GB
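
What the WHOIS record above says about the logged address, as an added example that is not part of the original post: it checks 169.254.255.255 against the link-local block and applies the forwarding rule quoted in the record's comments. The function names are made up for this illustration; the other two addresses are the LAN and WAN addresses visible in the router log.

```python
import ipaddress

# The block named in the WHOIS output (RFC 3927 link-local).
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

# RFC 1918 private ranges, such as the 192.168.2.x LAN in the router log.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def describe(addr: str) -> dict:
    """Classify one IPv4 address taken from a router log entry."""
    ip = ipaddress.ip_address(addr)
    return {
        "address": str(ip),
        "link_local": ip in LINK_LOCAL,
        # Last address of the block: a broadcast address, not a single host.
        "block_broadcast": ip == LINK_LOCAL.broadcast_address,
        "rfc1918": any(ip in net for net in RFC1918),
        # Only globally routable addresses are assigned to an operator,
        # so only for those does a WHOIS lookup name a network owner.
        "globally_routable": ip.is_global,
    }


def link_local_rule_allows_forwarding(src: str, dst: str) -> bool:
    """Rule quoted in the WHOIS comment: a router must not forward a
    packet whose source or destination address is link-local."""
    return not any(ipaddress.ip_address(a) in LINK_LOCAL for a in (src, dst))


if __name__ == "__main__":
    # Addresses taken from the post: the looked-up address, the LAN
    # client and the WAN address the router obtained over PPP.
    for a in ("169.254.255.255", "192.168.2.4", "94.71.161.252"):
        print(describe(a))
    print(link_local_rule_allows_forwarding("169.254.255.255",
                                            "94.71.161.252"))
```
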

