



4 posts

Wannabe Geek


Topic # 25994 8-Sep-2008 21:21

Hi guys (esp. Telstraclear if he's around)

I am getting suspicious activity on Port 445 from the following IPs which are from TC (customers?)

What should I do? The following 9 are from port 445

9/8/2008 7:53:53 PM    121.14.136.143
9/8/2008 8:00:54 PM    121.73.125.79 lookup from whois below
9/8/2008 8:11:09 PM    121.73.125.43
9/8/2008 8:20:27 PM    121.73.22.193
9/8/2008 8:32:11 PM    121.219.25.195
9/8/2008 8:49:04 PM    121.63.146.18
                                  121.73.135.30
                                  121.73.11.203
                                  121.73.6.147

IP Information for 121.73.125.79

IP Location: New Zealand New Zealand Telstraclear Wellington Cable Customers
IP Address: 121.73.125.79
Blacklist Status: Clear





9/8/2008 7:53:53 PM    Intrusion.Win.DCOM.exploit    121.14.136.143    TCP    135
9/8/2008 8:00:54 PM    Intrusion.Win.DCOM.exploit    121.73.125.79    TCP    135
9/8/2008 8:11:09 PM    Intrusion.Win.DCOM.exploit    121.73.125.43    TCP    135
9/8/2008 8:20:27 PM    Intrusion.Win.DCOM.exploit    121.73.22.193    TCP    135
9/8/2008 8:32:11 PM    Intrusion.Win.DCOM.exploit    121.219.25.195    TCP    135
9/8/2008 8:49:04 PM    Intrusion.Win.DCOM.exploit    121.63.146.18    TCP    135
9/8/2008 8:49:38 PM    Intrusion.Win.MSSQL.worm.Helkern    61.134.56.18    UDP    1434
9/8/2008 9:10:17 PM    Intrusion.Win.DCOM.exploit    121.72.241.12    TCP    135



I googled the following about this and it is all I could find:


10-Mar-2003
10:45    From approx 21:30 last night, there has been an excessive amount
14710823 undesirable traffic on port 445. Yet another windows XP exploit
         (worm). Have installed port block in ingress to help protect clients.

http://www.albury.net.au/netstatus/status.cgi?netstatus.2003

TIA

BDFL - Memuneh
60250 posts

Uber Geek
+1 received by user: 11306

Administrator
Trusted
Geekzone
Lifetime subscriber

Reply # 163168 8-Sep-2008 21:39

If this is in your router then it is being blocked - unless you don't have a router, in which case I suggest you run a firewall (or enable the Windows Vista firewall which should be on by default).

You could contact TelstraClear and ask them to contact the customer to advise of this problem...

 





355 posts

Ultimate Geek


  Reply # 163181 8-Sep-2008 22:37

There were a number of worms circulating via exploits in XP a couple of years ago. It seems they're still not dead. How did you get these records? Do you have an existing firewall? If so, you should be fine. If not, just download ZoneAlarm or something to that extent. As Mauricio says, send TC an email outlining the IPs in question (with time stamp). They'll send the customers a warning. Most likely they don't even know about it.
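
Added example, not part of any post in this thread: a small Python parser that turns firewall log lines in the format pasted in the first post into one line per source, with timezone-qualified first-seen and last-seen times, which is what an ISP needs to match a report against its address assignments. The UTC+12 offset, the function names and the last two sample lines are assumptions made for the example.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Assumption: the logging PC's clock is New Zealand standard time (UTC+12).
LOCAL_TZ = timezone(timedelta(hours=12))

# First four lines copied from the log in the first post; the last two are
# constructed (a repeat hit and a malformed line) to exercise the parser.
SAMPLE_LOG = """\
9/8/2008 7:53:53 PM    Intrusion.Win.DCOM.exploit    121.14.136.143    TCP    135
9/8/2008 8:00:54 PM    Intrusion.Win.DCOM.exploit    121.73.125.79    TCP    135
9/8/2008 8:11:09 PM    Intrusion.Win.DCOM.exploit    121.73.125.43    TCP    135
9/8/2008 8:49:38 PM    Intrusion.Win.MSSQL.worm.Helkern    61.134.56.18    UDP    1434
9/8/2008 8:05:10 PM    Intrusion.Win.DCOM.exploit    121.73.125.79    TCP    135
not a log line
"""

def parse_line(line):
    """Return (when, signature, ip, proto, port), or None if malformed."""
    parts = re.split(r"\s{2,}|\t", line.strip())
    if len(parts) != 5:
        return None
    stamp, sig, ip, proto, port = parts
    try:
        when = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
        ip = str(ipaddress.ip_address(ip))
        port = int(port)
    except ValueError:
        return None
    return when.replace(tzinfo=LOCAL_TZ), sig, ip, proto.upper(), port

def summarize(text):
    """Group events by (ip, proto, port, signature) -> (first, last, hits)."""
    groups = {}
    for line in text.splitlines():
        event = parse_line(line)
        if event is None:
            continue  # skip junk rather than guess at it
        when, sig, ip, proto, port = event
        key = (ip, proto, port, sig)
        first, last, hits = groups.get(key, (when, when, 0))
        groups[key] = (min(first, when), max(last, when), hits + 1)
    return groups

def report(text):
    """One line per source (first seen, last seen, ...), oldest first."""
    rows = sorted(summarize(text).items(), key=lambda kv: kv[1][0])
    return [f"{a.isoformat()}  {b.isoformat()}  {ip}  {proto}/{port}  {sig}  hits={n}"
            for (ip, proto, port, sig), (a, b, n) in rows]
```

Calling `report(SAMPLE_LOG)` returns the lines to paste into the e-mail; adjust `LOCAL_TZ` if the log was recorded in a different timezone.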

 
 
 
 




4 posts

Wannabe Geek


  Reply # 163202 9-Sep-2008 00:16

Thanx for the replies

Yes I do have a firewall. I used Outpost but it slows my browser down (Firefox) too much so I use the firewall that comes with Kaspersky which blocks fine.
I know I am blocking these exploits atm but here's the thing. I changed from XTRA ADSL to Telstra cable a couple of weeks ago and immediately was inundated with viruses and malware which took ages to remove without a HD format etc. It seems having a new IP every time I boot up with ADSL may thwart attacks and now I'm a sitting duck.
Perhaps asking for a diff IP would help? I know I am blocking them but I wasn't being attacked before I changed to cable. What do you guys think?

I just sent an email to the admins at Telstra:

list.admin@team.telstraclear.co.nz

Dear sir/s,

I am coming under attack from the following Telstra IPs

Please advise what I (or you) should do. I noticed when I changed from Xtra ADSL to Telstra cable a couple of weeks ago I received a lot of malware and viruses I didn't have previously.

9/8/2008 11:28:48 PM    Intrusion.Win.DCOM.exploit    121.73.33.240    TCP    135

and the following

9/8/2008 7:53:53 PM    121.14.136.143
9/8/2008 8:00:54 PM    121.73.125.79
9/8/2008 8:11:09 PM    121.73.125.43
9/8/2008 8:20:27 PM    121.73.22.193
9/8/2008 8:32:11 PM    121.219.25.195
9/8/2008 8:49:04 PM    121.63.146.18
                        121.73.135.30
                        121.73.11.203
                        121.73.6.147

121.73.133.1    121.73.133.1    60 bytes    0 bytes
121.73.6.147    121.73.6.147    246 bytes    162 bytes
203.96.152.4    203.96.152.4    11 KB    4.3 KB

Could you please look into this for me

Regards

169 posts

Master Geek
+1 received by user: 1


  Reply # 166369 22-Sep-2008 20:00

I am a security engineer - that is just netbios traffic, windows networking, it's not malicious. For example if you plug your PC straight into the cable modem that will appear as just a normal networking interface, windows sends out netbios traffic. You will be seeing port 135, 445, maybe a bit of 139.

It's just noise.
In fact nothing there would raise any alarms except the worm traffic, which is outside of the Telstra range anyway.

836 posts

Ultimate Geek

Trusted

  Reply # 166400 22-Sep-2008 22:40

Uh, I thought RPC was TCP 135 and TCP 137-139 were typical netbios over tcp/ip. Mind you I'm only a rocket surgeon :(

169 posts

Master Geek
+1 received by user: 1


  Reply # 166401 22-Sep-2008 22:44

tend to just shroud it under the one term. It will be windows sending out its networking crap. :D
