Weird firewall attack problem, stumped


  • Weird firewall attack problem, stumped

    Hi there

    I was hoping you could help me with a weird attack problem I am having.

    I use Win98se, and my firewall (BlackIce defender 2.1) is reporting about 25-40 attacks a day from the same source. Here is the info:

    TIME: 03/27/01
    ATTACK: HTTP Cross Site Scripting
    INTRUDER: 0.0.0.0
    COUNT: 34


    I've blocked the "intruder" on permanent setting, but the attacks keep happening every day.

    Is there some script/hack/bug I can look for in my computer to locate the source of this? Is it even coming from me? I have run virus checkers and they report nothing.

    thanks

  • #2
    It is only a guess, actually a whole bunch of guesses, but based on my experience with two different firewalls (Sphinx by Bioware, Personal Firewall by Tiny) I would say that is actually your own firewall producing the "intrusions". Firewalls need to communicate with the OS to learn the port mappings of programs that use the communication connections. And they detect themselves trying to communicate. Create a rule for your firewall and it should be fine.

    AFAIK Black Ice is an Intrusion Detector? Which means that it only monitors incoming traffic, but there is a whole lot of traffic coming in constantly. TCP/IP sends packets and expects an answer from the target if it receives the packet. These responses are logged in firewalls but are perhaps not logged by Black Ice and cause an alarm. How to change that I don't know.

    The IP address of 0.0.0.0 is a good hint that the origin of the intrusion is your own computer. Change the IP address for your computer to a C or D segment address (192.168.0.1-254) and try again.

    Well, like I said, a bunch of wild guesses, but perhaps it helps.

    Regards

    ------------------
    Since my intellect is far superior to yours i will you to [insert appropriate demand here]. Do it. Do it now. Argh!



    • #3
      or that could be a hacker spoofing their IP and by making a rule to allow this in BID, you would be the one to open the door wide up!
      "Be who you are and say what you feel, because those who mind don't matter, and those who matter don't mind." -- Dr. Seuss

      "Always do good. It will gratify some and astonish the rest." ~Mark Twain



      • #4
        thanks! Changing the info from c drive to drive stopped the attacks.

        I'm either safe, or all my secret files are out there in cyberspace

        regards



        • #5
          Hey man... I just got some of your "files" in my e-mail...

          LOL

          ------------------
          Hang Low and Limber

          [This message has been edited by cbman (edited 30 March 2001).]
          AMD Phenom 9650, 8GB, 4x1TB, 2x22 DVD-RW, 2x9600GT, 23.6' ASUS, Vista Ultimate
          AMD X2 7750, 4GB, 1x1TB 2x500, 1x22 DVD-RW, 1x8500GT, 22" Acer, OS X 10.5.8
          Acer 6930G, T6400, 4GB, 500GB, 16", Vista Premium
          Lenovo Ideapad S10e, 2GB, 500GB, 10", OS X 10.5.8



          • #6
            I would have thought if it came from your own machine it would display your own IP address.
            Chief Lemon Buyer no more Linux sucks but not as much
            Weather nut and sad git.

            My Weather Page



            • #7
              127.0.0.1 is localhost... 0.0.0.0 as well I think



              • #8
                Not necessarily. If you don't have an IP selected there is no IP identification of your computer, other than any server might assign to you, of course.

                AFAIK, Zero indicates "target self" in TCP/IP slang and an IP address of 0.0.0.0 would direct you to yourself. But honestly, I don't really know.

                regards

                [Edit]
                Listen to dZeus. You must have posted while I was writing...
                [/Edit]

                [This message has been edited by Six Of One (edited 31 March 2001).]
