Continuous intrusion attempts



drive55
07-10-2005, 02:08 AM
XP/Home/SP2/NIS/NAV-As I type this, I am experiencing continuous intrusion
attempts from a Korean IP address (as in 800 attempts in 20 minutes). After
logging off for a few minutes, the same address is attacking again (with the
same frequency). I am going to report this to the administrative and
technical contacts of the network involved ; but in the meantime, does anyone
know whether this indicates a breach of security, or is my NIS simply doing
its job and simply reporting ? Thanks in advance.

David H. Lipman
07-10-2005, 02:08 AM
From: "drive55" <drive55@discussions.microsoft.com>

| XP/Home/SP2/NIS/NAV-As I type this, I am experiencing continuous intrusion
| attempts from a Korean IP address (as in 800 attempts in 20 minutes). After
| logging off for a few minutes, the same address is attacking again (with the
| same frequency). I am going to report this to the administrative and
| technical contacts of the network involved ; but in the meantime, does anyone
| know whether this indicates a breach of security, or is my NIS simply doing
| its job and simply reporting ? Thanks in advance.

It is doing its job !

If you are using Cable or DSL Internet access, I suggest getting a Cable/DSL Router such as
the Linksys BEFSR41. It will act as a simplistic FireWall and shift the Korean IP Host from
seeing the WinXP PC to seeing the Router. There are *many* other benefits to using such a
device as well.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Mike Hall (MS-MVP)
07-10-2005, 02:08 AM
As David pointed out, the firewall is doing its job.. however, I would
recommend that you go to your firewall settings and turn off all but the
most important alerts.. you will be driven insane by them..

--
Mike Hall
MVP - Windows Shell/User
http://dts-l.org/goodpost.htm





"David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
news:%23d5XXUcWFHA.3676@TK2MSFTNGP10.phx.gbl...
> From: "drive55" <drive55@discussions.microsoft.com>
>
> | XP/Home/SP2/NIS/NAV-As I type this, I am experiencing continuous intrusion
> | attempts from a Korean IP address (as in 800 attempts in 20 minutes). After
> | logging off for a few minutes, the same address is attacking again (with the
> | same frequency). I am going to report this to the administrative and
> | technical contacts of the network involved ; but in the meantime, does anyone
> | know whether this indicates a breach of security, or is my NIS simply doing
> | its job and simply reporting ? Thanks in advance.
>
> It is doing its job !
>
> If you are using Cable or DSL Internet access, I suggest getting a Cable/DSL Router such as
> the Linksys BEFSR41. It will act as a simplistic FireWall and shift the Korean IP Host from
> seeing the WinXP PC to seeing the Router. There are *many* other benefits to using such a
> device as well.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>
>

drive55
07-10-2005, 02:08 AM
"David H. Lipman" wrote:

> From: "drive55" <drive55@discussions.microsoft.com>
>
> | XP/Home/SP2/NIS/NAV-As I type this, I am experiencing continuous intrusion
> | attempts from a Korean IP address (as in 800 attempts in 20 minutes). After
> | logging off for a few minutes, the same address is attacking again (with the
> | same frequency). I am going to report this to the administrative and
> | technical contacts of the network involved ; but in the meantime, does anyone
> | know whether this indicates a breach of security, or is my NIS simply doing
> | its job and simply reporting ? Thanks in advance.
>
> It is doing its job !
>
> If you are using Cable or DSL Internet access, I suggest getting a Cable/DSL Router such as
> the Linksys BEFSR41. It will act as a simplistic FireWall and shift the Korean IP Host from
> seeing the WinXP PC to seeing the Router. There are *many* other benefits to using such a
> device as well.
>
> --
> Dave
> http://www.claymania.com/removal-trojan-adware.html
> http://www.ik-cs.com/got-a-virus.htm
>

I'm a relative newbie (7 mos.) and know nothing about a Router. Three questions: Will my
Norton firewall not do as well as the Router's simplistic firewall ? Did your links at the end
of your reply indicate that a Trojan Horse may already be in place ? My firewall log
shows a 48 hr. block of the Unused Windows Services Block Trojan Horse for the offending
address (218.152.186.93) . Lastly, at this rate (2500 and counting within the last 45
min.) can a security system be simply overwhelmed ? If any of these questions are naive,
please accept my apologies. TIA.

David H. Lipman
07-10-2005, 02:08 AM
From: "drive55" <drive55@discussions.microsoft.com>


>> I'm a relative newbie (7 mos.) and know nothing about a Router. Three questions: Will my
>> Norton firewall not do as well as the Router's simplistic firewall ? Did your links at the end
>> of your reply indicate that a Trojan Horse may already be in place ? My firewall log
>> shows a 48 hr. block of the Unused Windows Services Block Trojan Horse for the offending
>> address (218.152.186.93) . Lastly, at this rate (2500 and counting within the last 45
>> min.) can a security system be simply overwhelmed ? If any of these questions are naive,
>> please accept my apologies. TIA.

The idea of the Router is to not burden the PC with having to deal with multiple intrusions
and alerting. The PC is free to do the work you want it to perform. But most important,
and the reason it is called a Router is that it allows up to 253 nodes to share the one ISP
provided Internet address.

The URLs in my signature are just that. URLs in my signature. They are informative for
those who are infected. If I felt the Original Poster (OP) was infected I would have noted
it in the body.

At those numbers, no the PC will not be overwhelmed. However, it is doing work that is
stealing CPU cycles from you and the work you want to perform.

--
Dave
http://www.claymania.com/removal-trojan-adware.html
http://www.ik-cs.com/got-a-virus.htm

Leythos
07-10-2005, 02:08 AM
In article <8EEE85C7-0904-4BB6-B2C1-E16C1AF44015@microsoft.com>, drive55@discussions.microsoft.com says...
> XP/Home/SP2/NIS/NAV-As I type this, I am experiencing continuous intrusion
> attempts from a Korean IP address (as in 800 attempts in 20 minutes). After
> logging off for a few minutes, the same address is attacking again (with the
> same frequency). I am going to report this to the administrative and
> technical contacts of the network involved ; but in the meantime, does anyone
> know whether this indicates a breach of security, or is my NIS simply doing
> its job and simply reporting ? Thanks in advance.

I agree with the others in this thread - get a router that provides NAT
and you'll be a lot safer and not see those alerts.

Right now I block more than 50 foreign subnets, some in the /8 range due
to exactly what you are seeing (but my firewall lets me set that up).

If you get a router your PC will only see what YOU (your computer)
connects to, and not the background chatter that you are seeing. One
thing about the router, if you get a Linksys, there is a program called
WallWatcher that can tell you what is happening on your internet
connection with great detail (in/out, source, destination, ports...).

While a NAT Router is NOT A FIREWALL, its nature (NAT) does limit
inbound connections to only those that YOU initiate.

You can keep your personal firewall application, but it will have little
work to do.

--
--
spam999free@rrohio.com
remove 999 in order to email me
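
Added example, not part of any post in this thread: a toy Python model of the NAT behaviour described in the last reply, where the router forwards inbound packets only when they match a connection the PC opened. The class `NatRouter`, all addresses (documentation ranges) and the probe traffic are constructed, and the strict per-endpoint matching is an assumption; real consumer routers vary in how tightly they filter.

```python
from dataclasses import dataclass, field

@dataclass
class NatRouter:
    """Toy port-address-translation table (simplified model, not any vendor's firmware)."""
    public_ip: str
    next_port: int = 40000
    # public_port -> (lan_ip, lan_port, remote_ip, remote_port)
    table: dict = field(default_factory=dict)

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """LAN host opens a connection: record a mapping, return the rewritten source."""
        for pub_port, entry in self.table.items():
            if entry == (lan_ip, lan_port, remote_ip, remote_port):
                return self.public_ip, pub_port
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return self.public_ip, pub_port

    def inbound(self, remote_ip, remote_port, pub_port):
        """Packet arrives on the public side: forward only if it matches a mapping."""
        entry = self.table.get(pub_port)
        # Assumption: filtering is per remote address and port (strictest common behaviour).
        if entry and entry[2:] == (remote_ip, remote_port):
            return entry[0], entry[1]   # forwarded to (lan_ip, lan_port)
        return None                     # no matching mapping: dropped at the router


def simulate():
    router = NatRouter(public_ip="203.0.113.10")  # constructed documentation address
    # The PC browses a web server; the router records the mapping.
    _, pub_port = router.outbound("192.168.1.100", 51000, "198.51.100.7", 80)
    reply = router.inbound("198.51.100.7", 80, pub_port)
    # Constructed probe traffic: 800 unsolicited packets at Windows service ports.
    probes = [("192.0.2.66", 30000 + i, p) for i in range(200) for p in (135, 139, 445, 1025)]
    reached_pc = sum(1 for ip, sport, dport in probes if router.inbound(ip, sport, dport))
    # Even a probe that hits the open mapping's port is dropped: wrong remote endpoint.
    guessed = router.inbound("192.0.2.66", 31337, pub_port)
    return reply, len(probes), reached_pc, guessed


if __name__ == "__main__":
    print(simulate())
```

In this model the web server's reply is forwarded to the PC while none of the 800 probes get past the router, so the personal firewall on the PC never sees them and has nothing to alert on.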

