Solved

Getting port 80 attacks and Nimda Propagation... questions.

Posted on 2003-10-30
362 Views
Last Modified: 2013-12-04
Have Norton Internet Security 2003 and Netgear 814 router running with Windows XP Pro and Comcast high-speed internet.  Only port 80 open right now, as I have a webserver on my machine with Apache.  I got attacked just a while back from two different IP addresses.  Here is what the log says:

Attempted Intrusion "Nimda_Propagation" against your machine was detected and blocked
Intruder: 68.69.247.119(4326)
Risk Level: High
Protocol: TCP
Attacked IP: redbull1(192.168.0.2).
Attacked Port: http(80)
 Click on the address to trace the attacker  

Have also been getting this popup many times a day:

Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (redbull1(192.168.0.2),http(80))
Remote address,service is (68.86.194.59,2628)
Process name is "C:\WEB\Apache2\bin\Apache.exe"

I know to block the Nimda attack, but what about this second one?  What could it be?  A few of the IP addresses are from Comcast itself.  Is this normal?

Anything I should know about this Nimda attack as well?

Thanks,
Jeff

Question by:jeffvb9
6 Comments
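Before the answers, a check the asker can run against Apache's own access log, added here as an example and not part of the original thread. Norton reports the Nimda_Propagation signature on port 80; the HTTP requests behind that signature (cmd.exe and root.exe reached through the IIS Unicode and double-decode directory-traversal paths, as listed in CERT Advisory CA-2001-26) also land in Apache's access_log, normally as 404s because Apache has no such files. The script decodes each request path the way the worm disguises it, flags matches, and counts them per client. The log lines are constructed for this example and use the 203.0.113.0/24 documentation range; `decode_path`, `is_nimda_probe` and `scan_access_log` are names chosen here, not Apache or Norton APIs.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Path fragments Nimda's port-80 probes end in, per CERT Advisory
# CA-2001-26: it asks for cmd.exe (via /c/, /d/, /scripts/ and traversal
# variants) and for the root.exe copy of cmd.exe left behind by Code Red II.
NIMDA_PATH_MARKERS = ("/winnt/system32/cmd.exe", "/root.exe")

# Constructed Apache combined-log lines (not from the original post).
# 203.0.113.5 replays a Nimda burst; 203.0.113.9 is an ordinary visitor.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [30/Oct/2003:10:15:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 296 "-" "-"
203.0.113.5 - - [30/Oct/2003:10:15:01 -0500] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 295 "-" "-"
203.0.113.5 - - [30/Oct/2003:10:15:02 -0500] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 307 "-" "-"
203.0.113.5 - - [30/Oct/2003:10:15:02 -0500] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 325 "-" "-"
203.0.113.5 - - [30/Oct/2003:10:15:03 -0500] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 323 "-" "-"
203.0.113.9 - - [30/Oct/2003:10:20:44 -0500] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
203.0.113.9 - - [30/Oct/2003:10:20:45 -0500] "GET /images/logo.gif HTTP/1.1" 200 2871 "http://redbull1/index.html" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

# client, timestamp, method, path, status from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def decode_path(raw_path):
    """Undo the encodings the worm hides behind: drop the query string,
    percent-decode twice (so %255c -> %5c -> backslash), turn backslashes
    into forward slashes and lower-case. The %c1%1c overlong-UTF-8 form
    decodes to bytes that are not valid UTF-8; errors='replace' keeps the
    surrounding '/winnt/system32/cmd.exe' intact so it still matches."""
    path = raw_path.split("?", 1)[0]
    path = unquote(unquote(path, errors="replace"), errors="replace")
    return path.replace("\\", "/").lower()


def is_nimda_probe(raw_path):
    """True if the request path, once normalised, targets cmd.exe/root.exe."""
    decoded = decode_path(raw_path)
    return any(marker in decoded for marker in NIMDA_PATH_MARKERS)


def scan_access_log(text):
    """Return ({client_ip: nimda_request_count}, parsed_line_count)."""
    hits = Counter()
    parsed = 0
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        parsed += 1
        client, _ts, _method, path, _status = m.groups()
        if is_nimda_probe(path):
            hits[client] += 1
    return hits, parsed


if __name__ == "__main__":
    hits, parsed = scan_access_log(SAMPLE_ACCESS_LOG)
    print(f"parsed {parsed} lines")
    for client, n in hits.most_common():
        print(f"{client}: {n} Nimda-style requests")
```

A burst of several of these paths from one address within a second or two is the worm's scan, not a person; on a non-IIS server every one of them should be a 404, so a 200 on any of these paths is the finding that actually needs attention.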
 
Accepted Solution
by: Pete Long (earned 134 total points)
ID: 9658486
Nimda, a sophisticated program that spreads through Web sites and e-mail, also targets personal computers. That allows it to spread faster and makes it harder to track, security experts say.

"It is persistent, and we don't see it going away," says Dan Ingevaldson, a researcher at Internet Security Systems. "The potential target is orders of magnitude larger than Code Red. Anyone who uses an Internet Explorer Web browser or e-mail is susceptible."

http://www.usatoday.com/money/tech/2001-09-26-nimba-virus.htm

Download nimda.zip (utility and instructions, Zip file)
Download nimdasfx.exe (utility and instructions, self-extracting Zip file)

From http://www.sophos.com/virusinfo/articles/nimda.html

To make sure you're not infected.

But by the sounds of it, your machine is getting attacked from an external source and your system is protected.

The second one is a probe from these guys

Comcast Cable Communications, Inc. JUMPSTART-2 (NET-68-80-0-0-1)
                                  68.80.0.0 - 68.87.255.255
Comcast Cable Communications, Inc. PA-METRO-18 (NET-68-86-192-0-1)
                                  68.86.192.0 - 68.86.207.255

Apart from Port 80 they appear to be using

Port 2628 DICT
(TCP) Dictionary Server Protocol (DICT) as defined in http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2229.html

Pete
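As an added example, not part of Pete's answer or of the original page: a small parser for the two Norton Internet Security 2003 entry types quoted in the question, which pulls out the remote address and port from each and checks the address against the two Comcast ranges in the whois output above. The first two records in the sample are the entries from the question; the third and fourth are constructed for the example (203.0.113.0/24 is a documentation range). The function names and the record dictionary layout are choices made here, not anything Norton provides.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log: records 1-2 are the question's own entries,
# records 3-4 are made up for this example.
SAMPLE_LOG = '''\
Attempted Intrusion "Nimda_Propagation" against your machine was detected and blocked
Intruder: 68.69.247.119(4326)
Risk Level: High
Protocol: TCP
Attacked IP: redbull1(192.168.0.2).
Attacked Port: http(80)

Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (redbull1(192.168.0.2),http(80))
Remote address,service is (68.86.194.59,2628)
Process name is "C:\\WEB\\Apache2\\bin\\Apache.exe"

Attempted Intrusion "Nimda_Propagation" against your machine was detected and blocked
Intruder: 203.0.113.7(1033)
Risk Level: High
Protocol: TCP
Attacked IP: redbull1(192.168.0.2).
Attacked Port: http(80)

Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (redbull1(192.168.0.2),http(80))
Remote address,service is (68.86.200.10,3301)
Process name is "C:\\WEB\\Apache2\\bin\\Apache.exe"
'''

# The two Comcast allocations from the whois output in the answer
# (68.80.0.0-68.87.255.255 and 68.86.192.0-68.86.207.255) as CIDR blocks.
COMCAST_NETS = [ipaddress.ip_network("68.80.0.0/13"),
                ipaddress.ip_network("68.86.192.0/20")]

INTRUSION_RE = re.compile(r'^Attempted Intrusion "([^"]+)"')
INTRUDER_RE = re.compile(r'^Intruder: (\d+\.\d+\.\d+\.\d+)\((\d+)\)')
ATTACKED_PORT_RE = re.compile(r'^Attacked Port: \w+\((\d+)\)')
REMOTE_RE = re.compile(r'^Remote address,service is \((\d+\.\d+\.\d+\.\d+),(\d+)\)')
LOCAL_RE = re.compile(r'^Local address,service is \(\w+\((\d+\.\d+\.\d+\.\d+)\),\w+\((\d+)\)\)')
PROCESS_RE = re.compile(r'^Process name is "([^"]+)"')


def parse_records(text):
    """Split the log into blank-line separated records and extract, per
    record: kind ('signature' for an IDS hit, 'connection' for a plain
    blocked inbound connection), signature name, remote IP/port, local
    port and the local process that owned the socket."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {"kind": None, "signature": None, "remote_ip": None,
               "remote_port": None, "local_port": None, "process": None}
        for line in (l.strip() for l in block.splitlines() if l.strip()):
            if m := INTRUSION_RE.match(line):
                rec["kind"], rec["signature"] = "signature", m.group(1)
            elif m := INTRUDER_RE.match(line):
                rec["remote_ip"], rec["remote_port"] = m.group(1), int(m.group(2))
            elif m := ATTACKED_PORT_RE.match(line):
                rec["local_port"] = int(m.group(1))
            elif line.startswith("Inbound"):
                rec["kind"] = "connection"
            elif m := REMOTE_RE.match(line):
                rec["remote_ip"], rec["remote_port"] = m.group(1), int(m.group(2))
            elif m := LOCAL_RE.match(line):
                rec["local_port"] = int(m.group(2))
            elif m := PROCESS_RE.match(line):
                rec["process"] = m.group(1)
        if rec["remote_ip"]:  # ignore fragments with no usable address
            records.append(rec)
    return records


def is_comcast(ip):
    """True if the address falls in either Comcast block from the whois data."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in COMCAST_NETS)


def summarize(records):
    """Count records by (kind, 'comcast' | 'other') so the signature hits
    and the plain blocked connections the question mixes together can be
    told apart, and the Comcast share of each seen at a glance."""
    counts = Counter()
    for rec in records:
        origin = "comcast" if is_comcast(rec["remote_ip"]) else "other"
        counts[(rec["kind"], origin)] += 1
    return counts


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for (kind, origin), n in sorted(summarize(recs).items()):
        print(f"{kind:10} {origin:8} {n}")
```

In the connection records the second number on the "Remote address" line is the remote side's own port; for an inbound connection to Apache on port 80 that is the client's source port and changes with every connection, so grouping these entries by remote address or network, as summarize() does, is the view that tells you who keeps coming back.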
 
Assisted Solution
by: juliancrawford (earned 133 total points)
ID: 9662087
If you're getting too many hits, you can block the IP or subnet with IPSECPOL.
http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp
 

Assisted Solution
by: PrashantArpana (earned 133 total points)
ID: 9700360
Just download the tool known as FSNIMDA3.EXE and clean your computer with it. All your problems regarding the Nimda thing will be sorted out.

Also, to be on the safer side, do rescan your PC with some antivirus software once the tool has finished its job.

Also make sure to turn off "System Restore" if you are running WinME or XP.
 
Expert Comment
by: Pete Long
ID: 11145052
Hello, this question has been open a while; please take the time to come back and clean it up.

Closing Questions
http://www.experts-exchange.com/help.jsp#hs5


Best Wishes

Pete
www.petenetlive.com
