Solved

Getting port 80 attacks and Nimba Propagation....questions.

Posted on 2003-10-30
6
356 Views
Last Modified: 2013-12-04
Have Norton Internet Security 2003 and Netgear 814 router running with Windows XP PRO and comcast high speed internet.  Only port 80 open right now as I have a webserver on my machine with Apache.  I got attacked just a while back from two different ip addresses.  Here is what the log says:

Attempted Intrusion "Nimda_Propagation" against your machine was detected and blocked
Intruder: 68.69.247.119(4326)
Risk Level: High
Protocol: TCP
Attacked IP: redbull1(192.168.0.2).
Attacked Port: http(80)
 Click on the address to trace the attacker  

Have also been getting this popup many times a day:

Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (redbull1(192.168.0.2),http(80))
Remote address,service is (68.86.194.59,2628)
Process name is "C:\WEB\Apache2\bin\Apache.exe"

I know to block the nimda attack but what about this second one.  What could it be?  A few of the ip addresses are from comcast itself.  Is this normal?

Anything I should know about this nimda attack as well?

Thanks,
Jeff

 




0
Comment
Question by:jeffvb9
  • 2
6 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 134 total points
ID: 9658486
Nimda, a sophisticated program that spreads through Web sites and e-mail, also targets personal computers. That allows it to spread faster and makes it harder to track, security experts say.

"It is persistent, and we don't see it going away," says Dan Ingevaldson, a researcher at Internet Security Systems. "The potential target is orders of magnitude larger than Code Red. Anyone who uses an Internet Explorer Web browser or e-mail is susceptible."

http://www.usatoday.com/money/tech/2001-09-26-nimba-virus.htm

 Download nimda.zip (Utility and instructions, Zip file)
 Download nimdasfx.exe (Utility and instructions, self-extracting Zip file

From http://www.sophos.com/virusinfo/articles/nimda.html

To Make sure YOUR not infected

But by the sounds of it your machine is getting attacked from an external source and your system is protected.

The second one is a probe from these guys

Comcast Cable Communications, Inc. JUMPSTART-2 (NET-68-80-0-0-1)
                                  68.80.0.0 - 68.87.255.255
Comcast Cable Communications, Inc. PA-METRO-18 (NET-68-86-192-0-1)
                                  68.86.192.0 - 68.86.207.255

Apart from Port 80 they appear to be using

Port 2628 DICT
(TCP) Dictionary Server Protocol (DICT) as defined in http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2229.html

Pete
0
 
LVL 5

Assisted Solution

by:juliancrawford
juliancrawford earned 133 total points
ID: 9662087
If your getting too many hits you can block the ip or subnet with IPSECPOL.
http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp
0
 

Assisted Solution

by:PrashantArpana
PrashantArpana earned 133 total points
ID: 9700360
Just download the tool known as FSNIMDA3.EXE and clean you computer with it. All you probs regading the Nimda thing will be sorted out.

Also to be on safer end do rescan you pc with some antivirus software once the tool has finished it job.

Also make sure to turn of "system restore" if you are running WinME or XP.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 11145052
Hello this question has been open a while please take the time to come back and clean it up.

Closing Questions
http://www.experts-exchange.com/help.jsp#hs5


Best Wishes

Pete
www.petenetlive.com
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
Container Orchestration platforms empower organizations to scale their apps at an exceptional rate. This is the reason numerous innovation-driven companies are moving apps to an appropriated datacenter wide platform that empowers them to scale at a …
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, Just open a new email message.  In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now