Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 384
  • Last Modified:

Getting port 80 attacks and Nimba Propagation....questions.

Have Norton Internet Security 2003 and Netgear 814 router running with Windows XP PRO and comcast high speed internet.  Only port 80 open right now as I have a webserver on my machine with Apache.  I got attacked just a while back from two different ip addresses.  Here is what the log says:

Attempted Intrusion "Nimda_Propagation" against your machine was detected and blocked
Intruder: 68.69.247.119(4326)
Risk Level: High
Protocol: TCP
Attacked IP: redbull1(192.168.0.2).
Attacked Port: http(80)
 Click on the address to trace the attacker  

Have also been getting this popup many times a day:

Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (redbull1(192.168.0.2),http(80))
Remote address,service is (68.86.194.59,2628)
Process name is "C:\WEB\Apache2\bin\Apache.exe"

I know to block the nimda attack but what about this second one.  What could it be?  A few of the ip addresses are from comcast itself.  Is this normal?

Anything I should know about this nimda attack as well?

Thanks,
Jeff

 




0
jeffvb9
Asked:
jeffvb9
  • 2
3 Solutions
 
Pete LongConsultantCommented:
Nimda, a sophisticated program that spreads through Web sites and e-mail, also targets personal computers. That allows it to spread faster and makes it harder to track, security experts say.

"It is persistent, and we don't see it going away," says Dan Ingevaldson, a researcher at Internet Security Systems. "The potential target is orders of magnitude larger than Code Red. Anyone who uses an Internet Explorer Web browser or e-mail is susceptible."

http://www.usatoday.com/money/tech/2001-09-26-nimba-virus.htm

 Download nimda.zip (Utility and instructions, Zip file)
 Download nimdasfx.exe (Utility and instructions, self-extracting Zip file

From http://www.sophos.com/virusinfo/articles/nimda.html

To Make sure YOUR not infected

But by the sounds of it your machine is getting attacked from an external source and your system is protected.

The second one is a probe from these guys

Comcast Cable Communications, Inc. JUMPSTART-2 (NET-68-80-0-0-1)
                                  68.80.0.0 - 68.87.255.255
Comcast Cable Communications, Inc. PA-METRO-18 (NET-68-86-192-0-1)
                                  68.86.192.0 - 68.86.207.255

Apart from Port 80 they appear to be using

Port 2628 DICT
(TCP) Dictionary Server Protocol (DICT) as defined in http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2229.html

Pete
0
 
juliancrawfordCommented:
If your getting too many hits you can block the ip or subnet with IPSECPOL.
http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp
0
 
PrashantArpanaCommented:
Just download the tool known as FSNIMDA3.EXE and clean you computer with it. All you probs regading the Nimda thing will be sorted out.

Also to be on safer end do rescan you pc with some antivirus software once the tool has finished it job.

Also make sure to turn of "system restore" if you are running WinME or XP.
0
 
Pete LongConsultantCommented:
Hello this question has been open a while please take the time to come back and clean it up.

Closing Questions
http://www.experts-exchange.com/help.jsp#hs5


Best Wishes

Pete
www.petenetlive.com
0

Featured Post

[Webinar] Cloud and Mobile-First Strategy

Maybe you’ve fully adopted the cloud since the beginning. Or maybe you started with on-prem resources but are pursuing a “cloud and mobile first” strategy. Getting to that end state has its challenges. Discover how to build out a 100% cloud and mobile IT strategy in this webinar.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now