Solved

Getting port 80 attacks and Nimda Propagation....questions.

Posted on 2003-10-30
Last Modified: 2013-12-04
Have Norton Internet Security 2003 and Netgear 814 router running with Windows XP PRO and Comcast high speed internet.  Only port 80 open right now as I have a webserver on my machine with Apache.  I got attacked just a while back from two different IP addresses.  Here is what the log says:

Attempted Intrusion "Nimda_Propagation" against your machine was detected and blocked
Intruder: 68.69.247.119(4326)
Risk Level: High
Protocol: TCP
Attacked IP: redbull1(192.168.0.2).
Attacked Port: http(80)
 Click on the address to trace the attacker  

Have also been getting this popup many times a day:

Details: This one time, the user has chosen to "block" communications
Inbound TCP connection
Local address,service is (redbull1(192.168.0.2),http(80))
Remote address,service is (68.86.194.59,2628)
Process name is "C:\WEB\Apache2\bin\Apache.exe"

I know to block the Nimda attack, but what about this second one?  What could it be?  A few of the IP addresses are from Comcast itself.  Is this normal?

Anything I should know about this Nimda attack as well?

Thanks,
Jeff

 




Question by:jeffvb9
6 Comments
 
LVL 57

Accepted Solution

by:
Pete Long earned 536 total points
ID: 9658486
Nimda, a sophisticated program that spreads through Web sites and e-mail, also targets personal computers. That allows it to spread faster and makes it harder to track, security experts say.

"It is persistent, and we don't see it going away," says Dan Ingevaldson, a researcher at Internet Security Systems. "The potential target is orders of magnitude larger than Code Red. Anyone who uses an Internet Explorer Web browser or e-mail is susceptible."

http://www.usatoday.com/money/tech/2001-09-26-nimba-virus.htm

Download nimda.zip (Utility and instructions, Zip file)
Download nimdasfx.exe (Utility and instructions, self-extracting Zip file)

From http://www.sophos.com/virusinfo/articles/nimda.html

To make sure you're not infected.

But by the sounds of it your machine is getting attacked from an external source and your system is protected.

The second one is a probe from these guys

Comcast Cable Communications, Inc. JUMPSTART-2 (NET-68-80-0-0-1)
                                  68.80.0.0 - 68.87.255.255
Comcast Cable Communications, Inc. PA-METRO-18 (NET-68-86-192-0-1)
                                  68.86.192.0 - 68.86.207.255

Apart from Port 80 they appear to be using

Port 2628 DICT
(TCP) Dictionary Server Protocol (DICT) as defined in http://www.cis.ohio-state.edu/cgi-bin/rfc/rfc2229.html

Pete
0
 
LVL 5

Assisted Solution

by:juliancrawford
juliancrawford earned 532 total points
ID: 9662087
If you're getting too many hits you can block the IP or subnet with IPSECPOL.
http://www.microsoft.com/serviceproviders/columns/using_ipsec.asp
0
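The remote addresses from the question's alerts checked against the whois ranges quoted in the accepted answer, with each range collapsed to the CIDR block a subnet-level block rule would need. This is an added example, not part of any poster's answer; the function names are illustrative and the alert lines are copied from the question's log.

```python
import ipaddress
import re

# Alert lines copied from the Norton log in the question.
ALERTS = """\
Intruder: 68.69.247.119(4326)
Attacked Port: http(80)
Local address,service is (redbull1(192.168.0.2),http(80))
Remote address,service is (68.86.194.59,2628)
"""

# First/last addresses of the allocations quoted in the accepted answer.
WHOIS_RANGES = {
    "JUMPSTART-2": ("68.80.0.0", "68.87.255.255"),
    "PA-METRO-18": ("68.86.192.0", "68.86.207.255"),
}

# The two alert formats name the remote endpoint differently.
REMOTE_RE = re.compile(
    r"Intruder: (?P<ip1>[\d.]+)\((?P<port1>\d+)\)"
    r"|Remote address,service is \((?P<ip2>[\d.]+),(?P<port2>\d+)\)"
)

def remote_endpoints(text):
    """Return (ip, port) for each remote endpoint named in the alert text."""
    found = []
    for m in REMOTE_RE.finditer(text):
        ip = m.group("ip1") or m.group("ip2")
        port = m.group("port1") or m.group("port2")
        found.append((ipaddress.ip_address(ip), int(port)))
    return found

def range_to_cidrs(first, last):
    """Collapse a first-last whois range into CIDR blocks."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))

def classify(text, ranges):
    """Map each remote IP to the named allocations (as CIDRs) containing it."""
    result = {}
    for ip, port in remote_endpoints(text):
        hits = []
        for name, (first, last) in ranges.items():
            hits += [(name, str(n)) for n in range_to_cidrs(first, last) if ip in n]
        result[str(ip)] = {"remote_port": port, "allocations": hits}
    return result

if __name__ == "__main__":
    for ip, info in classify(ALERTS, WHOIS_RANGES).items():
        print(ip, info)
```

An address with an empty `allocations` list, like the Nimda alert's source here, falls outside the quoted ranges and would need its own rule or a separate whois lookup.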
 

Assisted Solution

by:PrashantArpana
PrashantArpana earned 532 total points
ID: 9700360
Just download the tool known as FSNIMDA3.EXE and clean your computer with it. All your probs regarding the Nimda thing will be sorted out.

Also, to be on the safer end, do rescan your PC with some antivirus software once the tool has finished its job.

Also make sure to turn off "system restore" if you are running WinME or XP.
0
 
LVL 57

Expert Comment

by:Pete Long
ID: 11145052
Hello, this question has been open a while; please take the time to come back and clean it up.

Closing Questions
http://www.experts-exchange.com/help.jsp#hs5


Best Wishes

Pete
www.petenetlive.com
0
