okiwan Posted August 26, 2010
You gotta have some pretty large balls to post spam on a forum full of hackers. Or just be really dumb.
okiwan Posted August 26, 2010
In a possibly related event, someone tried to access my machine, but the firewall stopped it, at the same time after I posted this thread. They tried port 38332. What's weird is I noticed it mentioned Megaupload. That kind of worries me. Maybe I'm downloading too much. I whois'd them and got this.

okiwan@okiwan-desktop:~$ whois 174.140.157.46
#
# Query terms are ambiguous. The query is assumed to be:
# "n 174.140.157.46"
#
# Use "?" to get help.
#
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=174.140....;showARIN=false
#

NetRange: 174.140.128.0 - 174.140.159.255
CIDR: 174.140.128.0/19
OriginAS:
NetName: CIRN-NETBLOCK06
NetHandle: NET-174-140-128-0-1
Parent: NET-174-0-0-0-0
NetType: Direct Allocation
NameServer: NS2.CARPATHIAHOST.NET
NameServer: NS1.CARPATHIAHOST.NET
RegDate: 2008-11-20
Updated: 2009-12-11
Ref: http://whois.arin.net/rest/net/NET-174-140-128-0-1

OrgName: Carpathia Hosting, Inc.
OrgId: CARPA-3
Address: PO Box 2145
City: Ashburn
StateProv: VA
PostalCode: 20146
Country: US
RegDate: 2003-04-24
Updated: 2008-04-10
Ref: http://whois.arin.net/rest/org/CARPA-3

ReferralServer: rwhois://rwhois.carpathiahost.com:4321

OrgTechHandle: CHIA-ARIN
OrgTechName: Carpathia Hosting, IP Administration
OrgTechPhone: +1-703-740-1730
OrgTechEmail: ipadmin@cirn.net
OrgTechRef: http://whois.arin.net/rest/poc/CHIA-ARIN

OrgAbuseHandle: CHAP-ARIN
OrgAbuseName: Carpathia Hosting, Abuse POC
OrgAbusePhone: +1-703-740-1730
OrgAbuseEmail: abuse@carpathiahost.com
OrgAbuseRef: http://whois.arin.net/rest/poc/CHAP-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#

Found a referral to rwhois.carpathiahost.com:4321.

%rwhois V-1.5:003eff:00 rwhois.carpathiahost.com (by Network Solutions, Inc. V-1.5.7.3)
network:Auth-Area:174.140.156.0/22
network:Class-Name:network
network:ID:NETBLK-174.140.157.0/25
network:Network-Name:NET-174-140-157-0-25
network:IP-Network:174.140.157.0/25
network:Org-Name:Megaupload Limited
network:Street-Address:Room 1204, 12th Floor Shanghai Industrial Investment Building 48-62 Hennessy Road
network:City:Wanchai
network:State:NU
network:Postal-Code:N/A
network:Country-Code:US
network:Tech-Contact;I:CHIA-ARIN
network:Updated:20090727173058000
network:Updated-By:hostmaster@cirn.net

network:Auth-Area:174.140.156.0/22
network:Class-Name:network
network:ID:NETBLK-174.140.156.0/22
network:Network-Name:NET-174-140-156-0-22
network:IP-Network:174.140.156.0/22
network:Org-Name:Carpathia Hosting, Inc
network:Street-Address:21711 Filigree Ct Suite A
network:City:Ashburn
network:State:VA
network:Postal-Code:20147
network:Country-Code:US
network:Tech-Contact;I:CHIA-ARIN
network:Updated:20100826022202
network:Updated-By:hostmaster@cirn.net

Edited August 26, 2010 by okiwan
VaKo Posted August 26, 2010
Random port scan is random.
okiwan Posted August 26, 2010
But why?
Sparda Posted August 26, 2010
> Random port scan is random.
And failed.
digip Posted August 26, 2010
It's the internet. 99.9% of these are automated: bots, worms, etc. Get yourself behind a router with NAT and you will never see them being able to access your machine (unless you are 1. in the DMZ, 2. port forwarding and leaving it open 24/7, or 3. have UPnP enabled, which is a no-no).

Now, as to your firewall, were you doing anything on Megaupload at the time? This could have just been redundant session data from your browser after using that site and closing the page. For example, run tcpdump, Wireshark, or even TCPView on Windows (which is a really handy tool to end sessions for things like Twitter's CloudFront that leaves tons of sessions open, which I think is probably why they always say "over capacity" and give me the fail whale). Then go to some web sites, then close the browser. Watch as you will still see traffic coming in from some of these sites even after the browser has closed. Using TCP for the internet, packets will still come in for an attempt to SYN/ACK/PSH/FIN etc. The sites don't always know you closed your browser and continue to try and keep the session alive until it times out. Browsers don't send the RST or FIN packet when you close them, so until the session times out, you might see traffic still coming in to your machine.

Another thing you may see this from is torrents. Let's say you downloaded something using BitTorrent, like the latest BackTrack distro (cause you only download legal stuff, right? Don't answer that). After you're done downloading the torrent and have gone offline, your IP address is part of the loop. So when people are trying to download their copies of the torrent, your IP will be in the list of seeders automatically. Some trackers are smart enough to remove users when a certain number of days has gone by, but by design, you're in there for life.

Now you go to log on to your machine, do your normal browsing, internet access, but not seeding this torrent, and all of a sudden your firewall says you have hundreds if not thousands of access attempts. This is because the tracker and the people trying to download want to access your copy of the file to be shared, and thus you will see this kind of traffic and session connections on ports not just for your BitTorrent client settings, but any port range in an attempt to create a new session with you as a node on the farm.

Hope that eases your mind a bit. Scans are just something to be aware of, but so long as you have your stuff locked down properly, no services open to the internet, not in a DMZ, good firewall and router setup, you shouldn't have to worry about any of this.

Edited August 26, 2010 by digip
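The post above describes three distinct shapes that blocked inbound traffic takes: one source sweeping many ports (a scan), many sources all hitting one port (torrent swarm residue or an exposed service), and straggler packets with no SYN from a host you already talked to (a session the other side has not timed out yet). The following triage script is an added example, not code from the thread; it runs over a constructed sample of firewall block entries (the IP from okiwan's whois plus made-up TEST-NET addresses) and sorts them into those buckets so a reader can tell noise from something worth looking at.

```python
from collections import defaultdict

# Constructed sample of "blocked inbound" firewall records: (src_ip, dst_port, tcp_flags).
# Only 174.140.157.46/38332 comes from the thread; the rest are TEST-NET addresses made up
# for illustration. Flags use tcpdump letters: S=SYN, A=ACK, F=FIN, R=RST, P=PSH.
SAMPLE_LOG = [
    ("174.140.157.46", 38332, "S"),                                   # one SYN, one port
    ("198.51.100.7", 22, "S"), ("198.51.100.7", 23, "S"), ("198.51.100.7", 80, "S"),
    ("198.51.100.7", 443, "S"), ("198.51.100.7", 3389, "S"), ("198.51.100.7", 8080, "S"),
    ("203.0.113.5", 6881, "S"), ("203.0.113.9", 6881, "S"), ("203.0.113.22", 6881, "S"),
    ("203.0.113.31", 6881, "S"), ("203.0.113.40", 6881, "S"),         # many peers, one port
    ("192.0.2.77", 51432, "A"),                                       # bare ACK: leftover session
]


def triage(entries, threshold=5):
    """Group blocked inbound records into the patterns digip describes.

    threshold: how many distinct ports (per source) or distinct sources (per port)
    it takes before we call it a sweep or a crowded port. Returns a dict of
    category -> sorted list of source IPs (or, for crowded_ports, port numbers).
    """
    ports_by_src = defaultdict(set)
    srcs_by_port = defaultdict(set)
    stale = set()
    for src, port, flags in entries:
        if "S" not in flags:
            # No SYN means nothing new is being opened: the peer is still talking to a
            # session we already closed (or that NAT already forgot). Harmless.
            stale.add(src)
            continue
        ports_by_src[src].add(port)
        srcs_by_port[port].add(src)
    # One source, many ports: somebody (usually a bot) walking the port range.
    sweeps = {s for s, p in ports_by_src.items() if len(p) >= threshold}
    # Many sources, one port: swarm/tracker residue, or a service the world thinks you run.
    crowded = {p for p, s in srcs_by_port.items() if len(s) >= threshold}
    # Everything else is a lone probe: background internet noise.
    noise = {s for s, p in ports_by_src.items() if s not in sweeps and not (p & crowded)}
    return {
        "port_sweep_sources": sorted(sweeps),
        "crowded_ports": sorted(crowded),
        "stale_session_sources": sorted(stale),
        "isolated_probe_sources": sorted(noise),
    }


if __name__ == "__main__":
    for category, members in triage(SAMPLE_LOG).items():
        print(f"{category}: {members}")
```

A crowded port on a machine that has never run a torrent client or a listening service is the one bucket worth a second look, because it means something outside is advertising that address; the other three are the noise the post describes.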
okiwan Posted August 26, 2010
Great. Thanks for the detailed explanation. That does put my mind at ease.
cabster21 Posted August 27, 2010
There is no such thing as random... Unless someone knows otherwise? In regards to a computer picking a random number.

Edited August 27, 2010 by cabster21
okiwan Posted August 27, 2010
Now I'm scared again. :o
Mr-Protocol Posted August 27, 2010
> There is no such thing as random... Unless someone knows otherwise? In regards to a computer picking a random number.
OK, we say random because people understand they weren't a target. Maybe systematic is a better choice of words. Systematically scanning all IPs in a given range.
Infiltrator Posted August 28, 2010
> Now I'm scared again. :o
No reason to be scared, that's how the system works. I too use torrents, eMule and LimeWire to download stuff, and this stuff happens to me too. Just make sure you have a good firewall in place and you are behind NAT.

Edited August 28, 2010 by Infiltrator
okiwan Posted August 28, 2010
I don't use torrents or LimeWire. I only use direct links.
manuel Posted August 28, 2010
Careful now... I am stealing your IP and hacking your computer right now.... Those direct links are redirects of malware, so each one is re-infecting your computer with trojans, hijackers and rootkits.
okiwan Posted August 28, 2010
:o Oh noes! lol

Edited August 28, 2010 by okiwan