Network Attack and Defense

nedal26

Hi all...


For three days now I have been having a real problem ...

There are people trying to infiltrate my system. In fact they succeeded and used my account to upload their files, but after a campaign with the new programme Kaspersky Internet Security 8.0.0.357 I stopped the penetration. They did not stop trying, though ...

They use: INTRUSION.WIN.MSSQL.WORM.HELKERN.
Their IPs: 166.111.86.250 LOCAL PORT 1434
218.241.161.90 LOCAL PORT 1434
61.132.223.14 LOCAL PORT 1434
220.163.43.139 LOCAL PORT 1434


Are there any suggestions to stop them completely?

Is there a programme with which I can reply to the attack?
 

nedal26

New attempt with a new IP, with the same port and..

INTRUSION.WIN.MSSQL.WORM.HELKERN

any suggestions ..
 

Rocknroll

Don't think there is much point in retaliating. But you could look up those IPs and report the attack to the abuse email listed for them.
They are most probably bots scanning IP ranges. And you are fine as long as you have Kaspersky running.
I imagine you are not using a router. If you were, that traffic probably wouldn't have gone through to your PC.
 

Rocknroll

they are from China..

here is the problem ... how 2 talk 2 them.:D:D:D

Doubt you can talk to them. But you can look up their IP and you come up with something like this, for example on the IP 218.241.161.90:

Code:
inetnum: 218.241.128.0 - 218.241.255.255
netname: BITNET
descr: Beijing Bitone United Networks
descr: Technology Service Co.,Ltd
descr: No.26 Chaowai Str.,
descr: Chaoyang District,Beijing,P.R.C
country: CN
admin-c: JL2597-AP
tech-c: JL2597-AP
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CNNIC-AP
mnt-routes: MAINT-CNNIC-AP
changed: [email protected] 20070920
status: ALLOCATED PORTABLE
source: APNIC

person: Jonson Li
nic-hdl: JL2597-AP
e-mail: [email protected]
address: 2nd Floor,BLDG HP No.112 Jian Guo Street,Chaoyang District,Beijing
phone: +86-010-65661862-232
fax-no: +86-010-65660882
country: CN
changed: [email protected] 20060911
mnt-by: MAINT-CNNIC-AP
source: APNIC

inetnum: 218.241.128.0 - 218.241.255.255
netname: BITNET
descr: Beijing Bitone United Networks
descr: Technology Service Co.,Ltd
descr: No.26 Chaowai Str.
descr: Chaoyang District, Beijing,P.R.C
country: CN
admin-c: JS3-CN
tech-c: JS3-CN
status: ALLOCATED PORTABLE
changed: [email protected] 20070920
mnt-by: MAINT-CNNIC-AP
mnt-lower: MAINT-CN-BITNET
source: CNNIC

person: Jie Sun
nic-hdl: JS3-CN
e-mail: [email protected]
address: 2nd Floor,BLDG HP No.112 Jian Guo Street, Chaoyang District,Beijing
phone: +86-010-65661862-232
fax-no: +86-010-65660882
country: CN
changed: [email protected] 20060911
mnt-by: MAINT-CNNIC-AP
source: CNNIC

Then you can try emailing one of those addresses, like ipas(at)cnnic.cn, to report the attack.
But I doubt it will do any good; they don't even seem to have a dedicated abuse email listed like most ISPs do.
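The lookup described in the post above, as an added example that is not part of the original thread: a small parser for whois replies in this `key: value` layout that deduplicates the same block returned by two registries and picks the addresses to report to. It goes slightly beyond the post by preferring an `abuse-mailbox` attribute when one is present; the function names and the sample record are assumptions made for illustration.

```python
# Added example: pick report contacts out of RPSL-style whois text.
# SAMPLE is constructed (documentation range 192.0.2.0/24, example.net).
SAMPLE = """\
inetnum: 192.0.2.0 - 192.0.2.255
netname: EXAMPLE-NET
country: ZZ
admin-c: EX1-AP
source: APNIC

person: Example Admin
nic-hdl: EX1-AP
e-mail: NOC@example.net

inetnum: 192.0.2.0 - 192.0.2.255
netname: EXAMPLE-NET
country: ZZ
tech-c: EX2-CN
source: CNNIC

person: Example Tech
nic-hdl: EX2-CN
e-mail: noc@example.net
"""

def parse_objects(text):
    """Split whois text into objects, each a list of (key, value) pairs."""
    objects, current = [], []
    for line in text.splitlines() + [""]:   # trailing "" flushes the last object
        if not line.strip():                # a blank line ends an object
            if current:
                objects.append(current)
            current = []
        elif line[0] in "%# \t+":           # server remarks, continuation lines
            continue
        elif ":" in line:
            key, _, value = line.partition(":")
            current.append((key.strip().lower(), value.strip()))
    return objects

def report_contacts(text):
    """Return (netname, country, contacts); abuse-mailbox wins over e-mail."""
    objects = parse_objects(text)
    nets = [o for o in objects if o[0][0] in ("inetnum", "inet6num")]
    handles = {v for o in nets for k, v in o if k in ("admin-c", "tech-c")}
    abuse = {v.lower() for o in objects for k, v in o if k == "abuse-mailbox"}
    people = [o for o in objects if dict(o).get("nic-hdl") in handles]
    fallback = {v.lower() for o in people for k, v in o if k == "e-mail"}
    net = dict(nets[0]) if nets else {}
    return net.get("netname"), net.get("country"), sorted(abuse or fallback)
```
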
 

ForceMajeur

they are from China..

here is the problem ... how 2 talk 2 them.:D:D:D


They are not from China, those IPs are fake. They are trying to add advertising posts to my forum several times a day, but I am catching and banning them. I am afraid you do not have this chance.
Try to report them to your mail server...
Try to close port number 1434 if you can...
 

nedal26

Win.MSSQL.worm.Helkern:nana::nana::nana:

1)What is Helkern?
Helkern is an internet worm, that exploits a vulnerability in Microsoft SQL server 2000.
You can find more about it here or here

2)Who is attacking me and why?
These attacks are made by the malware, which tries to infect other vulnerable PCs. They are automated and target random PCs. The so-called attacking PCs are mostly victims of the malware themselves.

3)How can I protect myself?
First of all, the Intrusion Detection System (IDS) in KIS blocks it, so you are safe. When the IDS blocks such an attack you will get a notification like this one:

[Image: notification screenshot]


Even without the IDS to block the attack, only some PCs are vulnerable to it: PCs running SQL Server 2000 that aren't patched against this vulnerability.
This is why you should keep your PC updated. Not only against this form of malware but also others.

4)How can I get rid of this notification?
If you find this notification annoying then you can easily disable it, by clicking on the arrow pointing downwards in the notification and selecting "Disable this notification".

http://img230.imageshack.us/img230/7562/91213423xh6.gif

From Kaspersky Lab..:thum:
Thanks to Lucian Bara.:thum:
 

ForceMajeur

If port 1434 is Kaspersky's port you can't close it. I don't know which port Kaspersky uses because I am not a Kaspersky user.
 