# Being repeatedly attacked!!!



## NotS0Pro (Jul 8, 2008)

I'm currently running Windows XP, with AVG free and Spybot guarding my PC. As far as I understand, they are protecting my registry, though not my network.

_"Your computer has been attacked from the internet."_

I just recently installed a free version of Kaspersky anti-virus, seeing as I only have Windows Firewall in the way of the big-bad internet. Since installation (about 4 days ago), it has picked up numerous attempts from a Helkern worm, and now a TCP SYN Flood.

The flood is actually going on as I write this, with numerous IP addresses from around the world being cited as the source - as expected according to Wikipedia.

I'm not exactly the noisiest internet user, and I don't really know anyone who is capable of doing this. I'm also very careful when downloading files, and don't visit sites I shouldn't be on, or give away information that I'm not supposed to.

Nonetheless, it would seem that someone or _something_ has it in for me.
This may be coincidental, but I was on TPU forums when the problems started occurring, anyone else having problems?

Is Kaspersky feeding me reliable information? I know how difficult it is (or can imagine) to trace bouncing, but is there any way I can find out who or what is causing this?

I'm actually on TPU as I'm learning about Overclocking, and well, hardware in general, and this is proving to be a real pain! If anyone could perhaps offer some advice I would be eternally grateful!

Thanks, Nots0pro


----------



## MKmods (Jul 8, 2008)

I would format the HDD and start over with a clean comp.


----------



## farlex85 (Jul 8, 2008)

Yeah me too, I wouldn't play around w/ it. Sometimes you can hunt and find things in your computer causing problems like that, but I really wouldn't risk it, back up your important stuff and reformat.


----------



## intel igent (Jul 8, 2008)

start fresh, use one good program and limit your pr0n sites to known good ones


----------



## TheMailMan78 (Jul 8, 2008)

MKmods said:


> I would format the HDD and start over with a clean comp.



I agree. Format that thing ASAP. As far as Anti-virus programs go I use Microsoft Onecare and Spybot among others. Also I've been on this forum for a long time and have never had a problem and believe me I've pissed people off. 99.9% of the people on this forum are good people with different views. They are also pretty smart people and know how to defend their systems. I think most who come here know it's pointless to attack us. Plus from my experience it's just not that kind of place.


----------



## calvary1980 (Jul 8, 2008)

if it was a real syn flood you wouldn't be able to post a thread here, it's probably some stupid kid you mouthed off to recently, change your ip (mac) and reboot.

- Christine


----------



## Ravenas (Jul 8, 2008)

calvary1980 said:


> if it was a real syn flood you wouldn't be able to post a thread here, it's probably some stupid kid you mouthed off to recently, change your ip (mac) and reboot.
> 
> - Christine



That's exactly what it is. I wouldn't be worried about finances either, but then again don't go typing passwords all over the place. Chances are if it's a kid, there's a keylogger.


----------



## p_o_s_pc (Jul 8, 2008)

intel igent said:


> start fresh, use one good program and limit your pr0n sites to known good ones



+1


----------



## calvary1980 (Jul 8, 2008)

-1. formatting his computer isn't going to change anything, he is just going to format and reinstall windows on the same ip if he is static. he needs to change his ip then deal with the worm.

- Christine


----------



## Ravenas (Jul 8, 2008)

calvary1980 said:


> -1. formatting his computer isn't going to change anything he needs to change his ip then deal with the worm.
> 
> - Christine



Formatting his HDD will get rid of the worm (-1 for him). However, that doesn't really matter, because he still has your ip. Reset your router & modem.


----------



## p_o_s_pc (Jul 8, 2008)

calvary1980 said:


> -1. formatting his computer isn't going to change anything he needs to change his ip then deal with the worm.
> 
> - Christine



I was saying +1 to limiting the pr0n sites to only ones that are known to be good


----------



## NotS0Pro (Jul 8, 2008)

Thanks for your quick replies 

There's a screenshot here, if you're interested. *sorry http://i303.photobucket.com/albums/nn149/NotS0Pro/TCPSYN.jpg

If you could indulge my interest (or perhaps ignorance), though... I thought that this was external, rather than internal?

I have no idea how to change my MAC address, I thought that they were permanent? >.<


----------



## Ravenas (Jul 8, 2008)

If you have a worm it's internal. If he's using something like TELNET or apache it's external.

You have a worm.


----------



## calvary1980 (Jul 8, 2008)

wipe your entire hard drive over 1 worm? weak. unplug your modem, scan, remove worm, plug modem back in, change mac address, reboot.

- Christine


----------



## Ravenas (Jul 8, 2008)

calvary1980 said:


> wipe your entire hard drive over 1 worm? weak. unplug your modem, scan, remove worm, plug modem back in, change mac address, reboot.
> 
> - Christine



I never said wipe the whole HDD


----------



## Tatty_One (Jul 8, 2008)

calvary1980 said:


> wipe your entire hard drive over 1 worm? weak. unplug your modem, scan, remove worm, plug modem back in, change mac address, reboot.
> 
> - Christine



Amen to that!


----------



## imperialreign (Jul 8, 2008)

NotS0Pro said:


> I'm currently running Windows XP, with AVG free and Spybot guarding my PC. As far as I understand, they are protecting my registry, though not my network.
> 
> _"Your computer has been attacked from the internet."_
> 
> ...





like others have mentioned, it's prob just some twerp out to annoy you - and to add to it, you might have picked up a trojan or otherwise, or if you're on a wireless connection, some twerp trying to breach your network. One person can appear as hundreds of attacks if they're using a bot (which points to an inexperienced twerp).

either way, first, update whatever AV software you're using, also pick up a couple of the freebies (like Windows Defender), get everything updated primo - disable your internet connection, and have your AV software run full scans - this might take a few hours, depending on how big your HDD is, and how in-depth you've configured the scanners to dig; if they turn up anything, remove or quarantine it.

Afterwards, as someone else mentioned, try changing your mac address and see how things go.



One final word of caution, though - although free spyware and AV software can typically be good, they still usually fall short of the highly-rated, paid-subscription AV software - which will also usually include a firewall, malware and virus scanner, network monitoring and protection, etc. You might want to think about a better software suite sometime soon.


----------



## panchoman (Jul 8, 2008)

I'm with christine on this one... he's best off just downloading a trial version of zone alarm pro and hijackthis and similar and killing the worm, etc while offline and then going back and using proper firewalls etc to block out any other intrusions.


----------



## calvary1980 (Jul 8, 2008)

for XP.

1) start -> run -> "control" -> network and internet connections -> network connections -> right click nic -> properties -> general -> configure -> advanced -> network address -> value 

2) start -> run -> "cmd" -> ipconfig /all -> copy "Physical Address" -> select nic window -> paste into value without dashes -> change last 2 characters -> ok

- Christine


----------



## W1zzard (Jul 8, 2008)

changing your mac address won't do anything to your internet ip. if your isp gives you a static ip you will keep that ip which is bound to your login name/dsl line/cable line. if they give you dynamic ips you will end up with ips from a certain range allocated to some kind of spatial area

mac addresses are an ethernet technology


----------



## calvary1980 (Jul 8, 2008)

if he is receiving a syn flood his ip must be static brainiac I have static and own 5 ip that I can change at will most cable packages allow "up to 5 pc per household" which really means 5 ip even if you only use 1 you can still access them.

- Christine


----------



## W1zzard (Jul 8, 2008)

syn flood can happen to dynamic ips as well. even though if you reconnect to your isp and get another ip you are probably not going to be syn flooded instantly... until the attacker somehow finds out your new ip.

does your software detect the internet background noise as syn flood? 

your neighbour runs a torrent and seeds like a champ. the trackers have his ip and give it out to other leechers. those will try to connect to the ip and port advertised. at some point your neighbour goes offline and you come online, get his ip. so all those torrent users will now try to connect to your box because they still think it's your neighbour. since more filesharing protocols than just bt exist, the traffic increases quite a bit. then there are all sorts of people scanning the whole internet for open ports, vulnerabilities etc.

can your software give a more detailed report than just "syn flood from x.x.x.x" ?


----------
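An added example, not part of any post in this thread: a sketch of the distinction W1zzard draws above between an actual SYN flood and ordinary internet background noise, applied to dropped-packet log lines. The field order is assumed to follow the Windows Firewall text log; the sample lines, the `classify` helper and its thresholds are constructed for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime

EPOCH = datetime(1970, 1, 1)
# Assumed field order, modelled on the Windows Firewall text log.
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port "
          "size tcpflags").split()

def parse(lines):
    """Yield (timestamp, src_ip, dst_port) for dropped bare-SYN TCP packets."""
    for line in lines:
        parts = line.split()
        if line.startswith("#") or len(parts) < len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        if (rec["action"], rec["protocol"], rec["tcpflags"]) != ("DROP", "TCP", "S"):
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        yield ts, rec["src_ip"], int(rec["dst_port"])

def classify(lines, window=10, flood_rate=50.0):
    """Return (verdict, peak SYNs per second, busiest port); thresholds are illustrative."""
    buckets = defaultdict(list)
    for ts, src, port in parse(lines):
        buckets[int((ts - EPOCH).total_seconds()) // window].append((src, port))
    if not buckets:
        return "no-syn-traffic", 0.0, None
    peak = max(buckets.values(), key=len)          # busiest time window
    rate = len(peak) / window
    port, hits = Counter(p for _, p in peak).most_common(1)[0]
    # A flood is both fast and aimed at one service; scans and stale
    # peer-to-peer connection attempts are slow and spread over ports.
    if rate >= flood_rate and hits / len(peak) >= 0.8:
        return "possible-syn-flood", rate, port
    return "background-noise", rate, port

# Constructed sample: one stray SYN per minute to assorted ports (noise) ...
NOISE = [
    f"2008-07-08 21:{m:02d}:07 DROP TCP 198.51.100.{m + 1} 192.0.2.10 40{m:02d} {p} 48 S 0 0 65535 - - - RECEIVE"
    for m, p in enumerate([6881, 135, 445, 6881, 1433, 6881])]
# ... and 600 SYNs to a single port inside ten seconds (flood).
FLOOD = [
    f"2008-07-08 22:00:{i % 10:02d} DROP TCP 203.0.113.{i % 250 + 1} 192.0.2.10 {1024 + i} 80 48 S 0 0 65535 - - - RECEIVE"
    for i in range(600)]

if __name__ == "__main__":
    print(classify(NOISE))
    print(classify(FLOOD))
```

The number of alert pop-ups alone does not separate the two cases; the rate per time window and the concentration on one destination port do.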



## NotS0Pro (Jul 9, 2008)

Hey again, I've just run spybot S&D, AVG free and Ad-aware SE Pro. Spybot picked up some tracking cookies (11!), Ad-aware picked up some spyware (Mediaplex... generic stuff really), and running AVG last picked up nothing. I did this offline.

I think I was a little skimpy on information beforehand, so to clarify...

I'm using an ADSL modem, which I am using a DUN connection to connect to, due to crappy AOL software. The modem is USB 2.0. The IP address is static.

I realize I was having a bit of a dull moment before... I have an ASUS Striker Extreme v.1 motherboard, which has an in-built NIC, as I understand (2 Gbit Ethernet ports on rear panel). I'm not that clued on networking, although as W1zzard mentioned, MAC addresses are ethernet (I remember now) so this doesn't apply to me?

The Kaspersky window I referred to is real-time protection, which notifies me of "attacks" that were prevented. A series of worms, or a series of the same worm to be precise, named "Helkern" were brought to my attention over the past two days. These were from IP addresses in China. These notifications have actually continued, and I literally just got one :/.

Unfortunately, as one problem seems to have "stopped", another has become apparent to me. This is the constant barrage of "TCP SYN" attacks, which I assume are part of an automated program, due to the short latency between the notifications. The amount of notifications I have received from the Kaspersky software is easily within the hundreds at this point. No further information is available from the program other than the type of attack, the ip address and the fact that it was repelled.

I can turn these notifications off, although it really doesn't solve the problem. The problem that now seems to be someone deliberately attacking my system? I can't afford to buy cigarettes at the moment, let alone any new software.

I'm not sure what you mean by the background noise? Do you mean the noise on the line? I have no idea, either way.

Thanks again, Nots0pro


----------



## candle_86 (Jul 9, 2008)

Ok well if it's static contact AOL and request an IP change, tell them why you are requesting it and they should honor it. Second of all get windows defender if you're broke, it's a damn decent firewall on the cheap. And if you have 30 bucks to spare go to wal mart and get one care live, I use it and love it


----------



## mrhuggles (Jul 9, 2008)

do you go on irc? if you don't go on irc then it's probably not a targeted attack.


----------



## Steevo (Jul 9, 2008)

Sounds more like general chicken to me. 


Get Comodo (free) firewall and relax. I get a lot of crap reports constantly, false alarms from IANA or from our vendors transferring files. If you are really wanting top notch security get a better modem and hardware firewall.


----------



## JoshBrunelle (Jul 9, 2008)

Go to trendmicro.com and read up sysclean.com. That always does a great job cleaning stuff out. Otherwise, see what ports these attacks are coming from, and close them up, on your router if you can.


----------



## Easy Rhino (Jul 10, 2008)

heh. this reminds me...anyone ever look at their router's log? the amount of random IPs I see trying to connect to my machine is amazing.


----------

