[X4U] Warning received from Network Administrator

Earle Jones earle.jones at comcast.net
Mon Feb 5 17:57:20 PST 2007


Wow!  6,000 messages in ten minutes!

I had a similar problem a couple of years ago.  It turned out to be a  
"Denial of Service" attack, aimed at my local ISP, who was ATT at  
that time.  It kept up for almost a week, during which my throughput  
was down to nil.  Most of the messages were pretty short -- 3 or 4  
kbytes.

I chased down the source IP addresses, most of which were in Korea or  
South America.  But those IPs were probably not the real offenders,  
just 'repeaters' whose systems had been taken over by the true  
offenders.

After Comcast took over from ATTBI, I have never had the problem.

I use a shareware program called "IPNetMonitor" which costs about  
$20.  It constantly monitors all IP traffic both in and out of my  
machine.

It has several tools, including 'Ping', 'Finger', 'WhoIs', and a 'TCP  
Dump'.  I used the 'TCP Dump' to log all traffic over a period of 10  
or 20 seconds.  Then I used 'WhoIs' to identify the IP addresses.  In  
many cases the Admin for the ISP was given with an email address.   
Most of these were innocent users who did not even know that they  
were being used by someone else.

Here's what a little bit of 'TCP Dump' produces:

IP 10.0.1.2.8101 > 10.0.1.4.2646: . 31978:33426(1448) ack 1 win 65535  
<nop,nop,timestamp 141463952 34259372>
IP 10.0.1.4.2646 > 10.0.1.2.8101: . ack 14602 win 18824  
<nop,nop,timestamp 34259372 141463952>
IP 10.0.1.4.2646 > 10.0.1.2.8101: . ack 16050 win 17376  
<nop,nop,timestamp 34259372 141463952>
IP 10.0.1.4.2646 > 10.0.1.2.8101: . ack 33426 win 5792  
<nop,nop,timestamp 34259374 141463952>
IP 10.0.1.2.8101 > 10.0.1.4.2646: . 33426:34874(1448) ack 1 win 65535  
<nop,nop,timestamp 141463952 34259374>
IP 10.0.1.2.8101 > 10.0.1.4.2646: . 34874:36322(1448) ack 1 win 65535  
<nop,nop,timestamp 141463952 34259374>
IP 10.0.1.2.8101 > 10.0.1.4.2646: . 36322:37770(1448) ack 1 win 65535  
<nop,nop,timestamp 141463952 34259374>
IP 10.0.1.2.8101 > 10.0.1.4.2646: . 37770:39218(1448) ack 1 win 65535  
<nop,nop,timestamp 141463952 34259374>
IP 10.0.1.4.2646 > 10.0.1.2.8101: . ack 36322 win 7240  
<nop,nop,timestamp 34259374 141463952>
IP 10.0.1.2.8101 > 10.0.1.4.2646: . 39218:40666(1448) ack 1 win 65535  
<nop,nop,timestamp 141463952 34259374>
IP 10.0.1.2.8101 > 10.0.1.4.2646: . 40666:42114(1448) ack 1 win 65535  
<nop,nop,timestamp 141463952 34259374>
IP 10.0.1.2.8101 > 10.0.1.4.2646: . 42114:43562(1448) ack 1 win 65535  
<nop,nop,timestamp 141463952 34259374>
IP 10.0.1.4.2646 > 10.0.1.2.8101: . ack 43562 win 4344  
<nop,nop,timestamp 34259375 141463952>
IP 10.0.1.2.8101 > 10.0.1.4.2646: . 43562:45010(1448) ack 1 win 65535  
<nop,nop,timestamp 141463952 34259375>
IP 10.0.1.2.8101 > 10.0.1.4.2646: . 45010:46458(1448) ack 1 win 65535  
<nop,nop,timestamp 141463952 34259375>
IP 10.0.1.2.8101 > 10.0.1.4.2646: . 46458:47906(1448) ack 1 win 65535  
<nop,nop,timestamp 141463952 34259375>
IP 10.0.1.4.2646 > 10.0.1.2.8101: . ack 46458 win 5792  
<nop,nop,timestamp 34259376 141463952>
IP 10.0.1.2.8101 > 10.0.1.4.2646: . 47906:49354(1448) ack 1 win 65535  
<nop,nop,timestamp 141463952 34259376>
IP 10.0.1.2.8101 > 10.0.1.4.2646: . 49354:50802(1448) ack 1 win 65535  
<nop,nop,timestamp 141463952 34259376>
IP 10.0.1.2.8101 > 10.0.1.4.2646: . 50802:52250(1448) ack 1 win 65535  
<nop,nop,timestamp 141463952 34259376>
IP 10.0.1.4.2646 > 10.0.1.2.8101: . ack 49354 win 7240  
<nop,nop,timestamp 34259376 141463952>

This was the log for about two seconds.  Nothing of particular  
interest, since I recognize the IP addresses.

IPNetMonitor was written by:

    http://www.sustworks.com/site/sup.html

They seem to be a good bunch.

Good luck!

earle

On Feb 5, 2007, at 2:17 PM, Paul Biddlecomb wrote:

>
> I received the notice from my Network Administrator:
>
> Your host connected to yetzirah.org over 6000 times between 09:03  
> and 09:13.  Files over 1 megabyte were transferred.  We suspect  
> that your host may be compromised, or misconfigured.  If so, you  
> may have to reinstall your system, install updated service packs,  
> and any relevant security patches, as other backdoors may have been  
> installed by hackers.  If your host causes network problems, it  
> will be blocked.
>
> How can I verify what may have happened?  What log file might show  
> files that may have been transferred?  I have the IP of the  
> offending computer.  My system is as follows:
>
> Dual 1GHz PowerPC G4, Mac OS 10.4.8, Safari 2.0.4
>
> Anyone heard of this yetzirah.org?
>
> Any help would be appreciated.
>
> Thanks,
> Paul
> _______________________________________________
> X4U mailing list
> X4U at listserver.themacintoshguy.com
> http://listserver.themacintoshguy.com/mailman/listinfo/x4u
>
> Listmom is trying to clean out his closets! Vintage Mac and random  
> stuff:
>          http://search.ebay.com/_W0QQsassZmacguy1984
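As an added illustration (not part of Earle's or Paul's messages, and not code from the IPNetMonitor product), here is a small Python script that does by hand what Earle describes doing with the 'TCP Dump' tool: it reads tcpdump-style lines like the ones above, re-joins the wrapped "<nop,nop,timestamp ...>" option lines onto the packet they belong to, totals packets and payload bytes per flow, and counts how many distinct outbound connections (unique local source ports) went to each remote host and port, which is the kind of figure a "connected over 6000 times" notice is derived from. The first sample lines are copied from the dump in the post; the 192.0.2.10 lines are constructed to show several short connections to one remote port, and the threshold value is an assumption.

```python
import re
from collections import defaultdict
from typing import Dict, Iterator, Optional, Tuple

Flow = Tuple[str, str, str, str]  # (src, sport, dst, dport)

# Sample capture. The 10.0.1.x lines are copied from the tcpdump output in
# the post above; the 192.0.2.10 lines are constructed for this example.
SAMPLE_DUMP = """\
IP 10.0.1.2.8101 > 10.0.1.4.2646: . 31978:33426(1448) ack 1 win 65535
<nop,nop,timestamp 141463952 34259372>
IP 10.0.1.4.2646 > 10.0.1.2.8101: . ack 14602 win 18824
<nop,nop,timestamp 34259372 141463952>
IP 10.0.1.2.8101 > 10.0.1.4.2646: . 33426:34874(1448) ack 1 win 65535
<nop,nop,timestamp 141463952 34259374>
IP 10.0.1.4.2646 > 10.0.1.2.8101: . ack 33426 win 5792
<nop,nop,timestamp 34259374 141463952>
IP 10.0.1.4.50001 > 192.0.2.10.80: S 1000:1000(0) win 65535
IP 10.0.1.4.50002 > 192.0.2.10.80: S 2000:2000(0) win 65535
IP 10.0.1.4.50003 > 192.0.2.10.80: S 3000:3000(0) win 65535
"""

# "IP <src>.<sport> > <dst>.<dport>: <rest>"; the greedy [\d.]+ backtracks so
# the last dotted component becomes the port.
LINE_RE = re.compile(
    r"^IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
# Payload length is the "(1448)" after the sequence range; pure ACKs have none.
PAYLOAD_RE = re.compile(r"\((\d+)\)")


def iter_records(text: str) -> Iterator[str]:
    """Yield one logical record per packet, joining wrapped option lines."""
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("<") and current:
            current += " " + line  # continuation of the previous packet line
        else:
            if current:
                yield current
            current = line
    if current:
        yield current


def parse_record(record: str) -> Optional[dict]:
    """Return src/sport/dst/dport/payload for a TCP line, or None for other lines."""
    m = LINE_RE.match(record)
    if not m:
        return None
    payload = PAYLOAD_RE.search(m.group("rest"))
    return {
        "src": m.group("src"), "sport": m.group("sport"),
        "dst": m.group("dst"), "dport": m.group("dport"),
        "payload": int(payload.group(1)) if payload else 0,
    }


def summarize_flows(text: str) -> Dict[Flow, Dict[str, int]]:
    """Packets and payload bytes per (src, sport, dst, dport)."""
    flows: Dict[Flow, Dict[str, int]] = defaultdict(lambda: {"packets": 0, "bytes": 0})
    for rec in iter_records(text):
        p = parse_record(rec)
        if p is None:
            continue
        key: Flow = (p["src"], p["sport"], p["dst"], p["dport"])
        flows[key]["packets"] += 1
        flows[key]["bytes"] += p["payload"]
    return dict(flows)


def connections_from(text: str, local_host: str) -> Dict[Tuple[str, str], int]:
    """Distinct outbound connections (unique source ports) from local_host
    to each remote (host, port); one short-lived connection per source port."""
    ports: Dict[Tuple[str, str], set] = defaultdict(set)
    for rec in iter_records(text):
        p = parse_record(rec)
        if p and p["src"] == local_host:
            ports[(p["dst"], p["dport"])].add(p["sport"])
    return {remote: len(s) for remote, s in ports.items()}


def flag_busy_remotes(text: str, local_host: str, threshold: int):
    """Remotes that local_host opened at least `threshold` connections to
    (threshold is an assumed, tunable value)."""
    counts = connections_from(text, local_host)
    return sorted(r for r, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for flow, stats in summarize_flows(SAMPLE_DUMP).items():
        print(flow, stats)
    print("busy remotes:", flag_busy_busy := flag_busy_remotes(SAMPLE_DUMP, "10.0.1.4", 3))
```

On a real capture you would run this over the output of `tcpdump` saved to a file (its line format varies between versions, so the regex may need adjusting), then take the remote addresses that stand out to WhoIs exactly as Earle describes. A few connections to one host is normal browsing; thousands in ten minutes from a machine that should be idle is what the administrator's notice is about.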