I keep getting a warning coming up on my PC from Norton Firewall telling me its blocked an attempt to hack my PC...

Security alert - High risk

Attempted to connect to local computer using the NetBus Trojan horse blocked...

This happens about once an hour, I've run both my anti virus programs and they haven't picked anything up, just about to run Spybot and see if that finds anything, but other than that I'm lost...

Anyone got any ideas?

 

 

I've had them all night mate, nowt to worry about if the firewall has got'em.

 

This can be an attempt by your isp to check you are still online and is not necerserally an attack.
check the i.p address and post here and i can tell you who it is.
most hackers these days wouldnt use this type of atack as it leaves an ip which is tracable.

 

If Norton's blocked it, then it's done it's job. Make sure you keep it uptodate and don't worry about it.

 

agreed, just ignore it... i now turn off all messages, as theyre too frequent.

 

Ok I'll post the IP address next time it happens, cheers

 

keep getting the same on mine, don't think it's anything to worry about

 

IP address will be stored in your log file

 

My router's firewall blocks NetBus scans all the time......basically, it's either an already-infected machine scanning for other machines to infect, or a "central" server looking for already-infected machines to remote-control them.

If your firewall is blocking them, you can either ignore them or you can grab the IP, identify the culprit using something like the third box down in the middle column (assuming it's working now), and report them to their ISP.

 

Fookin hell a different one now....

Attempt to connect to local computer using the Back Orifice Trojan horse blocked

Time: 16:58
Date: 13/11/2004
Protocol: TCP (Inbound)
Remote Address: 80.41.103.205 : 2720

 

Looks malicious to me now.

Server Used: [ whois.ripe.net ]

80.41.103.205 = [ ] This is the RIPE Whois tertiary server.
The objects are in RPSL format.
Rights restricted by copyright.
See http://www.ripe.net/db/copyright.html

 

so someone is knowingly trying to hack my pc then

Ain't they got anything better to do?

 

inetnum: 80.40.0.0 - 80.47.255.255
org: ORG-TUL3-RIPE
netname: UK-TELINCO-20011123
descr: PROVIDER Local Registry
country: GB
tech-c: TU935-RIPE
admin-c: TU935-RIPE
status: ALLOCATED PA
notify: hostmaster@uk.tiscali.com

trouble: Information: http://www.tiscali.com
trouble: Concerning abuse and spam ... mailto: abuse@uk.tiscali.com

Forward that exact log to the above bold-highlighted address...

 

Yes, someone is trying to get into your machine.
What are you doing when the attack comes ?
Are you on a forum ?

 

erm I'm on PF and ebay I think...., not 100%, if it happens again I'll see what sites I'm on

 

Back Orifice trojan-horse, if it works like most other trojans, will just scan a range of IP addresses set by the trojan, for vulnerable machines to which it can spread itself......I doubt what's happened is a manual-attack, more a case of an infected machine automatically trying to spread the trojan to other vulnerable machines.

Report it, all the same, though...

 

This type is malicious though and is used to look for open ports, it will tell people scanning of open ports in a range and give them entry.
I`m not saying this is the case as it also is a spread virus like mentioned above.

 

A port-scan would show up slightly differently to a firewall that's blocking it, though, you'd get LOTS of entries or pop-up windows to show you of the activity hitting sequential ports...

Not saying that the activity noted above isn't a manual attack, but from experience of dealing with this kind of thing in work, it's "normally" the trojan trying to spread itself automatically......you'll probably find, in 99 out of 100 cases, that the person whose computer it is doesn't even know their own computer is doing it.

Also, port-scans tend to go for the more "popular" ports, like 25 (SMTP), 21 (FTP), telnet (23), and so on, as they're more easily abused by someone who knows what to do with them.

 

the more I block the more try to attack....

Time: 22:55
Date: 13/11/2004
Protocol: TCP (Inbound)
Remote Address: 80.108.113.16 : 3052
Local Address: 80.41.212.224 : 27374 (I forgot this bit last time)

The only thing I was logged into was messenger, so it looks like its trying to spread itself through there....

 

good site to check your protection


http://www.grc.com/default.htm