Thread: Worm Intrusion Detected and Blocked

  1. #1
    Senior Member blackhat's Avatar
    Join Date
    Oct 2005
    Posts
    203

    Worm Intrusion Detected and Blocked

    I get this message from time to time. I'd like to know more about it. Should I be concerned? I'll post the info hoping that Admin will take out anything that shouldn't be posted.

    From: ms asni integer overflow TCP 63.***.**.**(2911)
    Port attacked: netbios-ssn (139)
    Attacked IP: 63.***.**.**
    Risk: High level

    I'm pretty sure that my IP is a 255.xxx.xxx number. I know that some of these blocked things are perfectly legitimate routines, but how can I spot a bad one and what should be done? DRB
    Last edited by rik; July 4th, 2006 at 04:03 AM.

    "Will Golf for Food"

  2. #2
    Nobody knows I'm a dog. TZ Veteran petard's Avatar
    Join Date
    Feb 2003
    Location
    Newspapastan
    Posts
    1,050
    Quote: Originally Posted by blackhat
    I get this message from time to time. I'd like to know more about it. Should I be concerned? I'll post the info hoping that Admin will take out anything that shouldn't be posted.

    From: ms asni integer overflow TCP 63.157.**.**
    Port attacked: netbios-ssn (139)
    Attacked IP: 63.***.**.**
    Risk: High level

    I'm pretty sure that my IP is a 255.xxx.xxx number. I know that some of these blocked things are perfectly legitimate routines, but how can I spot a bad one and what should be done? DRB

    blackhat: Your IP address isn't a 255.xxx.xxx.xxx number. There are a few ways to get your system's IP address. Open a command prompt (DOS box) and type 'ipconfig /all' (no quotes) and hit return. You'll get your full TCP/IP information displayed. The IP address displayed might be the one you posted above.

    Hopefully your Internet connection via your ISP is through some sort of firewall and not directly connected to the cable modem. If so, you should be running a host-based firewall like ZoneAlarm.
    Last edited by rik; July 4th, 2006 at 04:03 AM.

    Many thanks to egghead for the cool .sig

  3. #3
    Security Intelligence TZ Veteran cash_site's Avatar
    Join Date
    Jul 2002
    Location
    Software Paradise
    Posts
    3,735
    Well it does seem that he is using a firewall or tracker... as it gave him that warning...

    Also, it specifies the type of attack MS ANSI Overflow originating from 63.157.x.x
    and it seems that ur IP at the time of the attack was 63.232.x.x --> that means it was someone with the same ISP... you should email ur ISP and give them that log and time of day etc.

    Also, the 255.x.x.x ur referring to is usually the Subnet mask for the TCP/IP connection.

    Petard was correct in saying to check ipconfig for all the finer details

    Also, the safe routines won't be flagged by ur firewall/antivirus etc.... but unknown or bad connections will... so keep an eye out!

    --- 0wN3D by 3gG ---

  4. #4
    Senior Member blackhat's Avatar
    Join Date
    Oct 2005
    Posts
    203
    Thanks guys. I "searched" the worm and got everything from "it's very serious" to "It's a legit internet routine and should be allowed" to the ridiculous like "you just need to change the oil in your car" or "Have you checked that there are no cookie crumbs on top of your Printer?" etc. Some Sites!
    Anyway, in ipconfig /all I found the 255.xxx.xxx subnet mask and the IP address (the last two sets of numbers in the IP ADDRESS are different than in the worm notification. I'm assuming that they are allowed to change?)
    I emailed the ISP with the info. We'll see what they say. I'm learning- THANKS! DRB

    "Will Golf for Food"

  5. #5
    Security Intelligence TZ Veteran cash_site's Avatar
    Join Date
    Jul 2002
    Location
    Software Paradise
    Posts
    3,735
    well sort of good news... yeah, the last two IP digits will usually change if ur on a dynamic IP allocation from your ISP such as PPPoE on broadband or dialup...

    Make sure u do a complete virus/spyware scan tho...

    --- 0wN3D by 3gG ---
