Prevent future hacking?


4 replies to this topic

#1 michaelson

michaelson

    Member

  • Full Member
  • 25 posts

Posted 01 May 2007 - 05:46 PM

Hi,

Yesterday I went to use my computer and saw a ZoneAlarm message that there had been 5 attempts to reach my computer through an IP address that, when I entered it in the IP address lookup, would not come up.

172.16.1.33.

I'm scared this person is gonna come back. I am not on a network, and I don't share files, so I don't understand why anyone would want access to my computer unless it was for malicious means. I'm curious if they are going to try to find a way around my firewall, if they haven't already. I mean, 5 attempts! Seems like they really wanted access. Can anyone give me some advice, or at least help calm me down that people aren't going to remote access my computer to do bad stuff?

#2 Budfred

Budfred

    Malware Hound

  • Administrators
  • 21,532 posts

Posted 01 May 2007 - 07:44 PM

That IP is from this range:

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 172.16.0.0 - 172.31.255.255
CIDR: 172.16.0.0/12
NetName: IANA-BBLK-RESERVED
NetHandle: NET-172-16-0-0-1
Parent: NET-172-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate: 1994-03-15
Updated: 2002-09-12

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: *****@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: *****@iana.org

# ARIN WHOIS database, last updated 2007-05-01 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.

and there are all sorts of reasons that various programs and services try to access your computer... Some are malware probing for vulnerabilities and some are things like your ISP checking your connection... It doesn't mean you are under attack... 5 attempts is pretty minimal for someone trying to probe your system... It is much more likely to be legit... Also, the fact that your firewall stopped it is a clue that you are using the protection you need... It can be a good idea to use a hardware firewall in addition to your software firewall if you wish, but you are already pretty well protected...
Budfred

Helpful link: SpywareBlaster...

MS MVP 2006 and ASAP Member since 2004

Please read the Instructions for posting requested logs and the article "So how did I get infected in the first place?"

#3 Tuxedo Jack

Tuxedo Jack

    Creator of TuxPE, a Cat5-o'-9-Tails, Etherkillers, and more

  • Expert
  • 1,758 posts

Posted 01 May 2007 - 08:12 PM

The Internet Assigned Numbers Authority (IANA) has reserved the following three blocks of the IP address space for private internets (local networks):

10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255


Don't worry about it. It's your own system creating a loopback.

Question - are you using a 2Wire HomePortal? Those used to use that IP range for their LANs.
Signature file is under revision. This will be back shortly.

#4 kazzoo

kazzoo

    Member

  • Full Member
  • 14 posts

Posted 01 May 2007 - 08:46 PM

In the world of networking, there are ranges of addresses that are considered "non-routable". These non-routable addresses fall into three classes and ranges.

Class A 10.0.0.0-10.255.255.255

Class B 172.16.0.0-172.31.255.255

Class C 192.168.0.0-192.168.255.255

These addresses and ranges are reserved for private use by users when creating LANs (local area networks), and if a true hardware router encounters packets with any of these addresses on them, it will discard them and not forward them.

For the real geeky types, RFC 1918 (go ahead and google it up) explains what this means. But here is a brief snip:

Because private addresses have no global meaning, routing information
about private networks shall not be propagated on inter-enterprise
links, and packets with private source or destination addresses
should not be forwarded across such links. Routers in networks not
using private address space, especially those of Internet service
providers, are expected to be configured to reject (filter out)
routing information about private networks. If such a router receives
such information the rejection shall not be treated as a routing
protocol error.


end of snip

So... What does this mean for you and Zone telling you about it? It has to be an internal thing. A server or server-like device is trying to make a connection with the rest of the computer.

An example would be like setting up an Apache server on your computer and it wanting to have a connection with the rest of the computers or ports. Did you install something like a web camera recently? Think of it as a computer in your computer that got its own address.

It's a high possibility it is your own router doing it.

When you see these alerts, determine whether it is from a computer on your network, or from the machine or router that performs NAT or DHCP (most commonly, if the IP address ends in 1 then it would be the device performing NAT/DHCP). It is possible it's trying to multicast and using the range of the 172.16.x.x.

All in all it is interesting, but nothing spooky. Your ZoneAlarm may need some configuration if the alerts disturb you. But it does bear investigating where in your computer this is coming from.

Good luck
Badgers? I dont need no stinkin Badgers!
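
The address check described in replies #3 and #4, as an added example that is not part of any poster's reply: it sorts firewall alert sources into the three RFC 1918 blocks, loopback, multicast or public, and applies the "ends in 1" hint from reply #4. The function names and the sample alerts are constructed for illustration; only 172.16.1.33 with 5 attempts comes from the thread.

```python
import ipaddress

# The three private blocks listed in the thread (RFC 1918).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Return a short label for where an alert's source address can originate."""
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.is_multicast:
        return "multicast"
    for net in RFC1918:
        if ip in net:
            return "private " + str(net)
    return "public"


def triage(alerts):
    """Attach a label and a next step to each (source_ip, attempts) pair."""
    report = []
    for addr, attempts in alerts:
        label = classify(addr)
        if label.startswith("private"):
            # Thread heuristic: an address ending in .1 is often the NAT/DHCP device.
            last_octet = int(ipaddress.ip_address(addr)) & 0xFF
            step = "check router" if last_octet == 1 else "check LAN devices"
        elif label == "public":
            step = "routable source: review firewall log"
        else:
            step = "host-local or multicast traffic"
        report.append((addr, attempts, label, step))
    return report


# Constructed sample alerts (source address, blocked attempts).
SAMPLE_ALERTS = [
    ("172.16.1.33", 5),
    ("192.168.1.1", 2),
    ("172.32.0.7", 1),    # just outside 172.16.0.0/12, so not private
    ("127.0.0.1", 3),
    ("224.0.0.251", 4),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_ALERTS):
        print("%-14s x%d  %-22s %s" % row)
```

Note that only 172.16.x.x through 172.31.x.x are private; an alert from 172.32.0.7 or 172.15.255.255 is a routable source.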


#5 michaelson

michaelson

    Member

  • Full Member
  • 25 posts

Posted 02 May 2007 - 06:19 PM

Thank you guys so much. Really, thank you! Totally put my mind at ease.



