Under Attack!

[American Patriot]

My network at home is currently under attack.

I've been hit by something, and have managed to block some of the IP addresses so I can get onto the internet.

Here is one of them:

221.192.199.46



Take a wild fucking guess who the fuckers are?

% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 221.192.0.0[Who Is IP][trace][Reverse IP Search] - 221.195.255.255[Who Is IP][trace][Reverse IP Search]
netname: UNICOM-HE
descr: China Unicom Hebei Province Network
descr: China Unicom
country: CN
admin-c: CH1302-AP
tech-c: KL984-AP
remarks: service provider
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-HE
mnt-routes: MAINT-CNCGROUP-RR
status: ALLOCATED PORTABLE
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: [FIND OUT MORE ABOUT THIS EMAIL ADDRESS] 20040329
changed: [FIND OUT MORE ABOUT THIS EMAIL ADDRESS] 20060124
changed: [FIND OUT MORE ABOUT THIS EMAIL ADDRESS] 20060125
changed: [FIND OUT MORE ABOUT THIS EMAIL ADDRESS] 20080314
changed: [FIND OUT MORE ABOUT THIS EMAIL ADDRESS] 20090508
source: APNIC

route: 221.192.0.0[Who Is IP][trace][Reverse IP Search]/14
descr: CNC Group CHINA169 Hebei Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: [FIND OUT MORE ABOUT THIS EMAIL ADDRESS] 20060118
source: APNIC

person: ChinaUnicom Hostmaster
nic-hdl: CH1302-AP
e-mail: [FIND OUT MORE ABOUT THIS EMAIL ADDRESS]
address: No.21,Jin-Rong Street
address: Beijing,100140
address: P.R.China
phone: +86-10-66259940
fax-no: +86-10-66259764
country: CN
changed: [FIND OUT MORE ABOUT THIS EMAIL ADDRESS] 20090408
mnt-by: MAINT-CNCGROUP
source: APNIC

person: Kong Lingfei
nic-hdl: KL984-AP
e-mail: [FIND OUT MORE ABOUT THIS EMAIL ADDRESS]
address: 45, Guang An Street, Shi Jiazhuang City, HeBei Province,050011,CN
phone: +86-311-86681601
fax-no: +86-311-86689210
country: cn
changed: [FIND OUT MORE ABOUT THIS EMAIL ADDRESS] 20090206
mnt-by: MAINT-CNCGROUP-HE
source: APNIC

[American Patriot]

Ok.

I'm being hit by multiple sites, looking to open port number 27977 from various ip addresses starting at port 12200.

Attempting to find data on it now.

[American Patriot]

I'm getting stuff trying to shut my browser off.

I found this too.

Found attack from 222.186.13.212 in port 27977 => Tue Nov 9 22:06:12 2010

Found attack from 222.186.13.212 in port 9000 => Tue Nov 9 22:06:12 2010

Found attack from 222.186.13.212 in port 3246 => Tue Nov 9 22:06:12 2010

Found attack from 222.186.13.212 in port 8090 => Tue Nov 9 22:06:12 2010

Found attack from 202.102.234.87 in port 9415 => Tue Nov 9 22:06:12 2010

Found attack from 202.102.234.87 in port 9090 => Tue Nov 9 22:06:12 2010

Found attack from 202.102.234.87 in port 2479 => Tue Nov 9 22:06:12 2010

Found attack from 221.192.199.46 in port 8085 => Tue Nov 9 22:06:12 2010

Found attack from 221.192.199.46 in port 27977 => Tue Nov 9 22:06:12 2010

Found attack from 221.192.199.48 in port 27977 => Tue Nov 9 22:06:12 2010

Found attack from 58.53.128.61 in port 8000 => Tue Nov 9 22:06:12 2010

Found attack from 222.133.189.12 in port 27977 => Tue Nov 9 22:06:12 2010

Found attack from 202.102.234.87 in port 27977 => Tue Nov 9 22:06:12 2010

Found attack from 202.102.234.87 in port 2301 => Tue Nov 9 22:06:12 2010

Found attack from 202.102.234.87 in port 73 => Tue Nov 9 22:06:12 2010

Found attack from 222.186.13.212 in port 8085 => Tue Nov 9 22:06:12 2010

Found attack from 221.192.199.48 in port 8085 => Tue Nov 9 22:06:12 2010

[American Patriot]

These are syn attacks.

I'll be back, I need to reboot and rerun some anti-adware stuff, and virus checker.

[American Patriot]

A good portion of those sites above are chinese. I have one russian ip hitting me as well.

87.242.76.68

I've effectively blocked them at the router for now. I'm not sure what hapened, but this morning when I logged in, I couldn't hit the internet with ANY machine. Google was blocked... strange things were happening.

So I disconnected one machine after running wireshark and grabbing IPs, then I logged into the router to block some of them first.

Suddenly, I was able to get to the internet, on all machines.

I suspect this is a syn attack, but not a DDos attack (multiple bots).

Why they are hitting ME specifically, I am not sure.

Perhaps it is this site? Maybe they know I'm an admin? MAYBE they know we're on to them about the fucking missile?

(And since it's no secret who I work for, they are thinking they can slow me down?)

I don't know. Perhaps I'm paranoid. I'm going to go work on my second knife. I hardened it and tempered it last night. Need to reclean it.

back later.

[Aplomb]

This is one of those little reasons that I don't happen to believe in coincidences.

[American Patriot]

I don't either. Logs show the attacks started sometime yesterday. I guess it's not the porn I look at.

/snicker

(Like ham radio porn, sailing porn, and such things) hehe

[Ryan Ruck]

Very interesting. Keep us updated!

I'd be interested in hearing what your ISP has to say.

[American Patriot]

I haven't spoke to them about this. I'm a little hesitant to call the ISP and say "I'm being attacked" because it's Comcast.

They arent the most helpful people in the world and I don't want it "shut down" because I'm a "problem". You know?

[Malsua]

I've been getting bombed by Chinese IPs for a while. There's one particular IP address that floods the entire internet (I mean, literally, everywhere) every 15 minutes. You can set your watch to it.

Occasionally they all come together and crowd me out so I lose connection for a few minutes. It really pisses me off.

[American Patriot]

It's been happening for about 4-5 days from what I can tell now at my end.

We started getting seriously lagged a few days ago in WOW. My son who moved back in for awhile had his PC set up and running and I thought he was doing something weird, so I checked last night when it was happening and he's getting lagged too.

So... this might not be over the "missile" but them fucking trying to see how messed up they can make the internet.

Mother fuckers.

I wish we could get away with bombing the fuckers back.

[Ryan Ruck]

I would talk to them. Yeah I know how helpful tech support is () but they may be able to block the problem on their equipment so it doesn't even get to you.

[American Patriot]

Well...

I found that my main machine (mine) was placed into the DMZ as well. I don't remember doing that, though I might have.

If that is the case they were hitting it because it was not protected.

But - even so, as soon as I blocked a couple of the IPs from the router, it was stopped and I was able to get to the internet.

The odd thing was, I couldn't get there on any of the other machines for some reason.

So, I think it was just hitting my router (as the logs were for the router, rather than my machine specifically).

[American Patriot]

A new approach to China

1/12/2010 03:00:00 PM
Like many other well-known organizations, we face cyber attacks of varying degrees on a regular basis. In mid-December, we detected a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google. However, it soon became clear that what at first appeared to be solely a security incident--albeit a significant one--was something quite different.

First, this attack was not just on Google. As part of our investigation we have discovered that at least twenty other large companies from a wide range of businesses--including the Internet, finance, technology, media and chemical sectors--have been similarly targeted. We are currently in the process of notifying those companies, and we are also working with the relevant U.S. authorities.

Second, we have evidence to suggest that a primary goal of the attackers was accessing the Gmail accounts of Chinese human rights activists. Based on our investigation to date we believe their attack did not achieve that objective. Only two Gmail accounts appear to have been accessed, and that activity was limited to account information (such as the date the account was created) and subject line, rather than the content of emails themselves.

Third, as part of this investigation but independent of the attack on Google, we have discovered that the accounts of dozens of U.S.-, China- and Europe-based Gmail users who are advocates of human rights in China appear to have been routinely accessed by third parties. These accounts have not been accessed through any security breach at Google, but most likely via phishing scams or malware placed on the users' computers.

We have already used information gained from this attack to make infrastructure and architectural improvements that enhance security for Google and for our users. In terms of individual users, we would advise people to deploy reputable anti-virus and anti-spyware programs on their computers, to install patches for their operating systems and to update their web browsers. Always be cautious when clicking on links appearing in instant messages and emails, or when asked to share personal information like passwords online. You can read more here about our cyber-security recommendations. People wanting to learn more about these kinds of attacks can read this Report to Congress (PDF) by the U.S.-China Economic and Security Review Commission (see p. 163-), as well as a related analysis (PDF) prepared for the Commission, Nart Villeneuve's blog and this presentation on the GhostNet spying incident.

We have taken the unusual step of sharing information about these attacks with a broad audience not just because of the security and human rights implications of what we have unearthed, but also because this information goes to the heart of a much bigger global debate about freedom of speech. In the last two decades, China's economic reform programs and its citizens' entrepreneurial flair have lifted hundreds of millions of Chinese people out of poverty. Indeed, this great nation is at the heart of much economic progress and development in the world today.

We launched Google.cn in January 2006 in the belief that the benefits of increased access to information for people in China and a more open Internet outweighed our discomfort in agreeing to censor some results. At the time we made clear that "we will carefully monitor conditions in China, including new laws and other restrictions on our services. If we determine that we are unable to achieve the objectives outlined we will not hesitate to reconsider our approach to China."

These attacks and the surveillance they have uncovered--combined with the attempts over the past year to further limit free speech on the web--have led us to conclude that we should review the feasibility of our business operations in China. We have decided we are no longer willing to continue censoring our results on Google.cn, and so over the next few weeks we will be discussing with the Chinese government the basis on which we could operate an unfiltered search engine within the law, if at all. We recognize that this may well mean having to shut down Google.cn, and potentially our offices in China.

The decision to review our business operations in China has been incredibly hard, and we know that it will have potentially far-reaching consequences. We want to make clear that this move was driven by our executives in the United States, without the knowledge or involvement of our employees in China who have worked incredibly hard to make Google.cn the success it is today. We are committed to working responsibly to resolve the very difficult issues raised.

Update: Added a link to another referenced report in paragraph 5.

Posted by David Drummond, SVP, Corporate Development and Chief Legal Officer

[American Patriot]

Chinese Hackers Attacked Google Through Internet Explorer?

Jan 15 2010, 2:40 PM ET 20
If you follow the news even vaguely, then you've heard about Google's announcement that it may exit the Chinese market in response to hacker attacks originating in China that sought to access the private information of human rights advocates. I've argued that whether Google stays or not, such attacks aren't likely to stop. So I don't really see what Google expects to gain from leaving now, as opposed to months or years ago. But today a new wrinkle emerges: the attacks occurred as a result of an unknown flaw in Microsoft Internet Explorer.

Here's the news blurb, via PCWorld:

Microsoft Security Response Center director Mike Reavey said in an e-mailed statement "This afternoon, Microsoft issued Security Advisory 979352 to help customers mitigate a Remote Code Execution (RCE) vulnerability in Internet Explorer. The company has determined that Internet Explorer was one of the vectors used in targeted and sophisticated attacks targeted against Google and other corporate networks."

Am I the only one that finds this an interesting plot twist? Microsoft provided the window through which the Chinese hackers crawled through. A few thoughts about this:

First, what is Google doing using Internet Explorer? Shouldn't it be running its own Google Chrome browser instead? Or at least Mozilla Firefox?

Maybe the excuse here is that it's impossible for a software company like Google to entirely avoid using Internet Explorer. After all, if it wants to produce browser-agnostic software, then it needs to test its systems in all varieties. So it probably can't avoid IE altogether, but I wonder if it's planning to use it even less now, particularly for its external Internet usage unreleated to product testing.

Second, this story is another blow for Internet Explorer. The Google-China spat is big news right now, and this thrusts Microsoft in the center of it. As I mentioned a few months ago, IE is already beginning to give up small chunks of its market share each month to other browsers like Firefox and Chrome. Could this push firms affected by the Chinese attack to also begin exploring other browser alternatives? Will the rest of the Internet-using public take notice?

If Google really wants to live its "don't be evil" mantra, then it might consider starting an antivirus unit of its own, and/or developing its Chrome browser to be virus proof. In my opinion, other than physical violence, there are few things more evil than computer viruses. They plague unsuspecting Internet users and lead to stolen identities, invasions of privacy, stolen property and incredible inconvenience.

I consider computer viruses technological weapons of mass destruction, and the hackers who create them terrorists. As these foreign-based attacks continue to become more common, the U.S. might want to consider putting more of its defense budget towards preventing them. I don't begin to doubt that millions of dollars are lost each year because of virus attacks. Eventually that tally will reach the billions, if it hasn't already.

[American Patriot]

I'm moving this public.

I think everyone here needs to know about this now.

Rick

[American Patriot]

I spent most of yesterday morning fighting these guys off my machines.

I haven't posted all the data I have here, and likely won't but I will post enough to let you guys know this is serious shit.

[American Patriot]

I can say this...
"Wireshark" get it. Free download.

If you do NOT have one, GET ONE, a router/switch that is CAPABLE of acting as a firewall.

I have a netgear router installed on the network.

USE ONE.

Get an antivirus program. I am using Symantec (I get to use it from work).

Get an anti spyware program. I use Lavasoft's Spybot. Get it.

Run those things a few times a week.

I also have something called "Mailwasher" which I use to remove spam before it gets to my inbox.

I wouldn't have known about these attacks if I hadn't noted the "lag" in-game the other evening and started investigating.

The attack is what is known as a Syn attack... and attempt to cause lockups based on un acknowledged packets.

[samizdat]

Yo Pete! I guess chineze big bruddah not fuck awoun wif you. God thinking.

Any pointers?

Is kapersky still the best ant-virus. (I had it once, but they hacked it down to do remote tricks).

Windows has a free "essentils anti-v" Is it decent and capable?

[American Patriot]

A proxy server won't stop an attack Peterle. My IP address was being hit directly with a DDos (or a DOS really).

I am at work right now, I can't use proxy at work.

At home it's irrelevant.

I don't use windows defender.