OH NOES I'M BEING HACKED

Name: Anonymous 2006-05-15 21:36

Ok I don't know whether I'm being hacked or not.  I don't know what's happening at all.  All I know is that my router's security log has been showing an IP address in the 10.X.X.X range continually bombarding me and being blocked by its "DoS protection."  I'd post the log but I don't want to get in trouble for distributing others' IP addresses.  Anyway, the security log has shown that the address has attempted to connect to my router multiple times a second.  Now, the main problem I see in this is that the 10.X.X.X range is reserved for private networks.  My home network is comprised of between 4 and 8 computers (I lose count) all of which have internal IP addresses in the 192.168.X.X range.  My router and modem IP addresses fall into the same range.  Since 10.X.X.X are reserved for internal use only, how in the world can I be seeing such an address assaulting my router when I don't even have a portion of my network set up to use said range?  The only possibility is that some other network that I am mysteriously connected to has a computer that is attempting to connect.
Now, my father connects to work using a VPN, but even when his work computer (the only computer that uses a VPN) is not turned on, the assaults continue.  As a matter of fact the only times it seems to occur is when MY computer is on, and the only thing I do that I can imagine relating to this is torrent.  I cannot see, however, how torrenting could somehow show me the internal address of a computer not on my network.  I don't even know if using a VPN allows you to see internal addresses of computers not on your network.  All in all I'm totally flustered.  This has been going on for months, and it seems to be taking a toll on our router, in that it needs to be continuously power cycled (though this may be related to my 16-hour-a-day torrenting).
If any more information is required, I will gladly supply, as I am willing to do near anything to solve this problem.

Name: Anonymous 2006-05-15 23:16

it's possible to send out ip packets with the source ip spoofed to any ip, such as private ones, localhost, whatever.  of course, any program receiving those packets can't send data back to a valid address...  a hacker who is merely trying to flood or ddos you doesn't care if you can respond.

but first, are you absolutely sure you have nothing in any of your networks trying to send data on 10.0.0.0-10.255.255.255?  disconnect your cable/dsl modem and see if the connections continue.

if it's definitely external, have you pissed off anyone recently?  does your router say what ports the connections are trying to be made on?  provide more information if you get to this point.

Name: Anonymous 2006-05-16 3:50

WHAT?!
Posting IP addresses can't get you in trouble I don't think, especially if you say it's an internal address...

It might also be a 1337 h4x0r dude trying to pull a blind attack on random IPs in your wan subnet

Name: Anonymous 2006-05-16 15:04

>>1
I'd lol if the router overreacted and it's just a portscan - which is absolutely legal.

Name: Anonymous 2006-05-16 16:44

>>1
Why the hell does your router log that useless information━━━━━━(゚∀゚)━━━━━━ !!!!!

I would wonder if my net cable was unplugged if I did not get attacked 1000 times a second 24 hours a day━━━━━━(゚∀゚)━━━━━━ !!!!!

Name: Anonymous 2006-05-16 17:12

The only problem here is that it has been occurring every second that my computer is on for months, probably around half a year now.  I am absolutely certain that the IP address is in the 10.X.X.X range and that I have NO computers in that range on my home network.  I have disconnected and reconnected my cable modem as well as my router and they continue as soon as the network is back up.  I know that it is a valid IP address because I have pinged and tracert'd the address (tracert makes two hops - one to my router, then to the destination).

I suppose since it is a NETWORK address there is nothing that you can do with it, so I can post a log with all private addresses censored (I don't wish to risk the wrath of the mods).

Firewall log:
  Tue May 16 15:26:50 2006   1  Blocked by DoS protection   (private IP A)
  Tue May 16 15:26:50 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:27:52 2006   1  Blocked by DoS protection   (private IP A)
  Tue May 16 15:27:52 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:28:44 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:28:52 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:29:23 2006   1  Blocked by DoS protection   (private IP B)
  Tue May 16 15:29:31 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:29:31 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:30:01 2006   1  Blocked by DoS protection   (private IP A)
  Tue May 16 15:30:03 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:30:24 2006   1  Blocked by DoS protection   (private IP C)
  Tue May 16 15:30:33 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:30:33 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:30:51 2006   1  Blocked by DoS protection   (private IP A)
  Tue May 16 15:30:54 2006   1  Blocked by DoS protection   (private IP A)
  Tue May 16 15:30:56 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:31:51 2006   1  Blocked by DoS protection   (private IP D)
  Tue May 16 15:32:13 2006   1  Blocked by DoS protection   (private IP A)
  Tue May 16 15:32:15 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:32:42 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:32:42 2006   1  Blocked by DoS protection   (private IP A)
  Tue May 16 15:32:42 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:32:42 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:33:02 2006   1  Blocked by DoS protection   (private IP A)
  Tue May 16 15:33:02 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:34:33 2006   1  Blocked by DoS protection   (private IP A)
  Tue May 16 15:34:33 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:34:34 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:34:34 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:34:59 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:34:59 2006   1  Blocked by DoS protection   10.39.112.1

Yeah.  Funny thing is, yesterday I was mostly seeing the IP address 10.39.252.193, which I didn't see in this log at all.  This means that two different hosts, both on 10.39.X.X, have been assaulting my router.

Unfortunately my router DOES NOT tell me what port the connections are being attempted on.  Hopefully this extra information will help anyone who thinks they might know what is happening.  Thanks again.
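
Added example (not part of the original post): one way to triage a log in the format shown above is to tally blocked events per source and flag sources that are in RFC 1918 space but outside the LAN. The sample is an excerpt of the posted log; the function names and the default LAN of 192.168.0.0/16 (taken from the poster's description) are assumptions.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Excerpt of the log posted above; "(private IP A)" is the poster's own redaction.
SAMPLE_LOG = """\
  Tue May 16 15:26:50 2006   1  Blocked by DoS protection   (private IP A)
  Tue May 16 15:26:50 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:27:52 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:28:44 2006   1  Blocked by DoS protection   10.39.112.1
  Tue May 16 15:28:52 2006   1  Blocked by DoS protection   10.39.112.1
"""

LINE = re.compile(r"^\s*(\w{3} \w{3} +\d+ [\d:]{8} \d{4})\s+\d+\s+.+?\s{2,}(\S.*?)\s*$")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_log(text):
    """Return (timestamp, source) for each well-formed log line."""
    rows = []
    for m in filter(None, map(LINE.match, text.splitlines())):
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        rows.append((ts, m.group(2)))
    return rows

def classify(source, lan):
    """Label a source as redacted, lan, private-not-lan or public."""
    try:
        ip = ipaddress.ip_address(source)
    except ValueError:
        return "redacted"  # not an address, e.g. "(private IP A)"
    if ip in lan:
        return "lan"
    if any(ip in net for net in RFC1918):
        return "private-not-lan"  # RFC 1918 space, but not our own subnet
    return "public"

def summarize(text, lan="192.168.0.0/16"):
    """Per source: total blocked events, label, and busiest single minute."""
    lan_net = ipaddress.ip_network(lan)
    rows = parse_log(text)
    totals = Counter(src for _, src in rows)
    per_min = Counter((src, ts.replace(second=0)) for ts, src in rows)
    report = {}
    for src, n in totals.items():
        peak = max(c for (s, _), c in per_min.items() if s == src)
        report[src] = {"events": n, "label": classify(src, lan_net), "peak_per_min": peak}
    return report
```

A "private-not-lan" label only says the source address is in private space outside the local subnet; it does not by itself distinguish upstream equipment from a spoofed source, the two explanations raised in the thread.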

Name: Anonymous 2006-05-16 17:52

time for honeypotting

do one of two things
 - take an existing machine, backup everything on it, lockdown/delete anything of value, and disconnect it from your network
 or
 - go to a pawn shop or somewhere, and see if you can get an ancient pentium II or something (preferably with a nic, obviously), and install an os on it.

when you get this machine ready, fix its ip to 10.39.112.1.  then plug your cable modem into it (without the router) and see what the hell this external spoofer is trying to do.

get winpcap or something that can capture the incoming traffic so you can study it.

Name: Anonymous 2006-05-16 20:04

>>8
I have a computer that can do what you say, and I have set it up mostly the way you mentioned.  However, I downloaded WinPcap and WinDump, but I do not know how to use them or even really what they do.  I understand your meaning but how am I to capture the signals?  Can I log them?  And I'm getting outputs like:
19:06:52.751532 6c:dc:20:52:41:53 (oui Unknown) 802.1b-gsap > 03:00:00:00:00:02 (oui Unknown) 802.1b-isap ui/C
What does that mean and how does that help me?

Name: Anonymous 2006-05-16 20:23

It could be your cable modem (try finding out its IP), or perhaps something further up the line.

Get something like nmap and go scan 10.* for hosts.

Name: Anonymous 2006-05-16 21:25

It's quite possibly someone on your wireless, or as >>10 said, your cable modem.

Name: Anonymous 2006-05-16 21:39

>>9
Disregard the output part.  I was listening on the wrong device.  Anyway, I logged a bit of it by typing effectively windump -w log.txt -i 2 to get it to work properly.  I thought the -w was a logging thing, and it created a file called log.txt that quickly filled with a bunch of seemingly random characters.  I tried every encoding I have installed on my computer, and I have every font that comes with Win2K installed plus some other ones (like a Kanneda font), and yet NO ENCODING showed anything that looked remotely like normal text.  So I have this log file that appears totally useless.
>>10
My cable modem's IP is 192.168.0.1 IIRC.  Anyway, there are actually two IPs in the 10.X.X.X range that have been attacking me now, and many others from outside.  What I gathered from the WinDump program was that about half of the sources had IP addresses that were the same as mine for the first two bytes, and the third byte was very close to my IP.  About the other half originated from some 66.something addresses.  I don't know what that means, but I do know that a vast amount of the signals are coming from other people connected to my ISP now.
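
Added example (not part of the original post): the -w option of WinDump/tcpdump writes raw packets in the binary libpcap capture format rather than text, so no text encoding will render it; the file is meant to be read back with -r or by a parser. The sketch below reads that format and tallies IPv4 source addresses. The capture is constructed in memory, and the function names and the destination 192.168.0.2 are assumptions.

```python
import socket
import struct
from collections import Counter

PCAP_MAGIC = 0xA1B2C3D4  # classic libpcap file, microsecond timestamps

def build_sample_capture(sources, dst="192.168.0.2"):
    """Constructed input: little-endian pcap, one bare Ethernet/IPv4 frame per source."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)  # linktype 1 = Ethernet
    for i, src in enumerate(sources):
        # 20-byte IPv4 header only (checksum left at 0; enough for address parsing)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, i, 0, 64, 6, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip
        out += struct.pack("<IIII", 1147808000 + i, 0, len(frame), len(frame)) + frame
    return out

def ipv4_sources(data):
    """Return a Counter of IPv4 source addresses found in pcap bytes."""
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:  # same magic written by a big-endian host
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet captures are handled here")
    counts, off = Counter(), 24  # 24-byte global header, then records
    while off + 16 <= len(data):
        incl_len = struct.unpack_from(endian + "I", data, off + 8)[0]
        frame = data[off + 16: off + 16 + incl_len]
        off += 16 + incl_len
        # EtherType 0x0800 = IPv4; source address is bytes 12..15 of the IP header
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00":
            counts[socket.inet_ntoa(frame[26:30])] += 1
    return counts
```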

Name: Anonymous 2006-05-16 21:43

>>11
My wireless connection is doubly secure, with hidden SSID and 26-digit hex key, and our neighbors have (unsecure) wireless connections of their own.  I honestly doubt anyone is using our wireless.  And it is not my modem.

Name: J3ph42 2006-05-17 9:55

Try logging with Ethereal. It will display results in realtime. Probably runs in whatever OS you have. Displays packet contents in easy to read format. Run that for a bit and then come back and tell us what you get.
