I have a Huawei SmartAX MT882 modem. I changed the mode of the modem today, so that while earlier when I switched on the modem, it would automatically connect to the net, now I have to manually type in the username and password in Windows.

I did this just today, and now I am facing a lot of hack attempts: ZoneAlarm keeps giving messages of having blocked access attempts from different IPs:

Most of these are from somewhere in Taiwan / China / Hong Kong...

I don't have any enemies there; I don't have any enemies anywhere, if I remember correctly :))

1st: Does this have anything to do with my changing the modem mode?

2nd: When the IP is shown as of a particular country, does it really mean that it is someone from that country who is trying to hack? Is it possible that someone from Algeria, etc. is using software that makes it look as if he / she is in Taiwan? Because there is software that changes your IP, so that it looks as if you are accessing the net from France or Malaysia. I am not sure if this software really does what it claims to do, because I once used one such program, and then when I googled for my IP, most sites fell for the trick and showed that I was in some other country, but one or two sites showed two IPs: one was my real IP, and the other was the fake one, shown as a proxy IP. Does anyone know of any working software that will hide the IP, and more importantly, is there any real need for this?

Well sounds like you turned off the NAT feature of that router you have.. It's a modem/router combo - not just a modem. Or you placed yourself in the DMZ of your router.

http://www.huawei.com/products/terminal/pr.../view.do?id=121

Features

Supporting 1483B bridging and routing function

Supporting DHCP server, NAT/NAPT , PAP/CHAP, IP Filter, Firewall, protocol block

Built-in PPPOE/PPPOA dialing

As to "Hack" attempts -- you can take off your tin foil hat.. It's NOISE. There are so many computers infected on the net that plugging one in will see a ton of just garbage from all over the planet. No person is trying to hack you.

I would suggest you get behind the NAT again, so you will not be bothered with all of it. Since the NAT will not send any traffic to your machine unless it's been forwarded by you specifically, or in answer to something you requested, ie a webpage, etc.

On the other hand -- it could be a prelude to the black helicopters of your enemies coming to get you, just probing your defenses ;)

edit: take a look at the storm reports on SANS for an idea of the amount of junk floating around.

http://isc.sans.org/submissions.html

Did you put your computer in the DMZ? Do you have any port forwards configured? Are you connected to the router with USB or ethernet?

Can you post the details of what your firewall is reporting.. It might be your firewall misreporting/blocking traffic.

A quick check to verify that you're behind a NAT.. Is when your computer is connected to the internet, from a command line do an ipconfig /all

If you're on a private IP, then you're behind a NAT.. If you have an IP that is not a private address -- then your computer is not behind a NAT.

http://en.wikipedia.org/wiki/Private_network

10.x.x.x/8

192.168.x.x/16

172.16.x.x/12

Did you put your computer in the DMZ? Do you have any port forwards configured? Are you connected to the router with USB or ethernet?

I don't know anything about DMZ; how do I put my compu in DMZ; I looked for it in the modem page, but couldn't find anything.

I had manually portforwarded for Utorrent, but at present I can't find any info about it in the modem page; I had portforwarded quite some time back, after that, I have restored the modem to factory settings; also, the portforwarding was on a different OS (Win XP Pro), while these days, since the old OS had become heavy, I am using another copy of it (same OS; 2 installations in two separate drives). I think the old portforwarding has gone.

The modem connects to the compu through LAN; there is also a USB cable, which I don't use; if it increases security in any way, I'll start using it.

Can you post the details of what your firewall is reporting.. It might be your firewall misreporting/blocking traffic.

I have made a screenshot of the ZoneAlarm Alerts and Logs page; the page is too long, so the whole thing is not covered, but I'll tell you what all is there after it which cannot be seen in the image: Source DNS list is entirely blank; then there is a Destination DNS, the list of which entirely reads "SKYNET" (probably the name I set for the computer in the beginning); that's all.

[Screenshot: ZoneAlarm Alerts and Logs page]

A quick check to verify that you're behind a NAT.. Is when your computer is connected to the internet, from a command line do an ipconfig /all

If you're on a private IP, then you're behind a NAT.. If you have an IP that is not a private address -- then your computer is not behind a NAT.

I did the ipconfig /all thing; actually, if I do it from Start > Run, the dialog box goes away in a flash, so I typed command, and then typed ipconfig /all. Now it gave a whole lot of information, what do you want me to look for? How do I find out if I am on a private IP? If you are referring to the three IP ranges given on the Wikipedia page ( 10.0.0.0 – 10.255.255.255 ; 172.16.0.0 – 172.31.255.255 ; 192.168.0.0 – 192.168.255.255 ) : no, my IP doesn't fall under that.

Hey, thanks for all the interest you are taking!

yes, start, run, cmd then in the black box ipconfig /all

If your IP is not in one of those ranges - then you're NOT behind a NAT. Since you would have a public IP address..

example here is my output;

Ethernet adapter local:

    Connection-specific DNS Suffix . : snipped
    Description . . . . . . . . . . . : Broadcom NetXtreme 57xx Gigabit Controller
    Physical Address. . . . . . . . . : 00-14-22-D4-7A-9F
    Dhcp Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IP Address. . . . . . . . . . . . : 10.40.0.11 <--- This IP is in the private range
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 10.40.0.254
    DHCP Server . . . . . . . . . . . : 10.40.0.233
    DNS Servers . . . . . . . . . . . : 10.40.0.218
                                        10.40.0.219
    Primary WINS Server . . . . . . . : 10.40.0.233
    Lease Obtained. . . . . . . . . . : Wednesday, May 07, 2008 8:21:20 AM
    Lease Expires . . . . . . . . . . : Friday, May 09, 2008 8:21:20 AM

Not sure what you did, but if your IP is not in those ranges then you're not behind a NAT.. Well from your firewall posting, which you left your IP on.. I would suggest you remove that. Your IP starts with 59.95.x.x that is PUBLIC IP!! So yes your firewall is going to be going crazy.

the blocks to the 135 TCP = the MS RPC port, 445 is SMB or TCP are standard Windows ports.. Yes lots of worms look to exploit things on these ports.. 1080 is the port the MyDoom worm opened a back door on I do believe, so yeah you're going to see lots of noise on that port as well. 1433 is the SQL, again very common worms looking for SQL server to exploit!

I would highly suggest you fix your router to put you back behind a NAT! Ie your IP address should fall within one of the ranges I listed.

As to your port forward questions -- that has NOTHING to do with the OS on your machine. Port forwards are configured on the router, so what OS you're running has nothing to do with it. If you wiped your router back to default - then your port forwards would be gone.

I would have to look to your manual about how to set your machine in the DMZ, but since you clearly have a PUBLIC IP address on your computer that is what you should fix first...
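
The private-address check described in the posts above, as an added example that is not part of the original thread or any poster's code: it reads ipconfig /all text and reports which adapters hold an address outside the three private ranges listed earlier, meaning they are not behind a NAT. The sample output is constructed (203.0.113.25 is a documentation address standing in for an ISP-assigned one) and the function names are illustrative.

```python
import ipaddress
import re

# The three private (RFC 1918) ranges listed in the thread.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Adapter headers start in column 0 and end with a colon; fields are indented.
ADAPTER_RE = re.compile(r"^(\S.*\badapter\b.*):\s*$")
# "IP Address" on Windows XP, "IPv4 Address" (with a "(Preferred)" suffix) later.
ADDR_RE = re.compile(r"^\s*(?:IP|IPv4) Address[ .]*:\s*(\d+\.\d+\.\d+\.\d+)")

# Constructed sample: a PC dialling PPPoE itself through a bridged modem.
SAMPLE = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : examplepc

Ethernet adapter Local Area Connection:

        Dhcp Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1

PPP adapter Broadband:

        Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
        IP Address. . . . . . . . . . . . : 203.0.113.25
        Subnet Mask . . . . . . . . . . . : 255.255.255.255
        Default Gateway . . . . . . . . . : 203.0.113.25
"""


def is_rfc1918(addr):
    """True if addr falls inside one of the three private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def adapter_addresses(text):
    """Return [(adapter name, IPv4 address), ...] in the order they appear."""
    found, current = [], None
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = header.group(1).strip()
            continue
        field = ADDR_RE.match(line)
        if field and current is not None:
            found.append((current, field.group(1)))
    return found


def classify(text):
    """Label each adapter address as private, local-only or public."""
    report = []
    for name, addr in adapter_addresses(text):
        ip = ipaddress.ip_address(addr)
        if is_rfc1918(addr):
            kind = "private"
        elif ip.is_loopback or ip.is_link_local:
            # 127.x.x.x and 169.254.x.x never leave the machine or the LAN.
            kind = "local-only"
        else:
            kind = "public"
        report.append((name, addr, kind))
    return report


def directly_exposed(text):
    """Adapters holding a public address, i.e. not behind a NAT."""
    return [name for name, _addr, kind in classify(text) if kind == "public"]


if __name__ == "__main__":
    for name, addr, kind in classify(SAMPLE):
        print(f"{name}: {addr} ({kind})")
    print("Not behind NAT:", directly_exposed(SAMPLE) or "none")
```
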

Hey, mine is a dynamic IP, it keeps changing all the time, so does it matter if someone does find out my IP of a particular session?

Ok, so what do I do to get behind a NAT, and what do I do to get a private IP? I have no idea on how to do these things. Also, you have DHCP enabled, I don't, do you suggest I enable it?

And yes, I don't update the firewall, or anything else, much; never thought it was really necessary, it was always working... All I do is check mails, and sometimes download from Rapidshare, so I thought that no one would try to get into my compu, I thought no one would even detect I was there, since I was not visiting any strange sites.

Hey, mine is a dynamic IP, it keeps changing all the time

Also, you have DHCP enabled, I don't, do you suggest I enable it?

Which is it??? Your IP cannot be changing all the time if you're static. Change your router to login to your PPPoE account, and turn on NAT..

If you do not know how to do these things -- did ya think to RTFM!! that came with your router??

Let's get something straight right off -- that is not people trying to get in.. It's worms running on other machines on the internet RANDOMLY looking for other machines to infect.

If you're behind a NAT it makes little difference if you're running a software firewall or not.. But for not knowing anything about your router, you sure managed to change your setting from it logging into your PPPoE account and being behind a NAT.. To directly connect with asking why your firewall is warning about all stuff when it didn't before.

It didn't before -- because you were behind a NAT!! Change your router to how it was before is what I would suggest! If you can not be bothered with reading the manual -- call your ISP!

Yeah -- I quoted where he states his IP changes. Then he states he does not have DHCP enabled.. Sorry but it does not work that way.. You either have dhcp enabled.. Or you set a static IP!

So my question is "which is it" Does he have dhcp enabled, and his IP changes.. Or does he not have dhcp enabled.

These are the default settings of creating a PPPoE connection on his PC, which he stated he did.. Look at the dhcp enabled.. Which was the point of my question.

[Screenshot: default settings of a PPPoE connection]

If his IP changes all the time -- then he must have dhcp enabled.. Yet he states he does not.

Alright, I disconnected thrice, and reconnected, and then went to http://www.ip-adress.com/; each time it gave three different results:

59.95.207.63

59.95.221.133

59.95.209.54

This would mean that the IPs keep changing on every reconnect, right?

Second, about the DHCP, in the modem page, it shows as disabled:

[Screenshot: DHCP settings in the modem page]

Doesn't that mean DHCP is not there?

Alright, now look at this pic; it shows the Network Connections folder; in the settings of "LAN or High-Speed Internet", when you go to the Internet Protocol (TCP/IP) Properties, it shows values already added in (I mean to say that it says "Use the following IP address" and "Use the following DNS server addresses" with values that I probably added a long time back). But in the settings of "Broadband", when you go to the Internet Protocol (TCP/IP) Properties, it shows what you have given in your pic ("Obtain an IP address automatically" "Obtain DNS server address automatically").

[Screenshot: Network Connections folder]

I started a thread in a local forum; it is mainly about my modem restarting every few seconds; this was when the modem was configured for direct connect (username and password were saved in the modem). You can take a look at it if you want:

http://www.indiabroadband.net/bsnl-broadba...restarting.html

Alright, now let's wind this up:

[1] If I want to let the connection remain as it is, meaning, the username and password are not saved in the modem, but I enter them thru Windows, does it mean that I cannot have NAT?

[2] Out of the two methods (modem saving username and password vs me entering them thru Windows), which is the better, and safer, method?

And hey, do I really need to take out that pic of ZoneAlarm showing my IP?

Please answer all three.

Thanks a lot.

That is your router's DHCP "SERVER" that is DISABLED.. Not your client not having dhcp enabled!!

So no your router will not hand out IPs on the 192.168.1.2 to .33 range..

that is LAN settings!!!!! Not your PPPoE interface's IP!

Post a FULL output of ipconfig /all while you're connected to the internet.. You will get your local interface, and the PPPoE interface's IP and info. Also post the output of route print.

Also please post the settings on your modem. If your IP is changing every time you disconnect and connect -- then no it really does not matter that you posted a public IP.

edit: Ok I read thru that thread, I could not read the third page -- said I needed to register to read more.

Maybe there is something good on 3rd page?? But seems your modem was working fine -- while you still were entering your pppoe settings in your modem! In that thread you mention a "static" route in your router table -- pointing to a 59.95 address..

To use your NAT features of your router, it can not be in bridge mode.. And your computer needs to use it as its gateway.. Its dhcp server does not need to be enabled.. but will make things simpler! You would change your lan interface to dhcp vs static, after you enable the dhcp "server" on your router.

Please post the output of your router's config, and full output of ipconfig /all along with your route print output.

You're clearly not using the nat features of your router, since it's bridge mode -- and you're making connection to your ISP direct from your computer.. So you're getting a PUBLIC IP on your computer vs the private one.

Unless you want your software firewall to get bombarded with noise from the internet -- then you will need to use your router's NAT feature.

edit2: BTW what dns server you use has NOTHING to do with ports being open to utorrent.. But since you're not using the nat features of your router -- nothing you set on the router has anything to do with your connection.. Ie what dns it shows, etc. You're not handing that out -- since its dhcp server is disabled. Those settings are only for when it's being used as ROUTER, not a bridge like you're using it for..

? Were you running P2P downloads when your router used to reboot on you?? Quite often soho routers can not handle the MANY connections p2p creates in its NAT tables.. Can sure crash routers!

Post a FULL output of ipconfig /all while you're connected to the internet.. You will get your local interface, and the PPPoE interface's IP and info. Also post the output of route print.

ipconfig /all I know about; what's the "output of route print"? Where do I get that? Here's the ipconfig /all; it's exactly as it was shown, I have not edited it a bit:

Windows IP Configuration

    Host Name . . . . . . . . . . . . : skynet
    Primary Dns Suffix . . . . . . . :
    Node Type . . . . . . . . . . . . : Unknown
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Eth
    rnet NIC
    Physical Address. . . . . . . . . : 00-19-D1-52-F0-1F
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.1.2
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    DNS Servers . . . . . . . . . . . : 192.168.1.1

PPP adapter New Net:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : WAN (PPP/SLIP) Interface
    Physical Address. . . . . . . . . : 00-53-45-00-00-00
    Dhcp Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 59.95.231.215
    Subnet Mask . . . . . . . . . . . : 255.255.255.255
    Default Gateway . . . . . . . . . : 59.95.231.215
    DNS Servers . . . . . . . . . . . : 218.248.240.208
                                        218.248.240.135
    NetBIOS over Tcpip. . . . . . . . : Disabled

Also please post the settings on your modem.

Which ones?

edit: Ok I read thru that thread, I could not read the third page -- said I needed to register to read more.

Maybe there is something good on 3rd page??

That forum has this problem; there is only one post on the last (third) page, by me, saying that the problem seems to have gone away, and that it is the AC causing the problem: there is a wiring problem in my house it seems, so that every time the AC sort of comes out of powersaver mode and sucks power, the lights of the entire floor flicker for a second, and at this particular time, the modem goes off; it doesn't totally go off, the power lights remain on, but the connection breaks and reconnects. But I have seen after this that even without the AC on, my modem is restarting like anything; it might have got damaged with all those fluctuations, since now it restarts every twenty seconds or so in the beginning, for about ten times or so, and then finally becomes stable; after that, the connection breaks only a few times. It's a strange problem; I've called an electrician, I'll know more only after he changes the wiring.

But seems your modem was working fine -- while you still were entering your pppoe settings in your modem! In that thread you mention a "static" route in your router table -- pointing to a 59.95 address..

Not so sure about the static thing; but I do remember when I was portforwarding, there was a mention that it needed a static route.

To use your NAT features of your router, it can not be in bridge mode..

That is what I need to know. So I'll have to roll back to letting the modem save the username / password. Actually I changed this only because I read in a page that it is not advisable letting the modem store your info, since anyone can get into the modem and retrieve that info. Of course, I have been using the modem in the previous mode for all this time, and there has never been any prob.

You're clearly not using the nat features of your router, since it's bridge mode -- and you're making connection to your ISP direct from your computer.. So you're getting a PUBLIC IP on your computer vs the private one.

Actually, I still can't understand this private vs public IP thing; I know only dynamic vs static, where dynamic means the IP keeps changing (like mine does), and static means it remains the same all the time; I hear many ISPs give only static IPs, that would be dangerous, to have a permanent address...

Were you running P2P downloads when your router used to reboot on you?? Quite often soho routers can not handle the MANY connections p2p creates in its NAT tables.. Can sure crash routers!

At times, yes, but not always; see, right now, the problem is still there, even though I have no P2P running.

A friend of mine told me to shift to Linux, and all problems will go away; I'm thinking about this; a very long time back, I had installed Red Hat Linux, and it had worked fine for a few days, and then something terribly went wrong with the boot info, so that none of the OS (Linux, or Win XP, or Win 98) would start, and I had to reinstall Windows again; I never touched Linux after that.

I just downloaded this thing called DefenseWall HIPS; it claims to lock up the whole compu.

I've noticed that the noise has gone down; it was only on the first day that ZoneAlarm was giving popups.

Think I should just roll back to the previous mode, and then learn more about how all these damn things work, before tinkering with it...

That is what I need to know. So I'll have to roll back to letting the modem save the username / password. Actually I changed this only because I read in a page that it is not advisable letting the modem store your info, since anyone can get into the modem and retrieve that info. Of course, I have been using the modem in the previous mode for all this time, and there has never been any prob.

That's only if you don't change the username/password.

And just because somebody says to do something (i.e. switch to Linux, which wouldn't solve this) doesn't mean you should (but BudMan is exempt from that :p )

As to storing your pppoe info on your router.. How is it less safe than storing it on your PC? ;)

As suggested yes you should change your password to access your router's web ui.. But for starters your wireless network should be secured in the first place if your router was a wireless one (ie wpa2 or wpa with a SECURE password). 2nd the webui should not even be available if connecting to the router with wireless (setting on router).

3rd your router's webui should not be available from the public side (setting on router). So how exactly is someone going to get into your router and see your pppoe username and password?

But with it stored directly on your computer, you could become infected with something that sends usernames and passwords somewhere, or opens up your machine to remote control. You could get exploited from a worm that your software firewall allowed thru, your buddy could take a look when you let him borrow your pc to read his email, etc.. etc..

From your ipconfig output.. Yes you have a static setup on your lan interface -- pointing to your router's IP.. But since it is in bridge mode.. that's not going to get you anywhere.. So your pppoe interface makes the connection to your ISP, and gets an IP address using dhcp.. Which is then used as your connection to the internet.

I would suggest you put your router back in router mode vs bridge, turn on its dhcp server. Set your lan interface on your PC back to dhcp along with its dns to obtain automatic. Remove the pppoe connection from your PC. You will then get the settings from your router, and use the router as your gateway to the internet.

You will then need to set up any forwards you want, ie for P2P to work. And can change the settings on your router to hand out whatever dns you want to use - ie opendns as an example. Or by default it should set up your machine to use the router for dns, and it will forward queries to your ISP's dns.

You will then be on a private IP, behind a NAT -- so NO traffic that you did not forward on your router, or that is not in answer to something your pc requested will get thru your router to your PC..

IE all that noise your software firewall was reporting will go away.

As to what a private address is.. I already linked to info about that. http://en.wikipedia.org/wiki/Private_network

These are the IP addresses routers providing NAT use on the private side.. ie the non-internet side. Here is info about NAT

http://en.wikipedia.org/wiki/Network_address_translation

The router changes the PUBLIC ip given it by your ISP to private ones it uses to talk to your PC(s)

As to changing to linux -- that would in no way remove the issues you're having with your software firewall reporting noise.. The noise would still be seen no matter what OS you're running if not behind a NAT. Would it be more secure than a windows OS?? That is topic of debate.. But it would bring its own problems to the table as well. What OS your PC is running has nothing to do with your issue - and changing it would not change anything, other than throwing even more stuff at you that you do not understand.

I'm a big fan of linux, and if you're interested -- then sure check it out.. But as a suggestion to how to fix your problem(s) That's pretty lame advice IMHO..

@ decryptor -- thanks for the kind words. ;)

Alright, I think I'll roll back to the previous mode of allowing the modem to save the username password. That will still mean I'll retain the dynamic IP, right? Cos I don't want a static one.

I'll come back after a few days maybe, and report here, or if the thread has gone, I'll PM you.

Thanks a lot for all the help you have given me!

WTF does your public IP being dynamically assigned have to do with anything?

Did your tinfoil hat slip off again? ;)

Your IP address is dynamically assigned by your ISP yes.. How often that changes? From what you've shown, every time you reconnect to your PPPoE it changes.. So sure you can change it anytime you want by forcing a disconnect/reconnect on your router. Depending on how your router is set up to always keep the connection open, or only on traffic, etc.. could determine how often your public IP changes.

But it does not matter!! if that IP changes every hour, 1 a day, once a year.. Unless you're worried about the people in the black helicopters coming to get you? ;) Then sure you better cycle it every 10 or 20 seconds or they might find you :rofl:

Why do you feel that a public IP that changes is better than one that stays the same for say 1 day, or week or month or even years.. I have had the same public IP for got to be a year now.. The hackers have not gotten me yet :rofl:

Lol... What a cafuffle! Right so you're using PPPoE? Just switch on DHCP, save your settings in your router, disable DMZ, disable UPnP, turn on NAT and any protection available in the router, apply it all and in your PC just simply enable automatically get the settings instead of manually enter on network card and voila, easy and secure, and all you need then is basically Windows firewall, it's what I use and I'm safe with router firewall and I get to choose which apps connect to the net!

Read the manual to find out how to do these as well!

Yes I do believe his tin foil hat is loose when it comes to being worried if his public IP is dynamic or static ;)

That article is a start, I always find it strange when people do not understand common phrases.. I thought it might have been since you were from Canada.. But then a fellow Canuck pointed out how to find info on it, so I took that as they knew what the phrase meant, etc..

So it's a common phrase in Canada as well? And you know about the Black Helicopters as well then I take it -- since you did not ask about that phrase ;)

Well I understood what tin foil hat was, and Black helicopters I assume you mean the government (FBI, CIA etc.).

I doubt a NAT or dynamic public IP is going to save you anyway if the government were after you for something :D

Well, even if those "tin foil hat" and "black helicopters" expressions are not normally used here, I understood what you wanted to say just by the way you said it...... really the reason why I posted about it is because I was "rolling myself on the floor" after I've found this wiki's page (a picture's worth a thousand words)

anyway after reading all this thread, and reading the history of all 19 posts made by the original poster of this thread, I think the best advice I could give to HydraHeaded would be : "Pay a tech to come and set it up for you, and when he's done, pay him for one more hour to take time to talk to you about the << DOs and DON'Ts >> of computers and internet!" ... I think it would be worth it.
