Sokets de Trois v1. Trojan horse

A.B.Normal

Anyone else getting this firewall attack? It's getting annoying. The thing I find odd/interesting is that the inbound attack is never from the same IP; they are close but not exact, i.e. 24.169.XXX.XXX, where the last two groups of numbers change but the first two sets don't. If anyone would like to look at the log.txt, let me know. I've edited out my IP, but left the others. I don't want to post them though, as these comps may be compromised and I don't want to exacerbate a bad situation. This has been going on for 2 days now. :rolleyes:
 
It's port 5000 on my end, but the ports vary for the remote address.

Norton Internet Security Version 4.0
5/17/04 4:51 PM (Pacific Standard Time)
Alerts Event Log
5/17/04 16:51:23 Supervisor Security alert displayed for rule Default Block Sokets de Trois v1. Trojan horse.
Remote computer (24.69.xxx.xx, 3611)
5/17/04 16:51:23 Supervisor Rule "Default Block Sokets de Trois v1. Trojan horse" blocked (. Details:
Inbound TCP connection
Local address,service is (xx.xxx.xxx.xx,5000)
Remote address,service is (24.69.xxx.xx,3611)
Process name is "N/A"
5/17/04 16:49:28 Supervisor Security alert displayed for rule Default Block Sokets de Trois v1. Trojan horse.
Remote computer (24.69.xxx.xx, 1743)
5/17/04 16:49:28 Supervisor Rule "Default Block Sokets de Trois v1. Trojan horse" blocked (). Details:
Inbound TCP connection
Local address,service is (xx.xxx.xxx.xx,5000)
Remote address,service is (24.69.xxx.xx,1743)


I've PM'd you the log without the offending IPs edited.
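
Added example, not part of the thread or any poster's code: a Python parser for alert-log entries in the format quoted above, grouping blocked inbound connections by the first two octets of the remote address and by local port. The sample log is constructed in the same masked form, and the function names are hypothetical.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the format of the log quoted above (addresses masked the same way).
SAMPLE_LOG = '''\
5/17/04 16:51:23 Supervisor Rule "Default Block Sokets de Trois v1. Trojan horse" blocked (. Details:
Inbound TCP connection
Local address,service is (xx.xxx.xxx.xx,5000)
Remote address,service is (24.69.xxx.xx,3611)
Process name is "N/A"
5/17/04 16:49:28 Supervisor Rule "Default Block Sokets de Trois v1. Trojan horse" blocked (). Details:
Inbound TCP connection
Local address,service is (xx.xxx.xxx.xx,5000)
Remote address,service is (24.69.xxx.xx,1743)
'''

RULE_RE = re.compile(r'^(\d+/\d+/\d+ \d+:\d+:\d+) \S+ Rule "([^"]+)" blocked')
ADDR_RE = re.compile(r'^(Local|Remote) address,service is \(([^,]+),\s*(\d+)\)')

def parse_blocks(text):
    """Return one dict per 'Rule ... blocked' entry with time, rule, addresses and ports."""
    events, cur = [], None
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # start of a new blocked-connection entry
            cur = {"time": datetime.strptime(m.group(1), "%m/%d/%y %H:%M:%S"),
                   "rule": m.group(2)}
            events.append(cur)
            continue
        m = ADDR_RE.match(line.strip())
        if m and cur is not None:  # detail line belonging to the current entry
            side = m.group(1).lower()
            cur[side + "_ip"], cur[side + "_port"] = m.group(2), int(m.group(3))
    return events

def summarize(events):
    """Count hits per (first two octets of remote address, local port)."""
    counts = Counter()
    for e in events:
        if "remote_ip" in e:
            prefix = ".".join(e["remote_ip"].split(".")[:2])  # masked octets dropped
            counts[(prefix, e.get("local_port"))] += 1
    return counts

if __name__ == "__main__":
    for (prefix, port), n in summarize(parse_blocks(SAMPLE_LOG)).most_common():
        print(f"{prefix}.x.x -> local port {port}: {n} blocked connection(s)")
```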
 
Thanks for confirming it's a shawcablenet problem (via PM) and it's not just me getting hit by them. I wonder if it's one of their servers that's infected/"being used" or something, as most of the attacking IPs are pretty close together numerically. I can't imagine it's coincidence. :alienhuh:
 
A.B.Normal said:
Thanks for confirming it's a shawcablenet problem (via PM) and it's not just me getting hit by them. I wonder if it's one of their servers that's infected/"being used" or something, as most of the attacking IPs are pretty close together numerically. I can't imagine it's coincidence. :alienhuh:
I bet it's not one of their servers, just a fellow subscriber (or three). About half of my denies on my business firewall are from others on the same block. When we were on a residential-based account, the number of denies was astronomical. In the thousands per day.

I think a lot of viruses scan for open IPs in the same subnet (people in the same IP range). Faster and easier that way, I'd imagine.
 
I thought you were getting hit by 24.69.xxx.xx (shawcable.net), or were you saying you're getting hit by those with similar IPs to your own?
 
A.B.Normal said:
I thought you were getting hit by 24.69.xxx.xx (shawcable.net), or were you saying you're getting hit by those with similar IPs to your own?
Both. Those denies I was telling you about were for the ports, not just the IPs. The source addresses were all kinds of ranges, including those in shawcable.net.
 
I'm getting hit with this one now... one hit every 30 seconds, on average... all blocked, but getting to be a pain.
 