Black Ice anyone?
shadow
04-12-2001, 10:14 PM
Decided to run BID alongside ZA after a string of entries in my passworded FTP site on IIS. I'm new to BID but what the hell is this idiot doing? I traced it to Russia, pinged him and no response, no http response, nothing. A friend pinged him with success, got an http site (all in Russian), then got a series of ZA alerts and his ping no longer worked, or the http site. My IIS log's entry was a string of entries of him trying the same username and password, over & over &.....
ZA keeps popping up blocking the app blackd from communicating to the IP# in question.
****, trying to link to a Geocities site, mine, to show some pics and it won't work!!
Anyway, over 1,000 alerts from one IP# doing a FTP port probe. I'll work on the pic links
The IP# is: 212.24.43.172
Does this link work for anyone?
The links will work only if you copy and paste to your browser for some reason
http://www.geocities.com/pw5599/BID4.jpg
http://www.geocities.com/pw5599/BID3.jpg
[This message has been edited by shadow (edited 04-13-2001).]
Bovon
04-12-2001, 10:35 PM
I don't have a clue myself, but ZA stops a bunch of port scans, and other pings, etc. from an IP that always starts with 24.xxxxx
Here are a few from today:
Almost all of them were TCP port scans. One was this...
The firewall has blocked Internet access to your computer (NetBIOS Name) from 24.150.41.145 (NetBIOS Name)
I get a lot of these, but I don't have a clue what NetBIOS is... do you?
Kruppt
04-13-2001, 05:40 AM
<snip>
ZA keeps popping up blocking the app blackd from communicating to the IP# in question
<end snip>
blackd is the main "engine" to the BID IDS; you have to allow it access (you apparently have it blocked) from your Program Settings in Zone Alarm. BID does a back trace of intrusions (this is why it is wanting access) and will log the packets for you also. You can then use a packet sniffer to go through the .enc files for the details of the intrusion or for using them for evidence etc.
[This message has been edited by Kruppt (edited 04-13-2001).]
ThiemeMD
04-14-2001, 03:43 PM
Geocities doesn't allow direct linking to pictures or files anymore. Only web "html" pages. (The page can display the pic or link to the file.)
I guess because a direct link doesn't pop up their little "banner ad", and they were losing revenue and exposure.
ThiemeMD
Philip1952
04-14-2001, 08:22 PM
Hi all. The IP you posted, Shadow, 212.24.43.172: I got a trace on it to Iran. I used a program called NeroTrace Express. This is limited freeware. For private use it is free. I'm going to get the full version. It will give you a street address.
Bovon, the 24.216.176.161 number comes from Denver by way of San Francisco, Cal.
Here is the web site. http://www.neroworx.com
Check it out. With their home address and ISP you could send a nasty note to the ISP.
That would be a shame if they lost internet service.
big_block_buick
04-14-2001, 09:22 PM
Those pesky Iranians lol.. I used to use Smart Whois, but scans happen so much, to keep on top of them all is lots of work.. and mostly it's my own ISP anyways..
Bovon
04-15-2001, 04:34 PM
Hey Philip1952, where to get a copy of NeroTrace Express?... I used to have Smart Whois (still do, but it expired with a note that my evaluation time ran out)
I have time, and like to track these buggers down... I sometimes just get the IP from ZA, and ping the sh** out of them.. but then they harass me for days afterwards... LOL...
Philip1952
04-16-2001, 05:19 PM
Sorry about the link. I'm not on my box right now. When I get it back online, I'll repost the address. I'm on the box I had posted about with the mtx flu. Had to do a reformat, bummer. Hope to later on tonight. I'm doing updates and all on this box. The owner needs it tomorrow.
Philip1952
04-16-2001, 08:28 PM
Here, try http://www.neoworx.com/products/default.asp this link.
This one worked. I checked it myself. Sorry about the other one.
[This message has been edited by Philip1952 (edited 04-16-2001).]
SysOpt.com
Copyright Internet.com Inc. All Rights Reserved.