|
06 Jan 05 - 12:05 PM (#1372829)
Subject: Tech: Worm detected
From: John MacKenzie

My Virus Programme detected a worm and gave me the following info: Site 127.0.0.1, Port 1042, Address 213.122.110.187, UDP. Don't know what any of it means, and all I can find out is that every computer seems to think it is 127.0.0.1. I was curious to try tracing the source of this attack. How can I do it?

Giok
|
06 Jan 05 - 01:10 PM (#1372885)
Subject: RE: Tech: Worm detected
From: JohnInKansas

Go to Symantec Security Check and click on the "Trace an Attack" link. There should be enough info there to get you started.

Not generally recommended that those of us who have to read the instructions mess with trying to trace them. Better to check on how to report it to the experts and let them do the hard stuff.

John
|
06 Jan 05 - 07:19 PM (#1373340)
Subject: RE: Tech: Worm detected
From: Dave Wynn

127.0.0.1 is some kind of catch-all IP address, I think. It occurs all over the place. It appears to be a local loopback address according to the great gods IBM and Microdaft.
|
06 Jan 05 - 07:35 PM (#1373368)
Subject: RE: Tech: Worm detected
From: GUEST,Sigurd

127.0.0.1 is the Unix and BSD "loopback" device. Basically it's a machine's own address for itself. Microsoft adapted the BSD network stack when it added the internet onto Windows.

213.122.110.187 is registered to:

OrgName: RIPE Network Coordination Centre
OrgID: RIPE
Address: P.O. Box 10096
City: Amsterdam
StateProv:
PostalCode: 1001EB
Country: NL
ReferralServer: whois://whois.ripe.net:43
NetRange: 213.0.0.0 - 213.255.255.255
CIDR: 213.0.0.0/8
NetName: RIPE-213
NetHandle: NET-213-0-0-0-1
Parent:
NetType: Allocated to RIPE NCC
NameServer: NS-PRI.RIPE.NET
NameServer: NS3.NIC.FR
NameServer: SUNIC.SUNET.SE
NameServer: AUTH00.NS.UU.NET
NameServer: SEC1.APNIC.NET
NameServer: SEC3.APNIC.NET
NameServer: TINNIE.ARIN.NET
Comment: These addresses have been further assigned to users in
Comment: the RIPE NCC region. Contact information can be found in
Comment: the RIPE database at http://www.ripe.net/whois
RegDate:
Updated: 2004-03-16
|
06 Jan 05 - 07:35 PM (#1373369)
Subject: RE: Tech: Worm detected
From: GUEST,Jon

127.0.0.1 is the host itself, localhost if you like.
|
06 Jan 05 - 07:38 PM (#1373372)
Subject: RE: Tech: Worm detected
From: The Fooles Troupe

UDP is the Universal Data Protocol level of the Data Transfer protocol used in Ethernet - now used for most internet traffic.
|
06 Jan 05 - 07:40 PM (#1373375)
Subject: RE: Tech: Worm detected
From: GUEST,Jon

RIPE handle the European IP addresses:

inetnum: 213.122.0.0 - 213.122.255.255
netname: BT-IMSNET
descr: BT-IMSNET
country: GB
admin-c: BS1474-RIPE
tech-c: BS1474-RIPE
status: ASSIGNED PA
remarks: Please send abuse notification to abuse@btinternet.com
mnt-by: BTNET-MNT
mnt-lower: BTNET-MNT
mnt-routes: BTNET-MNT
changed: support@bt.net 20000711
changed: preston.dialip@bt.com 20010523
changed: preston.dialip@bt.com 20010628
changed: preston.dialip@bt.com 20020907
source: RIPE
|
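An added example, not part of any post in this thread: a short Python sketch that takes the two addresses from the alert and the RIPE record quoted above, confirms that the local one is loopback, checks that the remote one falls inside the record's inetnum range, and pulls out the abuse contact for reporting. The function names are hypothetical and the record is abridged from the post above.

```python
import ipaddress
import re

# RIPE record as quoted in the thread, abridged to the fields used here.
RIPE_RECORD = """\
inetnum: 213.122.0.0 - 213.122.255.255
netname: BT-IMSNET
country: GB
status: ASSIGNED PA
remarks: Please send abuse notification to abuse@btinternet.com
source: RIPE
"""

def parse_whois(text):
    """Parse 'key: value' lines into a dict of lists (whois keys can repeat)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():
            fields.setdefault(key.strip().lower(), []).append(value.strip())
    return fields

def describe_alert(local, remote, record_text):
    """Summarise the alert's two addresses against one whois record."""
    rec = parse_whois(record_text)
    local_ip = ipaddress.ip_address(local)
    remote_ip = ipaddress.ip_address(remote)
    # inetnum is "first - last"; the record only applies if the address is inside it.
    first, last = (ipaddress.ip_address(p.strip())
                   for p in rec["inetnum"][0].split("-"))
    covered = first <= remote_ip <= last
    # This record carries its abuse contact in free-text remarks, so extract e-mail addresses.
    contacts = re.findall(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+",
                          " ".join(rec.get("remarks", [])))
    return {
        "local_is_loopback": local_ip.is_loopback,   # 127.0.0.0/8 never leaves the host
        "remote_is_public": remote_ip.is_global,     # routable, so whois is meaningful
        "record_covers_remote": covered,
        "netname": rec["netname"][0] if covered else None,
        "abuse_contacts": contacts if covered else [],
    }

if __name__ == "__main__":
    print(describe_alert("127.0.0.1", "213.122.110.187", RIPE_RECORD))
```

The whois record identifies the network operator to report to, not the individual machine or person behind the address.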
06 Jan 05 - 07:44 PM (#1373385)
Subject: RE: Tech: Worm detected
From: GUEST,Jon

Thinking about it, the "outside world" IP address we were given may have been Giok's own IP address for his Internet connection.
|
07 Jan 05 - 12:09 PM (#1373695)
Subject: RE: Tech: Worm detected
From: John MacKenzie

First two groups are the same as mine but the next two are different with one of them having only two digits not three.

Giok
|
07 Jan 05 - 12:52 PM (#1373749)
Subject: RE: Tech: Worm detected
From: McGrath of Harlow

The worms crawl in and the worms crawl out
They crawl in thin and they crawl out stout
Your eyes fall in and your teeth fall out
Your brains come tumbling down your snout
Be merry my friends
Be merry...