IP searching and hacking

~YuckFou~

Guest
Guys,
I need some help. While playing CS tonight it appears that one IP (can't tell you which for reasons that will become obvious) tried to access my PC 38 times, over a period of about an hour and a half. Each time using a different port number. I'm not any kind of expert on this matter but I'm assuming that this was a concerted effort to access my PC. Luckily I run Zone Alarm and as far as I know they didn't get in.

I've traced the IP and it turns out that it's my employer's. They would know my IP because I have ADSL on a static IP, and use VPN to access our network when working from home.

I'm sick to the stomach about this.

Could "those in the know" please confirm to me two things...

1: This was a serious attempt to access my PC?
2: This is illegal?

Any help would be much appreciated as I obviously need to act on this.

Cheers
Yuck
 
L_Plates

Guest
1. Are all PCs at your work on the same IP?
2. Has someone at work got something against you?

3. Tell the big cheese what has happened and then ask for a pay rise, i.e. use it to your advantage!

All in all hackers are arses and if it is your work WTF I say ..
 
~YuckFou~

Guest
Yes all my pc's are on the same IP, I'm on Zen ADSL, static IP. The problem is I think it might be the boss.

He's got "issues" with me.

Any more help would help me sleep tonight.

Ta muchly
Yuck
 
~YuckFou~

Guest
Fairly, but he is thick as thieves with our Network Admin guy as well. I've just checked my ZA logs, this isn't the first time, just the first time I've noticed. I really need to check that this isn't just our network looking for connections, would it do that? I've got to know this is malicious so that I can do something about it. Previous occasions show up to 60 different ports used and blocked by ZA.
 
old.Jas

Guest
How would they find your home IP?

Why not just ring Zen and get them to change it? I'm sure they would have no problem doing that.
 
L_Plates

Guest
leave your job he aint worth it .... snoopy bosses need a life injection jab .. has got nowt better to do !
 
ShockingAlberto

Guest
Is it possible that VPN (I haven't a clue what that is) is sending some packets that get picked up by ZA?

My netfilter firewall logs everything it drops, and I often see packets being dropped from FTP servers. My only guess is that it's a quirk of certain servers.
 
bigbb

Guest
Originally posted by ~YuckFou~
...this isn't the first time, just the first time I've noticed. I really need to check that this isn't just our network looking for connections

Tbh, from an uneducated that sounds most likely. If it's happened several times, perhaps even several times a night/day then it might just be it's checking employees' IPs for connections. I dunno. If it happened tonight, what's your boss/network admin doing there on a Friday night anyway?
 
~YuckFou~

Guest
There's a background to my boss/worker relationship, too long to go into here. I want to think that it's the network just checking, but I don't think that's it.
My reasoning is that last time this happened was on the 5th of this month. Why would it "check" once or twice a fortnight? Why use 50/60 different ports?
Doesn't seem to fit.
VPN is Virtual Private Network. Basically this allows me when connected to the net to log on to our office network as though I was physically connected to the network, giving me full access and functionality.

PS. I use my Laptop for work related stuff, my Desktop is my own personal machine. (Same IP when connected to internet though)

Thanks for the replies so far.
 
~YuckFou~

Guest
Originally posted by bigbb

what's your boss/network admin doing there on a Friday night anyway?

He's often there late. Expects us to be too.
 
Disco PhoolCat

Guest
Thank feck I don't have bosses anymore...
 
WPKenny

Guest
Sounds a bit suspicious.

If it's happening over a specific period of time rather than random intervals during the day then it's even more suspicious.

Do you have a spare box or maybe just a spare HDD that you could install Windows on and set up ZA so it monitors all connections but allows them? That way you could let them think they've got into your computer to poke around, yet there's nothing to find and you can catch them in the act.

Next time you notice it, power down straight away and power up with the spare HDD and see what happens.

What does Zone Alarm tell you these ports being scanned are typically used for?

ZA should be intelligent enough to tell you if it thinks someone's scanning for trojans or whatever.

Anyway. Good luck and it's good to hear that the firewall seems to be doing its job.
 
Skyler

Guest
I have buggerloads of alerts like that some days, and bugger all other days, but they are irregular.

Probably nothing.

And if it is something, they aren't getting through..? :)
 
old.osi-

Guest
What ports were the connection attempts on and what protocol(s)? If you know..
 
~YuckFou~

Guest
I know they aren't getting in, and if they did there's nothing to see anyway, it's just a games machine. I guess I feel kind of violated, hard to express my feelings, anger is one.

I've had more thoughts about this. When I connect via VPN it's a 2 step process, first I connect to the internet, then I connect to our server ip, using my "local" win nt user name and password. IF our network server was scanning for connections surely it would be scanning locally, what I am getting is scanned via the net.

I guess it's possible that somebody from work could be connected to our server, and then using that as a hop to then scan me, hiding their own IP. It would have to be someone from work though, really only 2 people would want to do this, boss, network admin guy.

If it's the network guy I want hellfire to fall on him from the boss, if it's the boss I'm quitting, and if possible pressing charges. Quitting is a major thing, I have a mortgage wife and all that entails, but this shit is unacceptable.

I'm fairly sure some of the forum regulars are network guys, so hopefully they will be able to give a definitive answer here.

The alternative is I email the ZA log and ask for an explanation.
 
S-Gray

Guest
Originally posted by ~YuckFou~
I know they aren't getting in, and if they did there's nothing to see anyway, it's just a games machine. I guess I feel kind of violated, hard to express my feelings, anger is one.

I've had more thoughts about this. When I connect via VPN it's a 2 step process, first I connect to the internet, then I connect to our server ip, using my "local" win nt user name and password. IF our network server was scanning for connections surely it would be scanning locally, what I am getting is scanned via the net.

I guess it's possible that somebody from work could be connected to our server, and then using that as a hop to then scan me, hiding their own IP. It would have to be someone from work though, really only 2 people would want to do this, boss, network admin guy.

If it's the network guy I want hellfire to fall on him from the boss, if it's the boss I'm quitting, and if possible pressing charges. Quitting is a major thing, I have a mortgage wife and all that entails, but this shit is unacceptable.

I'm fairly sure some of the forum regulars are network guys, so hopefully they will be able to give a definitive answer here.

The alternative is I email the ZA log and ask for an explanation.

If that would make you feel a lot better, then do it I say.
They will reply I guess and tell you in detail what's goin on and tell you if whoever it is, is tryin to do anythin naughty.
 
caLLous

Guest
You could come out of it looking like a paranoid twat if you're wrong tho. :(

I like Kenny's idea. Catch the basts in the act. :)
 
]SK[

Guest
Software firewalls are paranoid, I wouldn't take note of what it says.
 
Penry

Guest
Which ports are they scanning?? Is it the same ones each time?? Would give a better idea of what it's likely to be!
 
~YuckFou~

Guest
Here's a small snippet of the report. The first IP is theirs, the second is mine, ** are to hide the numbers. It appears to be the same port on my machine, different ports on the other machine. I've no idea what that means.

FWIN,2002/04/19,19:54:45 +1:00 GMT,**.*.66.2:2820,**.*.68.3:2180,UDP
FWIN,2002/04/19,19:57:48 +1:00 GMT,**.*.66.2:2824,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:00:51 +1:00 GMT,**.*.66.2:2827,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:03:56 +1:00 GMT,**.*.66.2:2837,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:06:59 +1:00 GMT,**.*.66.2:2839,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:10:03 +1:00 GMT,**.*.66.2:2843,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:13:07 +1:00 GMT,**.*.66.2:2845,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:16:10 +1:00 GMT,**.*.66.2:2847,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:19:14 +1:00 GMT,**.*.66.2:2849,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:22:17 +1:00 GMT,**.*.66.2:2854,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:25:21 +1:00 GMT,**.*.66.2:2856,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:28:24 +1:00 GMT,**.*.66.2:2858,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:31:36 +1:00 GMT,**.*.66.2:2860,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:34:50 +1:00 GMT,**.*.66.2:2864,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:37:53 +1:00 GMT,**.*.66.2:2868,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:40:56 +1:00 GMT,**.*.66.2:2870,**.*.68.3:2180,UDP

Does this give anyone any clues?
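
An added example, not part of any post in this thread: a small parser for the ZoneAlarm entries posted above, reporting per source address how many remote and local ports appear and how evenly spaced the entries are, which is what separates a sweep across many local ports from repeated traffic to one port. The field order is taken from the snippet itself; the function names and the "more than 3 local ports" threshold are assumptions made for this example.

```python
from datetime import datetime
from statistics import median

# Six entries copied from the post above (addresses masked as posted).
SAMPLE = """\
FWIN,2002/04/19,19:54:45 +1:00 GMT,**.*.66.2:2820,**.*.68.3:2180,UDP
FWIN,2002/04/19,19:57:48 +1:00 GMT,**.*.66.2:2824,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:00:51 +1:00 GMT,**.*.66.2:2827,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:03:56 +1:00 GMT,**.*.66.2:2837,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:06:59 +1:00 GMT,**.*.66.2:2839,**.*.68.3:2180,UDP
FWIN,2002/04/19,20:10:03 +1:00 GMT,**.*.66.2:2843,**.*.68.3:2180,UDP
"""

def parse(line):
    """Split one entry into (time, src_ip, src_port, dst_ip, dst_port, proto)."""
    kind, date, clock, src, dst, proto = [f.strip() for f in line.split(",")]
    if kind != "FWIN":
        raise ValueError("not an inbound-block entry: " + kind)
    when = datetime.strptime(date + " " + clock[:8], "%Y/%m/%d %H:%M:%S")
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return when, src_ip, int(src_port), dst_ip, int(dst_port), proto

def summarize(text):
    """Per source address: which ports vary, and how regular the timing is."""
    by_src = {}
    for line in text.splitlines():
        if line.strip():
            rec = parse(line)
            by_src.setdefault(rec[1], []).append(rec)
    report = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r[0])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(recs, recs[1:])]
        dst_ports = {r[4] for r in recs}
        report[src] = {
            "events": len(recs),
            "src_ports": len({r[2] for r in recs}),
            "dst_ports": sorted(dst_ports),
            "median_gap_s": median(gaps) if gaps else None,
            "gap_spread_s": max(gaps) - min(gaps) if gaps else None,
            # Assumed threshold: a sweep touches many local ports, a timer hits one.
            "many_local_ports": len(dst_ports) > 3,
        }
    return report

if __name__ == "__main__":
    for src, row in summarize(SAMPLE).items():
        print(src, row)
```

On these entries the remote port changes every time while the local port stays at 2180, and the entries arrive about three minutes apart.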
 
Cod

Guest
Originally posted by +SA+SerialKilla
Software firewalls are paranoid, I wouldn't take note of what it says.

Ditto, I remember ZA thinking that another computer was trying to hack into mine when it was only trying to access Internet Connection Sharing.

Best thing to do is email them but instead of saying "I think you're trying to hack me", say that the constant pinging from work is causing a problem with another program, like it causes it to crash or something.

See what happens?
 
~YuckFou~

Guest
Sorry m8 I've no idea what one of those is? :)
At home all I've got is ZA, the Lite version. At work I've no clue what we have.
 
luap

Guest
I am a Boss / Net admin and I regularly scan remotes that are for home working to make sure that protection is in place and work stuff is not likely to be compromised. Standard practice.


/bofh
 
