Earlier this week a DDoS attack hit my internet connection right after an argument with some people on which OS is better for servers. The attack lasted about 3 days before I could finally get the IP changed as when our router was connected to the cable modem it would not respond at all and had 100% packet loss when pinged.

After the IP change I noticed in the log files of some of the computers that the firewalls were logging strange activity. Such as the computer constantly hitting the router on port 80, such as below:

2006-07-07 20:31:08;;192.168.234.201:3102;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:09;;192.168.234.201:3103;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:09;;192.168.234.201:3105;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:09;;192.168.234.201:3106;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:09;;192.168.234.201:3107;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:09;;192.168.234.201:3108;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:09;;192.168.234.201:3109;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:09;;192.168.234.201:3110;192.168.234.1:80;TCP;Allowed

The first IP is the source followed by the port, then the destination and then the port, protocol and whether it was allowed or blocked. These kinds of logs are constant and that's a small snippet of what they look like. 192.168.234.1 is the router, 192.168.234.201 was me at that time. Notice how the outgoing port on my machine increased by one on every attempt?
( More logs at bottom of post, scroll down to look at them )
Now we've tried just about everything except reformatting, which I will not be able to do without a lot of caffeine and a lot of take-out pizza as all the computers' storage combined tops over 2TB. Norton AntiVirus was installed on all the machines and has updated defs; it picked up nothing...not one trace of a virus.

Here's the information for all the computers:
My main computer has the following:
Windows XP SP1 ( Updating to SP2 only causes issues, it's not a fix )
Norton Antivirus 2004 with updated defs
Peer Guardian 2 ( Logs pretty much anything that touches my computer )
Zone Labs Security ( recent version, cannot check at the current moment )

Parents computer is running
Windows XP SP2
Norton Anti Virus corporate edition
Peer Guardian 2
Zone Labs Security

And finally my brother has:
Windows XP SP1
Norton Anti Virus corporate edition
No firewall

Now for the logs:

First will be the snippet of my computer constantly hammering the router:

2006-07-07 20:31:08;;192.168.234.201:3102;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:09;;192.168.234.201:3103;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:09;;192.168.234.201:3105;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:09;;192.168.234.201:3106;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:09;;192.168.234.201:3107;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:09;;192.168.234.201:3108;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:09;;192.168.234.201:3109;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:09;;192.168.234.201:3110;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:10;;192.168.234.201:3111;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:10;;192.168.234.201:3112;192.168.234.1:80;TCP;Allowed

Next is the strange .255 address which does not exist on our network yet seems to be extremely popular because all the computers connect to it:

2006-07-07 16:23:08;;192.168.234.202:138;192.168.234.255:138;UDP;Allowed
2006-07-07 16:23:08;;192.168.234.202:137;192.168.234.255:137;UDP;Allowed
2006-07-07 16:23:08;;192.168.234.200:137;192.168.234.255:137;UDP;Allowed
2006-07-07 16:23:09;;192.168.234.202:137;192.168.234.255:137;UDP;Allowed
2006-07-07 16:23:09;;192.168.234.202:137;192.168.234.255:137;UDP;Allowed
2006-07-07 16:23:10;;192.168.234.202:137;192.168.234.255:137;UDP;Allowed
2006-07-07 16:23:11;;192.168.234.202:137;192.168.234.255:137;UDP;Allowed
2006-07-07 16:23:12;;192.168.234.202:137;192.168.234.255:137;UDP;Allowed

I have no clue what the following address means but I find it odd that 'localhost' was on the source column:

2006-07-07 20:20:27;;127.0.0.1;192.168.234.201;ICMP;Allowed
2006-07-07 20:20:27;;127.0.0.1;192.168.234.201;ICMP;Allowed

Don't forget the fact that my computer is constantly connecting to itself...

2006-07-07 20:21:25;;192.168.234.201:24565;192.168.234.201:1900;UDP;Allowed
2006-07-07 20:21:25;;192.168.234.201:24565;192.168.234.201:1900;UDP;Allowed
2006-07-07 20:21:25;;192.168.234.201:24565;192.168.234.201:1900;UDP;Allowed
2006-07-07 20:21:25;;192.168.234.201:24565;192.168.234.201:1900;UDP;Allowed

Picking up my brother's computer connecting to that .255 address:

2006-07-07 20:25:37;;192.168.234.202:137;192.168.234.255:137;UDP;Allowed
2006-07-07 20:25:38;;192.168.234.202:137;192.168.234.255:137;UDP;Allowed
2006-07-07 20:25:39;;192.168.234.202:137;192.168.234.255:137;UDP;Allowed
2006-07-07 20:25:58;;192.168.234.202:137;192.168.234.255:137;UDP;Allowed
2006-07-07 20:25:59;;192.168.234.202:137;192.168.234.255:137;UDP;Allowed

I also get a lot of this in the logs:

2006-07-04 00:00:36;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:36;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:36;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:36;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:36;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:36;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:36;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:36;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:37;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:37;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:37;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:37;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:37;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:37;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:37;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:37;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:38;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:38;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 00:00:38;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed

Both IPs are external from the looks of it, but what's strange is why the hell am I picking this up? That is what is filling my logs up extremely fast and it always changed ports after a while; we're talking over 500 lines of that in less than an hour.

Same thing again, different destination address:

2006-07-04 00:03:38;;169.254.220.220:137;169.254.255.255:137;UDP;Allowed
2006-07-04 00:03:38;;169.254.220.220:137;169.254.255.255:137;UDP;Allowed
2006-07-04 00:03:39;;169.254.220.220:137;169.254.255.255:137;UDP;Allowed
2006-07-04 00:03:39;;169.254.220.220:137;169.254.255.255:137;UDP;Allowed
2006-07-04 00:03:39;;169.254.220.220:137;169.254.255.255:137;UDP;Allowed

And again:

2006-07-04 00:36:10;;169.254.220.220:138;169.254.255.255:138;UDP;Allowed
2006-07-04 00:36:10;;169.254.220.220:137;169.254.255.255:137;UDP;Allowed
2006-07-04 00:36:10;;169.254.220.220:137;169.254.255.255:137;UDP;Allowed
2006-07-04 00:36:11;;169.254.220.220:137;169.254.255.255:137;UDP;Allowed
2006-07-04 00:36:11;;169.254.220.220:137;169.254.255.255:137;UDP;Allowed
2006-07-04 00:36:12;;169.254.220.220:137;169.254.255.255:137;UDP;Allowed
2006-07-04 00:36:12;;169.254.220.220:137;169.254.255.255:137;UDP;Allowed
2006-07-04 00:36:15;;169.254.220.220:138;169.254.255.255:138;UDP;Allowed
2006-07-04 00:36:15;;169.254.220.220:138;169.254.255.255:138;UDP;Allowed

Here's another snippet of one of those machines hammering that .255:

2006-07-04 04:28:27;;192.168.15.1:3535;192.168.15.255:162;UDP;Allowed
2006-07-04 04:28:27;;192.168.15.1:3536;192.168.15.255:162;UDP;Allowed
2006-07-04 04:28:27;;192.168.15.1:3537;192.168.15.255:162;UDP;Allowed
2006-07-04 04:28:27;;192.168.15.1:3538;192.168.15.255:162;UDP;Allowed
2006-07-04 04:28:27;;192.168.15.1:3539;192.168.15.255:162;UDP;Allowed
2006-07-04 04:28:27;;192.168.15.1:3540;192.168.15.255:162;UDP;Allowed
2006-07-04 04:28:27;;192.168.15.1:3541;192.168.15.255:162;UDP;Allowed
2006-07-04 04:28:27;;192.168.15.1:3542;192.168.15.255:162;UDP;Allowed
2006-07-04 04:28:27;;192.168.15.1:3543;192.168.15.255:162;UDP;Allowed
2006-07-04 04:28:27;;192.168.15.1:3544;192.168.15.255:162;UDP;Allowed
2006-07-04 04:28:27;;192.168.15.1:3545;192.168.15.255:162;UDP;Allowed

^ That continues until port 60k...

I also see this sometimes:

2006-07-04 04:47:24;;127.0.0.1:4103;239.255.255.250:1900;UDP;Allowed
2006-07-04 04:47:24;;127.0.0.1:4103;239.255.255.250:1900;UDP;Allowed
2006-07-04 04:47:27;;127.0.0.1:4103;239.255.255.250:1900;UDP;Allowed
2006-07-04 04:47:27;;127.0.0.1:4103;239.255.255.250:1900;UDP;Allowed
2006-07-04 04:47:30;;127.0.0.1:4103;239.255.255.250:1900;UDP;Allowed
2006-07-04 04:47:30;;127.0.0.1:4103;239.255.255.250:1900;UDP;Allowed

Anyway, the log file is 8MB in size and that's from about an hour of the computer being plugged into the connection.
The other log files are smaller since it's actually calmed down to the point where the log file isn't scrolling so fast you cannot read the numbers.

My other issue is that these machines are doing the same thing to IPs outside of our network, such as:

2006-07-05 18:55:46;;192.168.234.201:3107;70.58.142.60:80;TCP;Allowed
2006-07-05 18:55:47;;192.168.234.201:3109;70.58.142.60:80;TCP;Allowed
2006-07-05 18:55:53;;192.168.234.201:3114;70.58.142.60:80;TCP;Allowed
2006-07-05 18:55:55;;192.168.234.201:3116;70.58.142.60:80;TCP;Allowed
2006-07-05 18:55:59;;192.168.234.201:3119;70.58.142.60:80;TCP;Allowed
2006-07-05 18:56:02;;192.168.234.201:3123;70.58.142.60:80;TCP;Allowed
2006-07-05 18:56:03;;192.168.234.201:3125;70.58.142.60:80;TCP;Allowed

That's just one example.

Now I need some smart people to reply as I am sick of people bashing me on other forums, saying I know jack about networking, yet not providing answers to the problem. If you know what it is please tell me what it is, what causes it and how to fix it, as some of the machines have important data on them that we cannot afford to lose. I left out my other two computers as they run Linux and were not connected at the time of the attack.

Hopefully there are network engineers that browse these forums, as even our ISP's technician was clueless ( when he called it in to tell his supervisor about how big these log files were and the speed at which connections were flying in and out, the supervisor blamed it on a touchy firewall ).
My ISP is hopeless so I cannot count on them; it's always the customer's fault when something happens, or it's the equipment.
Classic responses include:
"Your LAN cables are corroded"
"Your computer does not have enough memory for your connection to work"
"Your router is not supported by our service"
"Linux is not a supported operating system and will not work with our internet" ( cause I run Debian and Fedora from time to time )

Anyway, that's to show you how stupid my ISP is.

If you need to know any more information feel free to ask as I am lost at the moment; usually there's an article on the internet discussing problems and how to fix them, but nobody seems to have had the problems I am having.

Thanks

** Router model **
Broadband Router with 2 Phone Ports RT31P2

We use vonage as well

Some general info, which may give you an idea or two:

* Addresses in the range 169.254.0.1 through 169.254.255.254 aren't "outside" addresses, they are private IPs reserved for DHCP autoconfiguration. More on that here.
The 169.254.220.220 address in your logs could very well be the autoconfig IP of the router.

* IP addresses with .255 as the final octet are "broadcast" addresses, meaning that packets with such an address are sent to, and received by, all machines on the local subnet.

* Ports 137 and 138 are NetBIOS ports; the traffic you see on those ports is NetBIOS broadcast traffic.

* Your logs are showing two different 192.168. subnets (192.168.234. and 192.168.15.). Any idea what that's all about?

* The 70.58.142.60 IP is assigned to Qwest Communications. Are you using any of their services?

* The 239.255.255.250 IP and Port 1900 are used by UPnP devices such as some network printers. This traffic can be normal on Windows networks, but UPnP is also an avenue for external exploits. UPnP should be disabled on your network devices unless you know that you need it.

* The "127.0.0.1;192.168.234.201;ICMP;Allowed" entries: ICMP doesn't, AFAIK, use ports and sockets, hence the above message means that the local machine is sending an ICMP control message to its 192.168.234.201 network interface.

Most of the traffic you're seeing isn't necessarily indicative of anything malicious; do you know that you were not experiencing such traffic before the DoSing and change of IP?

Norton is obviously not the definitive word in terms of whether or not you've truly been compromised. Have you run any other utilities to check for "unwanted guests"?
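As an added worked example (not code from the thread or from any poster), the following Python script parses this firewall's "date;;src:port;dst:port;proto;verdict" lines, labels each entry with the traffic class the reply above describes (subnet broadcast, NetBIOS on 137/138, UPnP/SSDP on 239.255.255.250:1900, 169.254.x.x link-local, loopback ICMP), and separately flags flows where one host opens many connections to one target inside a few seconds with climbing source ports. The class names, the DHCP (67/68) and SNMP-trap (162) broadcast rules, and the burst thresholds are my own generalizations; the sample lines are copied from the logs posted in this thread.

```python
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime

# Sample lines copied from the thread's firewall log (one or more per pattern discussed).
SAMPLE_LOG = """\
2006-07-07 20:31:08;;192.168.234.201:3102;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:09;;192.168.234.201:3103;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:09;;192.168.234.201:3105;192.168.234.1:80;TCP;Allowed
2006-07-07 20:31:09;;192.168.234.201:3106;192.168.234.1:80;TCP;Allowed
2006-07-07 16:23:08;;192.168.234.202:137;192.168.234.255:137;UDP;Allowed
2006-07-07 20:20:27;;127.0.0.1;192.168.234.201;ICMP;Allowed
2006-07-07 20:21:25;;192.168.234.201:24565;192.168.234.201:1900;UDP;Allowed
2006-07-04 00:00:36;;169.254.220.220:21561;169.254.220.220:1900;UDP;Allowed
2006-07-04 04:47:24;;127.0.0.1:4103;239.255.255.250:1900;UDP;Allowed
2006-07-04 04:28:27;;192.168.15.1:3535;192.168.15.255:162;UDP;Allowed
2006-07-05 18:55:46;;192.168.234.201:3107;70.58.142.60:80;TCP;Allowed
"""

SSDP_MULTICAST = ipaddress.ip_address("239.255.255.250")
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")   # APIPA / DHCP autoconfiguration range
NETBIOS_PORTS = {137, 138, 139}
DHCP_PORTS = {67, 68}       # generalization: bootps/bootpc, not discussed in the reply above
SNMP_PORTS = {161, 162}     # generalization: 162 is the SNMP trap port seen on 192.168.15.255


def split_endpoint(endpoint):
    """'1.2.3.4:80' -> (ip, 80); ICMP entries carry no port -> (ip, None)."""
    if ":" in endpoint:
        host, port = endpoint.rsplit(":", 1)
        return ipaddress.ip_address(host), int(port)
    return ipaddress.ip_address(endpoint), None


def parse_line(line):
    ts, _, src, dst, proto, verdict = line.strip().split(";")
    sip, sport = split_endpoint(src)
    dip, dport = split_endpoint(dst)
    return {"ts": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "src": sip, "sport": sport, "dst": dip, "dport": dport,
            "proto": proto, "verdict": verdict}


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def is_broadcast(ip):
    # Last octet 255: subnet broadcast on a /24, or 255.255.255.255 (limited broadcast).
    return ip.packed[-1] == 0xFF


def classify(e):
    """Label one entry with the traffic class it belongs to."""
    src, dst, dport = e["src"], e["dst"], e["dport"]
    if e["proto"] == "ICMP":
        return "icmp"                   # no ports; 127.0.0.1 -> own NIC is the local stack
    if dst == SSDP_MULTICAST and dport == 1900:
        return "ssdp-multicast"         # UPnP device discovery
    if is_broadcast(dst):
        if dport in NETBIOS_PORTS:
            return "netbios-broadcast"  # name-service / datagram announcements
        if dport in DHCP_PORTS:
            return "dhcp-broadcast"
        if dport in SNMP_PORTS:
            return "snmp-broadcast"
        return "broadcast"
    if src in LINK_LOCAL or dst in LINK_LOCAL:
        return "link-local"             # 169.254.x.x: interface without a DHCP lease
    if src == dst or dst.is_loopback:
        return "self"                   # host talking to its own services (e.g. UPnP on 1900)
    if dst.is_private:
        return "lan-unicast"
    return "internet-unicast"           # the only class that actually leaves the LAN


def summarize(entries):
    return Counter(classify(e) for e in entries)


def find_bursts(entries, min_count=3, window_s=5):
    """Flag (src, dst, dport, proto) flows with >= min_count connections inside window_s
    seconds whose source ports strictly increase. Windows XP hands out ephemeral ports in
    sequence, so the climbing port by itself is how any client behaves; the rate and the
    target are what decide whether a flow deserves a closer look."""
    flows = defaultdict(list)
    for e in entries:
        if e["sport"] is not None:
            flows[(e["src"], e["dst"], e["dport"], e["proto"])].append(e)
    bursts = []
    for (src, dst, dport, proto), items in flows.items():
        items.sort(key=lambda x: (x["ts"], x["sport"]))
        ports = [x["sport"] for x in items]
        span = (items[-1]["ts"] - items[0]["ts"]).total_seconds()
        increasing = all(a < b for a, b in zip(ports, ports[1:]))
        if len(items) >= min_count and span <= window_s and increasing:
            bursts.append({"src": str(src), "dst": f"{dst}:{dport}/{proto}",
                           "count": len(items), "seconds": span,
                           "ports": (ports[0], ports[-1]), "class": classify(items[0])})
    return bursts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for cls, n in summarize(entries).most_common():
        print(f"{n:4d}  {cls}")
    for b in find_bursts(entries):
        print("burst:", b)
```

Run against a full log, the summary shows how much of the volume is broadcast and discovery chatter that never leaves the subnet, and the burst list narrows attention to the flows worth checking on the host itself (which process owns the sockets, and whether the "internet-unicast" targets are ones the machine has a reason to contact).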

Your questions/comments are in italic below with mine in standard, thank you for taking the time to post since I've been going insane the past day or two because of this problem.

* Your logs are showing two different 192.168. subnets (192.168.234. and 192.168.15.). Any idea what that's all about?

192.168.15 was the original subnet until the attack, then it got changed to 234 and then after the attack we changed it back to .15. We were hoping if it was a virus it'd be a dumb one and not be able to figure out a network change.

* The 70.58.142.60 IP is assigned to Qwest Communications. Are you using any of their services?
Nope, we use Metrocast cablevision.

* The 239.255.255.250 IP and Port 1900 are used by UPnP devices such as some network printers. This traffic can be normal on Windows networks, but UPnP is also an avenue for external exploits. UPnP should be disabled on your network devices unless you know that you need it.

No such thing as network printers on our network, so yeah, that's disabled.


Most of the traffic you're seeing isn't necessarily indicative of anything malicious; do you know that you were not experiencing such traffic before the DoSing and change of IP?

None of this ever showed up in my logs before; I would rarely see a connection to or from my computer before the attack. But now, the minute I plug my machine in, the log files just fill instantly. Most of this might look like non-malicious traffic, but what about the fact of the speed it's coming and going and the increasing port on which it is sent? Wouldn't something like this stick to one port instead of switching its port every ms and then connecting again?

Norton is obviously not the definitive word in terms of whether or not you've truly been compromised. Have you run any other utilities to check for "unwanted guests"?

I was told Norton AntiVirus was the best, so no; I figured that since I rarely ever hear of the other anti-virus products, they're all probably small and cannot find as many as Norton would. Do you have any suggestions for an AV scanner that compares, regardless of looks, as I'd like to have the best protection possible?
And what other utilities exist for looking for such activity?

...but what about the fact of the speed its coming and going and the increasing port on which it is sent...

That's exactly why I said "isn't necessarily indicative..."; the particular behaviours you point out are definitely suspicious.

1. A few general things to do security-wise:

* Obviously, get all of your machines patched with the most current critical fixes from the Windows Update site. If your machines are compromised, getting them to current patch levels may close some of the loopholes through which the infection is operating.

* Disable non-critical (and known-to-be-exploited) services such as UPnP, SSDP Discovery, NetBIOS over TCP/IP, etc. A list of Windows services and their recommended settings is here. (Disabling services essentially closes their associated ports.)

* Restrict ports on a per-protocol or per-port basis on your router.


2. Free online virus/malware scanners: see this post

3. Free downloadable trojan/rootkit scanners:
BlackLight - https://europe.f-secure.com/blacklight/
RootKitRevealer - http://www.sysinternals.com/Utilities/RootkitRevealer.html


4. Antivirus/anti-malware utility linkage:
http://www.daniweb.com/techtalkforums/thread27570.html


5. This is usually reserved for our malware forum, but since that may be what we're dealing with, please do the following on one of the possibly-infected computers:

* Download the free HijackThis utility. Once downloaded, follow these instructions to install and run the program:
* Create a folder for HJT outside of any Temp/Temporary folders and move the HijackThis.exe file to that folder now. A folder such as C:\HijackThis or C:\Spyware Tools\HijackThis will do.
* Run HijackThis, but do not have HJT fix anything yet; only have it scan your system! Once the scan is complete, the "Scan" button will turn into an option to "Save log...".
Save the log in the folder you created for HijackThis; the saved file will be named "hijackthis.log". Open the log file with Windows Notepad, and cut-n-paste the entire contents of the Notepad file here.

The log contents will tell us a lot about what "nasties" have crept into your system, and once we analyse the log we can tell you what to do from there.

Well, it wasn't a virus, because I completely reformatted the partition on which Windows was installed and it is still occurring.

RootkitRevealer, BlackLight and HijackThis revealed nothing.

Gah this is pissing me off so much I just want to mow that idiot down that caused all this -_-

I'm a year late to chime in, however if you are still monitoring this thread, what was your solution?

I'm experiencing the same problem.

So far, it appears that PeerGuardian is blocking the traffic.

What's strange is that the traffic appears even when I do not have a live connection to the Internet (i.e. I boot up with the LAN cable unplugged).

This indicates to me it's some kind of spyware/malware/virus queued up trying to transmit.

I've run AVG Anti-Rootkit Free (it's found nothing). I've run AVG Anti-Spyware (it's found nothing), and AVG Anti-Virus (it's found nothing).

I did notice something curious in my Sygate firewall packet logs:

10.255.255.1 (remote), and the remote port of 67
255.255.255.255 (local host) and the local port of 68.

(the firewall blocked the traffic).


I Googled for information on 67-68 and it's listed as "Bootstrap Protocol Server" and bootpc, "bootp/dhcp client, bootstrap protocol client".

As you can probably tell from the 10.X.X.X address, I'm on a network that my condo community provides.

Any suggestions, much appreciated.
