
I'm being hacked

Discussion in 'Networking' started by Jeremywilms, Sep 29, 2008.

Thread Status:
Not open for further replies.
  1. Jeremywilms

    Jeremywilms Thread Starter

    Joined:
    Jun 29, 2008
    Messages:
    70
    I was sharing a couple of things I had made with my friends by posting them on a forum, and it seems some extremely stupid people find it entertaining to ping\DDOS (or whatever people call it now) my servers\me. I was running a web server (Apache), a MySQL server, an IRC server (UnrealIRCD) and a Flash Media Interactive Server, and while I was at school today I wanted to show my friends something I had made when I noticed I couldn't connect to my website; well, I could, but it was loading at an extremely slow speed. So now I'm at home, and I completely removed my port forwards and shut down my server. Although I am still experiencing a slow connection to the internet. What steps should I take, and how can I protect myself a little more?
     
  2. avisitor

    avisitor

    Joined:
    Jul 12, 2008
    Messages:
    1,710
    Well, you can call your ISP to see if they can block some of that traffic downstream. You can have your router block anonymous WAN requests (pings). However, unless you're sure that your ISP allows you to run a server on their network, I'd be careful what you say.

    You can always ask for a new IP.
     
  3. Jeremywilms

    Jeremywilms Thread Starter

    Joined:
    Jun 29, 2008
    Messages:
    70
    Well, I'm currently blocking anonymous WAN requests, but I don't want to have to constantly change my IP address every time someone pings me (which will probably be constant). I was wondering if there was any security feature of some sort that could protect me from this =S
     
  4. Elvandil

    Elvandil

    Joined:
    Aug 1, 2003
    Messages:
    51,988
    Are you positive that this is what is happening? How do you know? What do your firewall logs tell you?
     
  5. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    6,130
    Bingo. I was going to ask if the OP has any logs to prove he's being hacked. I would say if the OP was indeed under a DDOS, he wouldn't get squat from his server. Large corporations with huge servers in a server farm with lots of high bandwidth network devices in load balancing configurations can sometimes barely get anything to work when they are under a DDOS attack.

    Also, I wouldn't go to your ISP for a problem like this unless you're willing to have them slap you for running a server on your home service plan. They may not care but then again they might.
     
  6. avisitor

    avisitor

    Joined:
    Jul 12, 2008
    Messages:
    1,710
    If you're truly under a DDoS attack, you likely will have no connectivity without the intervention of your ISP blocking the packets somewhere downstream of you (probably at a trunk).

    GRC went through this and documented it pretty well, you might want to read that. But logs would be nice.
     
  7. Jeremywilms

    Jeremywilms Thread Starter

    Joined:
    Jun 29, 2008
    Messages:
    70
    Well, I'm not sure why you want proof, it's port 80. Are you suggesting I re-port-forward and endure more of their attack to record some logs =S ?

    I was just curious how I can protect myself a little more, I'm 16 and I sure as hell can't afford a server, and the 'free' ones are too slow for my need.
     
  8. avisitor

    avisitor

    Joined:
    Jul 12, 2008
    Messages:
    1,710
    Not necessarily, your router is happy to produce logs of incoming traffic.

    What kind of traffic are you being bombarded with? The attacks are coming on port 80? Like incomplete TCP sessions or something else? I've had a site on the receiving end of a DDoS and it's not remotely pretty. They managed to crush a dedicated server of mine on a 6mbit pipe.

    Here's that info about GRC: http://web.archive.org/web/20051027174023/grc.com/dos/grcdos.htm

    Thinking further: that doesn't sound like it's too bad if you have any internet connectivity. It's probably coming from one or two IPs, if you can produce those, it might be possible to stop the attack. However, an attack on port 80 will be almost impossible to stop if it's coming from a wide variety of IPs, since you can't block port 80 traffic.
     
  9. Jeremywilms

    Jeremywilms Thread Starter

    Joined:
    Jun 29, 2008
    Messages:
    70
    I attached the log, I'm not sure if this is normal but there seems to be a lot of blocking.

    Edit: It's not a big attack, just enough to slow my internet to a near dead stop.
     

  10. avisitor

    avisitor

    Joined:
    Jul 12, 2008
    Messages:
    1,710
    Well, looks as if you have some serious problems.

    You're getting unsolicited, bogus packets to bogus ports that don't have any purpose. They're coming from all over the world.
     
  11. Jeremywilms

    Jeremywilms Thread Starter

    Joined:
    Jun 29, 2008
    Messages:
    70
    I'm going to hope that's sarcasm D: But if that's the case, my only solution is to renew my IP address or stop hosting my servers?
     
  12. avisitor

    avisitor

    Joined:
    Jul 12, 2008
    Messages:
    1,710
    The majority of those connections are being made to 2222 which is a port exposed by a Trojan. However, it's possible that they're just probing it. You do have up to date versions of your server software as well as antivirus and firewall on all your computers.

    However, you don't necessarily have a Trojan, it could just as easily be a random flood of packets trying to deny service to you. I find it odd that any individual's site/home server would be targeted by a DDoS, but I guess it's possible. Have you given your IP out at shady sites?
     
  13. Jeremywilms

    Jeremywilms Thread Starter

    Joined:
    Jun 29, 2008
    Messages:
    70
    Oh D: Yes, well, there is a virus currently installed on my computer, the problem being that my anti-virus isn't detecting it. I am aware that it's there; however, I am unable to remove it. I posted my HijackThis log on this site, however no one has responded. My friend earlier suggested the virus may have set up some sort of proxy-server on my computer.

    The good thing is, I've only given a dns I made away to my friends, and on a forum. I am however 100% sure I have a trojan, I just can't find a way to remove it. I can link you to my HijackThis thread if you need it.
     
  14. avisitor

    avisitor

    Joined:
    Jul 12, 2008
    Messages:
    1,710
    Ok, well, I'm not "qualified" to help with that. Once you get that removed, we can see if you're really getting DDoSed or not.
     
  15. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    6,130
    I don't see anything which would lead me to believe you're being hacked. The denial logs are showing the router is doing its job.

    What we need to see is the connection successes. If you are really being DDoS'd over your web port of 80, you would see a bunch of successfully initiated connections which don't complete the proper TCP handshake. This leaves the router thinking the session is still open. As more connections like this get established, the router will quickly get overwhelmed as the amount of free memory it has gets consumed by all the open connections and the processing required to maintain those connections. The evil part of this type of attack is that the rogue connections don't time out quickly enough for the consumed resources to be released. Also, it's hard for rudimentary hardware to distinguish a legitimate incoming HTTP request from a rogue DDoS one.
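
The check described in the replies above (count connections on port 80 that were initiated but never completed the TCP handshake, then see whether they come from one or two IPs or from many) can be sketched as follows. This is an added example, not code from any poster in the thread. It assumes the connection table is exported from the server host in the column layout of Linux `netstat -ant`; the sample lines are constructed, and the thresholds `min_half_open` and `few_sources` are illustrative assumptions.

```python
from collections import Counter

# Constructed sample in `netstat -ant` column order:
# proto, recv-q, send-q, local address, remote address, state.
# All addresses are from documentation ranges.
SAMPLE = "\n".join(
    ["Proto Recv-Q Send-Q Local Address Foreign Address State",
     "tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN",
     "tcp 0 0 192.0.2.10:80 203.0.113.5:40112 ESTABLISHED",
     "tcp 0 0 192.0.2.10:22 203.0.113.9:40500 SYN_RECV"]
    + [f"tcp 0 0 192.0.2.10:80 198.51.100.7:{51000 + i} SYN_RECV" for i in range(4)]
    + [f"tcp 0 0 192.0.2.10:80 198.51.100.9:{52000 + i} SYN_RECV" for i in range(3)]
)

def parse(text):
    """Yield (local_port, remote_ip, state) for every TCP line; skip headers."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        port = fields[3].rsplit(":", 1)[-1]
        if port.isdigit():
            yield int(port), fields[4].rsplit(":", 1)[0], fields[5]

def assess(text, port=80, min_half_open=5, few_sources=2):
    """Summarise half-open (SYN_RECV) connections to `port` by source IP."""
    half_open, established = Counter(), 0
    for local_port, remote_ip, state in parse(text):
        if local_port != port:
            continue
        if state == "SYN_RECV":        # handshake started, never completed
            half_open[remote_ip] += 1
        elif state == "ESTABLISHED":   # normal, completed sessions
            established += 1
    total = sum(half_open.values())
    if total < min_half_open or total <= established:
        verdict = "no-flood-indication"
    elif len(half_open) <= few_sources:
        verdict = "few-sources"        # candidates for per-IP blocking
    else:
        verdict = "distributed"        # per-IP blocking will not keep up
    return {"verdict": verdict, "half_open": total,
            "established": established, "sources": half_open.most_common()}

if __name__ == "__main__":
    print(assess(SAMPLE))
```
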
     
Short URL to this thread: https://techguy.org/754612
