Forums > Help! > Can someone trace an IP address for me please?


UCOF
SILVER Member since Apr 2002

UCOF

Carpal \'Tunnel
Location: United Kingdom

Total posts: 15414
Posted: Every once in a while (much more recently now) my ZoneAlarm firewall comes up with a red box saying:
"ZoneAlarm Pro with Web Filtering has blocked what appears to be VPN traffic.

Address: 80.146.125.214"

Um.. the other computers on the home network are all turned off and we are behind an ADSL modem router with firewall.

We aren't trying to set up a VPN so I don't know why this is coming up.

Can someone have an investigation for me as I'm not going to be with a computer for the next 10 days.

This means at least, if it is a hacker who now has our gateway IP address, no computers will be online for over a week so they will give up.

Thanks guys and I will see you the other side of Christmas.

hug



mtbeer
GOLD Member since Aug 2004

mtbeer

ARRRR!
Location: Charlotte, NC, USA

Total posts: 529
Posted: It's someone using a T-Online dial up connection in Germany (one of the largest ISPs there). T-Online has been a hotbed of hacker activity in the past.



Edit:

Here is an easy link to file a complaint directly to the ISP:

https://abuse.t-ipnet.de/cgi-bin/abuse.pl
Give them the IP and time and details.

EDITED_BY: mtbeer (1103288369)


"My skin is singed but it heals my heart and with glowing pride I'll wear my scars." -Davey Havok


ado-p
GOLD Member since May 2004

ado-p

Pirate Ninja
Location: Galway/Ireland

Total posts: 3882
Posted: oooohhhh

How did you do that?


Love is the law.


mcp
PLATINUM Member since May 2003

mcp

Flying Water Muppet
Location: Edin-borrow., United Kingdom

Total posts: 5276
Posted: Starting nmap V. 3.00 ( www.insecure.org/nmap/ )
Host p50927DD6.dip.t-dialin.net (80.146.125.214) appears to be up ... good.
Initiating Connect() Scan against p50927DD6.dip.t-dialin.net (80.146.125.214)
(failed)

WHOIS information for t-dialin.net:

[whois.registrar.telekom.de]
[whois.registrar.telekom.de]
% Copyright (c)2003 by Deutsche Telekom AG

domain: t-dialin.net
registrant-hdl: RDT-DTO4
admin-c: RDT-DK25
tech-c: RDT-HM1
zone-c: RDT-HM1
nserver: dns00.sda.t-online.de
nserver: dns00.sul.t-online.de
nserver: dns01.sda.t-online.de
nserver: dns01.sul.t-online.de
status: connected
changed: 2004-05-14
source: DEUTSCHE TELEKOM AG

Damn, mtbeer got there first.

nslookup will give you the name of the IP address. But I like nmap. For some reason it is installed on our uni computers. I don't have root privileges so I can't do a proper scan. Plus the telecom company would probably block it anyway.


"the now legendary" - Kaskade
"the still legendary" - Kaskade

I spunked in my friend's aquarium and the fish ate it. I love all fish. Especially the pink ones. They are my bitches. - Anon.


mech
BRONZE Member since Jun 2003

mech

Carpal \'Tunnel
Location: "In your ear", United Kingdom

Total posts: 6207
Posted: Jon, you could use a prog like BlackICE to block the entry, and then return the attack.

Or it could be a piece of software on your HDD trying to update itself, and the product's server trying to get update info?


Step (el-nombrie)


mech
BRONZE Member since Jun 2003

mech

Carpal \'Tunnel
Location: "In your ear", United Kingdom

Total posts: 6207
Posted: search results

Mate, I pulled t-dialin too.

Not sure what they are doing, I just don't know.


Step (el-nombrie)


UCOF
SILVER Member since Apr 2002

UCOF

Carpal \'Tunnel
Location: United Kingdom

Total posts: 15414
Posted: Cool, cheers lads and lasses.

I've reported the IP address and changed both the admin and guest passwords on the router. So at least they won't be able to change the modem settings.

*runs off to find his old toolkit devil*



mech
BRONZE Member since Jun 2003

mech

Carpal \'Tunnel
Location: "In your ear", United Kingdom

Total posts: 6207
Posted: Are you running a cabled system or are you on a wireless network, or both?

If you are on wireless, enable MAC address inclusion and acceptance lists; this will stop any MAC addresses in the list accessing the network, and it's a lot harder for a MAC addy to be spoofed than a WEP key.

Is your firewall on your router, if it's cabled, active and stopping threats? If not, get your firewall on your router going and that will help. Also cycle the password every so often. Also, if you can, get a prog (I can't remember the name of the one I used to use) that will at a set interval disconnect the ADSL and then reconnect you, so that you can't be caught on a static IP scan....

Slows hackers too.


Step (el-nombrie)


UCOF
SILVER Member since Apr 2002

UCOF

Carpal \'Tunnel
Location: United Kingdom

Total posts: 15414
Posted: It's all wired.

And I can't seem to find the firewall settings on the modem setup page...

And the box doesn't say it has one either...

So I reckon I'm thinking of my old one....

umm



mech
BRONZE Member since Jun 2003

mech

Carpal \'Tunnel
Location: "In your ear", United Kingdom

Total posts: 6207
Posted: Can you access the router itself? Type the IP of the router into an IE window, and you should be able to access the internal settings system of the router.

Step (el-nombrie)


flid
BRONZE Member since Aug 2002

flid

Carpal \'Tunnel
Location: Warwickshire, United Kingdom

Total posts: 3136
Posted: Does it really matter?

It's just a connection, it's not illegal and I doubt an ISP will care that much unless the guy is a script kiddie doing blatant port scans regularly. Boxes in data centres get several port scans per hour from people looking for insecure servers to use for whatever, that's life. Boxes on slower connections generally aren't interesting, but with the advent of cable and ADSL (and lots of stupid people using it), home users do get scanned these days.

Don't rule out either that it could just be a virus/trojan on the guy's machine which is trying to spread using known exploits and IP ranges of broadband users. In this case though the guy is running Linux, probably Red Hat on his daddy's PC.



UCOF
SILVER Member since Apr 2002

UCOF

Carpal \'Tunnel
Location: United Kingdom

Total posts: 15414
Posted: "In this case though the guy is running Linux, probably Red Hat on his daddy's PC."

How'd ya know that?

umm



flid
BRONZE Member since Aug 2002

flid

Carpal \'Tunnel
Location: Warwickshire, United Kingdom

Total posts: 3136
Posted: TCP/IP fingerprinting. You can find to a reasonable degree of accuracy the operating system and uptime (in this case about 10 days) by the way in which machines handle TCP connections.


UCOF
SILVER Member since Apr 2002

UCOF

Carpal \'Tunnel
Location: United Kingdom

Total posts: 15414
Posted: Clever boy... umm... Flid.

And Mech..... the IE one is the setup page I'm talking about.

MtBeer: why are T-Online such a hotbed? Do they offer shell accounts? Or are Germans just *************************** (note *'s may not be needed depending on which word you use)



mtbeer
GOLD Member since Aug 2004

mtbeer

ARRRR!
Location: Charlotte, NC, USA

Total posts: 529
Posted: A lot of hacker activity originates from T-Online, mostly due to the sheer number of subscribers. There is also a considerable hacker subculture in Germany which probably grew on the fame of Aron Spohr, who hacked into T-Online back in 98 and stole the majority of the user accounts.

"My skin is singed but it heals my heart and with glowing pride I'll wear my scars." -Davey Havok


mo-seph


mo-seph

enthusiast
Location: Edinburgh, UK

Total posts: 524
Posted: The guy also shops at Walmart, drives a Volvo and takes a size 7 shoe (but of course that might be his dad...)

Flid speaks truth - any time you're on the net, lots of people will fling lots of weird [censored] at you and most of it is undirected and ineffectual. If you watch server logs for a while it's really easy to end up thinking "who the hell is that? How dare they try and attack my machine". After a while, the feeling goes away.


monkeys ate my brain


UCOF
SILVER Member since Apr 2002

UCOF

Carpal \'Tunnel
Location: United Kingdom

Total posts: 15414
Posted: The problem is that now it is still coming up....

And when it happens, ZoneAlarm brings up a dialogue box with a massive red top bit and gives me the option of either configuring it to work with this VPN connection, or to not configure it with the VPN connection.

The weirdest thing is that if it is dial up, why is the IP address not changing every time it comes up?

It is the same one every time....

confused

I got a response from the complaint:

Dear Sir or Madam.

We received and analyzed your e-mail.
The sender is a customer of T-Online.
Therefore your request was forwarded to the following address:

T-Online International AG
Waldstrasse 3
64331 Weiterstadt
mailto:abuse@t-online.de
abuse-Team

Additional questions or comments should be directed to T-Online.

II. Expedited handling (t-dialin.net only)

1. If the culprit's IP address is allocated to the domain "t-dialin.net", you can expedite processing by contacting the provider directly.
Please send an email with all the necessary data to abuse@t-online.de.

2. The Domain can be determined by issuing the command "nslookup 'ip address'", i.e. nslookup 62.158.127.111.
If you are using Win9x, open a command prompt and issue the command "ping -a 'ip-address'", i.e. ping -a 62.158.127.111.

Kind regards
Security Team

Deutsche Telekom AG
T-Com, Technische Infrastruktur Niederlassung überregional Network Configuration Center (NCC) Projects, Processes and Security
Tel.: 0180 / 533 - 4332
Fax: 0180 / 533 - 4252
mailto:abuse@t-ipnet.de


EDITED_BY: Untimely Calculations Often Fail (1104184839)
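The two pieces of advice in this thread (mtbeer's "give them the IP and time and details" and the nslookup step in the T-Online reply quoted above) turned into a small script, as an added example that is not code from the thread or from any of the posters. It reverse-resolves the address, walks up the parent domains of the PTR name to pick an abuse contact, and formats a report carrying the IP, the times and the details. The FAKE_PTR table, the SAMPLE_EVENTS list and the ABUSE_CONTACTS dictionary are constructed for the example; only the t-dialin.net mailbox comes from the quoted reply, and the hostname for 80.146.125.214 is the one mcp's nmap output shows.

```python
import ipaddress
import socket
from datetime import datetime

# Constructed stand-in for real PTR lookups so the example runs offline.
# The first hostname is the one mcp's nmap output shows; the second address
# is given no PTR record on purpose to exercise that path.
FAKE_PTR = {
    "80.146.125.214": "p50927DD6.dip.t-dialin.net",
    "81.50.156.181": None,
}

# Domain -> abuse mailbox. The single entry is the one the T-Online reply
# names; for any other network the IP's whois record is the place to look.
ABUSE_CONTACTS = {
    "t-dialin.net": "abuse@t-online.de",
}

# Constructed sample of what you would pull out of your own firewall log:
# (UTC timestamp, what was blocked).
SAMPLE_EVENTS = [
    (datetime(2004, 12, 17, 19, 3, 12), "inbound TCP to port 1723 blocked"),
    (datetime(2004, 12, 17, 19, 3, 40), "inbound TCP to port 1723 blocked"),
]


def system_resolver(ip):
    """Real PTR lookup through the OS resolver (needs network); None if no PTR."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def parent_domains(hostname):
    """Every suffix of a hostname, longest first: 'a.b.c' -> a.b.c, b.c, c."""
    labels = hostname.rstrip(".").lower().split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def route_report(ip, resolver=system_resolver):
    """Decide where an abuse report for `ip` should go, based on its PTR name.

    The resolver is injectable so the function can be driven from FAKE_PTR.get
    in tests and from system_resolver for real use.
    """
    ipaddress.ip_address(ip)  # raises ValueError for anything that is not an IP literal
    host = resolver(ip)
    result = {"ip": ip, "hostname": host, "domain": None, "contact": None}
    if host is None:
        return result
    for dom in parent_domains(host):
        if dom in ABUSE_CONTACTS:
            result["domain"] = dom
            result["contact"] = ABUSE_CONTACTS[dom]
            break
    return result


def abuse_report(ip, events, resolver=system_resolver):
    """Plain-text report with the three things mtbeer lists: IP, time, details.

    `events` is a list of (datetime, description) pairs taken from your own log.
    """
    routed = route_report(ip, resolver)
    lines = [
        f"Source IP: {ip}",
        f"Reverse DNS: {routed['hostname'] or '(no PTR record)'}",
        f"Report to: {routed['contact'] or '(look the IP up in whois)'}",
        "Times are UTC. Events observed:",
    ]
    for when, what in sorted(events):
        lines.append(f"  {when.strftime('%Y-%m-%d %H:%M:%S')}  {what}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Offline demo driven by the constructed table; swap in system_resolver
    # (the default) to resolve a real address.
    print(abuse_report("80.146.125.214", SAMPLE_EVENTS, FAKE_PTR.get))
    print()
    print(abuse_report("81.50.156.181", SAMPLE_EVENTS, FAKE_PTR.get))
```

Two caveats a practitioner would add to this. A PTR record is written by whoever runs the reverse zone for that address block, so it tells you which ISP to contact and nothing more about the person behind the address; when there is no PTR at all, the IP whois record is the authoritative route. And the times matter more than anything else in the report: a dial-up address is reassigned constantly, so the ISP can only match an event to a subscriber if the timestamp and its timezone are exact.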



flid
BRONZE Member since Aug 2002

flid

Carpal \'Tunnel
Location: Warwickshire, United Kingdom

Total posts: 3136
Posted: Because not all ISPs give out a different IP each time, especially older ones (like Demon in the UK) or to customers who request it (i.e. script kiddies who don't understand how to configure dhcpd on their Red Hat machine).

I still don't know why you care? If you're using a firewall and the attack/scan is coming from a static IP, then just firewall it.



Dunc
GOLD Member since Aug 2003

Dunc

playing the days away
Location: The Middle lands, United Kingd...

Total posts: 7263
Posted: Geeks rolleyes I just read the whole page and you know what, it sounds like this.....

Blah blah blah IP blah blah blah firewall blah blah blah server blah blah blah figure out Mech's spelling errors blah blah blah Deutsche blah blah flid blah

What is it they say..... give a hundred monkeys a typewriter and enough time....

kiss


Let's relight this forum ubblove


UCOF
SILVER Member since Apr 2002

UCOF

Carpal \'Tunnel
Location: United Kingdom

Total posts: 15414
Posted: *pokes his head out to say*

It's now coming from another IP address.

frown

I think they got booted from their ISP and now are trying again with another account.

Will give the new IP when I get home.



nearly_all_gone
SILVER Member since Aug 2004

nearly_all_gone

Pooh-Bah
Location: Southampton, United Kingdom

Total posts: 1626
Posted:Call them a big smelly poo. Then they might go away.

What a wonderful miracle if only we could look through each other's eyes for an instant.
Thoreau


UCOF
SILVER Member since Apr 2002

UCOF

Carpal \'Tunnel
Location: United Kingdom

Total posts: 15414
Posted: Do you reckon then that it is a hack attack?

Am I then allowed to portscan the IP address to see any open ports.... or is that naughty?

ubbangel / devil



flid
BRONZE Member since Aug 2002

flid

Carpal \'Tunnel
Location: Warwickshire, United Kingdom

Total posts: 3136
Posted: This is so last year Jon tongue

If you care that much, set up a packet logger on that port and send the log to me. I'll be able to tell you if it is an actual connection or just a scan. But I still don't know why you care, people scan networks all the time, you're not special (well, you are, but that's different!), and if you just block the port I doubt the perpetrator will bother you. People who scan home users are generally looking for really obvious holes, not challenges.
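flid's suggestion of logging the port and reading the log to tell a scan from an actual connection, together with the earlier point that a source on a fixed address can simply be firewalled, as an added example that is not code from the thread or from any poster. It parses firewall log lines, classifies each source address as a port scan, repeated attempts on one port, or a stray probe, and lists the sources that keep coming back from the same address on several days as candidates for a block rule. The SAMPLE_LOG lines are constructed: their comma-separated shape is loosely modelled on a ZoneAlarm text log but is not a verified copy of that format, the addresses come from the RFC 5737 documentation ranges rather than from the thread, and the thresholds are assumptions to be tuned against your own log.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log. Fields: action, date, time, source, destination,
# protocol. The shape loosely follows a ZoneAlarm text log but every line is
# made up for this example; the source addresses are RFC 5737 documentation
# addresses, not the ones discussed in the thread.
SAMPLE_LOG = """\
FWIN,2004/12/17,19:03:12,198.51.100.24:3456,192.168.1.2:135,TCP
FWIN,2004/12/17,19:03:12,198.51.100.24:3457,192.168.1.2:139,TCP
FWIN,2004/12/17,19:03:13,198.51.100.24:3458,192.168.1.2:445,TCP
FWIN,2004/12/17,19:03:13,198.51.100.24:3459,192.168.1.2:1433,TCP
FWIN,2004/12/17,19:03:14,198.51.100.24:3460,192.168.1.2:3389,TCP
FWIN,2004/12/17,21:10:01,203.0.113.7:1025,192.168.1.2:1723,TCP
FWIN,2004/12/18,02:44:51,192.0.2.99:53,192.168.1.2:1027,UDP
FWIN,2004/12/18,21:10:05,203.0.113.7:1025,192.168.1.2:1723,TCP
FWIN,2004/12/19,21:10:09,203.0.113.7:1025,192.168.1.2:1723,TCP
"""

# Assumed thresholds. A source hitting this many distinct ports inside the
# window is called a scan; a slow scan spread over hours is not caught here.
SCAN_MIN_PORTS = 4
SCAN_WINDOW = timedelta(minutes=5)
REPEAT_MIN_EVENTS = 3   # same port, this many hits -> "repeated attempts"


def parse_log(text):
    """Turn log text into event dicts. Malformed lines are skipped, not fatal."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) != 6:
            continue
        action, date, time, src, dst, proto = row
        try:
            when = datetime.strptime(f"{date} {time}", "%Y/%m/%d %H:%M:%S")
            src_ip, src_port = src.rsplit(":", 1)
            dst_ip, dst_port = dst.rsplit(":", 1)
        except ValueError:
            continue
        events.append({
            "action": action, "when": when, "proto": proto,
            "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
        })
    return events


def classify_sources(events):
    """Per source address: what kind of traffic it sent and on how many days."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    verdicts = {}
    for src, evs in by_src.items():
        evs = sorted(evs, key=lambda e: e["when"])
        ports = sorted({e["dst_port"] for e in evs})
        days = {e["when"].date() for e in evs}
        span = evs[-1]["when"] - evs[0]["when"]
        if len(ports) >= SCAN_MIN_PORTS and span <= SCAN_WINDOW:
            kind = "port scan"                      # many ports, short burst
        elif len(ports) == 1 and len(evs) >= REPEAT_MIN_EVENTS:
            kind = "repeated attempts on one port"  # someone actually wants that service
        else:
            kind = "stray probe"                    # background noise
        verdicts[src] = {
            "kind": kind, "events": len(evs), "ports": ports,
            "days_seen": len(days), "first": evs[0]["when"], "last": evs[-1]["when"],
        }
    return verdicts


def block_candidates(verdicts, min_days=2):
    """Sources seen from the same address on several days: a fixed address
    that keeps coming back is the case where a firewall rule on it pays off."""
    return sorted(src for src, v in verdicts.items() if v["days_seen"] >= min_days)


if __name__ == "__main__":
    verdicts = classify_sources(parse_log(SAMPLE_LOG))
    for src, v in sorted(verdicts.items()):
        print(f"{src:16} {v['kind']:34} events={v['events']} ports={v['ports']} days={v['days_seen']}")
    print("block candidates:", block_candidates(verdicts))
```

The three verdicts map onto the thread's own distinction: a burst across many ports is the undirected scanning flid and mo-seph describe, a single port hit again and again across days is the "actual connection" case worth a block rule or a report, and a lone packet is noise. For a real ZoneAlarm log you would check the column order against a line from your own ZAlog file before relying on the parser.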



UCOF
SILVER Member since Apr 2002

UCOF

Carpal \'Tunnel
Location: United Kingdom

Total posts: 15414
Posted: The new one is:

81.50.156.181



shen shui
SILVER Member since Jan 2005

shen shui

no excuses. no apologies.
Location: aotearoa, New Zealand

Total posts: 1799
Posted: I get scared just reading you guys' posts about all this computer stuff...
and I even studied it for four years and got my bachelor's degree in it...
guess I'll just stick to meditating and sticking needles into people.
You watch my back and I'll watch yours?
<pleads>
please don't kill my computer...
<gives you stuff not to kill his computer>
Sorry if this is "off the topic"...
Perhaps I should say:
it's impressive to me how much you guys know about all this stuff. Computers kinda scare me.


those that know, dont say. those that say, dont know.


Dunc
GOLD Member since Aug 2003

Dunc

playing the days away
Location: The Middle lands, United Kingd...

Total posts: 7263
Posted: You can come with me meditator, we'll go to the geek free zone wink ubblol

Let's relight this forum ubblove


