09-23-2007, 02:01 PM   #1 (permalink)
Overclocked Doc, Registered User

[SOLVED] Possible denial of service attack?

Not sure if this is where I should post this, but it appears to be close.

Is it possible I am experiencing a "denial of service attack" on one of my machines on my home network?
The machine in question appears to be sending out large packet amounts to 5 similar IPs all at once. The packet amounts are all the same amount. When this happens, no other machine on my network can access the net until the one in question is removed.

Checking the IPs, I noted on one day, they appeared to be directed to Russia. On another day they appeared to be directed to North America at what appears to be a legitimate business (paynet.no).

I have run virus and spyware scans using multiple software and even scanned the hard drive from another machine. I am quite well versed in dealing with a lot of this stuff but, this appears to have gotten the better of me. I really don't want to reformat if possible, simply because of the time involved to reinstall all the 80 GBs worth of software.

Does this scenario ring a bell with anyone?
09-24-2007, 07:15 AM   #2 (permalink)
johnwill, Manager, Networking Forums
Re: Possible "denial of service attack"?

Actually, this is not a DOS, which would be lots of traffic coming in. You appear to have malware that has taken over the machine and is using it for some purpose. Most likely, it's sending massive amounts of SPAM to us.

You are clearly infected, so I suggest...

Please follow this HJT Log 5 Step Process to post a HijackThis log in the HijackThis Log Help forum here.
09-26-2007, 01:30 PM   #3 (permalink)
Overclocked Doc, Registered User


Re: Possible "denial of service attack"?

Thanks for your reply!

Yes I had my facts off slightly. I was in fact experiencing high volumes of traffic "outbound" and not "inbound" as I had previously thought.

In reading several well written articles posted on the net, my symptoms closely matched that of a "zombie attack pc". I spoke to a friend who works as an internet security analyst and explained all the details.

He offered some insight on how to determine what was happening in part by defining the ports being used to transfer information. Here's part of his reply back to me:

"I am familiar with botnets, zombies and Denial Of Service attacks.
A common scenario is that PCs that have been 'zombied' communicate with IRC servers to receive and carry out their orders.

In simple terms, the person in control sends out a command to an IRC channel "attack ip address x.x.x.x"
The infected PCs receive the command via IRC and carry out the order (send as much junk to that IP address as quick as possible).
A common port range for IRC is 6660-6669 TCP so you may see your computer trying to connect out to the Internet on any of these ports if you have been zombied."

I have since remedied the problem although I inadvertently deleted a few files containing info that would have helped me to better understand "what happened".
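Added example, not part of the original thread or written by any poster: a small Python check over `netstat -ano` output that flags the two outbound patterns discussed above, connections to the IRC range 6660-6669/TCP and one process mailing many distinct hosts on port 25. The sample rows are constructed with documentation-range addresses, and the fan-out threshold of 5 is an assumption.

```python
import re
from collections import defaultdict

IRC_PORTS = range(6660, 6670)   # 6660-6669/TCP, the range quoted in post #3
SMTP_PORT = 25                  # direct mail delivery, the spam case from post #2
SMTP_FANOUT = 5                 # assumed threshold: distinct mail hosts per PID

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.20:1042      198.51.100.7:6667      ESTABLISHED     1384
  TCP    192.168.1.20:1050      203.0.113.10:25        SYN_SENT        1384
  TCP    192.168.1.20:1051      203.0.113.11:25        SYN_SENT        1384
  TCP    192.168.1.20:1052      203.0.113.12:25        ESTABLISHED     1384
  TCP    192.168.1.20:1053      203.0.113.13:25        ESTABLISHED     1384
  TCP    192.168.1.20:1054      203.0.113.14:25        SYN_SENT        1384
  TCP    192.168.1.20:1060      192.0.2.80:80          ESTABLISHED     2200
  TCP    192.168.1.20:1070      192.0.2.25:25          ESTABLISHED     3000
"""

LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def parse(text):
    """Yield (remote_ip, remote_port, state, pid) for each TCP row."""
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            _, _, rip, rport, state, pid = m.groups()
            yield rip, int(rport), state, int(pid)

def suspicious(text):
    """Return {pid: [reasons]} for outbound IRC or wide SMTP fan-out."""
    irc, smtp = defaultdict(set), defaultdict(set)
    for rip, rport, state, pid in parse(text):
        if state not in ("ESTABLISHED", "SYN_SENT"):
            continue  # skip listeners and sockets that are closing
        if rport in IRC_PORTS:
            irc[pid].add((rip, rport))
        elif rport == SMTP_PORT:
            smtp[pid].add(rip)
    report = defaultdict(list)
    for pid, peers in irc.items():
        report[pid].append(f"outbound IRC to {sorted(peers)}")
    for pid, hosts in smtp.items():
        if len(hosts) >= SMTP_FANOUT:  # a mail client talks to one or two
            report[pid].append(f"SMTP to {len(hosts)} distinct hosts")
    return dict(report)

print(suspicious(SAMPLE))
```

A flagged PID can be matched to its executable with `tasklist` or Task Manager before the machine is cleaned. IRC on these ports is also used legitimately, so a hit is a lead to investigate rather than proof of infection.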
09-27-2007, 08:03 AM   #4 (permalink)
johnwill, Manager, Networking Forums
Re: Possible "denial of service attack"?

So, the issue is resolved?
09-27-2007, 01:38 PM   #5 (permalink)
Overclocked Doc, Registered User


Re: Possible "denial of service attack"?

Yes it is, thanks.