@Home/ZA users

I just got off the phone with an @Home network admin. He asks that users of @Home send a copy of their ZA log as an attachment to [email protected], with a brief note explaining what you're sending. They're trying to get hold of all @Home users running IIS that are infected with CodeRed, as those machines are pinging all the other @Home users....and apparently are unaware of what's going on.
Getting hit 100-150x per hour is slowing down a lot of people, and it gets REALLY annoying, too. https://discussions.virtualdr.com/

Thanks for the info Zipulrich. My ZA log file is now over a megabyte, but if they want it.... https://discussions.virtualdr.com/

------------------
Be not afraid of greatness. Some are born great, some achieve greatness, and some have greatness thrust upon 'em.

MAXXIMILIAN'S

Boy are they slowing things down. Sitting behind a hardware firewall, all you see is the slowing down of page openings.

------------------
SMILE
and post back
[ Book mark this post to find it again]

Maxx, I just sent another log - 3 1/2 hours, 164 hits! https://discussions.virtualdr.com/

[This message has been edited by zipulrich (edited 08-07-2001).]

Hi,
I am having trouble with contious streams of data. Latency is what I thought it was. I have a stealth Ip Address and have no viruses on my network. Grr so some virus is causing all this the last week or so?? I am using @home service too. https://discussions.virtualdr.com/

------------------
Some of the good things in life are free! :) Cable Internet isn't one of them!!

J A L, check your firewall logs...any I.P. addresses that start with "24." is most likely another @Home user.

Fun, ain't it?

Oh wow, I just deleted my log file last night. It was over 8 mb! I am getting pinged at least 30 times an hour. I'll start a new log and send it in. Thanks for the tip!

Just to let everyone know, it's not just @Home that is getting hits Road Runner and many others are having the same problem.
Spike

Zipulrich, what is IIS? I have @home but in the dark about IIS. I had over 300 hits over a 3 day period. I sent the list to @home but don't know if that was the right thing to do or not. Thanks for the info. Joe

I just found and reviewed Johnny Canucks post and answers for IIS. Sorry to bother again. Thanks, Joe

------------------
Celeron 366, 8GBHD, 128 MB Ram, IE5.5(Main) & NS Browsers, Windows 98, Outlook Express Mail.

[This message has been edited by JoeHenry (edited 08-07-2001).]

[This message has been edited by JoeHenry (edited 08-07-2001).]

I just received a reply from [email protected] concerning the hits I sent to them. Any comments? They replied as follows:

It appears that you are reporting a portscan by a computer with an IP
address of 24.0.0.203. This computer in our corporate domain and is
approved to perform proactive scanning of the network. It is actively
scanning our network for security problems in our customers'
configuration which could be exploited. We have been seeing a
significant number of customers installing networking software which is
leaving their computers open to attack, this is why we must respond in
this way. You may see it scanning 2-3 times a day. This proactive
scanning is allowed by the Acceptable Use Policy, which can be reviewed
at the following URL:
http://www.home.com/aup/

The relevant section is quoted below. It can be found under the last
section of the AUP, under the heading, 'Violation of Acceptable Use
Policy':

"Although Excite@Home has no obligation to monitor the Services and/or
the network, Excite@Home and its various affiliates and partners reserve
the right to monitor bandwidth, usage, and content from time to time to
operate the Services; to identify violations of this Policy; and/or to
protect the network and @Home users."

If you were also reporting scans by other computers in the @Home domain,
please compose a new email message and send a report for each IP address
separately.

The @Home Network Policy Management Team

Tracking ID #1000

Yes, JohnKing, they sound like government employees covering their buttocks. Anything to confuse and/or cloud the issue. I'm vulnerable, being a novice, but they must think everyone else is, too.
Thanks for your comment. Joe https://discussions.virtualdr.com/

I'm getting 100+ pings per hour, all from ip addresses starting 24.27. Does this do anything or do i have a reason to be concerned?

Well, fellow @home users, It's nice to see I'm not losing my mind over here! https://discussions.virtualdr.com/ I've upped my zonealrm settings to local: high and internet: high, did a trojan scan, and a virus scan....ran adaware incase I missed something......all to find out that you all are getting pinged just the same as I am. I'm getting hit about a hundred times every two hours.

Daizy

------------------
Hope this helps.

Seems to me they might be getting overwhelmed and not able to sort thru all the monster ZA logs. Did they say a separate email for each entry in the log or each 24.xxx entry? They have to compare log entries with their own records, it's gotta be a monster task.

I don't use @home but I'm getting lots of hits from my own isp's dns numbers. I think it's a proactive search to find and help fix infected users, not an indication that they are themselves infected. I just turned off the alerts and look thru the log now and then.

CYA stuff? Sounds like they're just trying to take care of business during a really difficult time.

------------------
"If you look at the sun without shielding your eyes, you'll go blind. If you look at the moon without covering your eyes, you'll become a poet." --Serge Bouchard

I just got one of those "@home security probes" it happened on my port 119

Instead of originating HTTP it was NNTP from 24.0.0.203 (TCP Port 34934) [TCP Flags: S].

The lookup of the address turned up this IP

authorized-scan1.security.home.net

I seemed to get two probes really quickly from them too...so there's your secuirty probes.....

Mac

[This message has been edited by Mac-99_take2 (edited 08-07-2001).]