Zone Alarm


airratt301b
December 2, 2000, 12:28 pm
This is what I got: The firewall has blocked Internet access to your computer (TCP Port 32041) from 195.92.195.167 (HTTP).

Occurred: 11 times between 12/2/00 7:13:34 and 12/2/00 7:36:54

11 times. Is this an attack?

------------------
Steve

manunkind
December 3, 2000, 01:01 am
Here is the information for them:

-----------------------------------
-- PING RESPONSE --

Pinging 195.92.195.167 with 32 bytes of data:

Reply from 195.92.195.167: bytes=32 time=303ms TTL=46

Ping statistics for 195.92.195.167:
Packets: Sent = 1, Received = 1, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 303ms, Maximum = 303ms, Average = 303ms


-- NetBIOS QUERY RESULTS --

Host not found.

-- NSLOOKUP QUERY RESULTS --

*** First PTR Name Server Lookup unsuccessful.
*** Second PTR Name Server Lookup unsuccessful.
*** All Three Name Server Lookup attempts were unsuccessful.

-- ARIN WHOIS QUERY RESULTS --

European Regional Internet Registry/RIPE NCC (NETBLK-RIPE-C)
These addresses have been further assigned to European users.
Contact information can be found in the RIPE database, via the
WHOIS and TELNET servers at whois.ripe.net, and at
http://www.ripe.net/db/whois.html

Netname: RIPE-CBLK3
Netblock: 195.0.0.0 - 195.255.255.0
Maintainer: RIPE

Coordinator:
RIPE Network Coordination Centre (RIPE-NCC-ARIN) nicdb@RIPE.NET
+31 20 535 4444
Fax- - +31 20 535 4445

Domain System inverse mapping provided by:

NS.RIPE.NET 193.0.0.193
NS.EU.NET 192.16.202.11
AUTH03.NS.UU.NET 198.6.1.83
NS2.NIC.FR 192.93.0.4
SUNIC.SUNET.SE 192.36.125.2
MUNNARI.OZ.AU 128.250.1.21
NS.APNIC.NET 203.37.255.97

To search on arbitrary strings, see the Database page on
the RIPE NCC web-site at http://www.ripe.net/db/

Record last updated on 16-Oct-1998.
Database last updated on 2-Dec-2000 18:17:47 EDT.

The ARIN Registration Services Host contains ONLY Internet
Network Information: Networks, ASN's, and related POC's.
Please use the whois server at rs.internic.net for DOMAIN related
Information and whois.nic.mil for NIPRNET Information.

-- RIPE WHOIS QUERY RESULTS --


% Rights restricted by copyright. See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 195.92.0.0 - 195.92.255.255
netname: UK-POL-960612
descr: Planet Online
descr: Internet Service Provider
descr: In case of problems, please contact +44 113 234 6068
descr: Please do not send abuse reports to tech or admin
descr: contacts. Abuse reports to abuse@planet.net.uk please!
country: GB
admin-c: ASK5-RIPE
admin-c: DM386-RIPE
admin-c: MR122-RIPE
admin-c: MR257-RIPE
tech-c: ASK5-RIPE
tech-c: DM386-RIPE
tech-c: MR122-RIPE
tech-c: MR257-RIPE
status: ALLOCATED PA
mnt-by: RIPE-NCC-HM-MNT
mnt-lower: AS5388-MNT
changed: hostmaster@ripe.net 19960612
changed: hostmaster@ripe.net 19990224
changed: hostmaster@ripe.net 20001121
source: RIPE

route: 195.92.0.0/16
descr: Planet Online Limited
descr: The White House
descr: Melbourne St.
descr: Leeds LS2 7PS United Kingdom
origin: AS5388
mnt-by: AS5388-MNT
changed: matthew@planet.net.uk 19960612
source: RIPE

person: Andrew S Kennedy
address: Planet Online Ltd.
address: The White House
address: Leeds, LS2 7PS
address: GB
phone: +44 113 2345566
fax-no: +44 113 2345656
e-mail: andrew@theplanet.net
nic-hdl: ASK5-RIPE
changed: matthew@planet.net.uk 19970429
source: RIPE

person: Darren Marshall
address: Planet Online Ltd
address: The Whitehouse
address: Melbourne St
address: Leeds
address: LS2 7PS
address: Great Britain
phone: +44 1132345566
e-mail: darren@planet.net.uk
nic-hdl: DM386-RIPE
notify: darren@planet.net.uk
changed: darren@planet.net.uk 19970715
source: RIPE

person: Matthew Robinson
address: Energis Squared Limited.
address: Melbourne Street,
address: Leeds, LS2 7PS
address: GB
phone: +44 113 234 5566
fax-no: +44 113 234 5656
e-mail: matthew@crescent.org.uk
e-mail: abuse@energis-squared.com
nic-hdl: MR122-RIPE
remarks: ** The abuse email address is there to hopefully
remarks: ** sort out daft 'firewall' programs.
remarks: ** Please send personal mails to mailto:matthew@crescent.org.uk
remarks: ************************************************** *******
remarks: I cannot deal with direct reports of network abuse as I am the
remarks: technical contact and not the end user of this address space.
remarks: Please send them to mailto:abuse@energis-squared.com
remarks: Do not send them directly to me.
remarks: Any direct reports will be returned to you.
remarks: Any abusive or threatening reports sent to me will be forwarded
remarks: to your service providers abuse team and the police.
remarks: Sorry to be so blunt but I'm tiring of idiots :-)
remarks: ************************************************** *******
notify: ripe-notify@crescent.org.uk
mnt-by: AS5388-MNT
changed: ian.rhodes@ThePlanet.co.uk 19960407
changed: matthew@planet.net.uk 19970409
changed: matthew@u-net.net 19970603
changed: matthew@planet.net.uk 19980204
changed: matthew@planet.net.uk 19981103
changed: matthew@planet.net.uk 19990226
changed: matthew@energis-squared.com 20000801
changed: matthew@energis-squared.com 20001005
source: RIPE

person: Matt Ryan
address: Planet OnLine Ltd
address: The White House
address: Melbourne Street
address: Leeds LS2 7PS
address: Great Britain
phone: +44 113 2345566
e-mail: matt@planet.net.uk
nic-hdl: MR257-RIPE
notify: matt@planet.net.uk
mnt-by: AS5388-MNT
changed: matt@planet.net.uk 19960805
changed: matt@planet.net.uk 19970304
changed: matt@planet.net.uk 19981103
source: RIPE


-- TRACEROUTE RESULTS --


Tracing route to funnelweb.webspace.pol.co.uk [195.92.195.167]
over a maximum of 30 hops:

1 113 ms 114 ms 115 ms rno-max7.greatbasin.net [206.14.169.24]
2 120 ms 115 ms 97 ms rno-core1-max-100mb.greatbasin.net [206.14.169.7]
3 235 ms 348 ms 420 ms rno-core0-ospf-100mb.greatbasin.net [207.228.7.241]
4 115 ms 109 ms 124 ms Serial3-4.GW3.SCL1.ALTER.NET [157.130.232.25]
5 110 ms 114 ms 114 ms 143.at-5-0-0.XR4.SCL1.ALTER.NET [152.63.114.174]
6 124 ms 105 ms 124 ms 294.at-1-0-0.XR2.SAC1.ALTER.NET [152.63.51.241]
7 125 ms 113 ms 116 ms 184.ATM7-0.BR5.SAC1.ALTER.NET [152.63.52.229]
8 141 ms 124 ms 115 ms 137.39.52.90
9 115 ms 114 ms 119 ms p6-0.paloalto-nbr1.bbnplanet.net [4.0.6.97]
10 125 ms 124 ms 135 ms p12-0.snjpca1-br2.bbnplanet.net [4.24.5.197]
11 133 ms 118 ms 114 ms p9-0.snjpca1-br1.bbnplanet.net [4.24.9.129]
12 190 ms 204 ms 179 ms p9-0.nycmny1-nbr1.bbnplanet.net [4.24.9.158]
13 205 ms 200 ms 177 ms p1-0.nycmny1-br1.bbnplanet.net [4.24.10.82]
14 204 ms 204 ms 180 ms p1-0.nycmny1-ba1.bbnplanet.net [4.24.6.230]
15 455 ms 264 ms 264 ms p8-0-0.london2-cr2.bbnplanet.net [4.0.5.134]
16 270 ms 269 ms 284 ms s4-1-1.energsquar2.bbnplanet.net [195.16.162.174]
17 275 ms 259 ms 272 ms Marrow.AS5388.NET [195.92.201.2]
18 275 ms 279 ms 259 ms BNR-1.MSL.AS5388.NET [195.92.201.148]
19 279 ms 264 ms 274 ms BNR-2.MSL.AS5388.NET [195.92.201.99]
20 310 ms 276 ms 264 ms BNR-1.GRL.AS5388.NET [195.92.201.155]
21 275 ms 310 ms 280 ms PBR-1.GRL.AS5388.NET [195.92.200.136]
22 277 ms 259 ms 270 ms funnelweb.webspace.pol.co.uk [195.92.195.167]

Trace complete.

Trace Started: 9:02:22.58p
Trace Finished: 9:03:25.69p

------------------
Moderator at Help from Techs Support Forums (http://www.helpfromtechs.com)

airratt301b
December 3, 2000, 09:34 am
I got another one that seems similar. Also, what program(s) are you using? I have 2 different ones I don't have installed right now: Sam Spade and another one I can't think of the name of right now, but I think I got the link from you. I've got it on CD; I'll have to look it up. Here's the other one: The firewall has blocked Internet access to your computer (TCP Port 36517) from 195.92.193.249 (HTTP).

Occurred: 8 times between 12/3/00 8:05:02 and 12/3/00 8:22:26

------------------
Steve

manunkind
December 3, 2000, 01:31 pm
Same people.

I use Network Tracer (http://www.pc-help.org/trace.htm). Very easy to use and gives you all the needed information.

Before you go sending any abuse mail to these guys, check out ZoneLog Analyser (http://zonelog.co.uk/) and see if that tells you exactly what kind of an alert it is.

------------------
Moderator at Help from Techs Support Forums (http://www.helpfromtechs.com)
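As an added illustration of the "what kind of alert is it" question (this is not code from the thread, ZoneAlarm or ZoneLog Analyser), the script below parses the ZoneAlarm alert text quoted in this thread and applies one triage rule: a well-known source port (here HTTP, port 80) hitting a high ephemeral local port is the pattern of late replies from a server the PC itself contacted, not a probe. The service-to-port map and the three labels are this example's own assumptions.

```python
import re
from datetime import datetime

# Pattern for the alert text ZoneAlarm shows, as quoted in this thread:
# "The firewall has blocked Internet access to your computer (TCP Port 32041)
#  from 195.92.195.167 (HTTP)." followed by "Occurred: N times between A and B".
ALERT_RE = re.compile(
    r"blocked Internet access to your computer "
    r"\((?P<proto>TCP|UDP) Port (?P<lport>\d+)\) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) \((?P<svc>[^)]+)\)"
)
OCCURRED_RE = re.compile(
    r"Occurred: (?P<count>\d+) times between (?P<first>\S+ \S+) and (?P<last>\S+ \S+)"
)
# Service labels ZoneAlarm substitutes for well-known source ports (assumption:
# only HTTP appears on this page; the others are the standard assignments).
SERVICE_PORTS = {"HTTP": 80, "HTTPS": 443, "SMTP": 25, "DNS": 53}

def parse_alert(text):
    """Return a dict of the alert's fields, or None if the text is not a ZoneAlarm alert."""
    m = ALERT_RE.search(text)
    if m is None:
        return None
    svc = m["svc"]
    rec = {
        "proto": m["proto"],
        "local_port": int(m["lport"]),
        "src_ip": m["src"],
        "src_port": SERVICE_PORTS.get(svc, int(svc) if svc.isdigit() else None),
    }
    o = OCCURRED_RE.search(text)
    if o is not None:
        fmt = "%m/%d/%y %H:%M:%S"          # ZoneAlarm's "12/2/00 7:13:34" form
        rec["count"] = int(o["count"])
        rec["first"] = datetime.strptime(o["first"], fmt)
        rec["last"] = datetime.strptime(o["last"], fmt)
    return rec

def triage(rec):
    """Heuristic label: a well-known source port talking to an ephemeral local
    port is the signature of late replies from a server the PC contacted
    (e.g. a web server still answering after the browser closed the connection)."""
    src, local = rec["src_port"], rec["local_port"]
    if src is not None and src < 1024 and local >= 1024:
        return "stale-reply"        # not a probe; no abuse report warranted
    if local < 1024:
        return "service-probe"      # something connecting to a local service port
    return "unclassified"           # look at it in a log analyser first
```

Run over the two alerts in this thread, both come out as "stale-reply", which is why the moderator's advice to check the alert type before emailing an abuse desk matters.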

airratt301b
December 3, 2000, 04:31 pm
Thanks for the info. I didn't know ZoneAlarm had that program. I think I have that trace tool on CD also. Thanks again.

------------------
Steve

C15
December 6, 2000, 01:03 pm
I used ZoneAlarm in combination with SamSpade and got a lot of "intrusion alerts";
most of them originated from an IP block in Macedonia, at least that was what SamSpade told me... After installing Norton Personal Firewall, it appeared to be users on the same network as me, who (accidentally or not...) were looking who else was on the network (and NOT the Macedonia guys!!).
Strangely enough, ZoneAlarm did not detect the SubSeven scanner kids (Norton's Firewall did this, WITH the IPs of the wannabe intruders...).


------------------

airratt301b
December 6, 2000, 07:38 pm
I got lucky today: with the ZoneAlarm ZoneLog Analyzer I reported an attack to the ISP of the abuser, and they sent me an email back to tell me they got them.

------------------
Steve

manunkind
December 7, 2000, 04:59 am
C15, I'm not sure why ZA didn't pick up on that. Use whatever works best for you, but I would keep ZA running no matter what else you decide to use. Welcome to the board! :)


Steve, congrats on your success of nabbing a bad guy. :) The emailing option is a great tool for these attacks, but you have to be certain before you send one.

------------------
Moderator at Help from Techs Support Forums (http://www.helpfromtechs.com)

airratt301b
December 7, 2000, 01:51 pm
C15, check this out.

On Norton Personal Firewall, which I use in conjunction with ZoneAlarm, go to http://www.grc.com and do a Shields Up with only Norton Personal Firewall enabled. Look at the results. Reconfigure your personal information afterwards to block what it reveals, and notice that there is a port open. It still blocks access to the port; however, the guy makes a very good point. Now that a scan has revealed there is a port at that address, it will probably be logged so they can come back and try again. Then use ZoneAlarm and do a Shields Up with Norton disabled. Compare the results. Then decide.

------------------
Steve

C15
December 8, 2000, 06:45 am
Yes, I know... I did this comparison several times... last time was 7 Dec. with the latest ZA; the results are very impressive (ports stealthed, and with Norton only closed)! However, for some reason (Win2K??) Trojan scans were not picked up again, and after a restart I lost my network connection altogether (after removing ZA, this problem got solved...).
I have to work on this, to find out why ZA in combination with my Win2K (without any SP) gives these strange results... With W98 it works O.K. as far as I can see.

------------------

C15
December 9, 2000, 07:17 am
With Gibson's "leaktest" renamed to "iexplore", Norton's Firewall was easily fooled... so I will have to admit that this is not as solid as could be expected from a major firewall...



This message has been edited by C15 on December 09, 2000 at 05:23 AM

airratt301b
December 9, 2000, 02:12 pm
I saw a post about configuring Norton so that you uncheck "enable automatic firewall rule creation", and this will keep programs from getting free run of the internet. I am doing that now and it works great. You can block ads, communications to IPs that have no address other than that, and only allow communications to the ports you want and don't want. I am still using ZoneAlarm. Together they make a pretty good team, I think. One does one thing better than the other.

------------------
Steve