-_-" 幹嘛啊, 一直駭..?

[milwater]

大大救郎哦~
這幾天一直有人要在我的server植入木馬, 搞得我不勝其擾!
照以前的經驗, 就算用了LockDown2K來做Firewall, 被攻破也只不過是時間的問題..
請問各位大大, 有辦法能夠制止這X的行為嗎??
以下是8月4日的log檔, 底線是自己的IP, 隱藏起來..
===========================================================================

** LockDown 2000 v7.0.0.6 - 星期六, 八月 4, 2001 - 10:08 PM 台北標準時間 **
:: Trojan network connectivity check enabled.
:: Auto Trojan scan is activated.
:: Nuke protection enabled.
:: ICQ Nuke protection enabled.
[2001/8/4 下午 10:09:12] System Area Change - Windows Directory - Rescanning
[2001/8/4 下午 10:09:42] Scan Complete.
[2001/8/4 下午 10:12:13] Incoming hack attempt from IP Address: 211.21.89.146
[2001/8/4 下午 10:12:13] Hacker is attempting to gain access using the Netbus trojan on port 12345.
[2001/8/4 下午 10:12:13] Hacker's connection was terminated by Lockdown 2000.
[2001/8/4 下午 10:12:13] Log auto-saved to: 08042001.LOG
[2001/8/4 下午 10:12:27] Attempting to trace hacker's connection... Some traces may take a few minutes.
[2001/8/4 下午 10:12:27] =[Trace Route]=============================
1 <10 ms <10 ms <10 ms 211.21.__.__
2 60 ms 100 ms 121 ms 10.21.89.254
3 330 ms 1252 ms 881 ms 211.21.89.145
4 110 ms 1141 ms 621 ms 211.21.89.146
[= Trace Route Complete =]
[2001/8/4 下午 10:12:28] Incoming hack attempt from IP Address: 211.21.89.146
[2001/8/4 下午 10:12:28] Hacker is attempting to gain access using the BackOrifice 2000 trojan on port 54320.
[2001/8/4 下午 10:12:28] Hacker's connection was terminated by Lockdown 2000.
[2001/8/4 下午 10:12:28] Log auto-saved to: 08042001.LOG
[2001/8/4 下午 10:12:42] Attempting to trace hacker's connection... Some traces may take a few minutes.
[2001/8/4 下午 10:12:42] =[Trace Route]=============================
1 <10 ms <10 ms <10 ms 211.21.__.__
2 50 ms 70 ms 70 ms 10.21.89.254
3 100 ms 100 ms 100 ms 211.21.89.145
4 171 ms * 420 ms 211.21.89.146
[= Trace Route Complete =]
[2001/8/4 下午 10:32:39] Incoming hack attempt from IP Address: 212.83.119.105
[2001/8/4 下午 10:32:39] Hacker is attempting to gain access using the Netbus trojan on port 12345.
[2001/8/4 下午 10:32:39] Hacker's connection was terminated by Lockdown 2000.
[2001/8/4 下午 10:32:39] Log auto-saved to: 08042001.LOG
[2001/8/4 下午 10:33:25] Attempting to trace hacker's connection... Some traces may take a few minutes.
[2001/8/4 下午 10:33:25] =[Trace Route]=============================
1 <10 ms <10 ms <10 ms 211.21.__.__
2 61 ms 60 ms 60 ms 10.21.89.254
3 50 ms 60 ms 60 ms 168.95.84.122
4 50 ms 50 ms 50 ms 211.22.36.2
5 50 ms 50 ms 61 ms 168.95.207.26
6 50 ms 50 ms 50 ms 211.22.33.131
7 200 ms 200 ms 200 ms 202.39.91.1
8 210 ms 200 ms 210 ms 157.130.197.97
9 200 ms 200 ms 200 ms 152.63.53.14
10 200 ms 210 ms 200 ms 152.63.49.210
11 200 ms 210 ms 201 ms 152.63.50.189
12 200 ms 210 ms 201 ms 205.171.4.97
13 200 ms 210 ms 201 ms 205.171.22.118
14 200 ms 210 ms 211 ms 205.171.5.123
15 270 ms 271 ms 270 ms 205.171.5.113
16 260 ms 271 ms 260 ms 205.171.30.14
17 261 ms 270 ms 270 ms 205.171.30.142
18 351 ms 360 ms 361 ms 134.222.231.73
19 360 ms 351 ms 350 ms 134.222.230.110
20 371 ms 380 ms 391 ms 134.222.230.150
21 380 ms 391 ms 391 ms 134.222.119.233
22 381 ms 391 ms 380 ms 212.226.242.106
23 381 ms 390 ms 391 ms 212.226.242.98
24 390 ms 401 ms 400 ms 193.65.231.90
25 391 ms 400 ms 401 ms 212.83.96.169
26 400 ms 401 ms 400 ms 212.83.119.2
27 531 ms 511 ms 511 ms 212.83.119.105
[= Trace Route Complete =]
[2001/8/4 下午 10:34:33] Incoming hack attempt from IP Address: 212.83.119.105
[2001/8/4 下午 10:34:33] Hacker is attempting to gain access using the Netbus trojan on port 12345.
[2001/8/4 下午 10:34:33] Hacker's connection was terminated by Lockdown 2000.
[2001/8/4 下午 10:34:33] Log auto-saved to: 08042001.LOG
[2001/8/4 下午 10:35:18] Attempting to trace hacker's connection... Some traces may take a few minutes.
[2001/8/4 下午 10:35:18] =[Trace Route]=============================
1 <10 ms <10 ms <10 ms 211.21.__.__
2 50 ms 61 ms 70 ms 10.21.89.254
3 50 ms 50 ms 50 ms 168.95.84.122
4 50 ms 60 ms 60 ms 211.22.36.2
5 50 ms 60 ms 50 ms 168.95.207.26
6 50 ms 60 ms 60 ms 211.22.33.131
7 201 ms 200 ms 200 ms 202.39.91.1
8 201 ms 200 ms 210 ms 157.130.197.97
9 201 ms 210 ms 200 ms 152.63.53.14
10 201 ms 210 ms 200 ms 152.63.49.210
11 201 ms 200 ms 200 ms 152.63.50.189
12 210 ms 210 ms 200 ms 205.171.4.97
13 200 ms 210 ms 210 ms 205.171.22.118
14 200 ms 200 ms 211 ms 205.171.5.123
15 270 ms 270 ms 271 ms 205.171.5.113
16 260 ms 271 ms 280 ms 205.171.30.14
17 260 ms 271 ms 270 ms 205.171.30.142
18 351 ms 360 ms 361 ms 134.222.231.73
19 360 ms 351 ms 370 ms 134.222.230.110
20 381 ms 380 ms 381 ms 134.222.230.150
21 380 ms 391 ms 380 ms 134.222.119.233
22 381 ms 390 ms 391 ms 212.226.242.106
23 380 ms 391 ms 381 ms 212.226.242.98
24 391 ms 401 ms 390 ms 193.65.231.90
25 401 ms 390 ms 401 ms 212.83.96.169
26 400 ms 411 ms 400 ms 212.83.119.2
27 491 ms 521 ms 510 ms 212.83.119.105
[= Trace Route Complete =]
[2001/8/4 下午 10:39:39] Incoming hack attempt from IP Address: 212.83.119.105
[2001/8/4 下午 10:39:39] Hacker is attempting to gain access using the Netbus trojan on port 12345.
[2001/8/4 下午 10:39:39] Hacker's connection was terminated by Lockdown 2000.
[2001/8/4 下午 10:39:39] Log auto-saved to: 08042001.LOG
[2001/8/4 下午 10:40:24] Attempting to trace hacker's connection... Some traces may take a few minutes.
[2001/8/4 下午 10:40:24] =[Trace Route]=============================
1 <10 ms <10 ms <10 ms 211.21.__.__
2 60 ms 70 ms 60 ms 10.21.89.254
3 50 ms 60 ms 50 ms 168.95.84.122
4 50 ms 60 ms 50 ms 211.22.36.2
5 50 ms 60 ms 60 ms 168.95.207.26
6 51 ms 50 ms 60 ms 211.22.33.131
7 200 ms 201 ms 200 ms 202.39.91.1
8 210 ms 201 ms 210 ms 157.130.197.97
9 200 ms 211 ms 200 ms 152.63.53.14
10 200 ms 201 ms 200 ms 152.63.49.210
11 200 ms 201 ms 200 ms 152.63.50.189
12 200 ms 201 ms 210 ms 205.171.4.97
13 200 ms 211 ms 200 ms 205.171.22.118
14 201 ms 210 ms 200 ms 205.171.5.123
15 271 ms 270 ms 270 ms 205.171.5.113
16 260 ms 270 ms 261 ms 205.171.30.14
17 260 ms 271 ms 270 ms 205.171.30.142
18 350 ms 361 ms 360 ms 134.222.231.73
19 351 ms 360 ms 371 ms 134.222.230.110
20 370 ms 381 ms 380 ms 134.222.230.150
21 381 ms 380 ms 391 ms 134.222.119.233
22 380 ms 391 ms 391 ms 212.226.242.106
23 381 ms 391 ms 390 ms 212.226.242.98
24 391 ms 400 ms 391 ms 193.65.231.90
25 390 ms 401 ms 400 ms 212.83.96.169
26 401 ms 400 ms 401 ms 212.83.119.2
27 621 ms 540 ms 511 ms 212.83.119.105

===========================================================================
T_T

[iamapo]

用netstat -a看一下你有開port 12345嗎
如果有,趕快用Ctrl+Alt+Del檢視目前的程式狀況
將來路不明的程式刪除吧...(使用The Cleaner軟體也可以)
如果沒有開port 12345 那就只是對方在try而已,不是真的入侵...
不用太緊張...^^

[milwater]

TCP www:12345 www.abc.com.tw:0 LISTENING

..這算開啟了嗎 ..??

[iamapo]

最初由 milwater
TCP www:12345 www.abc.com.tw:0 LISTENING

..這算開啟了嗎 ..??

喔...你真的被植入木馬程式耶
趕快檢查是那支程式做怪吧...
祝好運~~

[milwater]

後續報告

後來安裝了Cleaner3, 讓它去掃硬碟看看,
結果 - 果然有一隻大陸來的王八蛋.把它delete掉.
後續再看看..

[iget]

我的好像也中標了

[Duron]

我也是用BlackICE,情況跟iget的差不多!

但以Cleaner3掃瞄,也沒發現什麼可疑的程式,
且以手工的方法檢查,也沒發現,又用NAV檢查,
也沒問題,我想這個情況應該不是中標!

[micchung]

最初由 iget
我的好像也中標了

這個應該是一堆中了code red的倒楣鬼吧..
所以才會拼命scan port 80