Democratic Underground
My computer just got attacked.

alfredo (Donating Member, 1000+ posts) Tue Dec-02-03 01:49 AM
Original message
My computer just got attacked.
I was able to log everything. I ran a whois too. What would you do with this info? I sent it on to my ISP. Not sure what they can do.

The attack came out of Korea

Here is the log, then the whois.

Tuesday, December 2, 2003
1:09:33

• Settings :

- Detect connections to specified ports. 21 25 80 110 137 138 139 1243 2773 2774 4590 4950 5025 5500 5760 6666 6667 6711 6712 6713 6776 7000 7215 7300 7301 7306 7307 7308 8787 12345 12346 12354 16959 20034 27374 27573 30029 31337 31338 31785 31787 31788 49301 54283 54320 54321.

• Detected IP :

- 220.117.227.76:27374 220.117.227.76 Bad Blood, Ramen, Seeker, Subseven, Subseven 2.1 Gold, Subseven 2.1.4 Defcon 8, Subseven Muie, Ttfloader 1:08:46 ;
- 220.117.227.76:1243 220.117.227.76 Backdoor-g, Subseven, Subseven Apocalypse, Tiles 1:09:04.

Here is the whois:

whois 220.117.227.76

OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU

ReferralServer: whois://whois.apnic.net

NetRange: 220.0.0.0 - 220.255.255.255
CIDR: 220.0.0.0/8
NetName: APNIC6
NetHandle: NET-220-0-0-0-1
Parent:
NetType: Allocated to APNIC
NameServer: NS1.APNIC.NET
NameServer: NS3.APNIC.NET
NameServer: NS.RIPE.NET
NameServer: RS2.ARIN.NET
Comment: This IP address range is not registered in the ARIN database.
Comment: For details, refer to the APNIC Whois Database via
Comment: WHOIS.APNIC.NET or http://www.apnic.net/apnic-bin/whois2.pl
Comment: ** IMPORTANT NOTE: APNIC is the Regional Internet Registry
Comment: for the Asia Pacific region. APNIC does not operate networks
Comment: using this IP address range and is not able to investigate
Comment: spam or abuse reports relating to these addresses. For more
Comment: help, refer to http://www.apnic.net/info/faq/abuse
Comment:
RegDate:
Updated: 2002-09-11

OrgTechHandle: AWC12-ARIN
OrgTechName: APNIC Whois Contact
OrgTechPhone: +61 7 3858 3100
OrgTechEmail: search-apnic-not-arin@apnic.net

# ARIN WHOIS database, last updated 2003-12-01 19:15
# Enter ? for additional hints on searching ARIN's WHOIS database.
%
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 220.116.0.0 - 220.127.255.255
netname: KORNET
descr: KOREA TELECOM
descr: Network Management Center
country: KR
admin-c: DL248-AP
tech-c: GK40-AP
descr: ************************************************
descr: Allocated to KRNIC Member.
descr: If you would like to find assignment
descr: information in detail please refer to
descr: the KRNIC Whois Database at:
descr: "http://whois.nic.or.kr/english/index.html"
descr: ************************************************
status: ALLOCATED PORTABLE
notify: security@hanaro.com
mnt-by: MNT-KRNIC-AP
changed: hm-changed@apnic.net 20021231
source: APNIC

person: Dong-Joo Lee
address: 128-9 Yeong-Dong Jongro-Ku Seoul
address: Network Management Center
country: KR
phone: +82-2-766-1407
fax-no: +82-2-766-6008
e-mail: ip@ns.kornet.net
nic-hdl: DL248-AP
mnt-by: MAINT-NEW
changed: hostmaster@nic.or.kr 20010425
source: APNIC

person: Gyung-Jun Kim
address: KORNET
address: 128-9, Yeong-Dong, Jongro-Ku
address: SEOUL
address: 110-763
country: KR
phone: +82-2-747-9213
fax-no: +82-2-3673-5452
e-mail: ip@ns.kornet.net
nic-hdl: GK40-AP
mnt-by: MNT-KRNIC-AP
changed: hostmaster@nic.or.kr 20010906
source: APNIC

inetnum: 220.117.224.0 - 220.117.239.255
netname: KORNET-XDSL-SONGPA-KR
descr: SONGPA NODE
descr: SONGPAJEONHWAKUK SINCHEONDONG SONGPAKU
descr: SEOUL
descr: 138-703
country: KR
admin-c: HL13860-KR
tech-c: WK18172-KR
remarks: This IP address space has been allocated to KRNIC.
remarks: For more information, using KRNIC Whois Database
remarks: whois -h whois.nic.or.kr
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster@nic.or.kr 20031124
source: KRNIC

person: HeungGu Lee
descr: KOREA TELECOM
descr: 128-9 Youngundong Chongroku
descr: SEOUL
descr: 110-460
country: KR
phone: +82-2-747-9213
fax-no: +82-2-747-8701
e-mail: ip@ns.kornet.net
nic-hdl: HL13860-KR
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster@nic.or.kr 20031124
source: KRNIC

person: Won Kang
descr: KOREA TELECOM
descr: 128-9 Youngundong Chongroku
descr: SEOUL
descr: 110-460
country: KR
phone: +82-2-747-9213
fax-no: +82-2-747-8701
e-mail: ip@ns.kornet.net
nic-hdl: WK18172-KR
mnt-by: MNT-KRNIC-AP
remarks: This information has been partially mirrored by APNIC from
remarks: KRNIC. To obtain more specific information, please use the
remarks: KRNIC whois server at whois.krnic.net.
changed: hostmaster@nic.or.kr 20031124
source: KRNIC

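The two things a practitioner does with a post like the one above are (a) turn the monitor's detection lines into a per-source record that says whether this was a scan or a stray packet, and (b) find the most specific whois assignment for the source and the contacts behind it, since APNIC itself says it cannot take abuse reports. The block below is an added example, not code from the post or from any port-monitor product. The LOG string is copied from the post and the WHOIS string is excerpted from it; the field layout assumed for a detection line (`<src ip>:<watched local port> <src ip> <signature names> <time>`) is an assumption read off the settings line, and the port-to-name table is only what the monitor itself printed.

```python
"""Parse the monitor log and whois output pasted above (added example, not the
post's own code or any product's). LOG is copied and WHOIS excerpted from the
post. Assumption: a detection line reads "<src ip>:<watched local port> <src ip>
<signature names> <time>", which is how the settings line describes it."""
import ipaddress
import re
from collections import defaultdict

LOG = """\
- Detect connections to specified ports. 21 25 80 110 137 138 139 1243 2773 2774 4590 4950 5025 5500 5760 6666 6667 6711 6712 6713 6776 7000 7215 7300 7301 7306 7307 7308 8787 12345 12346 12354 16959 20034 27374 27573 30029 31337 31338 31785 31787 31788 49301 54283 54320 54321.
- 220.117.227.76:27374 220.117.227.76 Bad Blood, Ramen, Seeker, Subseven, Subseven 2.1 Gold, Subseven 2.1.4 Defcon 8, Subseven Muie, Ttfloader 1:08:46 ;
- 220.117.227.76:1243 220.117.227.76 Backdoor-g, Subseven, Subseven Apocalypse, Tiles 1:09:04.
"""
WHOIS = """\
inetnum: 220.116.0.0 - 220.127.255.255
netname: KORNET
country: KR
admin-c: DL248-AP
tech-c: GK40-AP

inetnum: 220.117.224.0 - 220.117.239.255
netname: KORNET-XDSL-SONGPA-KR
country: KR
admin-c: HL13860-KR
tech-c: WK18172-KR

person: HeungGu Lee
e-mail: ip@ns.kornet.net
nic-hdl: HL13860-KR
"""
IP = r"\d{1,3}(?:\.\d{1,3}){3}"
DETECT_RE = re.compile(rf"^- (?P<ip>{IP}):(?P<port>\d+) (?P<src>{IP}) (?P<names>.+?) "
                       r"(?P<time>\d{1,2}:\d{2}:\d{2})\s*[;.]\s*$")

def _secs(hms):
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s

def parse_log(text):
    """Return (watched ports, detections); a detection is src, local port,
    the signature names the monitor ties to that port, seconds since midnight."""
    watched, hits = set(), []
    for line in text.splitlines():
        line = line.strip()
        if "specified ports." in line:
            watched = {int(p) for p in re.findall(r"\d+", line.split("specified ports.", 1)[1])}
        elif (m := DETECT_RE.match(line)):
            hits.append({"src": m["src"], "port": int(m["port"]), "t": _secs(m["time"]),
                         "names": [n.strip() for n in m["names"].split(",")]})
    return watched, hits

def summarize(watched, hits, window=60):
    """Group by source. More than one watched port from one source inside
    `window` seconds is a scan worth reporting, not a stray packet."""
    by_src = defaultdict(list)
    for h in hits:
        by_src[h["src"]].append(h)
    report = {}
    for src, hs in by_src.items():
        hs.sort(key=lambda h: h["t"])
        ports = [h["port"] for h in hs]
        span = hs[-1]["t"] - hs[0]["t"]
        report[src] = {"ports": ports, "span_seconds": span,
                       "unwatched": [p for p in ports if p not in watched],  # monitor bug if non-empty
                       "names": sorted({n for h in hs for n in h["names"]}),
                       "scan": len(set(ports)) > 1 and span <= window}
    return report

def parse_whois(text):
    """RPSL-style output: blank-line separated objects of 'key: value' lines."""
    objects, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                objects.append(cur)
            cur = {}
        elif ":" in line and not line.startswith(("%", "#")):
            k, v = line.split(":", 1)
            cur.setdefault(k.strip(), []).append(v.strip())
    return objects + ([cur] if cur else [])

def most_specific_inetnum(objects, ip):
    """Smallest inetnum range containing ip: the assignment whose contacts get the report."""
    addr, best, best_size = ipaddress.ip_address(ip), None, None
    for o in objects:
        if "inetnum" in o:
            lo, hi = (ipaddress.ip_address(x.strip()) for x in o["inetnum"][0].split("-"))
            if lo <= addr <= hi and (best is None or int(hi) - int(lo) < best_size):
                best, best_size = o, int(hi) - int(lo)
    return best

def contacts(objects, inet):
    """E-mail addresses behind the admin-c/tech-c handles of an inetnum object."""
    handles = set(inet.get("admin-c", []) + inet.get("tech-c", []))
    return sorted({e for o in objects if o.get("nic-hdl", [""])[0] in handles
                   for e in o.get("e-mail", [])})

if __name__ == "__main__":
    watched, hits = parse_log(LOG)
    print(summarize(watched, hits))
    objs = parse_whois(WHOIS)
    inet = most_specific_inetnum(objs, "220.117.227.76")
    print(inet["netname"][0], contacts(objs, inet))
```

On the post's data this yields one source, two watched ports hit 18 seconds apart, so it is classified as a scan, and the /20 KORNET-XDSL-SONGPA-KR assignment (not the /8 or the KORNET /12) is the object whose contacts a report would go to. The `unwatched` list is a sanity check on the monitor itself: a port in a detection line that is not in the configured list means the tool is not doing what its settings say.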
Rocinante (Donating Member, 1000+ posts) Tue Dec-02-03 01:54 AM
Response to Original message
1. I get at least a dozen a day
I just make sure the firewall keeps 'em blocked after the first try. I wouldn't have time to do anything else if I reported all of them.
alfredo (Donating Member, 1000+ posts) Tue Dec-02-03 02:00 AM
Response to Reply #1
2. the ports attacked were closed
I guess they were expecting Windows.

I have this computer shut down pretty tight.
Rocinante (Donating Member, 1000+ posts) Tue Dec-02-03 02:04 AM
Response to Reply #2
3. Yeah
I'm not well versed in computer speak but was it a subseven trojan horse attack? That seems to be a favorite among attackers.
nothingshocksmeanymore (Donating Member, 1000+ posts) Tue Dec-02-03 02:10 AM
Response to Reply #3
4. I got about a million of those this weekend
It has been high activity over the past few days.
alfredo (Donating Member, 1000+ posts) Tue Dec-02-03 02:19 AM
Response to Reply #4
5. I keep a
honeypot running and those were the first.
this_side_up (Donating Member, 1000+ posts) Tue Dec-02-03 03:27 AM
Response to Reply #5
6. What is a honeypot? (no text)
alfredo (Donating Member, 1000+ posts) Tue Dec-02-03 02:35 PM
Response to Reply #6
7. Here's an explanation.
Before you ever use one, do not use them to attack the person who is attacking you. Use them to help detect attackers and what ports they are trying to exploit.

With honeypots you can attack the attacker, but that is not the right thing to do. Mostly a honeypot is a decoy to trap attackers.

Read this for info on honeypots

http://www.tracking-hackers.com/papers/honeypots.html
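The point of the reply above is that a honeypot is for observing which ports get probed, never for hitting back. The smallest form of that is a listen-only decoy: bind the ports the scanner is looking for, accept whatever connects, record the source, the port and the first few bytes, and hang up. The block below is an added example, not code from the post or from the linked paper. The port labels are the two SubSeven ports the poster's monitor flagged; binding them on 127.0.0.1 (with an ephemeral port as fallback if one is busy) and the probe bytes sent by the built-in client are constructed for the demo.

```python
"""Listen-only TCP honeypot (added example, not the post's code or the linked
paper's). It accepts, records who connected to which port and the first bytes
sent, and closes. It never replies and never connects back. Port labels come
from the post's own detection lines; binding them on 127.0.0.1 is only for
the demo, with an ephemeral port as fallback if one is in use."""
import asyncio
import time

PORT_LABELS = {27374: "SubSeven default port", 1243: "SubSeven / Backdoor-G"}


class Honeypot:
    def __init__(self, labels=PORT_LABELS, read_timeout=0.5):
        self.labels = labels
        self.read_timeout = read_timeout
        self.records = []
        self._servers = []

    async def _handle(self, reader, writer):
        peer = writer.get_extra_info("peername")
        local = writer.get_extra_info("sockname")
        try:  # read a little, briefly: a bare connect scan sends nothing at all
            banner = await asyncio.wait_for(reader.read(64), self.read_timeout)
        except asyncio.TimeoutError:
            banner = b""
        self.records.append({"ts": time.time(), "src": peer[0], "src_port": peer[1],
                             "port": local[1], "label": self.labels.get(local[1], "unlabelled"),
                             "banner": banner})
        writer.close()  # no reply of any kind; the decoy only listens
        await writer.wait_closed()

    async def start(self, host, ports):
        """Bind each port; return the ports actually bound."""
        for port in ports:
            try:
                srv = await asyncio.start_server(self._handle, host, port)
            except OSError:  # port busy: still demonstrate, on an ephemeral port
                srv = await asyncio.start_server(self._handle, host, 0)
            self._servers.append(srv)
        return [s.sockets[0].getsockname()[1] for s in self._servers]

    async def stop(self):
        for s in self._servers:
            s.close()
            await s.wait_closed()


async def _probe(host, port, payload):
    """Stand-in for the scanner: connect, send payload, hang up."""
    _, writer = await asyncio.open_connection(host, port)
    writer.write(payload)
    await writer.drain()
    writer.close()
    await writer.wait_closed()


async def demo():
    hp = Honeypot()
    ports = await hp.start("127.0.0.1", list(PORT_LABELS))
    await _probe("127.0.0.1", ports[0], b"\x00\x00\x00\x00")  # constructed probe bytes
    await _probe("127.0.0.1", ports[1], b"")                   # connect-only scan
    for _ in range(40):  # let the handler tasks finish before reading records
        if len(hp.records) >= 2:
            break
        await asyncio.sleep(0.05)
    await hp.stop()
    return ports, hp.records


def run_demo():
    return asyncio.run(demo())


if __name__ == "__main__":
    for r in run_demo()[1]:
        print(f"{r['src']}:{r['src_port']} -> port {r['port']} ({r['label']}) sent {r['banner']!r}")
```

The short read timeout matters: most of what hits these ports is a connect scan that never sends a byte, and a handler that blocks waiting for a banner would let one scanner tie up the decoy. Everything worth acting on (source address, local port, timestamp, first bytes) is in `records`, which is the same information the poster's monitor produced, ready to feed into the per-source summary from the earlier example.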
© 2001 - 2011 Democratic Underground, LLC