Threatened with Hack/Now Weird Internet Traffic

Rouen

I was playing in a CS server and was accused of cheating. The admin stated he was going to "Connect my IP to my computer, so I'll know if he turns a hack on." I promptly turned on Ethereal; after a few minutes, I started getting a lot of weird packets. I would get a UDP packet from a random IP, then it would try to make my computer send an ICMP packet back, but it says destination unreachable. I immediately did an nslookup to see where this guy was located roughly, since most ISPs put the state name (like Texas) into the host name. According to the DNS server, there is no such IP.

I make idle packet captures on a random basis, just to see if there is anything going on in my machine that I don't know about. Typically it's all the same. But I've been getting the same UDP packet from multiple IPs, some exist, some don't (discovered via nslookup), and it tries to force a reply in ICMP to their machine. I have a registry edit so my computer does not redirect ICMPs.

Any ideas?
 
Sounds perhaps like a program that may ask for an ICMP echo or timestamp request... but you said UDP and then ICMP...
Hmm, perhaps whatever it is, you are trying to send back a destination unreachable packet via ICMP and it fails to send, so his side dies and then resends.

Sounds extremely harmless in my book. A big, inefficient waste of time too.

Can you post the entire UDP packet?
 
Having the packet really helps :)

Also, are you connecting thru a router? Do you have a DMZ? We need this information.
 
0000 00 0f db 41 6d 98 00 0e a6 97 d6 a3 08 00 45 00 ...Am... ......E.
0010 00 76 5b 78 00 00 80 01 0e 0d 47 f8 17 98 53 e4 .v[x.... ..G...S.
0020 1d 8e 03 03 ce 56 00 00 00 00 45 00 00 5a 57 e7 .....V.. ..E..ZW.
0030 00 00 71 11 20 aa 53 e4 1d 8e 47 f8 17 98 92 58 ..q. .S. ..G....X
0040 c4 69 00 46 6c f1 64 31 3a 61 64 32 3a 69 64 32 .i.Fl.d1 :ad2:id2
0050 30 3a 6a 86 5d c4 53 8e 31 e7 e8 b1 03 4d 2a 04 0:j.].S. 1....M*.
0060 4e f8 29 84 9a ed 65 31 3a 71 34 3a 70 69 6e 67 N.)...e1 :q4:ping
0070 31 3a 74 38 3a 5e e1 66 76 5c 37 58 23 31 3a 79 1:t8:^.f v\7X#1:y
0080 31 3a 71 65 1:qe

0000 00 0f db 41 6d 98 00 0e a6 97 d6 a3 08 00 45 00 ...Am... ......E.
0010 00 76 5b 7a 00 00 80 01 58 2c 47 f8 17 98 dd 7f .v[z.... X,G.....
0020 49 d1 03 03 84 35 00 00 00 00 45 00 00 5a b3 c0 I....5.. ..E..Z..
0030 00 00 72 11 0d f2 dd 7f 49 d1 47 f8 17 98 1f d5 ..r..... I.G.....
0040 c4 69 00 46 68 a8 64 31 3a 61 64 32 3a 69 64 32 .i.Fh.d1 :ad2:id2
0050 30 3a 3e 7a a3 e0 3f f0 b9 b7 8c 62 3e ff f2 b3 0:>z..?. ...b>...
0060 a6 19 83 07 88 97 65 31 3a 71 34 3a 70 69 6e 67 ......e1 :q4:ping
0070 31 3a 74 38 3a 54 c3 45 bb 26 3f 02 e1 31 3a 79 1:t8:T.E .&?..1:y
0080 31 3a 71 65 1:qe

0000 00 0f db 41 6d 98 00 0e a6 97 d6 a3 08 00 45 00 ...Am... ......E.
0010 00 76 5b 75 00 00 80 01 26 fe 47 f8 17 98 3c b0 .v[u.... &.G...<.
0020 1b d4 03 03 b5 68 00 00 00 00 45 00 00 5a 2b 01 .....h.. ..E..Z+.
0030 00 00 2e 11 a9 7e 3c b0 1b d4 47 f8 17 98 24 8b .....~<. ..G...$.
0040 c5 19 00 46 07 53 64 31 3a 61 64 32 3a 69 64 32 ...F.Sd1 :ad2:id2
0050 30 3a 11 cd 39 b6 17 cd 58 81 31 2b 7d b0 4c 6a 0:..9... X.1+}.Lj
0060 a6 72 f0 eb 47 0b 65 31 3a 71 34 3a 70 69 6e 67 .r..G.e1 :q4:ping
0070 31 3a 74 38 3a 19 0b 4e 5d 2a c8 3d 4f 31 3a 79 1:t8:..N ]*.=O1:y
0080 31 3a 71 65 1:qe

Basically this is the same ICMP packet from three IPs. There were about 15 IPs sending me the same thing in quick succession. Yes, I am behind a router and I do not have a DMZ.
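As an added example (not code from anyone in the thread), here is a small Python decoder for the first hex dump posted above: it walks the Ethernet, IPv4, ICMP, quoted IPv4 and UDP headers and then bencode-decodes the UDP payload. The outer packet is ICMP type 3 code 3 (port unreachable) leaving the poster's host, and the datagram it quotes is a KRPC "ping" query, the keep-alive that BitTorrent DHT peers (BEP 5) send to nodes they still hold in their routing tables; the DHT node ID and transaction ID are whatever the remote peer put there.

```python
import struct
# Data bytes of the first hex dump in the post above (offset and ASCII columns removed).
DUMP_1 = bytes.fromhex(
    "00 0f db 41 6d 98 00 0e a6 97 d6 a3 08 00 45 00"
    "00 76 5b 78 00 00 80 01 0e 0d 47 f8 17 98 53 e4"
    "1d 8e 03 03 ce 56 00 00 00 00 45 00 00 5a 57 e7"
    "00 00 71 11 20 aa 53 e4 1d 8e 47 f8 17 98 92 58"
    "c4 69 00 46 6c f1 64 31 3a 61 64 32 3a 69 64 32"
    "30 3a 6a 86 5d c4 53 8e 31 e7 e8 b1 03 4d 2a 04"
    "4e f8 29 84 9a ed 65 31 3a 71 34 3a 70 69 6e 67"
    "31 3a 74 38 3a 5e e1 66 76 5c 37 58 23 31 3a 79"
    "31 3a 71 65")

def ipv4(b):
    return ".".join(str(x) for x in b)

def bdecode(data, i=0):
    """Bencode subset (dicts, ints, byte strings) that KRPC uses; returns (value, next)."""
    c = data[i:i + 1]
    if c == b"d":
        out, i = {}, i + 1
        while data[i:i + 1] != b"e":
            key, i = bdecode(data, i)
            out[key], i = bdecode(data, i)
        return out, i + 1
    if c == b"i":
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    colon = data.index(b":", i)            # byte string: <length>:<bytes>
    n = int(data[i:colon])
    return data[colon + 1:colon + 1 + n], colon + 1 + n

def decode_frame(frame):
    """Walk Ethernet -> IPv4 -> ICMP -> quoted IPv4 -> UDP -> bencoded payload."""
    assert frame[12:14] == b"\x08\x00", "not IPv4"
    ip = frame[14:]
    assert ip[9] == 1, "not ICMP"
    icmp = ip[(ip[0] & 0x0F) * 4:]
    # An ICMP error quotes the header and first bytes of the datagram that caused it.
    inner = icmp[8:]
    udp = inner[(inner[0] & 0x0F) * 4:]
    sport, dport, ulen = struct.unpack("!HHH", udp[:6])
    msg, _ = bdecode(udp[8:ulen])
    return {
        "outer": (ipv4(ip[12:16]), ipv4(ip[16:20]), "ICMP", icmp[0], icmp[1]),
        "quoted": (ipv4(inner[12:16]), ipv4(inner[16:20]), "UDP", sport, dport),
        "krpc": {"y": msg[b"y"], "q": msg[b"q"], "id": msg[b"a"][b"id"].hex()},
    }
print(decode_frame(DUMP_1))
```

Run against the other two dumps the decode is the same apart from addresses and IDs: inbound UDP to port 50281 from a DHT peer, answered by the host with port unreachable because nothing is listening there any more.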
 
Well, if all his program wants is an ICMP (not to mention a misdirected one...) packet, he's not gonna get much info out of you. Sounds like some harmless script kiddie trick.
 
Probably is, but I've heard of this happening to someone, a friend of the family who is a graduate of Johns Hopkins with a Master's in IT. Someone tagged his computer somehow, so that no matter how many different IPs he got, how many times he reinstalled Windows, he constantly got attacked and compromised. He said, and I quote, "I'm a graduate of Hopkins University. I owe over $120,000 in student loans. I thought I knew all the s**t. But apparently, I don't know s**t."

He thought he had hardened his machine; an entire blackhat community somehow found out (probably through a profile like on MySpace) that he was a graduate of IT from Hopkins and broke into the machine. I believe he was also running a honeypot. They took pictures of him off his computer, wearing a swimsuit, and put them on the front page of their community website, bragging about it.

This is why I even bothered worrying about it and taking measures, plus posting it up here.
 
If he's running a honeypot, that's like telling the hacker "here I am" over and over again. That would probably explain why he's always being targeted.

So you're saying you've never seen this before and that you've only seen it now after you were threatened? I'm not trying to question your intelligence or anything, but sometimes people can get so paranoid and don't realize that this type of stuff was happening on their machine a long time before they even knew about it.
 
ibarrere said:
why was he running a honeypot with his personal machine??

I'm pretty sure he isn't, but the honeypot is part of his network and it shares the same public IP address. That's just what I'm assuming. There's no way for someone to just "tag" someone on the Internet and find them that easily.
 