The last several days I’ve been getting quite a few notices from my Norton SystemWorks about attempts to access my computer by “worms.” The most recent was earlier this afternoon:
Details: Attempted Intrusion “Portscan” against your machine was detected and blocked.
Intruder: 7.12.12.16(13364).
Risk Level: Medium.
Protocol: UDP.
Attacked IP: PDDOC-G5G26QUAN(207.119.206.249).
Attacked Port: 1034.
Click the address to trace the attacker.
Details: Intrusion detected and blocked. All communication with 7.12.12.16 will be blocked for 30 minutes.
The notices were somewhat lacking in information about the worms and I’m not very knowledgeable about computer worms, so I decided to google it using the words portscan and worm.
It turns out, as I now understand it, that there are a number of different software “ports” for computers used for various kinds of communication. For instance, one “port” might be used for outgoing e-mail and others are used for incoming e-mail, instant messaging, etc.
A portscan worm is a probe coming in from the internet that scans these ports looking for opportunities to enter a vulnerable computer and do its dirty work.
I can’t think of anything good about this, except that SystemWorks appears to be successful in stopping it — for now.
26 Responses to “Worm Attack!!!”
- Richard UK Says:
March 21st, 2006 at 5:14 pm I have had numerous attacks during the last two weeks made by the
same person from the IP address mentioned. He/she is based in your
country, (I’m in UK.)
details obtained are;
Columbus,
Ohio,
Org name: DoD Network Centre,
Org ID: DNIC,
3990 E. Broad Street,
PostalCode 43218.
My Norton software denies the criminal any access, unfortunately I
cannot find an email address for the above organisation to report
the scum’s activity. Perhaps someone reading your site can report
the IP address etc to the organisation reporting the activity?
- Robin Says:
March 22nd, 2006 at 11:49 am I’ve been getting the same message myself and it’s knocking me off the internet. I’m interested in hearing what the fix to this is.
- Mike Says:
March 22nd, 2006 at 12:23 pm I haven’t seen a re-occurrence of this since the 18th. For me, the fix seems to be to make sure that my operating system software, internet access software and Norton SystemWorks are up to date.
Doing a search on the internet, DNIC = Data Network Identification Code, so the Org ID is probably false.
“DoD Network Centre” and “DoD Network Center” both came up with no match in Google. I suspect the Org name is also false. DoD normally refers to Department of Defense in the US.
There is a “Defense Center Supply” at that address according to Google, but my bet would be that it has nothing to do with this worm.
I don’t usually bother with reporting these things. I used to report every spam message and virus that I got. It got to be too much of a hassle. Then it occurred to me that if I’m getting these things, then people who get paid to look for them and react to them are also getting paid so I just do what I can to make my system secure and spread the word to others who might be interested. Now I get almost no viruses and way too much spam.
- Robin Says:
March 22nd, 2006 at 1:26 pm Thanks I’ll run my update again just to make sure and if still having problem I’ll be contacting Norton.
- Sam Says:
March 23rd, 2006 at 11:33 pm I’m getting the same thing, I was freaking out wondering why the Dept of Defense was trying to scope my pc. I’m glad to see some others with the same message.
- Peter Says:
March 24th, 2006 at 9:39 am I’ve had a lot of trouble (in the UK) with this character as well, particularly when I am on Ebay. My Bullguard antivirus stops it each time, but there does not seem to be a full time cure. Whoever it is, he/she is very active, probing my system nearly every time I log on. Glad at least to see that I am not alone!
- Mike Says:
March 24th, 2006 at 9:47 am That’s interesting. I don’t log off often. It does appear that the occurrence corresponds to when I was logging back on after I had rebooted the machine for some reason.
- Paul Says:
March 24th, 2006 at 11:32 am I’m getting the same thing in Toronto. Every 6 hours 7.12.12.16 has been attacking my computer.
I’ve traced it to DoD in Ohio who is collecting info for DISA in California. (Defense Information
Systems Agency – www.disa.mil)
Is this something to be concerned about?
- Kaia Says:
March 24th, 2006 at 2:15 pm I’ve been getting this as well, just about every day for the past several days. Thanks for posting your info … it was freaking me out too.
- Mike Says:
March 24th, 2006 at 7:05 pm While it “looks” like a Department of Defense hack, I doubt the accuracy of any of the info.
So far as the need to be concerned about it, it appears that everyone that has commented here has software that has seen it and, I suppose, stopped it, with little or no adverse consequences. Robin, on the 22nd, mentioned getting knocked off the internet by it.
From what I have been able to learn, it appears that an attack like this is a probe testing the vulnerability of the computers being targeted. Once a vulnerable port is found, the hacker or hack software can insert code to do all sorts of things.
I think that the ones that need to be concerned are those who do not have the protections in place to bar such attacks.
The attack appears to have first popped up on the 18th, the day I originally made the post, then I didn’t see it for a while. I went back and looked at the worm detection activity, and it turns out it had popped up once on the 19th and again 1 time on the 20th. Then nothing until today at 3:40 am central time USA and then again 6 hours and 2 minutes later. Then 6 hours and 2 minutes later, it popped up again. It’s not getting in — just keeps trying. I’ll check tomorrow morning to see if it shows up at 3:46am or so.
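An added example, not part of the original post or its comments: the fixed-interval pattern reported in the comment above (a repeat about every 6 hours and 2 minutes) can be confirmed from firewall logs by measuring the gaps between detections per source address. The timestamped one-line log format, the sample entries and the 192.0.2.44 source are constructed for illustration; only the Intruder / Protocol / Attacked Port field names come from the alert quoted in the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (assumed export format: timestamp + alert fields).
SAMPLE_LOG = """\
2006-03-24 03:40:00 Portscan; Intruder: 7.12.12.16(13364); Protocol: UDP; Attacked Port: 1034
2006-03-24 09:42:00 Portscan; Intruder: 7.12.12.16(13364); Protocol: UDP; Attacked Port: 1034
2006-03-24 11:05:13 Portscan; Intruder: 192.0.2.44(4021); Protocol: TCP; Attacked Port: 135
2006-03-24 15:44:00 Portscan; Intruder: 7.12.12.16(13364); Protocol: UDP; Attacked Port: 1034
2006-03-24 18:31:40 Portscan; Intruder: 192.0.2.44(4021); Protocol: TCP; Attacked Port: 445
2006-03-24 19:02:07 Portscan; Intruder: 192.0.2.44(4021); Protocol: TCP; Attacked Port: 139
2006-03-24 21:46:00 Portscan; Intruder: 7.12.12.16(13364); Protocol: UDP; Attacked Port: 1034
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*?"
    r"Intruder: (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\((?P<sport>\d+)\).*?"
    r"Protocol: (?P<proto>\w+).*?Attacked Port: (?P<dport>\d+)",
    re.MULTILINE,
)

def parse_alerts(text):
    """Return (timestamp, source_ip, protocol, attacked_port) per alert line."""
    return [
        (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["proto"], int(m["dport"]))
        for m in ALERT_RE.finditer(text)
    ]

def periodic_sources(alerts, min_hits=3, max_jitter=0.05):
    """Map source IP -> mean interval in seconds for sources probing on a timer.

    A source qualifies when it has at least min_hits alerts and the spread of
    its inter-arrival gaps (population std dev / mean) is within max_jitter.
    """
    times = defaultdict(list)
    for ts, ip, _proto, _port in alerts:
        times[ip].append(ts)
    result = {}
    for ip, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            result[ip] = avg
    return result

if __name__ == "__main__":
    for ip, secs in periodic_sources(parse_alerts(SAMPLE_LOG)).items():
        print(f"{ip}: every {secs / 3600:.2f} h")
```

A near-constant gap points to an automated, timer-driven probe rather than a person, which fits the later report in the comments that the source address was being spoofed.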
- Jan-Dirk Says:
March 25th, 2006 at 3:19 am I am experiencing same problems as described above, attacks occur every 6 hours and 3-4 minutes.
- Jay Says:
March 25th, 2006 at 2:09 pm I too have been being scanned non stop from 7.12.12.16. This is indeed a Department of Defense ip, although it could be
spoofed or something. I doubt this is actual intentional activity from the DoD. It is more likely that someone has managed to
either spoof the ip or has actually managed to root a DoD computer for scanning purposes. Either way the DoD would probably
not be happy to have this activity happening through one of its ips. They own from 7.0.0.0 – 7.255.255.255. One possible
remedy would be to e-mail their abuse address, although I wasn’t able to find the specific abuse address this one did pop up
HOSTMASTER@nic.mil as connected to the DoD whois results for 7.12.12.16. So perhaps someone out there who has made abuse
complaints before and is familiar with the process could report this activity from 7.12.12.16 to HOSTMASTER@nic.mil
and hopefully bring it to their attention so it can be stopped.
- Mike Says:
March 25th, 2006 at 9:19 pm I didn’t have time to check this morning, but just
now checked and it did show up three more times:
3:50:12 am
3:53:48 am
3:57:15 am
and nothing since…..
Maybe he’s given up…..
probably not…
- Jan (The Netherlands) Says:
March 26th, 2006 at 10:37 am Until today March 26 (3 times), I got 28 attacks that Norton Internet Security successfully blocked.
First occurrence March 15, 1 to 6 times a day.
- Stev(netherlands0 Says:
March 26th, 2006 at 12:16 pm Yep, me too here in Holland. The IP 7.12.12.16 is port scanning my comp too for several days now.
It seems that it is now portscanning every 6 hours approx..
The best we can do is report it at HOSTMASTER@nic.mil
Search results for: 7.12.12.16
OrgName: DoD Network Information Center
OrgID: DNIC
Address: 3990 E. Broad Street
City: Columbus
StateProv: OH
PostalCode: 43218
Country: US
NetRange: 7.0.0.0 – 7.255.255.255
CIDR: 7.0.0.0/8
NetName: DISANET7
NetHandle: NET-7-0-0-0-1
Parent:
NetType: Direct Allocation
Comment: Defense Information Systems Agency
Comment: DISA /D3
Comment: 11440 Isaac Newton Square
Comment: Reston, VA 22090-5087 US
RegDate: 1997-11-24
Updated: 1998-09-26
RTechHandle: MIL-HSTMST-ARIN
RTechName: Network DoD
RTechPhone: +1-800-365-3642
RTechEmail: HOSTMASTER@nic.mil
OrgTechHandle: MIL-HSTMST-ARIN
OrgTechName: Network DoD
OrgTechPhone: +1-800-365-3642
OrgTechEmail: HOSTMASTER@nic.mil
- Sunshine Says:
March 27th, 2006 at 11:26 am After contacting the hostmaster at (800)365-3642 I was given the number to JTF-GNO (800)357-4231 who said that 7.12.12.16 is indeed being spoofed and anyone having any problem with that ip should contact their own ISP and let them know. The lady I spoke with said that they can probably track this person down. 7.12.12.16 is indeed a DOD ip but that it’s for internal use only.
- North Farnham Freeholder » Blog Archive » Worm Attack!!! Part Two Says:
March 28th, 2006 at 10:41 am […] I don’t know if this has anything to do with the portscan worm that has been probing my computer since March 18 — its spoofed address is 7.12.12.16, an address that is supposed to be for internal US Department of Defense use — but this is one type of activity that an intruder could accomplish if he makes it through into your computer. (I originally posted about the port scan worm in a post on March 18, titled Worm Attack!!!.) by Mike @ 10:41 am. Filed under internet, give me a break!, internet ethics, worms [link] […]
- Mike Says:
March 28th, 2006 at 10:44 am I’ve got a new post on this topic called Worm Attack!!! Part Two. I don’t know if this is the same fella, but if he succeeds in getting in through an open port, this is one kind of unethical activity that he could accomplish.
- Jack Says:
March 29th, 2006 at 5:19 pm Just happened to me here in Ireland.
- Robin Says:
March 30th, 2006 at 9:23 am I’m still having problems with this as well. I’ve always had Norton Virus Protection, however, this last weekend I bought Norton System Works 2006 and the Norton Personal Firewall hoping that this would solve the problem. Not yet… Norton is stopping the attack AND kicking me off the internet for 30 mins at a time. Not good! Unfortunately in order for me to call Norton I must pay an additional fee!! I’m wondering if my next step is to take my PC into the shop and have it gone over for a solution.
- Andrew Says:
March 30th, 2006 at 6:46 pm Had this problem for over a week being intruded from 7.12.12.16(13364). Sent my logs to Symantec for analysis whether
they can get DoD to plug their system or find a way to shut the turkey(s) down would be a reassuring thing. Another
person in Toronto Canada has reported the same thing. Who knows maybe the DoD is testing ISP providers worldwide to see who has
any security holes to stop CyberTerrorism? So far today no problems…I hate it when something seems to go away and then
when you least expect it it comes back!
Glad to hear I’m not the only sufferer!
- Moe Says:
April 10th, 2006 at 9:59 am here is the message that I got pls if any one know how to resolve pls post it
- Moe Says:
April 10th, 2006 at 10:01 am sorry if the pic doesn’t open here is the direct link
http://up5.w6w.net/upload/10-04-2006/w6w_200604101156091b4709f5.JPG
- Robin Says:
April 10th, 2006 at 5:16 pm I’ve scheduled an appointment with the “Geek Squad” for this Friday, April 14th. I’ll let everyone know what the outcome is. I’m VERY frustrated by not being able to even get on the internet. Still kicks me off for 30 mins each time I try to log in.
- Dan Says:
May 2nd, 2006 at 3:25 pm So what did the Geek Squad say?
- John Says:
May 27th, 2006 at 9:28 am been getting hit from this (7.12.12.16) for a bit now.
it stopped for a while , but started again on 21/5/06.
latest port scan from it was on 26/5/06 .
thing I noticed about it was the port scans only started when,
I visited certain sites , be interested to hear if anym
Post from one of my abandoned blogs – North Farnham Freeholder – recovered from Internet Archive WayBackMachine March 2011