GEO Location for 61.160.216.63
62 complaints associated with 61.160.216.63
attempting hacking
this ip/person is port scanning my network trying to gain access for hacking
port scanning
this ip/person is port scanning my network trying to gain access for hacking
Found my Apache server and tried to execute PHP scripts
[Wed Apr 22 10:29:24 2009] [error] [client 61.160.216.63] script 'C:/Program Files/Apache Software Foundation/Apache2.2/htdocs/prx1.php' not found or unable to stat
Daily Scans From IP 61.160.216.063
Daily TCP scanning from this Chinese IP. Usually ports 8080 80 8008 8081 1080 8800 but have seen other TCP ports scanned
trying to get in
this Chinese idiot is trying once again to get into my network on port 80
Misbehaving definitely and...
Is a total idiot, he left the RDP port open on his computer so you can RDP into his pc (I'm a hacker who just likes to take down other hackers to make the Internet better lol). Stupid windows user. List of ports open:
PORT STATE SERVICE VERSION
135/tcp filtered msrpc
139/tcp filtered netbios-ssn
445/tcp filtered microsoft-ds
1023/tcp filtered netvenuechat
1025/tcp open msrpc Microsoft Windows RPC
2967/tcp filtered unknown
3389/tcp open microsoft-rdp Microsoft Terminal Service
4444/tcp filtered krb524
9898/tcp filtered unknown
Service Info: OS: Windows
Get this idiot!!
trying to hack into my ftp server AGAIN
well, i don't even know if this is really a threat or not, but it's the second time so i thought i should report it anyway. here is the log file:
(000009) 6/14/2009 10:51:37 AM - (not logged in) (203.127.202.68)> Connected, sending welcome message...
(000009) 6/14/2009 10:51:37 AM - (not logged in) (203.127.202.68)> 220-Welcome, this server is hosted
(000009) 6/14/2009 10:51:37 AM - (not logged in) (203.127.202.68)> 220 free by www.samos95.com
(000009) 6/14/2009 10:51:37 AM - (not logged in) (203.127.202.68)> disconnected.
and that's all that happened.... like i said, don't know if this time it is a real threat, but still, he is not allowed to be on my private server, and is hacking...
TCP Scanning
I've noticed this host doing loads of TCP SYN scans and annoyingly it's not closing its sockets properly, so it ends up DoS'ing some hosts on our network. RDP is definitely open on that host and you can get to the login screen. I'm guessing it's pw0ned and is just a zombie.
Attempting to access different site
61.160.216.63 repeatedly sends
"GET http://www.wantsfly.com/prx.php?hash=5217030DA12740D71838041B1F904DEBF43753961443 HTTP/1.0" to my web server, which is not on wantsfly.com. Last attempt was at [21/Jun/2009:16:00:02 -0700]; before that was [20/Jun/2009:11:14:53 -0700]; before that was [17/Jun/2009:17:21:59 -0700]; before that was [16/Jun/2009:12:48:41 -0700].
zone alarm
zone alarm blocked this ip from gaining access to my computer and i don't know the intention of the site but i can say the site is in beijing china
attempting access on tcp ports 8008, 1080, 8800
this IP for the last week has been attempting access from at least 10 of my external IP's using mostly the 3 ports listed above.
I created a rule to deny access completely from this IP
zone alarm caught him trying to connect
HackHound or CrazyBoris files are infected with something because I haven't messed with backdoors in forever, and just yesterday I played around with only 4-6 files, and now my firewall has caught 3 connection attempts.
This little chinese prick needs to get arrested already! He tried to connect through port 12200. His IP is 61.160.216.63
tried to access prx.php on my non-php webserver
http://www.wantsfly.com/prx.php shows in my access log but wantsfly is definitely not my domain
Trying also to run prx.php on my computer
61.160.216.63 - this is where he connects from
still probing
This IP has been trying to connect to my own server software trying to see if it will act as a proxy, below is HTTP headers sent to me...
---------------
User Connected: 61.160.216.63, 9
HTTP Request: GET http://www.wantsfly.com/prx.php?hash=B0D93162FA7E2EC34CD791AA1F40CD13DEA0FF8A5D6A HTTP/1.0
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.wantsfly.com
Connection: Keep-Alive
Trying to run prx.php on my computer
This IP has been trying to connect to my own server software trying to see if it will act as a proxy. The information she left behind is:
HTTP Request: GET http://www.wantsfly.com/prx.php?hash=B0D93162FA7E2EC34CD791AA1F40CD13DEA0FF8A5D6A HTTP/1.0 Accept: */* Accept-Language: en-us User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
More Chinese port scanning. uses several different IPs
More Chinese port scanning. uses several different IPs
Not computer literate enough to know what he's doing or what to do about it
Back Trace Information on Sygate Firewall Log Viewer – Security Log of
Time: 8/20/09 7:45:21 AM Security Type: Port Scan Severity: Minor Direction: Incoming
Protocol: TCP Remote Host: 61.160.216.63
In the Notes Section at the left bottom of that page:
Somebody is scanning your computer.
Your computer’s TCP ports: 8080, 80, 8081, and 8800 have been scanned from 61.169.216.63
Whois
Detail Information of ( 61.160.216.63 )
Me Too...
Same exact evidence as the others and I haven't even been up 24 hrs !
not a hacker, but someone who is looking for a proxy
Silly children, this person is a person looking for a proxy server out there that he can connect to, to be able to access sites that China is censoring.
Hacker... maybe, I believe it is someone who is just looking for uncensored news like BBC and CNN.
TCP connection dropped
TCP connection dropped 61.160.216.63, 12200, WAN WAN TCP Port: 7212
This is everywhere? WTF
I have turned on two new dedicated servers with two separate hosts in completely different IP blocks on opposite ends of the US within the last two weeks. Before I even setup DNS to point a domain at either of these servers they are already logging entries from this bozo! This is not someone friendly looking for a proxy, this is malicious and has to be backed by some real resources to cover all the systems it is attacking!
Tried to hack in 30 mins
Had just set up a new dedicated server and hadn't even had time to fix a cup of coffee and a quick bite to eat before this PoS scum rotten tried to hack the server. Freakin ChiCom attempt to get into our systems needs to be dealt with.
61.160.216.63 Trying to scan my computer...
My firewall caught him... scanning my ports...whoever this is, they need to catch him, STOP him and ban him from computers!!!!!
Tried to hack my website
Don't know how the hell they got my domain name, but my website has gotten 3 hostile requests from this idiot.
Trying to hack my computer
My firewall also caught him. Being in China he will be hard to stop. Maybe he will scan a REAL hacker who will somehow mess up his computer!
Chinese Military scans
61.160.216.63
This is a daily event on my site, and I have blocked nearly the entire asian continent due to the malicious behaviour originating from china and eastern european countries.
I firmly believe due to the scope of this particular event, that it is chinese military hackers doing massive scans to find vulnerable proxy servers to perpetrate distributed attacks without actually having an associated botnet in place. Or to use in addition to their existing botnet.
http://www.wantsfly.com/prx2.php?hash=65D6A41CB340235B4A35F3180050294F2D7C1349B6CA
Http Code: 403 Date: Nov 13 08:21:29 Http Version: HTTP/1.0 Size in Bytes: -
Referer: - Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
They should stick to lead paint and child labor
94.72.238.62 - - [22/Nov/2009:04:35:23 -0800] "HEAD / HTTP/1.0" 200 -
61.160.216.63 - - [22/Nov/2009:06:52:17 -0800] "GET http://www.wantsfly.com/prx2.php?hash=C9F647EC97A58D70413DC83900506FC31778BD78530F HTTP/1.0" 404 596
That guy is as bright as a broken lightbulb
That moron tried to execute a malicious file that doesn't exist. "2009-12-08 16:45:30 61.160.216.63 GET /prx2.php hash=0051041842986E8B4B2D4544005017BFBBE04552E9BF 404"
Still scanning
My logs show 146 attempts to access prx.php, prx2.php, etc since July 22nd. I get the impression the host is just scanning for a known vulnerability hoping to exploit it. I can't testify about port scanning as I haven't been checking for port scans.
www.wantsfly.com
Some communist china jackass is all over my log. I am going to block the entire continent of china. Its bad enough our idiot CEOs give our jobs away and our asshole president Obama bowing to them, that we have to deal with hackers from over there.
2009-12-19 16:51:48 W3SVC1 GET /prx2.php hash=40837785DDFCB56F184A69B80050EE08F6442166D688 80 - 61.160.216.63 HTTP/1.0 Mozilla/4.0+(compatible;+MSIE+6.0;+Windows+NT+5.0) - - www.wantsfly.com 404 0 2 1429 248 1667
Trying port 80
Incoming TCP request from port 4114
Dec 23 15:25:25: xxxxxxxxxxxxxxx SRC=61.160.216.63 DST=192.168.xxx.xxx LEN=48 TOS=0x00 PREC=0x00 TTL=103 ID=10147 DF PROTO=TCP SPT=4114 DPT=80 SEQ=1338335443 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (0204058001010402)
Dude is now coming from 61.183.15.9
Still trying to execute that php script.
Game on you gook
FYI, google "block ip by country" and there's a great site that generates an .htaccess for allowing whichever countries you like into your server. I selected USA and it states about 1.5million IP's as of this writing and it was 1mb in size. here's a download if anyone is interested, rename it to ".htaccess" (without anything before the period, and nothing after the word htaccess) and put in the root directory of your server. Try visiting from a proxy outside the USA for proof of concept
http://rapidshare.com/files/344937761/only_allow_USA_IP_range_htaccess.txt.html
Hacking Attempt
[Fri Feb 19 09:30:59 2010] [error] [client 61.183.15.9] script '/var/www/html/prx2.php' not found or unable to stat
Stupid bots.
Did some research. The attempts you are getting and so on is more likely just a bot. Using the same concept as yahoo and google have spiders but going one step further as to getting in through ftp. They try to add a shell to your computer so, yes, they can proxy and DoS other sites from your server. I know this because they use a common username such as NULL or Admin and such with common passwords. I setup a dummy server with those common logins. They came in and once in hijacked the directories and started with the madness. Just make sure no logins are easy, other than that there is really nothing to worry about. Set up a password attempt limit and a ban time.
Attempt to hack my dedi server from 221.192.199.35
221.192.199.35 - - [04/Mar/2010:22:50:41 -0500] "GET http://www.wantsfly.com/prx2.php?hash=D9E16960895BC7BD18C17788005045967A7480F38CB5 HTTP/1.0" 404 287 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
Scan for open http proxy
GET http://www.wantsfly.com/prx2.php?hash=0FA871D8CFB16CF4D9C7B1540050DDE90AD6B9DFFFBA
A couple of times in my log.
It's an attempt to scan for open http proxies.
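One way to pull this kind of open-proxy probe out of an access log, as an added example that is not part of any report on this page. It flags requests whose target is an absolute URL for a host the server does not own, and goes one step beyond the reports by also flagging `CONNECT` tunnel requests. `LOCAL_HOSTS`, the sample hosts and the sample log lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Common/combined log format: client, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/\d\.\d)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Assumption: the names this server legitimately answers for.
LOCAL_HOSTS = {"www.example.org", "example.org"}

# Constructed sample lines, modelled on the request shape quoted in the reports.
SAMPLE_LOG = """\
198.51.100.7 - - [22/Nov/2009:04:35:23 -0800] "HEAD / HTTP/1.0" 200 -
192.0.2.63 - - [22/Nov/2009:06:52:17 -0800] "GET http://probe.example.net/prx2.php?hash=CONSTRUCTED01 HTTP/1.0" 404 596
192.0.2.63 - - [23/Nov/2009:07:01:44 -0800] "GET http://probe.example.net/prx2.php?hash=CONSTRUCTED02 HTTP/1.0" 200 5120
203.0.113.9 - - [23/Nov/2009:08:10:02 -0800] "GET http://www.example.org/index.html HTTP/1.1" 200 1043
203.0.113.20 - - [23/Nov/2009:09:30:00 -0800] "CONNECT mail.example.net:25 HTTP/1.0" 405 230
not a log line
"""

def classify(method, target):
    """Return the foreign host a request asks us to relay to, or None."""
    if method == "CONNECT":
        # authority-form target (host:port): always a tunnel request
        return target.rsplit(":", 1)[0].lower()
    parts = urlsplit(target)
    if parts.scheme in ("http", "https") and parts.hostname:
        host = parts.hostname.lower()
        return None if host in LOCAL_HOSTS else host
    return None  # origin-form ("/path"): ordinary request

def find_proxy_probes(log_text):
    """Group proxy-style requests by client and note any answered with 2xx."""
    report = defaultdict(lambda: {"count": 0, "hosts": set(), "answered_2xx": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        host = classify(m["method"], m["target"])
        if host is None:
            continue
        entry = report[m["client"]]
        entry["count"] += 1
        entry["hosts"].add(host)
        # A 2xx here deserves a manual look: either the server relayed the
        # request, or it served local content for a foreign URL.
        if m["status"].startswith("2"):
            entry["answered_2xx"] += 1
    return dict(report)

if __name__ == "__main__":
    for client, info in find_proxy_probes(SAMPLE_LOG).items():
        print(client, info["count"], sorted(info["hosts"]), info["answered_2xx"])
```

A 404 or 403 on every flagged request, as in the log lines quoted in the reports, means the server refused to relay; any `answered_2xx` count above zero is the case to check by hand.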
prx.php
script '/Applications/MAMP/htdocs/prx.php' not found or unable to stat
Jun 08 16:42:37 2009] [client 61.160.216.63]
Jun 10 15:11:36 2009] [client 61.160.216.63]
Jun 12 15:51:15 2009] [client 61.160.216.63]
Jun 15 15:09:55 2009] [client 61.160.216.63]
Jun 18 14:26:45 2009] [client 61.160.216.63]
Jun 21 09:23:45 2009] [client 61.160.216.63]
Jul 08 08:34:35 2009] [client 61.160.216.63]
Jul 10 15:48:50 2009] [client 61.160.216.63]
Jul 14 15:35:35 2009] [client 61.160.216.63]
Jul 16 08:51:01 2009] [client 61.160.216.63]
Jul 18 10:29:38 2009] [client 61.160.216.63]
Jul 20 09:08:16 2009] [client 61.160.216.63]
Jul 24 15:36:17 2009] [client 61.160.216.63]
Jul 25 09:00:34 2009] [client 61.160.216.63]
Jul 27 11:46:13 2009] [client 61.160.216.63]
Jul 29 07:53:56 2009] [client 61.160.216.63]
Jul 31 10:30:36 2009] [client 61.160.216.63]
Jul 31 15:23:52 2009] [client 61.160.216.63]
Aug 02 09:44:14 2009] [client 61.160.216.63]
Aug 04 10:09:15 2009] [client 61.160.216.63]
Aug 07 08:46:16 2009] [client 61.160.216.63]
Aug 09 10:26:57 2009] [client 61.160.216.63]
Aug 10 10:49:41 2009] [client 61.160.216.63]
Aug 15 09:56:44 2009] [client 61.160.216.63]
Aug 15 15:07:15 2009] [client 61.160.216.63]
Aug 17 09:40:59 2009] [client 61.160.216.63]
Aug 19 11:47:03 2009] [client 61.160.216.63]
Aug 21 21:07:00 2009] [client 61.160.216.63]
Sep 11 09:08:59 2009] [client 61.160.216.63]
Sep 13 20:45:14 2009] [client 61.160.216.63]
hacking attempt
from these ips 112.121.181.26 and 213.163.89.106 there are many hacking attempts on my pc....
but every time norton blocked the attempt...
but attempts are continuously going on..
what is happening i don't know.....
from these ip 112.121.181.26 there are many hacking attempts on my pc
from these ip 112.121.181.26 and there are many hacking attempts on my pc
222.215.230.49
trying to hack my network....using wantsfly prx something....
ban this sob
XAMPP apache compromised targeted
apache access logs -
61.183.15.9 - - [14/Apr/2010:14:21:59 -0500] "GET http://www.wantsfly.com/prx2.php HTTP/1.0" 404 1107
apache error logs -
[Wed Apr 14 14:21:59 2010] [error] [client 61.183.15.9] script 'C:/xampp/htdocs/prx2.php' not found or unable to stat
-- I changed apache ports, webroot pw changed, etc. to deny these but logs show call / post attempt from numerous locations, all in china, once or twice a day for the last four days. This is a dev server, not a sensitive data issue but I'm dealing with this instead of working on my project, GRR!!!
Continuous attempt to penetrate my system.
This Chinese-originated IP 125.45.109.166:12200 (and other ports) is continuously popping up in the blocked firewall alert. Isn't anyone taking action to stop these attacks from these hackers? Can anyone suggest any option?
A Scan for open http proxy/attempt to use company server as proxy
This person attempts to access my server as a proxy on almost a daily basis, twice today. Can we do something about this? There has got to be someone who can shut him down, legally or illegally I don't care at this point.
Who cares, no one can stop it
www.wantsfly.com constantly bugging me.
I have their IP address added to HOSTS and still they get through.
