question for dodger

[forestdale]

I installed yahoo messenger yesterday. The only person I've used it with so far is sara and she is the only person on my list.

This morning when I came online, just after yahoo messenger loaded itself, I had an attack that my norton picked up as being a Welchia_ICMP_Scan attack. This is what the Norton site says about it:

"This event indicates the Welchia worm is making ICMP echo requests or is receiving replies.
The Welchia worm checks for active machines to infect by sending an ICMP echo request, or PING, which will result in increased ICMP traffic.

"Turn off and remove unneeded services. By default, many operating systems install auxiliary services that are not critical, such as an FTP server, telnet, and a Web server. These services are avenues of attack. If they are removed, blended threats have fewer avenues of attack and you have fewer services to maintain through patch updates.

"If a blended threat exploits one or more network services, disable or block access to those services until a patch is applied.

"Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services."

I'm thinking this attack is originating in Yahoo somewhere. I know it's not coming from sara (her pure evil genius is directed at other areas ) but do you think the yahoo network could be the source? and if so, is the only way to not get these attacks to turn off messenger when I'm not using it?

[forestdale]

Hi gabe, me again, lucky you. I've had another attack. This time it's the doom trojan horse virus from Dallas Texas. This is what my Norton program tell me about the person who sent it. I've even got their phone # ! :

OrgID: TPCM
CustName: ThePlanet.com Internet Services, Inc.
Street: 1333 North Stemmons Freeway
Street: Suite 110
City: Dallas
StateProv: TX
Country: US
PostalCode: 75207
RegDate: 1999-08-31
Updated: 2004-05-07
ReferralServer: rwhois://rwhois.theplanet.com:4321
OrgAbuseHandle: ABUSE271-ARIN
OrgAdminHandle: CROSB-ARIN
OrgNOCHandle: TECHN33-ARIN
OrgTechHandle: TECHN33-ARIN

NetHandle: NET-67-18-0-0-1
OrgID: TPCM
Parent: NET-67-0-0-0-0
NetName: NETBLK-THEPLANET-BLK-11
NetRange: 67.18.0.0 - 67.19.255.255
NetType: allocation
RegDate: 2004-03-15
Updated: 2004-07-29
NameServer: NS1.THEPLANET.COM
NameServer: NS2.THEPLANET.COM
TechHandle: PP46-ARIN

TechHandle: PP46-ARIN
TechName: Pathos, Peter
TechPhone: +1-214-782-7800
TechEmail: abuse@theplanet.com

OrgAbuseHandle: ABUSE271-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-214-782-7802
OrgAbuseEmail: abuse@theplanet.com

OrgTechHandle: TECHN33-ARIN
OrgTechName: Technical Support
OrgTechPhone: +1-214-782-7800
OrgTechEmail: admins@theplanet.com

OrgAdminHandle: CROSB-ARIN
OrgAdminName: Crosby, Lance
OrgAdminPhone: +1-214-800-6008
OrgAdminEmail: lcrosby@theplanet.com

OrgNOCHandle: TECHN33-ARIN
OrgNOCName: Technical Support
OrgNOCPhone: +1-214-782-7800
OrgNOCEmail: admins@theplanet.com

I got this a few moments after I opened yahoo again. I'm fully up to date with my patches and virus upgrades + I have my firewall up so I doubt anything will get through. Should I be doing anything else?

[Gabe]

The Planet is a hosting company.
They have a data center where they host servers like ours. They probably have several thousands servers with different IPs.
Do you have the IP of the computer that is attacking you? My guess is that they might have a server that is doing a DOS attack.

(Denial of Service Attack)

If your firewall is blocking the attack I would not worry about it.
When you run a scan on your computer does it come up with any viruses?

[forestdale]

nope, no viruses, so I guess all my security is doing its job. I do have the IP of the computer sending the attack but I guess that if it's not getting through it's not worth doing anything. Not that I could anyway.

Thanks gabe.

[Gabe]

If you find the warning annoying you can disable the warning I believe.

You might want to check the documentation or do a search on google on the subject.