# I have a stalker



## DKWunlimited (Sep 11, 2006)

And I need computer safety advice.

Let me start by saying that my ex is in IT security for a very large global oil company. He covers 30,000 computers and his job is to "test" the security measures in place.

That being said... we've been apart 3 years and in that 3 years he's come up with my bank records, contacted friends of mine from the internet and in general snooped in various areas of my life. In February of this year I got a new computer, the first that I have gotten since leaving the house that we shared. I've stopped using the computer that I had before.

My new computer came with VISTA (which I actually like) as well as new security software. Now I am getting daily pop up messages telling me that a recent attempt to access my computer was blocked. It's always from the same IP address and it's always a portscan.

I am fairly knowledgeable about computers but I'm thinking it wouldn't hurt to get others' advice on how to stop the stalking. I'm changing all my passwords AGAIN... what other open areas should I be looking at blocking?


----------



## Kung (Jan 19, 2004)

Edited - see below

Do you know what version of Vista you have? I don't think it ships with all versions.

In the short term, I'd employ a hardware router, make sure your passwords are 'strong' (longer, with more characters, etc.), etc.

I would ALSO contact your ISP about this, and keep logs of the attempts on your computer. They should be able to use this stuff to find the guy.


----------



## DKWunlimited (Sep 11, 2006)

When you say USB key.. do you mean the portable USB drives? I do have one of those, although I've never used it.


----------



## Kung (Jan 19, 2004)

Actually..hold on a few...I'm talking with one of my buddies who happened to help design that technology......it may not help.


----------



## DKWunlimited (Sep 11, 2006)

I have VISTA home premium


----------



## Kung (Jan 19, 2004)

Ok, what I'm hearing from my buddy are the following:

1) In the case where someone's port scanning and such, Bitlocker won't help. That's more designed for if someone snatched your PC.

2) Be wary of 'automatic' elevation of privileges (i.e., if you're just sitting there doing nothing, and all of a sudden, Vista asks if you want to do this or that).

3) In addition to having Vista's firewall enabled (you can read a lot about Vista's firewall here), I'd get a hardware firewall as well. (Any wireless/wired broadband router should have a firewall.)

4) Turn on firewall logging on the hardware firewall, if it is an option, so that if you DO get hacked, or continual attempts, it'll be logged.

If you need any assistance w/the above, let me know.


----------



## DKWunlimited (Sep 11, 2006)

I do have a Norton inbound firewall in place and it is logging, that's what is giving me the daily pop ups to let me know it blocked more attempts.

What would I be looking for in a hardware firewall? I do have several wireless routers sitting in a box. I hadn't been using them at the new house because I'm out in the country and stuck with a dial up connection and didn't think I could.

My computer is a laptop that travels with me.

Also, can you explain a port scan to me... is there any logical reason why someone would scan OTHER than to try and hack?


----------



## Kung (Jan 19, 2004)

DKWunlimited said:


> I do have a Norton inbound firewall in place and it is logging, that's what is giving me the daily pop ups to let me know it blocked more attempts.


That'll be sufficient for a software firewall.



> What would I be looking for in a hardware firewall?


Well, basically, just any firewall that's running on a piece of equipment (such as a broadband router) OTHER than your computer. The reason is because a software firewall can always be disabled (including your Norton firewall). It's one HECK of a lot harder to do so with a hardware-based firewall.



> My computer is a laptop that travels with me.


I'd make sure both the firewall that comes with Vista, and the one that's with Norton, are enabled.



> Also, can you explain a port scan to me... is there any logical reason why someone would scan OTHER than to try and hack?


Sure. It allows owners of computers/networks to scan their own equipment for weaknesses and backdoors, so that they can then respond to those by securing them - to protect against the very thing you're encountering.


----------
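To make the "port scan" idea concrete, here is an added example that is not code from anyone in this thread: it reads a constructed firewall log (the line layout is assumed and is not Norton's real format) and flags a source address that probes many different ports within a short window, which is what a blocked port-scan alert is reporting.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log in a simple "date time source_ip dest_port action"
# layout. This is NOT Norton's real log format; it only stands in for one.
SAMPLE_LOG = """\
2006-09-11 08:31:02 198.51.100.7 21 BLOCKED
2006-09-11 08:31:02 198.51.100.7 22 BLOCKED
2006-09-11 08:31:03 198.51.100.7 23 BLOCKED
2006-09-11 08:31:03 198.51.100.7 80 BLOCKED
2006-09-11 08:31:04 198.51.100.7 135 BLOCKED
2006-09-11 08:31:04 198.51.100.7 139 BLOCKED
2006-09-11 08:31:05 198.51.100.7 445 BLOCKED
2006-09-11 08:31:05 198.51.100.7 3389 BLOCKED
2006-09-11 09:10:44 203.0.113.9 80 ALLOWED
2006-09-11 09:12:01 203.0.113.9 80 ALLOWED
"""

def parse_log(log_text):
    """Yield (timestamp, source_ip, dest_port) for each non-empty line."""
    for line in log_text.splitlines():
        if line.strip():
            date, time, ip, port, _action = line.split()
            yield datetime.fromisoformat(f"{date} {time}"), ip, int(port)

def find_port_scans(log_text, window_seconds=60, min_ports=5):
    """Return {source_ip: info} for sources that hit >= min_ports distinct ports
    inside any window_seconds-long window (one host probing many ports fast)."""
    events = defaultdict(list)
    for ts, ip, port in parse_log(log_text):
        events[ip].append((ts, port))
    scans = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end, (ts_end, _) in enumerate(evs):
            # slide the window start forward until it fits within window_seconds
            while (ts_end - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if len({p for _, p in evs[start:end + 1]}) >= min_ports:
                scans[ip] = {
                    "ports": sorted({p for _, p in evs}),
                    "first_seen": evs[0][0].strftime("%A %H:%M"),
                }
                break
    return scans

if __name__ == "__main__":
    for ip, info in find_port_scans(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['ports'])} ports starting {info['first_seen']}")
```

A repeat web visitor hitting port 80 is not flagged, while the host touching eight ports in four seconds is; the weekday and hour of the first hit is what you would hand to an ISP along with the source address.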



## DKWunlimited (Sep 11, 2006)

So could MY ISP be doing the scanning?


----------



## Kung (Jan 19, 2004)

Depends upon the ISP. Some ISPs, such as Cox, do it regularly. Others never do it.


----------



## DKWunlimited (Sep 11, 2006)

I'm with SBC-Yahoo


----------



## Kung (Jan 19, 2004)

I'd personally call them and tell them about this and ask them if they're doing port scans. If they don't help, PM me the IP address and I can probably track it down.


----------



## Nevada (Sep 9, 2004)

DKWunlimited said:


> Now I am getting daily pop up messages telling me that a recent attempt to access my computer was blocked. It's always from the same IP address and it's always a portscan.


Can you provide some particulars of the alert? What was the IP address? What port did the request come in on? Whas the source identified?


----------



## Gary in ohio (May 11, 2002)

Port scans are a pretty common way to start hacking in. If you can find a hole with a port scan you can then get in. Port scans happen all the time. If it's coming from 1 IP address you can track the IP back to an ISP and possibly a person.


----------



## DKWunlimited (Sep 11, 2006)

It does come from 1 IP address, and I have done a tracert. It comes back with 6 hops from my computer and their computer is called "resolver2" but doesn't give me an ISP name. The attacks have usually happened on a Monday or Tuesday between 8:30am and 11:30am.


----------



## Nevada (Sep 9, 2004)

DKWunlimited said:


> It does come from 1 IP address, and I have done a tracert. It comes back with 6 hops from my computer and their computer is called "resolver2" but doesn't give me an ISP name. The attacks have usually happened on a Monday or Tuesday between 8:30am and 11:30am.


The next time it happens report back here with the IP address. I'll tell you which network provider owns it and who it's leased to.


----------



## DKWunlimited (Sep 11, 2006)

Edited - I wouldn't post this stuff for public, even though it's public domain. (I've got it copied to my PC.)

-- Kung


----------



## Kung (Jan 19, 2004)

It ties to "Level 3 Communications" in Westminster, Co.....and to this guy's house:


----------



## Nevada (Sep 9, 2004)

DKWunlimited said:


> Edited - I wouldn't post this stuff for public, even though it's public domain. (I've got it copied to my PC.)


PM it to me then.


----------



## DKWunlimited (Sep 11, 2006)

Hmm isn't that interesting. I don't know anyone in Westminster so maybe it is just a random hacker looking for an open door.


----------



## Nevada (Sep 9, 2004)

DKWunlimited said:


> Hmm isn't that interesting. I don't know anyone in Westminster so maybe it is just a random hacker looking for an open door.


Kung's right, it's a Level 3 address. According to ARIN it isn't subleased.

Hang on, I'm still researching this.


----------



## Kung (Jan 19, 2004)

Yeah, I should mention that I just did a basic 'whois' on that IP...I've not actually delved in REAL deep on it.


----------



## Nevada (Sep 9, 2004)

DKWunlimited said:


> Hmm isn't that interesting. I don't know anyone in Westminster so maybe it is just a random hacker looking for an open door.


I think he was joking about Westminster. It traces to a company in North Vancouver, BC. It appears to be a commercial application, perhaps web site hosting. I'm thinking it's an application connecting to your computer, but there is no way to know that.

When you did your tracerts, did you have any variation in traces? So far all of mine have ended in Canada.


----------



## Kung (Jan 19, 2004)

I wasn't joking about Westminster - it did display that. LOL


----------



## Nevada (Sep 9, 2004)

Kung said:


> I wasn't joking about Westminster - it did display that. LOL


If that's the case then it's most likely part of a dialup IP address pool. I'm still connecting to North Vancouver. I'll watch it.


----------



## DKWunlimited (Sep 11, 2006)

My traces are going... OKC to Saint Louis, to Chicago, to another Chicago to another Chicago... ending with a computer called resolver2... same path every time, 6 hops.


----------



## Nevada (Sep 9, 2004)

DKWunlimited said:


> My traces are going... OKC to Saint Louis, to Chicago, to another Chicago to another Chicago... ending with a computer called resolver2... same path every time, 6 hops.


Mine's 14 hops to a computer called Loopbac1.vgs4...

Is it possible that you made an error when you typed the IP address you sent me? PM it again. You might also include the full name of the computer at the end of the tracert.


----------



## Kung (Jan 19, 2004)

No, it's correct - I made a screenshot of it.


----------



## Nevada (Sep 9, 2004)

OK, we're on the same page now.

In Googling for that IP address I found a lot of information. Apparently it's some sort of spyware that hijacks the DNS lookups to direct the browser to other sites. I wonder if you can run a HijackThis scan and post it? That IP address may very well show up. Look for an entry something like this:

O17 - HKLM\System\CCS\Services\Tcpip\..\{B343D63B-CC6A-4A21-A795-A4D57665EB83}: NameServer = 209.244.0.3 209.244.0.4

If you find anything like that you can be sure you have spyware. They say the AVG spyware scanner can take care of it, but you might want to edit the registry entries manually.

Also, check out this post:

http://colorado.indymedia.org/newswire/display/9773/index.php

With any luck your firewall was successful in keeping it out. From the post above it's evident that not all firewalls can stop it.


----------
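The O17 entry Nevada describes lists the DNS servers HijackThis found in the per-adapter Tcpip registry keys; a DNS hijack shows up as a NameServer value that is not the resolver your ISP or router actually hands out. As an added example, not code from anyone in this thread or from HijackThis, this parses O17 lines from a constructed scan log and flags name servers outside an expected list (the expected resolver 192.0.2.53 and the second GUID are assumptions; the first O17 line is the one quoted above).

```python
import ipaddress
import re

# Matches HijackThis "O17" entries: the NameServer values found under the
# Tcpip\Parameters\Interfaces registry keys (one key per network adapter).
O17_RE = re.compile(r"^O17 - (?P<key>\S+): NameServer = (?P<servers>[\d.,\s]+)$")

def parse_o17(line):
    """Return (registry_key, [server ips]) for an O17 line, or None otherwise."""
    m = O17_RE.match(line.strip())
    if not m:
        return None
    servers = []
    for token in re.split(r"[,\s]+", m.group("servers").strip()):
        try:
            servers.append(str(ipaddress.ip_address(token)))
        except ValueError:
            pass  # skip malformed tokens rather than trust them
    return m.group("key"), servers

def audit_o17(lines, expected_resolvers):
    """Return [(registry_key, [unexpected ips])] for every O17 entry that names
    a DNS server outside expected_resolvers (what your ISP/router really uses)."""
    findings = []
    for line in lines:
        parsed = parse_o17(line)
        if parsed is None:
            continue
        key, servers = parsed
        unexpected = [s for s in servers if s not in expected_resolvers]
        if unexpected:
            findings.append((key, unexpected))
    return findings

# Constructed sample scan log: a non-O17 line, the O17 line quoted in the post
# above, and an O17 line (assumed GUID) that points at the expected resolver.
SAMPLE_LOG = [
    "O4 - HKLM\\..\\Run: [example] C:\\example.exe",
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{B343D63B-CC6A-4A21-A795-A4D57665EB83}: NameServer = 209.244.0.3 209.244.0.4",
    "O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{ASSUMED-GUID}: NameServer = 192.0.2.53",
]
# Assumed: the resolver your ISP assigned (192.0.2.53 is a documentation address).
EXPECTED = {"192.0.2.53"}

if __name__ == "__main__":
    for key, bad in audit_o17(SAMPLE_LOG, EXPECTED):
        print(f"{key}: unexpected NameServer {', '.join(bad)}")
```

Fill EXPECTED with the DNS servers shown by your router or ISP; any O17 entry that resolves elsewhere is the registry key to inspect and, as the post suggests, correct.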

