how can I find out who is attempting to hack into my computer by their
nine digit number which my firewall reported?

---

Request for Question Clarification by wrynn-ga on 10 Jul 2003 14:25 PDT

His full 12 digit ip address was not reported?

-Joe A.

---

Request for Question Clarification by aceresearcher-ga on 10 Jul 2003 14:58 PDT

Caroline,

Depending on what sort of attack you experienced, this may be
something which you will not want to bother pursuing. For instance, I
have Zone Alarm Pro firewall, and checking my Alerts Log, I see that
there have been 3 High-Risk attempts to penetrate my system -- just
today! These have become quite commonplace on the web, and since
you're protected, you can just ignore the warnings (I've got my
instant warning feature turned off).

If, however, you experienced an attack of a more serious kind, it will
be important for you to post the details of it here in a
Clarification, so that a Researcher can really assist you.

Regards,

aceresearcher

---

Clarification of Question by carolinerobinson-ga on 10 Jul 2003 17:39 PDT

I was at a .org site which is whose constituants are lobbying for
congressional hearings on some rather sensitive information...when I
had 4 alerts.  One was a trojan horse alert with an address which
started with 24.129.--.--,----. The other 3 alerts were described as
'stealth' attempts and the address started with
208.63.---.123,-----.If my firewall renders my computer 'invisible',
how did someone or some 'two' even know that I was at that site? I
have been hacked into before and had a heck of a time cancelling my
credit cards, alerting my bank due to microsoft money data, etc. (the
hacker did try and use my cancelled Visa)  I suppose it has made me
'overkill' when I get an alert from 'Norton'...am I just suffering
from paranoia?

---

Request for Question Clarification by alexander-ga on 10 Jul 2003 23:10 PDT

208.63.x.x is a BellSouth IP, and 24.129.x.x is an AT&T Broadband IP.
You're not likely to be able to get any more detailed information
without contacting one of those companites, and they aren't likely to
want to help you.

There is no reason to believe that either of these computers or their
owners knew that you were at any particular site. It's almost
certainly sheer coincidence that you were scanned at that particular
time. This is likely not an attack directed at you, but rather
individuals scanning a large number of machines looking for some that
they could potentially gain access to.

All your firewall does is block this scanning traffic, ensuring that
they have no chance of getting access to your computer, even if it
would otherwise be vulnerable.

---

Clarification of Question by carolinerobinson-ga on 11 Jul 2003 09:24 PDT

I'm a 'newbie'...I can't find the link to rating my answers.

---

Request for Question Clarification by aceresearcher-ga on 11 Jul 2003 10:04 PDT

Caroline,

The reason you can't find the place to Rate your Answer is because
your Question was not officially Answered (all information was posted
in either the Clarification or the Comment section).

You can choose to accept one of the postings as an Answer and request
that the Researcher who posted it put it in the Answer box, or you can
expire this Question.

I hope that you feel that your problem has been solved!

Regards,

ace

The nine digits as you say is the IP address of the machine that tried
to connect to your machine. Normally, these digits are separated with
dots like:
216.239.51.100

There can be between 4 and 12 digits (in fact, these are 4 numbers
between 0 and 255).

To know who this address hides, you have two methods:
- try to figure who owns this address. This usually doesn't help much,
since there are few owners and sometimes it's unsuccessful.
- try to know if there is a reverse name for this address. This
usually helps more but sometimes there is no reverse name.

There are programs that can do each of these tasks but there are also
websites that do it.
For the first case, try this site:
http://www.whois.sc/

As you can see, it belongs to www.google.com. That's because they own
their IP addresses. It's not the case with most IPs, i.e. the owner of
the computer is usually not the owner of the IP.

For the second test, you can try this page:
http://cc-www.uia.ac.be/ds/nslookup.html

You'll see that the address's reverse name is www.google.com.

There are further methods such as trying a traceroute on the address
to find out how the server is connected to you.

Now, if you don't know what an IP address is, I don't think someone
really tried to hack your computer. Firewalls software are often very
verbose to make people aware that they exist or you might just have
been the target of an internet worm (which failed since your firewall
catched the request). Most of the time, what users think of as an
attack is in fact a peer-to-peer software, a chat software or stuff
like this. To know more, you need to look at the port number
concerned.

The good resource on the subject I know is in French (in case you read
French), it's here:
http://michel.arboi.free.fr/secu/FAQNOPI/reseaux.html