Network question and inept service?
WesFlash
August 7th, 2001, 07:47 PM
First off, I have been receiving constant requests to route traffic from one IP to another coming to my computer. The bad thing, it's the same one every 30 seconds or so. Running a firewall helps stop it, but it is beginning to bother me. I asked my isp's tech support if there was a way to notify the owner of that IP address that their computer is sending unwanted traffic and may even have a virus if they didn't know about it. Well, this is what I got back, edited of course so the responder won't sound like an amoeba:
If someone is attempting to access your system, please send a copy of your log file to our Security Group at abuse@whatchamadoozit.net. They will investigate and take the appropriate action.
Now, I asked a question about contacting the owner of the IP address and I got that garbage? I was not making a complaint, but I might make one about the tech support.
OK, does anyone know how to go about finding who owns a certain IP address so I can get an e-mail off to the administrator/person to tell them that there is unwanted traffic sent from them to me? Should I care? Any advice?
itsmewhoelse
August 7th, 2001, 10:00 PM
WesFlash,
There are lots o' ways to find out. The most used is the whois database, here's a link...
http://www.networksolutions.com/cgi-bin/whois/whois
However, my favorites are located at
http://www.karenware.com/powertools.html She has written some powerfully awesome tools. And they are free.
Another good website, if you are interested in security, is http://www.grc.com and their newsgroups rock!
Check 'em out, and have fun!
Wesley
itsmewhoelse
August 7th, 2001, 10:06 PM
BTW, WesFlash, chances are you have a trojan.
The most common ports used, right now, are 6667 and 113. To check you can run a netstat command from a DOS box. To be more specific you would type in...
C:\>netstat -an | find ":6667" <enter> then
C:\>netstat -an | find ":113" <enter>
need more info? Go to grc.com and read, read, read, this guy ( Steve Gibson ) is great.
Ciao
Wesley
WesFlash
August 8th, 2001, 09:53 AM
The requests are coming from an IP address requesting the packets be forwarded to another IP address.
I tried a whois database, and it is coming from a computer on an ISP that is working with my DSL provider. Funny thing is that the tech support wanted me to send an e-mail to the abuse e-mail for that ISP.
WesFlash
August 8th, 2001, 10:01 AM
Man, I wish I knew how to decipher everything I get running netstat -an.
I know my IP address and the addresses of other computers on my network. After that, it gets weird. I've got a bunch of things running on 127.0.0.1, which I understand is a loopback address. So, several of them are open, but which ones are ok? There are also a few that show up as 0.0.0.0:xxxx, where the x's change numbers. Are those ok?
weazel
August 8th, 2001, 10:26 AM
The xxxx's are the port numbers the requests are coming in on. It's really difficult to tell which are "safe" and which are not without knowing a lot more about your network configuration. It either sounds like you have a trojan or possibly the Code Red worm. Kinda hard to say without looking at your logs.
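To make the two checks discussed above concrete (the netstat port check in itsmewhoelse's post, and WesFlash's question about 0.0.0.0 versus 127.0.0.1 entries), here is an added Python example that is not from the thread: it parses a constructed Windows netstat -an dump, separates loopback-only bindings from sockets reachable on every interface, and flags the two ports the thread names. The netstat sample is constructed for illustration, not real output from anyone's machine.

```python
import re
from collections import namedtuple

# Constructed sample of Windows 2000 "netstat -an" output (not taken from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:6667           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1031      216.68.0.200:53        TIME_WAIT
  UDP    0.0.0.0:113            *:*
  UDP    127.0.0.1:1026         *:*
"""

PORTS_OF_INTEREST = {6667, 113}  # the ports the thread names as common trojan listeners

Socket = namedtuple("Socket", "proto addr port remote state")
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_netstat(text):
    """Turn netstat -an lines into Socket tuples, skipping headers and blank lines."""
    sockets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            proto, addr, port, remote, state = m.groups()
            sockets.append(Socket(proto, addr, int(port), remote, state or ""))
    return sockets

def is_listener(s):
    """A TCP socket accepts input only in LISTENING; any bound UDP socket does."""
    return s.proto == "UDP" or s.state == "LISTENING"

def exposure(s):
    """0.0.0.0 = bound on every interface (network-reachable); 127.x = loopback only."""
    if s.addr == "0.0.0.0":
        return "all-interfaces"
    return "loopback-only" if s.addr.startswith("127.") else "interface-" + s.addr

def review(text):
    """Return (ports listening on all interfaces, (proto, port) pairs worth checking)."""
    listeners = [s for s in parse_netstat(text) if is_listener(s)]
    exposed = sorted(s.port for s in listeners if exposure(s) == "all-interfaces")
    flagged = sorted((s.proto, s.port) for s in listeners
                     if s.port in PORTS_OF_INTEREST and exposure(s) == "all-interfaces")
    return exposed, flagged
```

Loopback-only entries such as 127.0.0.1:1025 are reachable only by processes on the same machine, so the ones that matter for a remote trojan check are the 0.0.0.0 bindings.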
WesFlash
August 9th, 2001, 09:13 AM
Well, I reloaded Win2k and every one of the items listed in netstat -an came back, so that wasn't it. I made sure I had my firewall installed before connecting the network cable, and 2 seconds later that same request came in. I found that it is a DNS server used by my ISP. Strange, a DNS server isn't supposed to forward traffic to another computer through a user's computer. The only way I could get a tech to do anything was to submit my logs, etc. to their abuse e-mail, like that's going to do anything. It seems that a lot of administrators don't have time to patch their computers, and this is a result.
WesFlash
August 9th, 2001, 02:15 PM
In case anyone wanted an update, here goes:
TECH:
Hello Wes,
Thank you for choosing to be a part of the ZoomTown community. We, here at ZoomTown Support, make every effort to help you further enjoy your online experience.
No one else is reporting this problem with the Fuse servers, so it doesn't appear that the problem is with their servers. However, again, send any logs to abuse@fuse.net so they can investigate the issue.
Sean
ZoomTown Support
ME:
According to whois lookup, the IP address sending the unwanted traffic is part of Fuse.net: 216.68.0.200. I am re-installing Win2k first in case I have some sort of unknown trojans operating on my computer. If this continues after the re-install, then Fuse has some problems with their servers that need to be addressed, or there is an explanation as to the reason for the forwarding of network traffic through its users' computers that will be necessary. In the meantime, I suggest that you notify Fuse of this so they may check their computers, if that address is part of their internal network, to check for security problems.
Back to the rest of my post. I am in no way a network genius, I still haven't gotten A+ yet. Ok, am I missing something? Win2K usually says that the user knows something about what is going on, right? Should every tech response to my questions always try to blow off my request or ignore it? Am I just blowing things way out of proportion? I may have had a trojan work through my computer to their DNS server. Is it wrong for me to even try to deal with this hassle?
Joker1
August 9th, 2001, 02:57 PM
I've seen a lot of crap from a lot of ISPs.
They will often try to just blow you off or give completely nonsense explanations. Try to talk to someone higher up. If that fails, just firewall their stupid request and be done with it.
WesFlash
August 14th, 2001, 07:30 PM
I finally found out what the deal is. The router at the IP address in question is TWO updates behind in its IOS. There are a number of problems Cisco has addressed in those updates that aren't applied. So, I've no choice but to allow it because I can't make a lazy sysadmin do his job. I do thank one of my former co-workers, who was our security and Exchange guru. He pointed out the IOS being out of date to them months ago, and they haven't done anything about it yet. So, I'm allowing it to happen, in the hopes that some jerk will find the vulnerability and whack that Cisco router down so they have to fix it. I know, even a script hacker can do good if they can do it without getting caught. I thought the whole Code Red scare was supposed to get the lazy admins to finally update their software to address certain vulnerabilities, but there's always some stubborn ones too. I would say for some hacker to contact me if they are looking for a Cisco 6400 to take down, but that wouldn't be right, would it?