Apparently someone from "The Computer Guy" IP range (or someone acting
as someone from there) got rcp.exe to run on my machine, attempting to
contact 220.127.116.11 port 514. I detected this with ZoneAlarm.
The reason I'm posting here is because I've just installed JBoss and
MySQL on my machine, and until this point, I have never had this type
of attack before. It happened right around the time I accessed the
JBoss JMX console for the first time from over the Internet (I accessed
my home PC from work). I have a non-static IP, so I'm running the
No-IP DUC so that I can find my machine on the Internet.
Could someone wager a guess as to what happened at 8:42 this morning?
What was attempted? How was it done? I password protected my JBoss
JMX and Management consoles, but of course it's only with basic
authentication, which is really nothing if someone wants to snoop. Is
there something in one of the interfaces that get installed with JBoss
that would allow for someone to start a remote copy?
Description: TCP/IP Remote Copy Command requested permission to
access the internet.
Date / Time: 2005/04/01 08:42:04-5:00 GMT
Type: New Program
Destination IP: 18.104.22.168:514
Direction: Outgoing (connect)
Action Taken: Blocked (once)/Manual
CustName: The Computer Guy
Address: 5306 McCorkle Ave
NetRange: 22.214.171.124 - 126.96.36.199
OrgTechName: FiberNet IP Administrator