DC++ again
  • DC++ again

    I read about DC++ and possible exploits in another area of this forum, and want to make comments about it here in this area (which is maybe more suitable for the subject).
    I think there are several vulnerabilities in DC++, as in most other "open" programs.
    I have observed how some specific IP addresses are trying to connect to you when you enter the program (which are not uploads or downloads).
    I have also noticed that some of the persons running hubs are true addicts, and it is a status to have a big hub which is able to host thousands of people. A big hub needs a fast connection, and unfortunately some of the owners can go very far in order to get this.
    I used the program before, and over a longer period I had someone who was trying to connect to me intensively. I recognized this the first time when I came home after having been away for some days, and blocked the connection immediately. After that it became more and more aggressive, and it was not difficult to see that it all had its origin in DC++. I am no expert, and have tried to find out exactly how this can happen, and what kind of methods are used, but I still have no clear answer.
    This is why I am interested in this program and whether there are others out there who have experienced some of the same things as I have.
    To end this, thank you for a very good site and forum. Some of the answers here are so sarcastically good that I am laughing out loud when I am reading them. (And sorry for my bad grammar, I am no American.)
    When people call me normal I know it's time to seek mental help

  • #2
    Agree!

    Noticed this also, as has a friend.

    Firewall started registering all sorts of attempted connections...
    Using netstat I think people are gathering IP addresses and trying to open various ports on target systems. Perhaps looking to be unnoticed among DC connections.

    I also reckon that a lot of software from DC has been modified to attract connections also.

    I installed BlackICE Defender in a new system and straight away it started getting 'hit'.

    If you find out more, would be good to know as I know a lot of people who use DC be4 anything else.

    cheers



    • #3
      Originally posted by malguru
      Firewall started registering all sorts of attempted connections...
      Using netstat I think people are gathering IP addresses and trying to open various ports on target systems. Perhaps looking to be unnoticed among DC connections.
      Whoa, whoa, whoa.

      Before everyone gets all paranoid about what's going on, might I suggest actually looking at the source to determine what's causing the behaviour you're seeing?

      While I am not personally familiar with this application, speaking from my own experience in trawling through literally hundreds of traffic captures from machines running various filesharing clients, I can say that they do make connections in the background which are not normally visible to the user. This is usually to perform things like network selection, network heartbeat, and other housekeeping tasks. It seems reasonable to assume that DC++ does the same thing.

      So, before going off the deep end, let's all do some research and see what the issue is. Everything you need to do that is right in front of you.

      I also reckon that a lot of software from DC has been modified to attract connections also.
      And you're basing this on what, exactly? Go look at the source.

      I installed BlackICE Defender in a new system and straight away it started getting 'hit'.
      Well, yes. There were undoubtedly inbound connections to said box that weren't initiated from it. Of course it's going to trip your firewall.

      If you find out more, would be good to know as I know a lot of people who use DC be4 anything else.
      Suggestions:

      1) Do your own research

      2) Stop using SMS-speak, it's retarded



      • #4
        Thank you. I have downloaded the source code and will study it and see how much I understand.

        As for myself, I am not paranoid. I had a serious attack which came from DC++, and after I blocked it, there have been several attempts to connect to me again. Some of the traffic is "normal", but not all. I also have a feeling what is going on, but I am unfortunately not good enough to see the whole picture.
        That is why I asked whether anybody was familiar with this program.
        Advice will help me to find other ways to look for solutions.

        I guess you are right that the source code is the main answer to a full understanding of this, and that it is the right end to start.

        I also need to learn more about packet decoding, because this is one of the things that confuses me most.
        What I see is that 3 different suspicious IPs have the same MAC address (not my own), and when I block this MAC address I block my whole Internet connection. If anybody can recommend a good site which explains packet decoding in an easy way, I would be grateful.
        When people call me normal I know it's time to seek mental help



        • #5
          Originally posted by ttickzz
          As for myself, I am not paranoid. I had a serious attack which came from DC++, and after I blocked it, there have been several attempts to connect to me again.
          OK. Define 'serious attack'. Note that I'm not doing all this to be difficult, but to get an understanding of what's going on, which should ultimately help you to figure out what the issue is.

          What I see is that 3 different suspicious IPs have the same MAC address (not my own), and when I block this MAC address I block my whole Internet connection.
          Depending on how your router is set up, this may be a result of NATting your internal addresses; it could also be a device at your ISP's end. Why are you blocking the addresses? Are they inside or outside of your network?



          • #6
            OK, I shall try to be more concrete. I am just careful with what I am saying.

            By serious attack, I mean I was hacked. I left my house for some days with the computer turned on. When I came back both the machine and the connection were slow (I have 10mB), the clock showed 5 hours behind normal time, and some specific programs acted weird. I checked the registry and found "Cygwin" installed, which I know for sure I never had done myself. Nor do I have any programs which need it.
            In the system log (DHCP) I found a specific IP address which had "taken over". I formatted, reinstalled, chose Sygate FW and started to watch the traffic while I was running DC++. (There are certain people on DC++ who have shown too strong an interest in my connection.) What I first found was a person downloading the same file from me, a small txt document, at an interval of 2 minutes. This went on for a long time, and I identified his IP in Sygate and blocked it. This is one of the IPs which has continued to connect for months. Another IP also showed up regularly from the same program, without me having any uploads or downloads. I blocked this too, and this one has also continued for months.

            So to the question about the MAC address..
            Sygate has a very good packet log which shows the header in detail. I tried as a test to block other IPs from DC++. All of them showed different MAC addresses than the "suspected" ones, which were both the same, even though they came from different countries. Afterwards another IP has also showed up with "abnormal" activity, and this same MAC address.
            I blocked it because I was thinking that this was the same person who faked his IP but not his MAC, and was just curious what would happen. This is why I don't think it has something to do with my ISP. Why then only those IP addresses from DC++?
            As I have said, I am no expert, and don't fully understand those packet codes. I get very intense when something happens to my machine, and don't give up before I understand it. It is maybe the best way of learning!
            When people call me normal I know it's time to seek mental help



            • #7
              Originally posted by ttickzz
              So to the question about the MAC address..
              Sygate has a very good packet log which shows the header in detail. I tried as a test to block other IPs from DC++. All of them showed different MAC addresses than the "suspected" ones, which were both the same, even though they came from different countries. Afterwards another IP has also showed up with "abnormal" activity, and this same MAC address.
              I blocked it because I was thinking that this was the same person who faked his IP but not his MAC, and was just curious what would happen. This is why I don't think it has something to do with my ISP. Why then only those IP addresses from DC++?
              The MAC address is the component of an Ethernet frame which originates anywhere between your system and the default gateway (i.e. the local subnet). All traffic headed to your computer from the Internet will pass through whatever router/system is acting as your default gateway, and thus the frames will originate from this router/system.
              45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
              45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
              [ redacted ]

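The point made in #7 can be checked against a host firewall's own packet log. The script below is an added illustration and is not part of this thread or of Sygate; the log lines in it are constructed, and the field layout (date, time, direction, source IP, source MAC, destination IP) is an assumed simplification of a packet-log export. It groups the log by source MAC, finds the one MAC that every off-subnet source shares (the default gateway), and shows which sources a "block this MAC" rule would actually cut off.

```python
"""Why every Internet source in a host firewall's packet log shows the same MAC.

Added illustration for the thread above. SAMPLE_LOG is constructed, not real
capture data, and its six-column layout is an assumption, not Sygate's format.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: three Internet hosts, the gateway itself, and one LAN host,
# all talking to the local machine 192.168.1.10. Documentation ranges only.
SAMPLE_LOG = """\
2004-03-01 21:02:11 IN 203.0.113.45  00:11:22:33:44:55 192.168.1.10
2004-03-01 21:02:13 IN 198.51.100.7  00:11:22:33:44:55 192.168.1.10
2004-03-01 21:04:11 IN 203.0.113.45  00:11:22:33:44:55 192.168.1.10
2004-03-01 21:05:02 IN 192.168.1.20  00:aa:bb:cc:dd:ee 192.168.1.10
2004-03-01 21:06:40 IN 192.0.2.99    00:11:22:33:44:55 192.168.1.10
2004-03-01 21:07:00 IN 192.168.1.1   00:11:22:33:44:55 192.168.1.10
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        date, time, direction, src_ip, src_mac, dst_ip = parts
        records.append({
            "time": f"{date} {time}",
            "direction": direction,
            "src_ip": ipaddress.ip_address(src_ip),
            "src_mac": src_mac.lower(),
            "dst_ip": ipaddress.ip_address(dst_ip),
        })
    return records


def macs_by_source(records):
    """Map each source IP (as a string) to the set of source MACs its frames carried."""
    seen = defaultdict(set)
    for r in records:
        seen[str(r["src_ip"])].add(r["src_mac"])
    return dict(seen)


def gateway_mac(records, local_subnet):
    """Return the one MAC shared by every off-subnet source, or None if there isn't one.

    The Ethernet header is rewritten at every hop; the last hop before this
    host is the default gateway, so its MAC is the only one ever seen on
    frames that originated outside the local subnet.
    """
    net = ipaddress.ip_network(local_subnet)
    remote_macs = {r["src_mac"] for r in records if r["src_ip"] not in net}
    return remote_macs.pop() if len(remote_macs) == 1 else None


def simulate_mac_block(records, blocked_mac):
    """Source IPs (sorted strings) whose frames a 'block this MAC' rule would drop."""
    blocked_mac = blocked_mac.lower()
    return sorted({str(r["src_ip"]) for r in records if r["src_mac"] == blocked_mac})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for ip, macs in sorted(macs_by_source(recs).items()):
        print(f"{ip:16} arrived with MAC(s): {', '.join(sorted(macs))}")
    gw = gateway_mac(recs, "192.168.1.0/24")
    print(f"\nMAC shared by all off-subnet sources (the gateway): {gw}")
    print("Blocking that MAC would drop frames from:", simulate_mac_block(recs, gw))
```

Run as-is it lists each source with its MAC(s), identifies 00:11:22:33:44:55 as the gateway, and shows that a rule against that MAC would drop every Internet source at once, which is exactly the "blocks my whole Internet connection" symptom described above. The useful distinguishing information for off-subnet traffic is therefore the IP address, not the MAC; only hosts on your own subnet show their own MACs.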


              • #8
                Thank you Bascule. I think I got you. I have always thought of the MAC addresses which show up in the packet log as more "personal". I understand now that I have been very wrong.

                I have tried to discuss this with people who are supposed to know about networking, packet decoding and MAC addresses, but nobody has been able to explain how to interpret the log correctly, even when I have showed them.
                Is my country full of idiots, is this not a basic part of an education, or are the people here on Defcon "simply the best"?
                Anyway, thank you
                When people call me normal I know it's time to seek mental help



                • #9
                  People on Def Con

                  The people here on Defcon are simply the best in the world, well, from my experience they are.
