Skip to main content

Serious attack? Or just unharm?

More
14 years 11 months ago #33073 by FishNBone
Hi All!!

I got this log about all the attacks that I have got recently

2009-12-14T19:40:39+08:00 info Previous log entry repeated 1 times
2009-12-14T19:40:39+08:00 low src=174.36.178.72 dst=219.74.147.213 ipprot=17 sport=11239 dport=1568 UDP Port Scan Detected
2009-12-14T19:40:39+08:00 info src=174.36.178.72 dst=219.74.147.213 ipprot=17 sport=11239 dport=1568 Unknown inbound session stopped
2009-12-14T19:41:33+08:00 info src=192.168.1.65 dst=208.43.33.48 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
2009-12-14T19:41:33+08:00 info src=208.43.33.48 dst=219.74.147.213 ipprot=17 sport=11243 dport=1601 Unknown inbound session stopped
2009-12-14T19:41:33+08:00 info Previous log entry repeated 1 times
2009-12-14T19:41:33+08:00 low src=208.43.33.48 dst=219.74.147.213 ipprot=17 sport=11243 dport=1601 UDP Port Scan Detected
2009-12-14T19:41:33+08:00 info src=208.43.33.48 dst=219.74.147.213 ipprot=17 sport=11243 dport=1601 Unknown inbound session stopped
2009-12-14T19:41:33+08:00 info Previous log entry repeated 1 times
2009-12-14T19:41:46+08:00 info src=192.168.1.65 dst=67.228.1.166 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
2009-12-14T19:41:46+08:00 info src=67.228.1.166 dst=219.74.147.213 ipprot=17 sport=11246 dport=1604 Unknown inbound session stopped
2009-12-14T19:41:46+08:00 info Previous log entry repeated 1 times
2009-12-14T19:41:46+08:00 low src=67.228.1.166 dst=219.74.147.213 ipprot=17 sport=11246 dport=1604 UDP Port Scan Detected
2009-12-14T19:41:46+08:00 info src=67.228.1.166 dst=219.74.147.213 ipprot=17 sport=11246 dport=1604 Unknown inbound session stopped
2009-12-14T19:42:08+08:00 info src=192.168.1.65 dst=67.231.240.234 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
2009-12-14T19:42:08+08:00 info src=67.231.240.234 dst=219.74.147.213 ipprot=17 sport=11250 dport=1607 Unknown inbound session stopped
2009-12-14T19:42:08+08:00 info Previous log entry repeated 1 times
2009-12-14T19:42:08+08:00 low src=67.231.240.234 dst=219.74.147.213 ipprot=17 sport=11250 dport=1607 UDP Port Scan Detected
2009-12-14T19:42:08+08:00 info src=67.231.240.234 dst=219.74.147.213 ipprot=17 sport=11250 dport=1607 Unknown inbound session stopped
2009-12-14T19:43:53+08:00 info src=192.168.1.65 dst=174.36.178.72 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
2009-12-14T19:43:53+08:00 info src=174.36.178.72 dst=219.74.147.213 ipprot=17 sport=11239 dport=1620 Unknown inbound session stopped
2009-12-14T19:43:53+08:00 info Previous log entry repeated 1 times

anyone can help me see what the attacker is trying to do?
More
14 years 11 months ago #33074 by talk2sp
Replied by talk2sp on topic the 3rd Entry...
Hello fishBone.

This is my analysis.

- from the 3rd line a port scan was initiated to see what ports u have opened.

- from what i see from the other logs the "attacker" (why i put attacker in quote is cos some of this application and network monitoring softwares know how to forge attacks, has any one noticed this?) tried same thing over and over again. He or it tries to scan to see what u have opened and may be gets a bounce.

Let me ask U fishbone around this time the logger logged this entries what did u experience, either on ur network or on workstations?


Cheers.


C0DE - 3

BORN TO BE GREAT

c0de - 3
..........................................................
Take Responsibility! Don't let failures define you
More
14 years 11 months ago #33083 by donanak
From what I can see from your logs, I can only say its just normal port scan that any system will experience. As far as you have all inbound connections blocked you should be OK. Its annoying and sometimes create more work for admins. If you are hosting services to the outside world then I'd advise you to ensure your servers are hardened and patches applied as such numerous portscans should depicts something "interesting" is available. I'd do a scan outside your network to see what is visible and lock down that which is an issue.

For the internal connections its important as well to investigate as according to most reports inside threat can be malicious too. ICMP connections could be applications or users testing outbound connections to services. I'd run an internal audit on all systems and network to isolate the application/user initiating these outbound connections.

Depending on your environment (company/home) these could be rated as higher risk. For a company this should raise concerns. If personal/home network then its a good way to learn.

My approach above is not orderly arranged but you can work this through based on your company procedures.

Good luck.

-d-

A smart person knows what to say, but a wise person knows whether or not to say it.

'When perfection comes, the imperfect disappear.'
More
14 years 11 months ago #33085 by FishNBone
hihi!

talk2sp: Hi thanks for the info, well after these stuffs logged, i did not experience any difficulties in trying to access sites or lagness however sometimes i do get 0.1sec disconnection like in msn (suddenly your icon in your chat with flash (like refreshing)).

donanak:Hi thank you! I was trying to configure my router to ignore these port scan by going stealth mode, still when i am using any nodes to type in my router's IP address, they can enter the main page. Is there any way to totally block them from even entering to the main page of my router?

Btw is there any thing/software i can use to see/scan my router's "uncontrolled" ports?

Thanks to all!

Fishnbone
More
14 years 11 months ago #33102 by S0lo

Btw is there any thing/software i can use to see/scan my router's "uncontrolled" ports?


If your looking for a ports scanner, there are many out there. Here are a few that stand out:

Free IP Tools: www.all-nettools.com/network-utilities-2...e-ip-tools-48453.htm

Super Scan: www.snapfiles.com/get/superscan.html

Angry IP Scanner: www.angryip.org/w/Home

Lan Spy: lantricks.com/download/

Most of these come with other tools too, so you might need to play with the GUI a bit.

Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx
More
14 years 11 months ago #33108 by talk2sp
Replied by talk2sp on topic cant believe....
Fish Bone Said -

donanak:Hi thank you! I was trying to configure my router to ignore these port scan by going stealth mode, still when i am using any nodes to type in my router's IP address, they can enter the main page. Is there any way to totally block them from even entering to the main page of my router?


Well correct me if i am wrong how do they get to ur routers main config page, and alter ur settings to something?

Dlink with all their flaws on routers its really not easy to get into the main config page. Linksys u cant even dare it especially when the Admin on board is not the dormant type. Bro i hope u changed the default passwords that came with ur equipment. Not to forget also change the default guest password.



C0DE - 3

BORN TO BE GREAT

c0de - 3
..........................................................
Take Responsibility! Don't let failures define you
Time to create page: 0.146 seconds