Home page logo
/

basics logo Security Basics mailing list archives

Re: Home firewall Hits
From: "me null" <me_null () hotmail com>
Date: Thu, 06 Nov 2003 15:27:17 -0500

hello, i havent read through the replys you have got but ill chime in non the less. i would amagine some have sayed part of what i will.

1 im not sure what u ment here bout it sounds like a port scan

">From reading the firewall log, I would think that my router is continuously
hitting
Port 162  with a UDP message.  The odd thing is that it is doing this by
using an
incrementing port from  192.168.1.1, I see many of these every day, it is
continuous."

2 these are DHCP ports 67 / 68 UDP a DHCP server would tell DHCP clients where thay are and info regarding you network.

3 is this is EXACTLY your setup ...
" [cable modem] <----> [ Linksys Wireless Router] ~~~ [ Windows ME W/
firewall ]"
than theres nothing blocking access from the internet to your router. witch means some 1 can (if thay havent yet) crack you routers password. you would be amased at how easy this can be like a user name of "admin" and a password of "admin" and BAM thay have CONTROL of your router. either put a fire wall between your router and the internet or ATLEAST change you login credintals for your router

hope this helps and wasnt too redundant


From: "Preston, Tony" <Tony.Preston () acs-inc com>
To: "'security-basics () securityfocus com'" <security-basics () securityfocus com>
Subject: Home firewall Hits
Date: Fri, 31 Oct 2003 08:56:15 -0500

I am hoping someone here can explain what I am seeing on my home network.
I use Kerio's tiny personal firewall and Windows ME.  I have everything up
to date with the latest patches.

This is my home network and something strange is happening.  The
configurations is


  [cable modem] <----> [ Linksys Wireless Router] ~~~ [ Windows ME W/
firewall ]


From reading the firewall log, I would think that my router is continuously
hitting
Port 162  with a UDP message.  The odd thing is that it is doing this by
using an
incrementing port from  192.168.1.1, I see many of these every day, it is
continuous.

I have the latest firmware from linksys, the firewall is rejecting all the
packets.

While I am an experienced programmer, I do not have alot of network
experience, probably
I would classify myself as knowing enough to be dangerous...:)

The activity is at a moderate rate from a couple per second to one every 20
seconds.  If it
is some sort of attack attempt it is using a randomized delay between
packets.

Here is a summary of the hits.

[30/Oct/2003 23:53:48] Rule 'Packet to unopened port received': Blocked: In
UDP,
  192.168.1.1:40826->localhost:162, Owner: no owner
      thru
  192.168.1.1:40899->localhost:162, Owner: no owner


I do see other "hits" which are much less frequent which are an occasional
hit here or
there, I am not as concerned about these, but would be curious if anyone has
ideas about
why they occur.   The first one, I might see one or two a day.   The second
one would
show up in sets of 5-10, maybe a couple of times a day.

[30/Oct/2003 23:53:56] Rule 'TCP ack packet attack': Blocked: In TCP,
 207.46.197.121:80->localhost:1452, Owner: no owner

[31/Oct/2003 00:00:02] Rule 'Packet to unopened port received': Blocked: In
UDP,
 0.0.0.0:68->localhost:67, Owner: no owner

Anything here I should be concerned with??

I am hoping someone here can explain what I am seeing on my home network.
I use Kerio's tiny personal firewall and Windows ME.  I have everything up
to date with the latest patches.

The configurations is:

  [cable modem] <----> [ Linksys Wireless Router] ~~~ [ Windows ME W/
firewall ]


From reading the firewall log, I would think that my router is continuously
hitting
Port 162  with a UDP message.  The odd thing is that it is doing this by
using an
incrementing port from  192.168.1.1, I see many of these every day, it is
continuous.

I have the latest firmware from linksys, the firewall is rejecting all the
packets.

While I am an experienced programmer, I do not have alot of network
experience, probably
I would classify myself as knowing enough to be dangerous...:)

The activity is at a moderate rate from a couple per second to one every 20
seconds.  If it
is some sort of attack attempt it is using a randomized delay between
packets.

Here is a summary of the hits.

[30/Oct/2003 23:53:48] Rule 'Packet to unopened port received': Blocked: In
UDP,
  192.168.1.1:40826->localhost:162, Owner: no owner
      thru
  192.168.1.1:40899->localhost:162, Owner: no owner


I do see other "hits" which are much less frequent which are an occasional
hit here or
there, I am not as concerned about these, but would be curious if anyone has
ideas about
why they occur.   The first one, I might see one or two a day.   The second
one would
show up in sets of 5-10, maybe a couple of times a day.

[30/Oct/2003 23:53:56] Rule 'TCP ack packet attack': Blocked: In TCP,
 207.46.197.121:80->localhost:1452, Owner: no owner

[31/Oct/2003 00:00:02] Rule 'Packet to unopened port received': Blocked: In
UDP,
 0.0.0.0:68->localhost:67, Owner: no owner

Anything here I should be concerned with??



---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
----------------------------------------------------------------------------


_________________________________________________________________
Compare high-speed Internet plans, starting at $26.95. https://broadband.msn.com (Prices may vary by service area.)


---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to simplify the management and deployment of PGP and reduce overall PGP costs by up to 80%. FREE WHITEPAPER & 30 Day Trial - http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 ----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]