Home page logo
/

basics logo Security Basics mailing list archives

RE: I need help with Firewall Hits
From: "jm" <jm () mindless com>
Date: Mon, 3 Nov 2003 18:05:28 -0000

Are they all coming at regular intervals?  Sounds like SNMP to me.

I think it is your router, trying to send SNMP packets to you.

Maybe someone else can confirm, but are there SNMP settings on your
router?

http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=port+162&btnG=Goo
gle+Search 




-----Original Message-----
From: Preston, Tony [mailto:Tony.Preston () acs-inc com] 
Sent: 03 November 2003 16:09
To: security-basics () securityfocus com
Subject: I need help with Firewall Hits

I thought I posted this information the other day(with a different set
of
data), but did not see it so I am re-asking my questions...

I have a Win/Me with the latest patches, a linksys wireless router with
the
latest firmware (BEFS4W11 V 1.44).  My Wireless card has the latest
drivers.
I have Kerio tiny personal firewall (latest version) installed and it is
collecting about 700 hits per day of the same type.  I am no expert on
this
kind of thing so any help is appreciated.

 My system looks like:

   ~~~~[Cable modem]~~~~~[Linksys Wireless Router]  ...  [ Win/ME, TPF ]

I have changed the ssid and channel (althought the channel is apparently
not
used) from the default, WEP is not enabled.   There are three systems
that
could be on my wireless network (my system and two laptops, the hits
occur
even when the laptops are not connected so I have assumed they are not
the
cause).  I only see the MAC addresses of the three systems in my router
tables.

The hits are a continuous attempt to hit port 162 on my system, the
"sender"
is always ip address 192.168.1.1, my router's ip address, with a port
that
varies on each hit, increments on each hit. Over the last few days it
was
40901 to 42925 (almost 2000 hits over the last 3 days)

A summary of the report is:

1,[31/Oct/2003 07:12:30] Rule 'Packet to unopened port received':
Blocked:
In UDP, 

192.168.1.1:40901->localhost:162, Owner: no owner
... 
192.168.1.1:42925->localhost:162, Owner: no owner

I do get other hits, but those are few enough, blocked, and I can
identify
the exploits (msblaster trying to infect my system for example) so they
are
of a lesser concern that this one.  

I would like to resolve who/why I am getting these hits and identify
what
the exploit is.

How can I figure out where these are coming from?

I have reset the router (to ensure it wasn't the router that was doing
them)
and cable modem.

Anyone have any ideas on what I can do to track this down and possibly
stop
it?

Tony Preston
Systems Engineer, AS&T Inc.
Division of L3 Corporation
(609) 485-0205 x 181


-----Original Message-----
From: Ivan Hernandez [mailto:ivan.hernandez () globalsis com ar] 
Sent: Wednesday, October 29, 2003 2:21 PM
To: Ansgar -59cobalt- Wiechers
Cc: security-basics () securityfocus com
Subject: Re: Personal Firewall for Business use

Ansgar -59cobalt- Wiechers wrote:

On 2003-10-27 Ivan Hernandez wrote:

[ Windows TCP filtering ]
 

"Application level protection" is ridiculous if the protecting agent is
running on the same box. I keep wondering how people can expect
software
that allows user interaction (like most personal firewalls do) to
prevent other (malicious) software from doint whatever it pleases.
Regards
Ansgar Wiechers
 

I would reccomend you to read the good information about on the Gibson 
Research site at http://www.grc.com
Try the information leak utility that's very usefull with all the other 
toys written in assembly. It's a nice and educational site. Windows 
Kernel Filtering will not stop a trojan from making connections on the 
internet, and that's one of the most important risks on a personal 
computer. Most worms are going via email today, and the filter will do 
nothing with that, but with some application level filtering, like Zone 
Alarm has, you can catch them before they go to the internet. Windows 
Kernel Filter also is very bad option to filter UDP traffic. For 
example... you would, just want to recieve responses of DNS queryies you

have made, but this is just impossible because you have no way to keep 
track of your connections.
I think you must take a little more time before saying that somthing 
that other said is "ridiculous" and, in doubt ask first what did the 
other exactly mean, and ask for more information if necessary.

Cheers...

Ivan Hernandez
http://biromeponja.8k.com


------------------------------------------------------------------------
---
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services
security to

simplify the management and deployment of PGP and reduce overall PGP
costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027

------------------------------------------------------------------------
----

------------------------------------------------------------------------
---
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services
security to 
simplify the management and deployment of PGP and reduce overall PGP
costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027

------------------------------------------------------------------------
----



---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]