From: Preston, Tony [mailto:Tony.Preston () acs-inc com]
Sent: November 3, 2003 08:09
To: security-basics () securityfocus com
Subject: I need help with Firewall Hits
I thought I posted this information the other day(with a
different set of
data), but did not see it so I am re-asking my questions...
I have a Win/Me with the latest patches, a linksys wireless
router with the
latest firmware (BEFS4W11 V 1.44). My Wireless card has the
I have Kerio tiny personal firewall (latest version)
installed and it is
collecting about 700 hits per day of the same type. I am no
expert on this
kind of thing so any help is appreciated.
My system looks like:
~~~~[Cable modem]~~~~~[Linksys Wireless Router] ... [
Win/ME, TPF ]
I have changed the ssid and channel (althought the channel is
used) from the default, WEP is not enabled. There are three
could be on my wireless network (my system and two laptops,
the hits occur
even when the laptops are not connected so I have assumed
they are not the
cause). I only see the MAC addresses of the three systems in
The hits are a continuous attempt to hit port 162 on my
system, the "sender"
is always ip address 192.168.1.1, my router's ip address,
with a port that
varies on each hit, increments on each hit. Over the last few
days it was
40901 to 42925 (almost 2000 hits over the last 3 days)
A summary of the report is:
1,[31/Oct/2003 07:12:30] Rule 'Packet to unopened port
192.168.1.1:40901->localhost:162, Owner: no owner
192.168.1.1:42925->localhost:162, Owner: no owner
I do get other hits, but those are few enough, blocked, and I
the exploits (msblaster trying to infect my system for
example) so they are
of a lesser concern that this one.
I would like to resolve who/why I am getting these hits and
the exploit is.
How can I figure out where these are coming from?
I have reset the router (to ensure it wasn't the router that
was doing them)
and cable modem.
Anyone have any ideas on what I can do to track this down and
Systems Engineer, AS&T Inc.
Division of L3 Corporation
(609) 485-0205 x 181
From: Ivan Hernandez [mailto:ivan.hernandez () globalsis com ar]
Sent: Wednesday, October 29, 2003 2:21 PM
To: Ansgar -59cobalt- Wiechers
Cc: security-basics () securityfocus com
Subject: Re: Personal Firewall for Business use
Ansgar -59cobalt- Wiechers wrote:
On 2003-10-27 Ivan Hernandez wrote:
[ Windows TCP filtering ]
"Application level protection" is ridiculous if the
protecting agent is
running on the same box. I keep wondering how people can
that allows user interaction (like most personal firewalls do) to
prevent other (malicious) software from doint whatever it pleases.
I would reccomend you to read the good information about on
Research site at http://www.grc.com
Try the information leak utility that's very usefull with all
toys written in assembly. It's a nice and educational site. Windows
Kernel Filtering will not stop a trojan from making
connections on the
internet, and that's one of the most important risks on a personal
computer. Most worms are going via email today, and the
filter will do
nothing with that, but with some application level filtering,
Alarm has, you can catch them before they go to the internet. Windows
Kernel Filter also is very bad option to filter UDP traffic. For
example... you would, just want to recieve responses of DNS
have made, but this is just impossible because you have no
way to keep
track of your connections.
I think you must take a little more time before saying that somthing
that other said is "ridiculous" and, in doubt ask first what did the
other exactly mean, and ask for more information if necessary.
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web
Services security to
simplify the management and deployment of PGP and reduce
overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -