Home page logo
/

basics logo Security Basics mailing list archives

Re: I need help with Firewall Hits
From: ~Kevin Davis³ <kevin.davis () mindless com>
Date: Mon, 3 Nov 2003 19:43:25 -0500

Linksys routers transmit their router logs via port 162.  Go into your admin
(web) interface and turn off your logging.  Or, get some software to help
process the logs (for one example www.wallwatcher.com)


~Kevin Davis³

What possibly could go wrong?
----- Original Message ----- 
From: "Preston, Tony" <Tony.Preston () acs-inc com>
To: <security-basics () securityfocus com>
Sent: Monday, November 03, 2003 11:08 AM
Subject: I need help with Firewall Hits


I thought I posted this information the other day(with a different set of
data), but did not see it so I am re-asking my questions...

I have a Win/Me with the latest patches, a linksys wireless router with
the
latest firmware (BEFS4W11 V 1.44).  My Wireless card has the latest
drivers.
I have Kerio tiny personal firewall (latest version) installed and it is
collecting about 700 hits per day of the same type.  I am no expert on
this
kind of thing so any help is appreciated.

 My system looks like:

   ~~~~[Cable modem]~~~~~[Linksys Wireless Router]  ...  [ Win/ME, TPF ]

I have changed the ssid and channel (althought the channel is apparently
not
used) from the default, WEP is not enabled.   There are three systems that
could be on my wireless network (my system and two laptops, the hits occur
even when the laptops are not connected so I have assumed they are not the
cause).  I only see the MAC addresses of the three systems in my router
tables.

The hits are a continuous attempt to hit port 162 on my system, the
"sender"
is always ip address 192.168.1.1, my router's ip address, with a port that
varies on each hit, increments on each hit. Over the last few days it was
40901 to 42925 (almost 2000 hits over the last 3 days)

A summary of the report is:

1,[31/Oct/2003 07:12:30] Rule 'Packet to unopened port received': Blocked:
In UDP,

192.168.1.1:40901->localhost:162, Owner: no owner
...
192.168.1.1:42925->localhost:162, Owner: no owner

I do get other hits, but those are few enough, blocked, and I can identify
the exploits (msblaster trying to infect my system for example) so they
are
of a lesser concern that this one.

I would like to resolve who/why I am getting these hits and identify what
the exploit is.

How can I figure out where these are coming from?

I have reset the router (to ensure it wasn't the router that was doing
them)
and cable modem.

Anyone have any ideas on what I can do to track this down and possibly
stop
it?

Tony Preston
Systems Engineer, AS&T Inc.
Division of L3 Corporation
(609) 485-0205 x 181


-----Original Message-----
From: Ivan Hernandez [mailto:ivan.hernandez () globalsis com ar]
Sent: Wednesday, October 29, 2003 2:21 PM
To: Ansgar -59cobalt- Wiechers
Cc: security-basics () securityfocus com
Subject: Re: Personal Firewall for Business use

Ansgar -59cobalt- Wiechers wrote:

On 2003-10-27 Ivan Hernandez wrote:

[ Windows TCP filtering ]


"Application level protection" is ridiculous if the protecting agent is
running on the same box. I keep wondering how people can expect software
that allows user interaction (like most personal firewalls do) to
prevent other (malicious) software from doint whatever it pleases.
Regards
Ansgar Wiechers


I would reccomend you to read the good information about on the Gibson
Research site at http://www.grc.com
Try the information leak utility that's very usefull with all the other
toys written in assembly. It's a nice and educational site. Windows
Kernel Filtering will not stop a trojan from making connections on the
internet, and that's one of the most important risks on a personal
computer. Most worms are going via email today, and the filter will do
nothing with that, but with some application level filtering, like Zone
Alarm has, you can catch them before they go to the internet. Windows
Kernel Filter also is very bad option to filter UDP traffic. For
example... you would, just want to recieve responses of DNS queryies you
have made, but this is just impossible because you have no way to keep
track of your connections.
I think you must take a little more time before saying that somthing
that other said is "ridiculous" and, in doubt ask first what did the
other exactly mean, and ask for more information if necessary.

Cheers...

Ivan Hernandez
http://biromeponja.8k.com


--------------------------------------------------------------------------
-
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security
to

simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
--------------------------------------------------------------------------
--

--------------------------------------------------------------------------
-
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security
to
simplify the management and deployment of PGP and reduce overall PGP costs
by up to 80%.
FREE WHITEPAPER & 30 Day Trial -
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
--------------------------------------------------------------------------
--



---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]