TOPIC: Serious attack? Or just unharm?

Serious attack? Or just unharm? 6 years 11 months ago #33073

  • FishNBone
  • Frequent Member
  • Posts: 33
  • Karma: 0
Hi All!!

I got this log of all the attacks that I have received recently:

2009-12-14T19:40:39+08:00 info Previous log entry repeated 1 times
2009-12-14T19:40:39+08:00 low src=174.36.178.72 dst=219.74.147.213 ipprot=17 sport=11239 dport=1568 UDP Port Scan Detected
2009-12-14T19:40:39+08:00 info src=174.36.178.72 dst=219.74.147.213 ipprot=17 sport=11239 dport=1568 Unknown inbound session stopped
2009-12-14T19:41:33+08:00 info src=192.168.1.65 dst=208.43.33.48 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
2009-12-14T19:41:33+08:00 info src=208.43.33.48 dst=219.74.147.213 ipprot=17 sport=11243 dport=1601 Unknown inbound session stopped
2009-12-14T19:41:33+08:00 info Previous log entry repeated 1 times
2009-12-14T19:41:33+08:00 low src=208.43.33.48 dst=219.74.147.213 ipprot=17 sport=11243 dport=1601 UDP Port Scan Detected
2009-12-14T19:41:33+08:00 info src=208.43.33.48 dst=219.74.147.213 ipprot=17 sport=11243 dport=1601 Unknown inbound session stopped
2009-12-14T19:41:33+08:00 info Previous log entry repeated 1 times
2009-12-14T19:41:46+08:00 info src=192.168.1.65 dst=67.228.1.166 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
2009-12-14T19:41:46+08:00 info src=67.228.1.166 dst=219.74.147.213 ipprot=17 sport=11246 dport=1604 Unknown inbound session stopped
2009-12-14T19:41:46+08:00 info Previous log entry repeated 1 times
2009-12-14T19:41:46+08:00 low src=67.228.1.166 dst=219.74.147.213 ipprot=17 sport=11246 dport=1604 UDP Port Scan Detected
2009-12-14T19:41:46+08:00 info src=67.228.1.166 dst=219.74.147.213 ipprot=17 sport=11246 dport=1604 Unknown inbound session stopped
2009-12-14T19:42:08+08:00 info src=192.168.1.65 dst=67.231.240.234 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
2009-12-14T19:42:08+08:00 info src=67.231.240.234 dst=219.74.147.213 ipprot=17 sport=11250 dport=1607 Unknown inbound session stopped
2009-12-14T19:42:08+08:00 info Previous log entry repeated 1 times
2009-12-14T19:42:08+08:00 low src=67.231.240.234 dst=219.74.147.213 ipprot=17 sport=11250 dport=1607 UDP Port Scan Detected
2009-12-14T19:42:08+08:00 info src=67.231.240.234 dst=219.74.147.213 ipprot=17 sport=11250 dport=1607 Unknown inbound session stopped
2009-12-14T19:43:53+08:00 info src=192.168.1.65 dst=174.36.178.72 ipprot=1 icmp_type=3 icmp_code=3 ICMP Dest Unreachable, session terminated
2009-12-14T19:43:53+08:00 info src=174.36.178.72 dst=219.74.147.213 ipprot=17 sport=11239 dport=1620 Unknown inbound session stopped
2009-12-14T19:43:53+08:00 info Previous log entry repeated 1 times

Can anyone help me see what the attacker is trying to do?

the 3rd Entry... 6 years 11 months ago #33074

  • talk2sp
  • Expert Member
  • Posts: 528
  • Thank you received: 1
  • Karma: 1
Hello fishBone.

This is my analysis.

- From the 3rd line, a port scan was initiated to see what ports you have open.

- From what I see in the other logs, the "attacker" (I put attacker in quotes because some of these application and network monitoring programs know how to forge attacks; has anyone noticed this?) tried the same thing over and over again. He or it tries to scan to see what you have open and maybe gets a bounce.

Let me ask you, fishbone: around the time the logger logged these entries, what did you experience, either on your network or on workstations?


Cheers.


C0DE - 3
I AM MADE TO SHINE... BORN TO BE GREAT


C0dE - 3
..........................................................
Take Responsibility! Don't let failures define you

Re: Serious attack? Or just unharm? 6 years 11 months ago #33083

  • donanak
  • Frequent Member
  • Posts: 53
  • Karma: 0
From what I can see from your logs, I can only say it's just a normal port scan that any system will experience. As long as you have all inbound connections blocked you should be OK. It's annoying and sometimes creates more work for admins. If you are hosting services to the outside world then I'd advise you to ensure your servers are hardened and patches applied, as such numerous port scans should depict that something "interesting" is available. I'd do a scan from outside your network to see what is visible and lock down whatever is an issue.

For the internal connections it's important to investigate as well, as according to most reports inside threats can be malicious too. ICMP connections could be applications or users testing outbound connections to services. I'd run an internal audit on all systems and the network to isolate the application/user initiating these outbound connections.

Depending on your environment (company/home) these could be rated as higher risk. For a company this should raise concerns. If it's a personal/home network then it's a good way to learn.

My approach above is not orderly arranged, but you can work through it based on your company procedures.

Good luck.

-d-
A smart person knows what to say, but a wise person knows whether or not to say it.

'When perfection comes, the imperfect disappear.'

Re: Serious attack? Or just unharm? 6 years 11 months ago #33085

  • FishNBone
  • Frequent Member
  • Posts: 33
  • Karma: 0
hihi!

talk2sp: Hi, thanks for the info. Well, after these things were logged, I did not experience any difficulties in trying to access sites, or any lag; however, sometimes I do get a 0.1-second disconnection, like in MSN (suddenly your icon in your chat window flashes, like it's refreshing).

donanak: Hi, thank you! I was trying to configure my router to ignore these port scans by going into stealth mode, but still, when I use any node to type in my router's IP address, they can enter the main page. Is there any way to totally block them from even entering the main page of my router?

By the way, is there anything/any software I can use to see/scan my router's "uncontrolled" ports?

Thanks to all!

Fishnbone

Re: Serious attack? Or just unharm? 6 years 11 months ago #33102

  • S0lo
  • Moderator
  • Posts: 1577
  • Thank you received: 7
  • Karma: 3
"By the way, is there anything/any software I can use to see/scan my router's "uncontrolled" ports?"

If you're looking for a port scanner, there are many out there. Here are a few that stand out:

Free IP Tools: www.all-nettools.com/network-utilities-2...e-ip-tools-48453.htm

Super Scan: www.snapfiles.com/get/superscan.html

Angry IP Scanner: www.angryip.org/w/Home

Lan Spy: lantricks.com/download/

Most of these come with other tools too, so you might need to play with the GUI a bit.
Studying CCNP...

Ammar Muqaddas
Forum Moderator
www.firewall.cx

cant believe.... 6 years 11 months ago #33108

  • talk2sp
  • Expert Member
  • Posts: 528
  • Thank you received: 1
  • Karma: 1
Fish Bone said:
"donanak: Hi, thank you! I was trying to configure my router to ignore these port scans by going into stealth mode, but still, when I use any node to type in my router's IP address, they can enter the main page. Is there any way to totally block them from even entering the main page of my router?"

Well, correct me if I am wrong: how do they get to your router's main config page and alter your settings to something else?

D-Link, with all their flaws on routers, it's really not easy to get into the main config page. Linksys, you can't even dare it, especially when the admin on board is not the dormant type. Bro, I hope you changed the default passwords that came with your equipment. Not to forget, also change the default guest password.



C0DE - 3
I AM MADE TO SHINE... BORN TO BE GREAT


C0dE - 3
..........................................................
Take Responsibility! Don't let failures define you