-
August 13th, 2004, 08:25 AM
#1
China attack??? Massive FW Alerts
In the past 30 minutes I have received over 80 firewall alerts, all coming from the same IP range of 218.13.0.0 - 218.18.255.255.
Here's a couple of alerts.
Intrusion: Invalid TCP Flags
Intruder: 218.18.15.17
Risk Level: Medium
Source IP address: 218.18.15.17
Destination IP address: MAIN(208.180.xx.xxx)
TCP Source Port: microsoft-ds(445)
TCP Destination Port: 18362
TCP Flags invalid: 0x00000015
Intrusion: Invalid TCP Flags
Intruder: 218.18.124.3
Risk Level: Medium
Source IP address: 218.18.124.3
Destination IP address: MAIN(208.180.xx.xxx)
TCP Source Port: microsoft-ds(445)
TCP Destination Port: 22010
TCP Flags invalid: 0x00000015.
Those are coming up like crazy. Now I'm getting it from Poland as well, from 81.0.173.181.
After those alerts pop up at a rate of 2-5 at one time, I get these immediately afterwards:
Intrusion: Invalid Destination IP Address
Intruder: MAIN(208.180.xxx.xxx) <-- My Ip
Risk Level: Low
Source IP address: MAIN(208.180.xx.xxx) <-- My IP
Destination IP address: 0.73.92.61. This IP address is invalid. <-- That IP address changes.
Protocol: TCP.
Have I been rooted?
/edit Now the attacks are coming from Amsterdam too,
@ 150.145.85.89
These are happening at about 20-30 a second.
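Added example, not from the thread or from the firewall vendor: a short script that parses alert records shaped like the ones above, decodes the "TCP Flags invalid" value assuming the standard TCP header bit layout, and groups the flagged sources by /16 so a burst from one range stands out. The sample alerts and the own address 208.180.1.2 are constructed.

```python
# Added example, not from the thread: parse Norton-style alert records like the
# ones posted above, decode the "TCP Flags invalid" bitmask (assumed to use the
# standard TCP header bit layout) and count flagged sources per /16 network.
import ipaddress
import re
from collections import Counter

TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
             0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

SAMPLE_ALERTS = """\
Intrusion: Invalid TCP Flags
Source IP address: 218.18.15.17
TCP Flags invalid: 0x00000015
Intrusion: Invalid TCP Flags
Source IP address: 218.18.124.3
TCP Flags invalid: 0x00000015.
Intrusion: Invalid Destination IP Address
Source IP address: MAIN(208.180.1.2)
Destination IP address: 0.73.92.61. This IP address is invalid.
"""  # constructed sample modelled on the posted alerts; own IP is made up

def decode_flags(value):
    # Name the bits set in a TCP flags value, e.g. 0x15 -> FIN, RST, ACK.
    return [name for bit, name in sorted(TCP_FLAGS.items()) if value & bit]

def parse_alerts(text):
    """Turn the flat 'Key: value' lines into one dict per 'Intrusion:' record."""
    records, current = [], None
    for line in text.splitlines():
        key, _, val = line.partition(":")
        if key == "Intrusion":
            current = {"type": val.strip().rstrip(".")}
            records.append(current)
        elif current is not None:
            current[key] = val.strip()
    return records

def summarize(records):
    """Decode flag values, spot destinations in 0.0.0.0/8, count sources per /16."""
    flags, bad_dst, per_16 = {}, [], Counter()
    for r in records:
        if r["type"] == "Invalid TCP Flags":
            value = int(r["TCP Flags invalid"].rstrip("."), 16)
            flags[value] = decode_flags(value)
            src = IP_RE.search(r["Source IP address"]).group()
            per_16[str(ipaddress.ip_network(src + "/16", strict=False))] += 1
        elif r["type"] == "Invalid Destination IP Address":
            dst = ipaddress.ip_address(IP_RE.search(r["Destination IP address"]).group())
            # 0.0.0.0/8 is "this network" (RFC 1122), never a valid unicast destination.
            if dst in ipaddress.ip_network("0.0.0.0/8"):
                bad_dst.append(str(dst))
    return flags, bad_dst, per_16
```

Running `summarize(parse_alerts(SAMPLE_ALERTS))` decodes 0x15 as FIN+RST+ACK, an illegal combination, and attributes both flagged sources to 218.18.0.0/16.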
-
August 13th, 2004, 08:37 AM
#2
Hrmm, no unusual traffic here.. just your usual port probes and whatnot. I would go to your favorite portlist and see what service is running on the ports targeted. I don't think you've been rooted, but 20-30 a second is quite a number. I would block all incoming traffic or something of that nature until you figure out the problem.
-
August 13th, 2004, 08:39 AM
#3
Yeah I'm just trying to figure it out.
After I get the invalid TCP flags, I then get an alert saying my machine is sending data to an invalid IP on my machine. lol
Also, when I said 20-30 a second, I meant 20-30 a minute, but it increases and decreases. In the past minute I have had 40 alerts.
/edit Now it's coming from 2 other IPs, same exact warnings. Still at the same rate.
I'm going to bed now, but am going to block all traffic till I wake up in the morning to see what's going on.
-
August 13th, 2004, 08:49 AM
#4
Hrmm, so you're figuring around 0.8-1.4 attacks per second. As for the services the ports are running, I'm having a hard time finding what exactly they are. Keep me posted on exactly what's going on and if anything changes in the meantime.
EDIT: K, that's smart for now. Sorry, tried my best to help.
EDIT 2: Sorry, but so you know:
Port 22010 is where something called "RealServer" listens on.
-
August 13th, 2004, 10:30 AM
#5
Yeah, it was quiet for a period of weeks now, but it started again. Here in Greece I'm getting a ton of alerts too on my firewall. Also have a look at
http://www.antionline.com/showthread...109#post772109
Cheers.
Ubuntu: Means in African: "I'm too dumb to use Slackware"
-
August 13th, 2004, 05:29 PM
#6
Well I just now allowed traffic again, and am still getting quite a few hits, but from a different IP this time.
Intrusion: Invalid TCP Flags
Intruder: 201.254.152.137
Risk Level: Medium
Source IP address: 201.254.152.137
Destination IP address: MAIN(208.180.xx.xxx)
TCP Source Port: microsoft-ds(445)
TCP Destination Port: 53787
TCP Flags invalid: 0x00000015.
What's really bothering me, though, is all the "Invalid Destination IP Address" alerts going from my computer to my computer.
Intrusion: Invalid Destination IP Address
Intruder: MAIN(208.180.xx.xx) <-- My IP
Risk Level: Low
Source IP address: MAIN(208.180.xx.xx) <-- My IP
Destination IP address: 0.164.194.58. This IP address is invalid.
Protocol: TCP.
The alerts aren't going off as much as they were, but it sure was going crazy. Now it's mostly that invalid destination alert, then about 5-10 of the invalid TCP flags from some other computer.
Seems attacks were coming from
China
Poland
Amsterdam
Caribbean
I'm used to being scanned from different places, but just not quite this much.
-
August 13th, 2004, 05:55 PM
#7
Or someone is preparing to DDoS you... and source addresses don't matter (fake crafted packets).
Stupid question: your defense (1st level) has source-route and ICMP redirection disabled, right?
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
August 13th, 2004, 06:01 PM
#8
My only defence, since I'm on a 56k computer at the moment, is the Norton firewall, but I do have Norton configured to drop ICMP. Not sure about source route, but I do know if you scan my computer with LANguard or nmap it doesn't see it.
-
August 13th, 2004, 06:10 PM
#9
Are you sure you are just now seeing these?
I've been seeing them for as long as I can remember. I was/am getting so many of them filling my logs that I disabled logging on that port until things die down a bit. (If ever...)
http://isc.sans.org/port_details.php?port=445
Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.
-
August 13th, 2004, 06:14 PM
#10
Yeah, just in the past day, phish.
It wasn't doing this till about 1 a.m. last night.