Firewall intrusion attempt log question

Thread: Firewall intrusion attempt log question

  1. #1

    Question Firewall intrusion attempt log question

    This is a copy of the intrusion attempts from my firewall logs for roughly the past two weeks. These are only the days when someone has been persistent enough to make me log the attempts. I'm not particularly worried about the attempts, because as far as I can tell, all the idiots are doing is banging their heads against my firewall. Nor, for that matter, do I have the services running on those ports to make them vulnerable anyway.

    http://www.treachery.net/security_to...rts/lookup.cgi <--Handy little thing.

    My question is thus: Is it worth the time and effort to bother tracing the most persistent little wannabe and reporting them to their ISP? 128.11.18.132 being the one that concerns me.

    5/20/2002 5:42:29 PM Connection request 216.136.226.118 TCP(1597)
    5/20/2002 5:41:25 PM Connection request 216.136.226.118 TCP(1597)
    5/20/2002 5:40:21 PM Connection request 216.136.226.118 TCP(1597)
    5/20/2002 5:39:17 PM Connection request 216.136.226.118 TCP(1597)
    5/20/2002 5:38:13 PM Connection request 216.136.226.118 TCP(1597)
    5/20/2002 5:37:09 PM Connection request 216.136.226.118 TCP(1597)
    5/20/2002 5:36:05 PM Connection request 216.136.226.118 TCP(1597)
    5/20/2002 5:35:01 PM Connection request 216.136.226.118 TCP(1597)
    5/20/2002 5:33:57 PM Connection request 216.136.226.118 TCP(1597)

    5/21/2002 10:35:18 PM Connection request 152.163.226.77 TCP(1896)
    5/21/2002 5:04:04 PM Port scanned 61.219.250.188 TCP(111)
    5/21/2002 5:04:04 PM Connection request 61.219.250.188 TCP(111)
    5/21/2002 4:23:58 PM Connection request 152.163.226.3 TCP(1652)
    5/21/2002 4:23:44 PM Connection request 152.163.226.25 TCP(1632)

    6/3/2002 5:47:52 PM Connection request 192.232.30.60 TCP(1179)
    6/3/2002 5:42:24 PM Connection request 128.11.18.132 TCP(1100)
    6/3/2002 5:40:24 PM Connection request 128.11.18.132 TCP(1100)
    6/3/2002 5:38:24 PM Connection request 128.11.18.132 TCP(1100)
    6/3/2002 5:36:24 PM Connection request 128.11.18.132 TCP(1100)
    6/3/2002 5:34:24 PM Connection request 128.11.18.132 TCP(1100)
    6/3/2002 5:32:24 PM Connection request 128.11.18.132 TCP(1100)
    6/3/2002 5:30:24 PM Connection request 128.11.18.132 TCP(1100)
    6/3/2002 5:28:24 PM Connection request 128.11.18.132 TCP(1100)
    6/3/2002 5:26:24 PM Connection request 128.11.18.132 TCP(1100)
    6/3/2002 5:24:24 PM Connection request 128.11.18.132 TCP(1100)
    6/3/2002 5:22:24 PM Connection request 128.11.18.132 TCP(1100)
    6/3/2002 5:20:48 PM Connection request 128.11.18.132 TCP(1100)
    6/3/2002 5:19:18 PM Connection request 128.11.18.132 TCP(1100)
    6/3/2002 5:15:08 PM Connection request 207.46.182.140 TCP(1513)

    6/6/2002 11:35:28 PM Port scanned 128.11.18.132 TCP(1121) TCP(1073)
    6/6/2002 11:35:28 PM Connection request 128.11.18.132 TCP(1121)
    6/6/2002 11:35:09 PM Connection request 128.11.18.132 TCP(1073)
    6/6/2002 11:23:50 PM Port scanned 128.11.18.132 TCP(1121) TCP(1073)
    6/6/2002 11:23:50 PM Connection request 128.11.18.132 TCP(1121)
    6/6/2002 11:23:09 PM Connection request 128.11.18.132 TCP(1073)
    6/6/2002 11:21:09 PM Connection request 128.11.18.132 TCP(1073)
    6/6/2002 11:19:30 PM Connection request 128.11.18.132 TCP(1073)
    6/6/2002 11:17:58 PM Connection request 128.11.18.132 TCP(1073)

    Any suggestions are appreciated.
    -Keisha
    www.notinourname.net
    www.nion.us

    Read them.

  2. #2
    Member, joined May 2002, 82 posts
    My approach to this is simple....

    Right now, it may not matter whether they're looking for ways to get in, because they can't... yet... What about tomorrow? Or the day after?

    I would report it to the ISP (it's not like the police can do anything about it because he hasn't actually met the standard of "breaking and entering"). On the same note, you might keep him from having to go to jail one day. I guess that's an alt+way of "giving back to society." For real, though... I would do him the favor.

    By the way... It may be better to contact your ISP about it instead and let them deal with it (if they're willing to contact his ISP about it, his ISP will be less likely to ignore it).

    (my "open ion" of course)

    Best regards,

    Rev
    Many will ask, "Where do you want to go today?" because they're still scratching for ideas.

    With *NIX, there's already a way. The sum of us just need roadmaps to get there.

  3. #3
    Senior Member, joined Nov 2001, 4,786 posts
    I really don't think it's a hack attempt; more likely it's push technology. Observe what you're doing when you get these connection requests.

    This is the 'culprit':

    Real Networks (NETBLK-REALNET-18-14)
    2601 Elliott Avenue
    Seattle, WA 98121
    US

    Netname: REALNET-18-14
    Netblock: 128.11.18.0 - 128.11.18.255

    Coordinator:
    Center, Network Operations (NOC6-ARIN) [No mailbox]
    814-274-9830
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #4
    Senior Member, joined Oct 2001, 638 posts
    Yeah I have the same problems as I'm sure most of the people at AO do. My firewall logs are full of stuff like this. During last month, my firewall logged countless attempts to connect to port 1433 because of the SQL worm. You're obviously being scanned by a kiddy who doesn't understand how to be discreet.

    Unfortunately, this isn't illegal unless the number of connection attempts is causing the performance of your box to suffer, in which case it's a DoS attack. Just keep an eye on it and keep your logs as evidence in case something does happen in the future.
    OpenBSD - The proactively secure operating system.

  5. #5
    Senior Member, joined Sep 2001, 1,027 posts
    And Yahoo:

    Yahoo (NETBLK-EC20-2-YAHOO2)
    701 First Avenue
    Sunnyvale, CA 94089
    US

    Netname: EC20-2-YAHOO2
    Netblock: 216.136.224.0 - 216.136.227.255
    Maintainer: YHOO

    Ammo
    Credit travels up, blame travels down -- The Boss

  6. #6
    Junior Member, joined Jun 2002, 3 posts
    Can someone explain the firewall log at the beginning??? Do the IP addresses mentioned there belong to the "intruder"?

  7. #7
    Senior Member, joined Jul 2001, 461 posts
    It seems to me that the ports listed are the "source ports" and not the destination ports.

    Combining that with the owners of the IP addresses, I would think, like tedob1, that you are not under attack at all (from those IP addresses), although the port 111 probe strikes me as a network scanner looking for a particular vulnerability, especially as the IP address is from Asia. There are lots of scanners that look for port 111 on the internet, and you really shouldn't have to worry about that.

    All the other scans seem to originate (I assume that the port number your log shows next to the IP address is the source port, and not the destination) from ports above 1024, which are doled out to applications on an as-needed basis, and therefore often mean nothing as a source port. Besides, a Google search on most of them revealed nothing of note in the first 2 pages of results, as far as exploits specific to those port numbers (as a destination).
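    As an added example (not code from the original thread or any poster), here is a small Python script that parses log lines in the format the opening post uses, groups them by address, and applies the two checks the replies above reason about informally: whether the retries arrive on a fixed timer (a client on a schedule rather than a person at a keyboard) and whether any flagged port is below 1024, i.e. a well-known service port such as 111 (sunrpc/portmapper), which is what a scanner hunting for one specific service looks like. The sample lines are a constructed subset of the post's own log; the two-second interval tolerance and the one-hour burst gap are assumptions chosen for this example. One caveat on the source-port reading in the post above: the port printed is identical on every retry, whereas a client opening a fresh outbound connection normally gets a new ephemeral source port, so the field is more plausibly the port being probed on the firewall. The example treats it that way and makes no claim about which service any of the high ports was for.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a subset of the opening post's log lines, typed in here so
# the example runs offline. Same format as the firewall's own output.
SAMPLE_LOG = """\
5/20/2002 5:42:29 PM Connection request 216.136.226.118 TCP(1597)
5/20/2002 5:41:25 PM Connection request 216.136.226.118 TCP(1597)
5/20/2002 5:40:21 PM Connection request 216.136.226.118 TCP(1597)
5/20/2002 5:39:17 PM Connection request 216.136.226.118 TCP(1597)
5/21/2002 5:04:04 PM Port scanned 61.219.250.188 TCP(111)
5/21/2002 5:04:04 PM Connection request 61.219.250.188 TCP(111)
6/3/2002 5:42:24 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:40:24 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:38:24 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:36:24 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:15:08 PM Connection request 207.46.182.140 TCP(1513)
6/6/2002 11:35:28 PM Port scanned 128.11.18.132 TCP(1121) TCP(1073)
6/6/2002 11:35:28 PM Connection request 128.11.18.132 TCP(1121)
6/6/2002 11:35:09 PM Connection request 128.11.18.132 TCP(1073)
"""

LINE_RE = re.compile(
    r"^(\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(Connection request|Port scanned) (\d{1,3}(?:\.\d{1,3}){3}) (.*)$"
)
PORT_RE = re.compile(r"TCP\((\d+)\)")

PERIOD_TOLERANCE_S = 2   # assumption: retries within 2 s of a fixed interval are a timer
SESSION_GAP_S = 3600     # assumption: a gap over an hour separates two bursts


def parse_log(text):
    """Turn the firewall's text lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p"),
            "kind": m.group(2),
            "ip": m.group(3),
            "ports": [int(p) for p in PORT_RE.findall(m.group(4))],
        })
    return events


def find_period(times):
    """Return the retry interval in seconds if some burst of 3+ attempts is evenly spaced, else None."""
    times = sorted(times)
    bursts, current = [], []
    for t in times:
        if current and (t - current[-1]).total_seconds() > SESSION_GAP_S:
            bursts.append(current)
            current = []
        current.append(t)
    if current:
        bursts.append(current)
    for burst in bursts:
        if len(burst) < 3:
            continue
        deltas = [(b - a).total_seconds() for a, b in zip(burst, burst[1:])]
        if max(deltas) - min(deltas) <= PERIOD_TOLERANCE_S:
            return round(sum(deltas) / len(deltas))
    return None


def summarize(events):
    """Per-address view: how many connection requests, which ports, any well-known port, any timer."""
    by_ip = defaultdict(lambda: {"connection_requests": 0, "ports": set(), "times": []})
    for e in events:
        info = by_ip[e["ip"]]
        info["ports"].update(e["ports"])
        if e["kind"] == "Connection request":
            info["connection_requests"] += 1
            info["times"].append(e["time"])
    summary = {}
    for ip, info in by_ip.items():
        summary[ip] = {
            "connection_requests": info["connection_requests"],
            "ports": sorted(info["ports"]),
            "privileged": any(p < 1024 for p in info["ports"]),  # well-known service range
            "period": find_period(info["times"]),
        }
    return summary


def classify(info):
    """Label one address the way the thread's replies do, from evidence in the log alone."""
    if info["period"] is not None:
        return "periodic retry: fixed %ds interval, typical of a client on a timer (check which application was running)" % info["period"]
    if info["privileged"]:
        return "service probe: well-known port(s) %s" % [p for p in info["ports"] if p < 1024]
    return "background noise: %d attempt(s), high ports only" % info["connection_requests"]


if __name__ == "__main__":
    for ip, info in summarize(parse_log(SAMPLE_LOG)).items():
        print("%-16s %s" % (ip, classify(info)))
```

    Run as-is it prints one line per address; the two hosts the thread singles out come out as fixed 64-second and 120-second timers, the port 111 hit as a service probe, and the single stray request as noise. Point `parse_log` at a full log and the same three labels tell you which entries are worth a whois lookup and which are not.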

  8. #8
    KorpDeath, Priapistic Monk, joined Dec 2001, 2,628 posts
    Originally posted here by almorga
    Can someone explain the firewall log at the beginning??? Do the IP addresses mentioned there belong to the "intruder"?
    Kind of... though 'intruder' is not quite the word. If you see a buttload of connection attempts or all of your ports being scanned in a matter of moments, then yes, someone is trying to get in kind of hard. But as for saying that these attempts are someone trying to get in: (1) they aren't trying too hard, or (2) it's just internet noise.

    Now knowing that they come from mass marketing companies or "whores of the internet" is really speaking volumes. In other words, it's probably people trying to get marketing info off your system.

    It could be a million things, but chances are it's not worth your time to worry about.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  9. #9
    Senior Member, joined Apr 2002, 889 posts
    Port 1073 was an attempt to see if there is a web console, port 1100 is seeing if it is a Checkpoint firewall, 1652 is to see if remote console is there, port 1597 is looking for Linux. A short port scan for services and OS and what they might use; more of an info-gathering thing. Hope that helps.
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg

  10. #10
    Senior Member, joined Apr 2002, 889 posts
    Oh, forgot to add: this looks like a script kiddie newbie scan, not sure what they are looking for, just testing to see if it works. But upon checking the IP, if the firewall cannot pick up an IP spoof, I'd say the signature is RealPlayer, as in RealNetworks pushing ads and attempting to get playlists. Funny how they use such odd ports.
    I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg
