Suspicious Firewall log entry!!

  1. #1
    Member
    Join Date
    May 2002
    Posts
    54

    Suspicious Firewall log entry!!

    While checking my firewall logs I found this entry:

    06/04/2003 14:45:12.800 TCP connection dropped 66.14.211.33, 3415, WAN 192.168.168.4, 80, LAN 'Web (HTTP)' 6
    06/04/2003 14:43:10.016 TCP connection dropped 66.14.211.33, 4396, WAN 192.168.168.4, 80, LAN 'Web (HTTP)' 6
    06/04/2003 14:41:34.352 TCP connection dropped 66.14.211.33, 3646, WAN 192.168.168.4, 80, LAN 'Web (HTTP)' 6


    Then I did this:

    Microsoft Windows 2000 [Version 5.00.2195]
    (C) Copyright 1985-2000 Microsoft Corp.

    C:\>tracert 66.14.211.33

    Tracing route to bdsl.66.14.211.33.gte.net [66.14.211.33]
    over a maximum of 30 hops:

    1 32 ms 31 ms 15 ms bdsl.66.14.8.145.gte.net [66.14.8.145]
    2 31 ms 31 ms 32 ms 4.24.46.149
    3 32 ms 31 ms 31 ms p3-2.lsanca2-cr1.bbnplanet.net [4.24.118.93]
    4 31 ms 31 ms 47 ms p3-0.lsanca2-br2.bbnplanet.net [4.25.111.2]
    5 15 ms 32 ms 15 ms p3-0.lsanca1-cr8.bbnplanet.net [4.24.5.54]
    6 31 ms 47 ms 31 ms p1-0.lsanca1-cr7.bbnplanet.net [4.24.7.125]
    7 16 ms 15 ms 31 ms a-7-1-4.lsanca1-ar2.bbnplanet.net [4.0.7.150]
    8 62 ms 63 ms 62 ms bdsl.66.14.211.33.gte.net [66.14.211.33]

    Trace complete.

    C:\>

    What does the above mean to you guys/gals?

    Is someone from Verizon(GTE) doing this?

    grassy-ass,
    retfarcratS

  2. #2
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    Something is not right about this... the private address space in the message bothers me a bit...

    What firewall product is this?

    Where is the firewall (is it a personal firewall running on your PC, a DSL router/firewall, is it a real firewall serving a DMZ and doing NAT)?

    Do you run a web server?

    /nebulus
    There is only one constant, one universal, it is the only real truth: causality. Action. Reaction. Cause and effect...There is no escape from it, we are forever slaves to it. Our only hope, our only peace is to understand it, to understand the 'why'. 'Why' is what separates us from them, you from me. 'Why' is the only real social power, without it you are powerless.

    (Merovingian - Matrix Reloaded)

  3. #3
    Member
    Join Date
    May 2002
    Posts
    54
    Yes, it is a real firewall running DMZ and NAT.

    I am running an Exchange box and IIS (two different boxes, however)... and the Exchange box is assigned that 192.168.168.4.

  4. #4
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    OK, that makes a little more sense. Are you running OWA on your Exchange server? Someone may have been trying to see if you were... don't really see anything terribly suspicious here... did you only see 3 events or are you seeing more? If you are seeing more, or seeing events to all of your boxes, the person is probably running a scan to detect web servers. That person could also have some kind of a worm infection that is doing the scan for him (a la Code Red or Nimda), or could be compromised and the hacker is using this PC as a launch point, or it could be a normal request of someone looking for OWA... almost impossible to tell from your log entries, which leads to:

    You really ought to consider installing a NIDS if you are going to run something as hideous as IIS and exchange. Snort makes a very good free one...If you had that, then you could display the packet contents and whatever alarm it tripped. That would go a long way to getting a better analysis...

    Cheers,

    /neb


  5. #5
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    OK, so the connection's NAT'd the packets into the Exchange box, which has then dropped them with a firewall on there?

    A machine is trying to connect to port 80. This is totally normal for any box connected to the internet, it may be for a variety of reasons, but 99% of the time it's an IIS worm. Don't bother trying to contact the owner of the machine, they are a lamer because they haven't fully patched their IIS since the last IIS worm came out last year. In fact they've probably just left it turned on and forgotten about it.
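The triage rule of thumb from post #4 (a few hits on one box is probably a worm or someone looking for OWA; hits spread across several boxes look like a scan for web servers) applied to the firewall log layout shown in post #1, as an added example that is not part of the thread. The regex for the line layout, the three-host scan threshold, and the extra sample lines from the documentation addresses 192.0.2.10 and 198.51.100.7 are my own assumptions, not anything the posters provided.

```python
import re
from collections import defaultdict

# Assumed layout of the lines quoted in post #1 (firewall product unknown):
#   <date> <time> TCP connection dropped <src>, <sport>, WAN <dst>, <dport>, LAN 'Web (HTTP)' 6
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) TCP connection dropped "
    r"(?P<src>[\d.]+), (?P<sport>\d+), WAN (?P<dst>[\d.]+), (?P<dport>\d+), LAN"
)

# The three real entries from post #1 plus constructed lines from documentation addresses.
SAMPLE_LOG = """\
06/04/2003 14:45:12.800 TCP connection dropped 66.14.211.33, 3415, WAN 192.168.168.4, 80, LAN 'Web (HTTP)' 6
06/04/2003 14:43:10.016 TCP connection dropped 66.14.211.33, 4396, WAN 192.168.168.4, 80, LAN 'Web (HTTP)' 6
06/04/2003 14:41:34.352 TCP connection dropped 66.14.211.33, 3646, WAN 192.168.168.4, 80, LAN 'Web (HTTP)' 6
06/04/2003 15:02:01.100 TCP connection dropped 192.0.2.10, 1025, WAN 192.168.168.2, 80, LAN 'Web (HTTP)' 6
06/04/2003 15:02:01.150 TCP connection dropped 192.0.2.10, 1026, WAN 192.168.168.3, 80, LAN 'Web (HTTP)' 6
06/04/2003 15:02:01.200 TCP connection dropped 192.0.2.10, 1027, WAN 192.168.168.4, 80, LAN 'Web (HTTP)' 6
06/04/2003 15:10:44.000 TCP connection dropped 198.51.100.7, 2200, WAN 192.168.168.4, 80, LAN 'Web (HTTP)' 6
""".splitlines()

def parse(lines):
    """Return one dict per line that matches the layout; other lines are skipped."""
    matches = (LINE_RE.match(line.strip()) for line in lines)
    return [m.groupdict() for m in matches if m]

def triage(lines, scan_hosts=3):
    """Group dropped connections by source address and apply post #4's rule of thumb:
    several internal hosts -> scan; one host hit repeatedly -> probe; one hit -> noise."""
    by_src = defaultdict(list)
    for rec in parse(lines):
        by_src[rec["src"]].append(rec)
    verdicts = {}
    for src, recs in by_src.items():
        hosts = sorted({r["dst"] for r in recs})
        ports = sorted({int(r["dport"]) for r in recs})
        if len(hosts) >= scan_hosts:
            verdict = "scan"
        elif len(recs) > 1:
            verdict = "repeated probe of one host"
        else:
            verdict = "single event"
        verdicts[src] = {"events": len(recs), "hosts": hosts, "ports": ports, "verdict": verdict}
    return verdicts

for src, v in triage(SAMPLE_LOG).items():
    print(f"{src:15} {v['events']} events, hosts={v['hosts']}, ports={v['ports']} -> {v['verdict']}")
```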

  6. #6
    Master-Jedi-Pimps0r & Moderator thehorse13
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Yes, and sometimes your ISP attempts to connect back to port 80.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  7. #7
    Member
    Join Date
    May 2002
    Posts
    54
    neb,

    Thanks for the assistance. I'm not running OWA but feel that I should in the near future.

    Hideous as it may be, IIS and Exchange are great products for us newbies, in that they are easy to set up and run. I would agree that they are not as secure as most would like.

    I will google Snort, and continue monitoring my firewall.

    I still am curious as to why the trace ended where it did. Any thoughts?
    I mean, isn't that a box straight from Verizon?

  8. #8
    Jaded Network Admin nebulus200
    Join Date
    Jun 2002
    Posts
    1,356
    If you run OWA, make sure it is over SSL. At least people can't sniff username/password pairs.

    Snort is at: www.snort.org

    It is a DSL user at GTE. Slarty is probably right in that it is some idiot with either no AV protection or old AV protection that has contracted a worm. I wouldn't really worry about it, especially since all you have is a log of the connection...

    /nebulus

  9. #9
    Member
    Join Date
    May 2002
    Posts
    54
    No worries then... OK.

    Thanks for all the help everyone!

    You all rock the cazbah.
