MORE Suspicious Firewall Log Entries!!!


    I am running a real firewall with DMZ and NAT.

    I am running IIS/DNS on one box & Exchange on the other (...and I realize, after reading posts from this site, that I should be running a *nix based box, but I work with what I know, and that ain't much)
    Anyhow, yesterday I posted something similar and people told me not to worry, but these types of entries below are a daily occurrence. My site is fine...as far as I know. No complaints from eMail users.

    So...should I just forget about these "attacks"? Does this happen to all of you also?


    06/05/2003 08:50:08.640 Probable TCP FIN scan, 80, WAN xxx.xxx.xxx.xxx, 27690, LAN
    06/05/2003 08:46:18.032 Sub Seven Attack Dropped, 3265, WAN xxx.xxx.xxx.xxx, 1243, WAN
    06/05/2003 07:50:08.896 TCP connection dropped, 42300, WAN, 113, LAN 'Authentication' 6
    06/05/2003 07:49:07.320 UDP packet dropped, 56321, WAN xxx.xxx.xxx.xxx, 137, WAN
    06/05/2003 07:47:49.112 TCP connection dropped, 42209, WAN, 113, LAN 'Authentication' 6
    06/05/2003 02:57:38.480 TCP connection dropped, 3409, WAN, 1080, LAN 'Socks' 6
    06/05/2003 02:18:24.016 TCP connection dropped, 3222, WAN xxx.xxx.xxx.xxx, 25, WAN 'Send Email (SMTP)' 0
    06/04/2003 22:17:39.176 TCP connection dropped, 4476, WAN xxx.xxx.xxx.xxx, 135, WAN 'RPC Mapper' 0
    06/04/2003 19:19:15.896 TCP connection dropped, 1291, WAN xxx.xxx.xxx.xxx, 21, WAN 'File Transfer (FTP)'

    I expect that someone's connected to IRC from the box (or somehow NAT'd to the same IP).

    A lot of IRC servers send back ident requests on port 113 - some also scan for open proxies (so they can ban users who are using one)

    But essentially, all of that is normal for a box on the internet:

    - Connections to port 80 (www) - IIS Worms
    - Port 25 - spammers scanning for open relays to spam through
    - Port 21 - Warez kiddies looking for open FTP servers to dump their warez in
    - 1080 (socks) or any other port commonly used by proxies - kiddies looking for open proxies (and sometimes IRC servers checking for open proxies that the kiddies might be using to attack them through)
    - Subseven - kiddies again

    The kiddies are usually responsible. They are looking for either an easy way in, or a proxy server to use to hide their tracks better.

    There really is no point trying to follow up any of this stuff as there is just too much of it. Any vigilant IDS admin will turn off these rules after a few days of looking at the logs.
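Added example, written for this page rather than taken from the thread: a small Python triage script that parses log lines in the format quoted above and buckets them into the noise categories Slarty lists, leaving anything else "unclassified" so it stands out. The field layout is inferred from the sample lines, not from a vendor specification, and the extra proxy ports 3128/8080 are an assumption.

```python
import re
from collections import Counter

# Field layout assumed from the sample lines in the thread (not a vendor spec):
# DATE TIME MESSAGE, SRC_PORT, SRC_IF [SRC_IP], DST_PORT, DST_IF ['SERVICE'] [RULE]
LINE_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4}) (?P<time>\d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<msg>[^,]+), (?P<sport>\d+), (?P<sif>\w+)(?: (?P<sip>[\dx.]+))?, "
    r"(?P<dport>\d+), (?P<dif>\w+)(?: '(?P<svc>[^']*)')?(?: (?P<rule>\d+))?\s*$")

# Destination port -> the background noise Slarty describes; 3128/8080 are added
# here as other common proxy ports (assumption, not mentioned in the thread).
NOISE_BY_PORT = {80: "IIS worm / web probe", 25: "open-relay scan (spammers)",
                 21: "open-FTP scan (warez)", 113: "IRC ident check",
                 1080: "open-proxy scan", 3128: "open-proxy scan",
                 8080: "open-proxy scan", 1243: "SubSeven probe"}

def parse_line(line):  # returns a dict of fields (ports as int) or None
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def classify(rec):  # alert text wins (scan / Sub Seven), then destination port
    msg = rec["msg"].lower()
    if "sub seven" in msg or "subseven" in msg:
        return "SubSeven probe"
    if "scan" in msg:
        return "port scan"
    return NOISE_BY_PORT.get(rec["dport"], "unclassified")

def triage(lines):  # category -> count; lines the regex rejects land in 'unparsed'
    counts = Counter()
    for line in filter(str.strip, lines):
        rec = parse_line(line)
        counts[classify(rec) if rec else "unparsed"] += 1
    return counts

# Constructed sample: a subset of the lines quoted in the thread (xxx = redacted source IP).
SAMPLE = """\
06/05/2003 08:50:08.640 Probable TCP FIN scan, 80, WAN xxx.xxx.xxx.xxx, 27690, LAN
06/05/2003 08:46:18.032 Sub Seven Attack Dropped, 3265, WAN xxx.xxx.xxx.xxx, 1243, WAN
06/05/2003 07:50:08.896 TCP connection dropped, 42300, WAN, 113, LAN 'Authentication' 6
06/05/2003 07:49:07.320 UDP packet dropped, 56321, WAN xxx.xxx.xxx.xxx, 137, WAN
06/05/2003 02:57:38.480 TCP connection dropped, 3409, WAN, 1080, LAN 'Socks' 6
06/04/2003 19:19:15.896 TCP connection dropped, 1291, WAN xxx.xxx.xxx.xxx, 21, WAN 'File Transfer (FTP)'
"""
if __name__ == "__main__":
    print(triage(SAMPLE.splitlines()))
```

The "unclassified" bucket (here the UDP 137 entry) is the part worth a second look; everything else matches a category from the reply above.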

    Thank you, Slarty.


    Yep, should you throw a "real" IDS up and sniff the perimeter router (as I do) you will see all kinds of stuff. We generate about 2GIG of IDS traffic a day and using signatures from the IDS manufacturer, we see all of the usual suspects knocking at the front door. NMAP scans, IIS, BugBear, WebDAV, source routed traffic, etc. The log entries that you need to worry about are the ones that aren't there, if you catch my drift.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

    Yesterday I downloaded Snort. However, I have NO idea how to get it to work...learning the language and all...etc.

    I'm sure there are other NIDS proggies out there that are a little easier for the "noob".

    Thanks for your help.


    Ret: Try PureSecure's Windows version based on Snort. It's free for non-commercial use and is easy to install with a nice interface and some additional features.

    Try it here
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

