June 5th, 2003, 05:54 PM
MORE Suspicious Firewall Log Entries!!!
I am running a real firewall with DMZ and NAT.
I am running IIS/DNS on one box & Exchange on the other (...and I realize, after reading posts from this site, that I should be running a *nix based box, but I work with what I know, and that ain't much).
Anyhow, yesterday I posted something similar and people told me not to worry, but these types of entries below are a daily occurrence. My site is fine...as far as I know. No complaints from email users.
So...should I just forget about these "attacks"? Does this happen to all of you also?
06/05/2003 08:50:08.640 Probable TCP FIN scan 22.214.171.124, 80, WAN xxx.xxx.xxx.xxx, 27690, LAN
06/05/2003 08:46:18.032 Sub Seven Attack Dropped 126.96.36.199, 3265, WAN xxx.xxx.xxx.xxx, 1243, WAN
06/05/2003 07:50:08.896 TCP connection dropped 188.8.131.52, 42300, WAN 192.168.168.4, 113, LAN 'Authentication' 6
06/05/2003 07:49:07.320 UDP packet dropped 184.108.40.206, 56321, WAN xxx.xxx.xxx.xxx, 137, WAN
06/05/2003 07:47:49.112 TCP connection dropped 220.127.116.11, 42209, WAN 192.168.168.4, 113, LAN 'Authentication' 6
06/05/2003 02:57:38.480 TCP connection dropped 18.104.22.168, 3409, WAN 192.168.168.4, 1080, LAN 'Socks' 6
06/05/2003 02:18:24.016 TCP connection dropped 22.214.171.124, 3222, WAN xxx.xxx.xxx.xxx, 25, WAN 'Send Email (SMTP)' 0
06/04/2003 22:17:39.176 TCP connection dropped 126.96.36.199, 4476, WAN xxx.xxx.xxx.xxx, 135, WAN 'RPC Mapper' 0
06/04/2003 19:19:15.896 TCP connection dropped 188.8.131.52, 1291, WAN xxx.xxx.xxx.xxx, 21, WAN 'File Transfer (FTP)'
June 5th, 2003, 06:12 PM
I expect that someone's connected to IRC from the box (or somehow NAT'd to the same IP).
A lot of IRC servers send back ident requests on port 113 - some also scan for open proxies (so they can ban users who are using one)
But essentially, all of that is normal for a box on the internet:
- Connections to port 80 (www) - IIS Worms
- Port 25 - spammers scanning for open relays to spam through
- Port 21 - Warez kiddies looking for open FTP servers to dump their warez in
- 1080 (socks) or any other port commonly used by proxies - kiddies looking for open proxies (and sometimes IRC servers checking for open proxies that the kiddies might be using to attack them through)
- Subseven - kiddies again
The kiddies are usually responsible. They are looking for either an easy way in, or a proxy server to use to hide their tracks better.
There really is no point trying to follow up any of this stuff as there is just too much of it. Any vigilant IDS admin will turn off these rules after a few days of looking at the logs.
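To make the reply above concrete, here is an added example (my code, not anything from the original poster, Slarty or the firewall vendor) that parses the exact log lines quoted in the first post and sorts them the way the reply does: known background-noise ports are labelled with the reason given above, and two checks are run that are worth more than the raw list. First, which inside host the port 113 and 1080 packets were addressed to: ident is a callback that IRC and some mail servers make to the host that just connected to them, so those lines name the machine that is talking out. Second, which remote addresses show up against more than one port, which is what a scan looks like. The mapping of ports 135 and 137 to Windows RPC and NetBIOS probes is my classification, not something the thread states; the log format regex is written against the nine lines on this page only.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# The nine firewall log lines quoted in the first post of the thread.
# The poster masked their own public address as xxx.xxx.xxx.xxx.
LOG = """\
06/05/2003 08:50:08.640 Probable TCP FIN scan 22.214.171.124, 80, WAN xxx.xxx.xxx.xxx, 27690, LAN
06/05/2003 08:46:18.032 Sub Seven Attack Dropped 126.96.36.199, 3265, WAN xxx.xxx.xxx.xxx, 1243, WAN
06/05/2003 07:50:08.896 TCP connection dropped 188.8.131.52, 42300, WAN 192.168.168.4, 113, LAN 'Authentication' 6
06/05/2003 07:49:07.320 UDP packet dropped 184.108.40.206, 56321, WAN xxx.xxx.xxx.xxx, 137, WAN
06/05/2003 07:47:49.112 TCP connection dropped 220.127.116.11, 42209, WAN 192.168.168.4, 113, LAN 'Authentication' 6
06/05/2003 02:57:38.480 TCP connection dropped 18.104.22.168, 3409, WAN 192.168.168.4, 1080, LAN 'Socks' 6
06/05/2003 02:18:24.016 TCP connection dropped 22.214.171.124, 3222, WAN xxx.xxx.xxx.xxx, 25, WAN 'Send Email (SMTP)' 0
06/04/2003 22:17:39.176 TCP connection dropped 126.96.36.199, 4476, WAN xxx.xxx.xxx.xxx, 135, WAN 'RPC Mapper' 0
06/04/2003 19:19:15.896 TCP connection dropped 188.8.131.52, 1291, WAN xxx.xxx.xxx.xxx, 21, WAN 'File Transfer (FTP)'
"""

# date time message src, sport, zone dst, dport, zone ['rule' [number]]
LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<msg>.+?) "
    r"(?P<src>\S+), (?P<sport>\d+), (?P<szone>WAN|LAN|DMZ) "
    r"(?P<dst>\S+), (?P<dport>\d+), (?P<dzone>WAN|LAN|DMZ)"
    r"(?: '(?P<rule>[^']*)'(?: (?P<rule_no>\d+))?)?$"
)

# Why each destination port turns up, following the reply above. The
# 135/137 entries are my own classification (assumption, not from the thread).
NOISE = {
    80: "IIS worm / web scan",
    25: "open-relay scan",
    21: "open FTP server scan",
    1080: "open-proxy scan (or an IRC server checking for one)",
    113: "ident callback after an outbound connection (IRC and some SMTP servers)",
    1243: "SubSeven probe",
    135: "Windows RPC probe",
    137: "NetBIOS name probe",
}


def parse(log):
    """Turn the firewall text into a list of dicts with integer ports."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unrecognised log line: " + line)
        e = m.groupdict()
        e["sport"], e["dport"] = int(e["sport"]), int(e["dport"])
        events.append(e)
    return events


def reason(event):
    """Known background noise by port; otherwise the firewall's own message."""
    return NOISE.get(event["dport"], event["msg"])


def summarize(events):
    """How many drops per reason, the 'is this all just noise' view."""
    return Counter(reason(e) for e in events)


def _is_private(addr):
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:  # the masked xxx.xxx.xxx.xxx public address
        return False


def inside_hosts_contacted(events):
    """Inside (RFC 1918) hosts that packets were addressed to, with the ports.
    Port 113 here means that host opened a connection out to the sender."""
    hosts = defaultdict(set)
    for e in events:
        if _is_private(e["dst"]):
            hosts[e["dst"]].add(e["dport"])
    return {h: sorted(p) for h, p in hosts.items()}


def repeat_sources(events):
    """Remote addresses seen against more than one port: scan-like behaviour."""
    ports = defaultdict(set)
    for e in events:
        ports[e["src"]].add(e["dport"])
    return {s: sorted(p) for s, p in ports.items() if len(p) > 1}


if __name__ == "__main__":
    evs = parse(LOG)
    for r, n in summarize(evs).most_common():
        print(f"{n:2d}  {r}")
    print("inside hosts contacted:", inside_hosts_contacted(evs))
    print("sources hitting several ports:", repeat_sources(evs))
```

Run against the posted lines, the summary shows every entry but the FIN-scan one falling into a known-noise bucket, the only inside host contacted is 192.168.168.4 on 113 and 1080 (the ident/proxy-check pattern the reply describes), and three remote addresses each touched two different ports.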
June 5th, 2003, 06:43 PM
Thank You Slarty.
June 5th, 2003, 07:12 PM
Yep, should you throw a "real" IDS up and sniff the perimeter router (as I do) you will see all kinds of stuff. We generate about 2 GB of IDS traffic a day and, using signatures from the IDS manufacturer, we see all of the usual suspects knocking at the front door: NMAP scans, IIS, BugBear, WebDAV, source routed traffic, etc. The log entries that you need to worry about are the ones that aren't there, if you catch my drift.
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
June 5th, 2003, 08:42 PM
Yesterday I downloaded Snort. However, I have NO idea how to get it to work...learning the language and all...etc.
I'm sure there are other NIDS proggies out there that are a little easier for the "noob".
Thanks for your help.
June 5th, 2003, 09:20 PM
Ret: Try PureSecure's Windows version based on Snort. It's free for non-commercial use and is easy to install with a nice interface and some additional features.
Try it here
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides