Explanation needed
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Explanation needed

  1. #1
    Senior Member
    Join Date
    Dec 2001
    Posts
    119

    Explanation needed

    I have a linksys router/firewall, and I just recently downloaded ZoneAlarm as a more visual tool for my security experience. I configured the basics for it, and allowed 5 programs access, and then let it run while I went to work for a few hours. Upon coming back, it says that it has blocked 307,545 intrusion attempts, and that 24 of them have been high-rated attacks. So, I'm not sure what's up. I regularly scan my computer with Adaware, and Agnitum's Tauscan, and did so just before installing Zone Alarm.

    I thought I'd check out the logs of these attacks, and they all say they're originating from behind my firewall, 192.168.1.1, my computer. They're all UDP, and they're scanned in a sequential order from port 1024 to 65535. I know UDP packets are sessionless and used mainly for 'maintenance' or response/tracing. So, what exactly is going on?

    Here's a sample of the log:
    FWIN,2003/08/31,16:33:54 -7:00 GMT,192.168.1.1:65516,192.168.1.100:162,UDP
    FWIN,2003/08/31,16:33:54 -7:00 GMT,192.168.1.1:65517,192.168.1.100:162,UDP
    FWIN,2003/08/31,16:33:54 -7:00 GMT,192.168.1.1:65518,192.168.1.100:162,UDP
    FWIN,2003/08/31,16:33:54 -7:00 GMT,192.168.1.1:65519,192.168.1.100:162,UDP
    FWIN,2003/08/31,16:33:54 -7:00 GMT,192.168.1.1:65520,192.168.1.100:162,UDP
    FWIN,2003/08/31,16:33:54 -7:00 GMT,192.168.1.1:65521,192.168.1.100:162,UDP
    FWIN,2003/08/31,16:33:54 -7:00 GMT,192.168.1.1:65522,192.168.1.100:162,UDP


    Thanks!

  2. #2
    Senior Member
    Join Date
    Aug 2003
    Posts
    205
    Valor,

    UDP is not sessionless it is connectionless and "you most certainly can" establish sessions with UDP. It looks like your trace points to UDP port 162/aka snmp trap...

    Im not sure if whats happening to you is related to this article:
    http://xforce.iss.net/xforce/alerts/id/advise110

    Read it ,it "might" be useful..

    GoodLuck
    Cheers

  3. #3
    Member
    Join Date
    Aug 2003
    Posts
    49
    When you start to see portscans as the type of attack whipp out the old SAM SPADE app.
    http://www.zdnet.com/

    http://scan.sygate.com/
    scan your ports with either your LINUX box or this site make sure none of your ports have been closed they should all say stealthed expect for 2

    Ill come back with more info brb
    Spread Firefox.

  4. #4
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,192
    Not really my area mate, but I am running ZoneAlarm also. I quite like it in certain circumstances.

    I was getting thousands of hits on port 135, due to that MSBLAST virus, then a vast number (100 per minute or more?) of "pings" due to the anti-msblast virus.............are these pings? hell, you have better than a third of a million hits there

    Not my area, but just my personal experiences..........hope they help

    cheers
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  5. #5
    Member
    Join Date
    Aug 2003
    Posts
    98
    did you notice all those ip's have private addy's ? 192.168.xxx.xxx is the range your router dhcp's out to hosts on your network. It's not anyone external to your network, either one of your boxes is doing something funny or you need to fix something in ZA's configurations.
    I hate this place, nothing works here, I\'ve been here for 7 years, the medication does\'nt work...

  6. #6
    The Iceman Cometh
    Join Date
    Aug 2001
    Posts
    1,210
    Grr... my wireless network booted me right when I tried to post a message. I was going to say something along the line of what breakology said.

    192.168.1.1 is your router's address. 192.168.1.100 is your address. For some reason, your router is pinging your address. I know Linksys routers have been known for doing that, but I also know there's a way to resolve that... I just don't remember what it was... sorry...

    AJ

  7. #7
    Senior Member
    Join Date
    Dec 2001
    Posts
    119
    Yeah, I did notice that. I was just going to post it, haha. So, I guess I should look around for a paper on disabling the constant pinging by my router.

    I've got two more questions for all of you now. Awhile ago, when a program on my computer froze, and before it could close, another alert box popped up(the ones that say 'not responding') and it was titled "should not see me". Is there a way to find if any hidden processes are running? Since that time, I've downloaded and run my spyware, trojan, and virus scanners on a regular basis.

    And where can I find a well written paper on securing Win2k?

  8. #8
    The Iceman Cometh
    Join Date
    Aug 2001
    Posts
    1,210
    while ago, when a program on my computer froze, and before it could close, another alert box popped up(the ones that say 'not responding') and it was titled "should not see me"
    I don't remember exactly what it is, but it sometimes comes up after you install a new program (it might have been part of the MSI installer or something.... as I said, I don't remember). It's not a trojan or a virus, though. If it pops up, it means that whatever the process was didn't complete before the computer restarted or it couldn't complete properly and froze. Don't worry about it, unless it appears constantly. If it does, try doing some research through Google.

    And where can I find a well written paper on securing Win2k?
    Go here: http://www.microsoft.com/windows2000...hs/default.asp

    Should give you what you're looking for...

    AJ

  9. #9
    Senior Member
    Join Date
    Aug 2003
    Posts
    205
    Good point breakology,

    I took stupit pills today to not realize that..lol

    Then it seems like the router is sending SNMP traps to the PC.
    valor, check to see if SNMP is disabled on router. If not disable it, and the traffic will stop..

    Cheers

  10. #10
    Senior Member
    Join Date
    Dec 2001
    Posts
    119
    The only options I see are:

    Block WAN Request: Disabled
    IPSec Pass Through: Enabled
    PPTP Pass Through: Enabled
    Remote Management: Disabled
    Remote Upgrade: Disabled

    I don't see any options for turning SNMP off or on. Hmm :/ Are any of these synonymous with SNMP?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides