Need an opinion - firewall incident

  1. #1
    Member
    Join Date
    Nov 2003
    Posts
    48

    Need an opinion - firewall incident

    Last night it was late, but I read through the firewall log before going to bed.

    I see that 2 attempted port scans have happened - one from an isp in Japan and one in France.

    It's late, so I don't check much, but I did dig enough to see that the originating ip from Japan was a business in Tokyo. It appeared to be a legit business and had an admin contact, etc.

    My question is this:

    I "suspect" this corporation may have been hacked, and the hacker is using them to ip block scan for new victims.

    Either that or a really bored employee was goofing around.

    Should I write them and let them know in case my first suspicion was correct? I hate to get some bored employee in trouble if that was the case.

    Opinions?

    .: Aftiel

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,324
    I'd write to them, even with a minimum of concern. It's not your responsibility as to the issue of the employee. Bored or not, they shouldn't do this.

    Make sure you copy the logs to them and to their ISP. What exactly did they do that made your firewall light up?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  3. #3
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    If they scanned your box, you have every right to bring this to the attention of the admin of the corporation. I have done this many times, and on almost all occasions the admins were very happy to know of any activity originating from their systems. I would simply email the admin with a copy of the logs so they can have a look if they choose to.


    As for a bored worker, if I were the admin I sure as hell wouldn't want workers scanning from my network.

  4. #4
    Member
    Join Date
    Nov 2003
    Posts
    48
    UDP flood - then a sequential port scan. Or they attempted to - all packets were dropped by the firewall. The thing that surprised me is that they made no attempt whatsoever to be quiet about anything.

    They banged on the front door loudly.

    I have not checked into the address from France yet, but will do so this evening.

    I am sure my IP was just part of a block sweep, as I doubt I was specifically targeted. Makes me wonder how many IPs they hit that allowed the full scans and what info they got.

    I will drop them an e-mail along with pasting the log entries into it.

    Thanks for the reply.

    .: Aftiel

  5. #5
    Junior Member
    Join Date
    Jul 2002
    Posts
    6
    I certainly would like to know if one of my systems was scanning, especially if it was because of it being owned by someone else.
    mpkn3rd/k0pbx

  6. #6
    Member
    Join Date
    Nov 2003
    Posts
    48
    Thought I would post a small snippet of my firewall log just for everyone to see. It never ceases to amaze me that this is on a home network - the script kiddies are busy.

    ---------------------------- start of log section -----------------------------

    Date and Time Severity Details
    2003/11/20 22:59:45 EST high UDP Flood Detected (occurrence: 1)
    2003/11/22 01:40:22 EST low src=68.89.169.42 dst=68.158.182.135 ipprot=17 sport=137 dport=137 UDP Port Scan Detected, Packet Dropped
    2003/11/22 06:38:24 EST low src=202.118.219.65 dst=68.158.182.135 ipprot=17 sport=1343 dport=4002 UDP Port Scan Detected, Packet Dropped
    2003/11/23 11:00:52 EST low src=66.215.144.6 dst=68.158.164.164 ipprot=17 sport=4177 dport=1028 UDP Port Scan Detected, Packet Dropped
    2003/11/23 18:52:54 EST low src=24.49.246.239 dst=68.158.164.164 ipprot=6 sport=2505 dport=79 TCP Port Scan Detected, Packet Dropped
    2003/11/24 14:02:10 EST low src=68.212.160.125 dst=68.158.164.164 ipprot=17 sport=137 dport=137 UDP Port Scan Detected, Packet Dropped
    2003/11/28 00:15:18 EST low src=208.11.147.104 dst=68.158.164.164 ipprot=6 sport=65143 dport=3128 TCP Port Scan Detected, Packet Dropped
    2003/11/28 00:15:19 EST Previous log entry repeated 1 times.
    2003/11/28 03:14:56 EST low src=24.210.109.202 dst=68.158.164.164 ipprot=17 sport=137 dport=137 UDP Port Scan Detected, Packet Dropped
    2003/11/28 09:07:31 EST low src=66.215.144.6 dst=68.158.164.164 ipprot=17 sport=4177 dport=1028 UDP Port Scan Detected, Packet Dropped
    2003/11/29 05:50:23 EST low src=217.228.145.215 dst=68.158.164.164 ipprot=17 sport=137 dport=137 UDP Port Scan Detected, Packet Dropped
    2003/11/30 06:03:48 EST low src=213.103.206.104 dst=68.158.164.164 ipprot=17 sport=137 dport=137 UDP Port Scan Detected, Packet Dropped
    2003/12/01 11:09:04 EST low src=220.104.234.249 dst=68.158.164.164 ipprot=17 sport=137 dport=137 UDP Port Scan Detected, Packet Dropped
    2003/12/03 07:50:10 EST low src=66.215.144.6 dst=68.158.164.164 ipprot=17 sport=4177 dport=1028 UDP Port Scan Detected, Packet Dropped
    2003/12/03 18:04:54 EST low src=195.5.54.47 dst=68.158.164.164 ipprot=6 sport=38437 dport=8080 TCP Port Scan Detected, Packet Dropped

    ------------------------------------- end of log section --------------------------------------------------

    And yes, I will be contacting these ISPs and companies.

    .: Aftiel

  7. #7
    Senior Member
    Join Date
    Mar 2003
    Posts
    245
    It is good to be proactive about scanning and related activity; contacting the network administrator at the source domain/ISP is a good idea and will coerce them to be more proactive themselves.

    I would also advise not getting too worked up about scans. Learn to tell the difference between someone playing with a port scanner, and someone targeting your site specifically. You'll save yourself an ulcer or three in the end.

    -- spurious
    Get OpenSolaris http://www.opensolaris.org/
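Added example (not from anyone in this thread): a small parser for the firewall log format posted in #6 that groups dropped-scan entries by source address and separates sources that keep coming back across several days from one-off hits, which is the distinction #7 recommends making before deciding whom to report. The sample log embedded below is a constructed subset of the lines quoted above, and the "recurring" threshold of two distinct days is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the firewall log posted in the thread (subset of its lines).
LOG = """\
2003/11/20 22:59:45 EST high UDP Flood Detected (occurrence: 1)
2003/11/22 01:40:22 EST low src=68.89.169.42 dst=68.158.182.135 ipprot=17 sport=137 dport=137 UDP Port Scan Detected, Packet Dropped
2003/11/23 11:00:52 EST low src=66.215.144.6 dst=68.158.164.164 ipprot=17 sport=4177 dport=1028 UDP Port Scan Detected, Packet Dropped
2003/11/28 00:15:18 EST low src=208.11.147.104 dst=68.158.164.164 ipprot=6 sport=65143 dport=3128 TCP Port Scan Detected, Packet Dropped
2003/11/28 00:15:19 EST Previous log entry repeated 1 times.
2003/11/28 09:07:31 EST low src=66.215.144.6 dst=68.158.164.164 ipprot=17 sport=4177 dport=1028 UDP Port Scan Detected, Packet Dropped
2003/12/03 07:50:10 EST low src=66.215.144.6 dst=68.158.164.164 ipprot=17 sport=4177 dport=1028 UDP Port Scan Detected, Packet Dropped
"""

# One dropped-scan entry: timestamp, severity, then key=value fields and a free-text message.
SCAN_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<tz>\S+) (?P<sev>\w+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) ipprot=(?P<proto>\d+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+) (?P<msg>.*)$"
)
# The firewall collapses identical consecutive entries into a 'repeated N times' line.
REPEAT_RE = re.compile(r"Previous log entry repeated (?P<n>\d+) times")

def parse(text):
    """Return a list of scan events; 'repeated N times' lines are expanded into N copies of the previous event."""
    events = []
    for line in text.splitlines():
        m = SCAN_RE.match(line)
        if m:
            ev = m.groupdict()
            for key in ("proto", "sport", "dport"):
                ev[key] = int(ev[key])
            events.append(ev)
            continue
        r = REPEAT_RE.search(line)
        if r and events:  # lines without src= (e.g. the UDP flood summary) are skipped
            events.extend(dict(events[-1]) for _ in range(int(r.group("n"))))
    return events

def summarize(events):
    """Per source address: number of dropped packets, distinct destination ports, distinct days seen."""
    by_src = defaultdict(lambda: {"hits": 0, "dports": set(), "days": set()})
    for ev in events:
        s = by_src[ev["src"]]
        s["hits"] += 1
        s["dports"].add(ev["dport"])
        s["days"].add(ev["date"])
    return by_src

def classify(summary, min_days=2):
    """A source seen on several different days is worth a report to its admin; a single hit reads like a passing sweep."""
    return {src: ("recurring" if len(s["days"]) >= min_days else "one-off") for src, s in summary.items()}
```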
