China attack??? Massive FW Alerts

  1. #1
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747

    China attack??? Massive FW Alerts

    In the past 30 minutes I have received over 80 firewall alerts, all coming from the same IP range of 218.13.0.0 - 218.18.255.255.

    Here's a couple of alerts.

    Intrusion: Invalid TCP Flags
    Intruder: 218.18.15.17
    Risk Level: Medium
    Source IP address: 218.18.15.17
    Destination IP address: MAIN(208.180.xx.xxx)
    TCP Source Port: microsoft-ds(445)
    TCP Destination Port: 18362
    TCP Flags invalid: 0x00000015


    Intrusion: Invalid TCP Flags
    Intruder: 218.18.124.3
    Risk Level: Medium
    Source IP address: 218.18.124.3
    Destination IP address: MAIN(208.180.xx.xxx)
    TCP Source Port: microsoft-ds(445)
    TCP Destination Port: 22010
    TCP Flags invalid: 0x00000015.
    Those are coming up like crazy. Now I'm getting it from Poland as well, from 81.0.173.181.


    After those alerts pop up at a rate of 2-5 at a time, I get these immediately afterwards:

    Intrusion: Invalid Destination IP Address
    Intruder: MAIN(208.180.xxx.xxx) <-- My IP
    Risk Level: Low
    Source IP address: MAIN(208.180.xx.xxx) <-- My IP
    Destination IP address: 0.73.92.61. This IP address is invalid. <-- That IP address changes.
    Protocol: TCP.
    Have I been rooted?

    /edit now the attacks are coming from Amsterdam too,
    @ 150.145.85.89

    These are happening at about 20-30 a second.
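An added example, not from the thread or its posters: a small Python parser for the alert format quoted above. It decodes the 0x15 flag mask (FIN+RST+ACK, a combination no conforming TCP stack sends, which is why the firewall calls it invalid) and checks whether the "Invalid Destination IP Address" target falls in a range that can never be a real unicast destination. The sample alerts are constructed from the thread's own entries; the list of bogus destination ranges is my assumption, not Norton's definition.

```python
import ipaddress
import re

# Bit values of the TCP flags byte (RFC 793; ECE/CWR added by RFC 3168).
TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH",
                 0x10: "ACK", 0x20: "URG", 0x40: "ECE", 0x80: "CWR"}
# Assumed set of ranges that can never be a valid Internet unicast destination.
BOGUS_DST_NETS = [ipaddress.ip_network(n) for n in
                  ("0.0.0.0/8", "127.0.0.0/8", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed sample in the thread's alert format (masked IP kept as posted).
SAMPLE_ALERTS = """\
Intrusion: Invalid TCP Flags
Source IP address: 218.18.15.17
Destination IP address: MAIN(208.180.xx.xxx)
TCP Source Port: microsoft-ds(445)
TCP Flags invalid: 0x00000015

Intrusion: Invalid Destination IP Address
Source IP address: MAIN(208.180.xx.xxx)
Destination IP address: 0.73.92.61. This IP address is invalid.
"""

def decode_flags(mask):
    """Names of the flags set in a TCP flags bitmask, lowest bit first."""
    return [n for bit, n in sorted(TCP_FLAG_BITS.items()) if mask & bit]

def flags_are_invalid(mask):
    """No flags, SYN with FIN/RST, or RST with FIN (0x15 = FIN+RST+ACK)."""
    fin, syn, rst = mask & 0x01, mask & 0x02, mask & 0x04
    return mask == 0 or bool(syn and (fin or rst)) or bool(rst and fin)

def parse_alerts(text):
    """Split an alert dump into one {'Field': 'value'} dict per alert."""
    alerts = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.partition(":")[::2] for line in block.splitlines())
        alerts.append({k.strip(): v.strip() for k, v in pairs})
    return alerts

def classify(alert):
    """One-line verdict: decoded flag names, or why the destination is bogus."""
    if "TCP Flags invalid" in alert:
        mask = int(alert["TCP Flags invalid"].rstrip("."), 16)
        tag = "bogus combination" if flags_are_invalid(mask) else "plausible"
        return "flags " + "+".join(decode_flags(mask)) + f" ({tag})"
    quad = re.search(r"\d+\.\d+\.\d+\.\d+", alert["Destination IP address"])
    dst = ipaddress.ip_address(quad.group())
    bogus = any(dst in net for net in BOGUS_DST_NETS)
    return f"destination {dst} is " + ("not a routable unicast address" if bogus else "routable")
```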

  2. #2
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Hrmm, no unusual traffic here.. just your usual port probes and whatnot. I would go to your favorite port list and see what service is running on the ports targeted. I don't think you've been rooted, but 20-30 a second is quite a number. I would block all incoming traffic or something of that nature until you figure out the problem.

  3. #3
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    Yeah I'm just trying to figure it out.

    After I get the invalid TCP flags, I then get an alert saying my machine is sending data to an invalid IP on my machine. lol

    Also, when I said 20-30 a second, I meant 20-30 a minute, but it increases and decreases. In the past minute I have had 40 alerts.

    /edit now it's coming from 2 other IPs, same exact warnings. Still at the same rate.

    I'm going to bed now, but am going to block all traffic till I wake up in the morning to see what's going on.

  4. #4
    Senior Member
    Join Date
    Oct 2002
    Posts
    4,055
    Hrmm, so you're figuring around 0.8-1.4 attacks per second. As for the services the ports are running, I'm having a hard time finding what exactly they are. Keep me posted on exactly what's going on and if anything changes in the meantime.

    EDIT: K, that's smart for now. Sorry, tried my best to help.

    EDIT 2: Sorry, but so you know:

    Port 22010 is where something called "RealServer" listens on.

  5. #5
    Antionline's Security Dude (instronics)
    Join Date
    Dec 2002
    Posts
    901
    Yeah, it was quiet for a period of weeks now, but it started again. Here in Greece I'm getting a ton of alerts too on my firewall. Also have a look at
    http://www.antionline.com/showthread...109#post772109

    Cheers.

  6. #6
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    Well I just now allowed traffic again, and am still getting quite a few hits, but from a different IP this time.

    Intrusion: Invalid TCP Flags
    Intruder: 201.254.152.137
    Risk Level: Medium
    Source IP address: 201.254.152.137
    Destination IP address: MAIN(208.180.xx.xxx)
    TCP Source Port: microsoft-ds(445)
    TCP Destination Port: 53787
    TCP Flags invalid: 0x00000015.
    What's really bothering me though is all the "Invalid Destination IP Address" alerts going from my computer to my computer:

    Intrusion: Invalid Destination IP Address
    Intruder: MAIN(208.180.xx.xx) <-- My IP
    Risk Level: Low
    Source IP address: MAIN(208.180.xx.xx) <-- My IP
    Destination IP address: 0.164.194.58. This IP address is invalid.
    Protocol: TCP.
    The alerts aren't going off as much as they were, but it sure was going crazy. Now it's mostly that invalid destination alert, then about 5-10 of the invalid TCP flags from some other computer.

    Seems attacks were coming from
    China
    Poland
    Amsterdam
    Caribbean

    I'm used to being scanned from different places, but just not quite this much.

  7. #7
    Senior Member
    Join Date
    Apr 2004
    Posts
    1,130
    Or someone is preparing to DDoS you... and source addresses don't matter (fake crafted packets).

    Stupid question: your defense (1st level) has source-route and ICMP redirection disabled, right?

  8. #8
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    My only defence, since I'm on a 56k computer at the moment, is the Norton firewall, but I do have Norton configured to drop ICMP. Not sure about source route, but I do know if you scan my computer with LANguard or nmap it doesn't see it.

  9. #9
    AO übergeek (phishphreek)
    Join Date
    Jan 2002
    Posts
    4,325
    Are you sure you are just now seeing these?

    I've been seeing them for as long as I can remember. I was/am getting so many of them filling my logs that I disabled logging on that port until things die down a bit. (If ever...)

    http://isc.sans.org/port_details.php?port=445

  10. #10
    Senior Member
    Join Date
    Feb 2003
    Location
    Memphis, TN
    Posts
    3,747
    Yeah, just in the past day, phish.

    It wasn't doing this till about 1 a.m. last night.
