May 17th, 2005 04:20 PM
Firewall violation questions
Have been having a bit of a read on your forums and find them to be an invaluable source of security-related info.
Sorry to bust straight in and ask a question, but you look like the people to ask, so here goes -
(have some background first though)
I am currently in the position of managing a small business network, 4 x workstations (2 x XP, 1 x 98SE, 1 x ME) & 1 x server (Win2000). The server is used (mainly) for a stock tracking system based on Symbol PPCs (taaaaaaasty!!) and related database. The computer used as an internet gateway has an always-on 1 meg ADSL connection.
Not having set up the network infrastructure myself, and not being able to rip it all out and start again (24 hour site operation ... waaah) I am stuck using what my predecessor set up.
So, I thinks to myself, ok, the bloke must have known what he was doing to some degree, so I shall inspect how secure the system is.
So, I find NO antivirus software, at all, whatsoever, and the only firewall was Windows Firewall (set to allow everything) ... ok ... the computers were set up in 2004. It's now 2006 ... waaahaa panic!!!
So, after a few weeks of asking, I get symantec client security 2.0 and install my head off.
I found one virus called Download.trojan in a file called counter.exe and counter.cab, and deleted them after quarantine. There was an obscene amount of spyware found as well ...
... so onto my main point.
Which violation events do I NEED to worry about?
When I check the logs (specifically the 'intruder detection violation events'), as from the date of the installation, I keep getting what is reported as an http_activeperl_overflow intrusion from a certain IP range, which I have traced back to a company called Level 3 Communications, Inc.
The intrusion attempts started on 03.05.05 and increment by one extra intrusion attempt daily, until 06.05.05 when I reported the repeated events to the abuse handler @ Level 3.
The attempts have since ceased.
However, when attempting to send an abuse report email to a company called Akamai Technologies, their abuse mail addy bounced, and I had to send it to their tech inquiry addy. I received an email from them requesting that I read their FAQ as it is a perfectly normal piece of network traffic.
If it is perfectly normal traffic, why does my firewall list it as an intrusion attempt 'redundant_slashes_in_URI'?
Am I being too paranoid ...? (personally I don't think there's a state of 'too paranoid' .. ; ) )
Any input that anyone has on any of the above mentioned things would be greatly appreciated.
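One way to triage this kind of log is to count events per source and signature per day, treat known-informational signatures (the doubled-slash CDN requests) separately, and flag sources whose daily count keeps climbing, like the one-extra-attempt-per-day pattern described in the post. This is an added example, not code from the thread or from Symantec Client Security; the log layout (date,source_ip,signature) and the sample lines are constructed assumptions, since the real log format is not on the page.

```python
import re
from collections import defaultdict
# Constructed sample lines in a hypothetical "date,source_ip,signature" layout
# (not the real Symantec Client Security log format, which is not on the page).
SAMPLE_LOG = """\
2005-05-03,192.0.2.10,http_activeperl_overflow
2005-05-04,192.0.2.10,http_activeperl_overflow
2005-05-04,192.0.2.10,http_activeperl_overflow
2005-05-05,192.0.2.10,http_activeperl_overflow
2005-05-05,192.0.2.10,http_activeperl_overflow
2005-05-05,192.0.2.10,http_activeperl_overflow
2005-05-05,198.51.100.7,redundant_slashes_in_URI
2005-05-06,198.51.100.7,redundant_slashes_in_URI
"""
# Signatures that are usually informational here: a CDN request with doubled
# slashes is malformed, not an exploit attempt against the gateway.
INFORMATIONAL = {"redundant_slashes_in_URI"}
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}),([\d.]+),(\S+)$")

def daily_counts(log: str):
    """Map (source_ip, signature) -> [(iso_date, count), ...] sorted by date.
    Malformed lines are skipped rather than crashing the triage."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            day, ip, sig = m.groups()
            counts[(ip, sig)][day] += 1
    return {k: sorted(v.items()) for k, v in counts.items()}

def is_escalating(series, min_days=3):
    """True when the per-day count rises strictly across at least min_days logged days."""
    return len(series) >= min_days and all(
        later[1] > earlier[1] for earlier, later in zip(series, series[1:]))

def triage(log: str):
    """Label each (source_ip, signature) pair: informational, escalating or investigate."""
    verdict = {}
    for key, series in daily_counts(log).items():
        if key[1] in INFORMATIONAL:
            verdict[key] = "informational"
        elif is_escalating(series):
            verdict[key] = "escalating"   # one extra attempt per day, as in the thread
        else:
            verdict[key] = "investigate"
    return verdict

if __name__ == "__main__":
    for (ip, sig), label in triage(SAMPLE_LOG).items():
        print(f"{ip:15} {sig:28} {label}")
```

An "escalating" label is the kind of result worth sending to the source network's abuse contact, while "informational" pairs can be reviewed periodically rather than treated as live intrusion attempts.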
May 17th, 2005 04:40 PM
I can't comment on the Akamai traffic without more information but I would like to add...
I have found that reporting networks who bounce "abuse@" emails to:
Can lead to the address soon being available. No way to make someone actually read the email but I have had luck on occasion.
May 17th, 2005 04:58 PM
May 17th, 2005 07:02 PM
I really wouldn't worry about Akamai planting trojans, loggers, viruses or spyware. They are a mega bucks company which has the contract to stream updates for companies like Symantec. Unfortunately they also stream a lot of bandwidth-consuming advertising, most of which I consider annoying and therefore block, but certain Akamai connections are necessary if you want to keep certain apps updated.
May 19th, 2005 09:05 AM
Heh, nah I wasn't worrying about Akamai planting malarkey, I was worrying about firewall violation logs in general and used those two as examples.
Thanks for the info though
Liking the rfc-ignorant though, thanks a lot. I seem to get a lot of Tigger abuse emails ... (bouncey bouncey)