Firewall violation questions
Results 1 to 5 of 5

Thread: Firewall violation questions

  1. #1
    Junior Member
    Join Date
    May 2005
    Posts
    3

    Firewall violation questions

    Hi there,

    Have been having a bit of a read on your forums and find them to be an invaluable source of security related info.

    Sorry to bust straight in and ask a question, but you look like the people to ask, so here goes -

    (have some background first though)

    I am currently in the position of managing a small business network, 4 x workstations (2 x xp, 1 x 98se 1 x me) & 1 x server (win2000). The server is used (mainly) for a stock tracking system based on symbol ppcs (taaaaaaasty!!) and related database. The computer used as an internet gateway has an always on 1 meg asdl connection.

    Not having set up the network infastructure myself, and not being able to rip it all out and start again (24 hour site operation ... waaah) I am stuck using what my predecessor set up.

    So, I thinks to myself, ok, the bloke must have known what he was doing to some degree, so I shall inspect how secure the system is.

    So, I find NO antivirus software, at all, whatsoever, and the only firewall was windows firewall (set to allow everything) . . . ok. . . . the computers were set up in 2004. It's now 2006 . . .waaahaa panic. !!!

    So, after a few weeks of asking, I get symantec client security 2.0 and install my head off.

    I found one virus called Download. trojan in a file called counter.exe and counter.cab, and deleted them after quaranteen. There was an obscene amount of spyware found as well . . .

    ... so onto my main point.

    Which violation events do I NEED to worry about ?

    When I check the logs (specificly the 'intruder detection violation events'), as from the date of the installation , I keep getting what is reported as an http_activeperl_overflow intrusion from a certain ip range, which I have traced back to a company called Level 3 Communications, Inc.
    in nevada.

    The intrusion attempts started on the 03.05.05 and increment by one intrusion extra atempt, daily, untill the 06.05.05 when i reported the repeated events to the abuse handler @ lvl 3.

    The atempts have since ceased.

    However, when attempting to send an abuse report email to a company called Akamai Technologies, their abuse mail addy bounced, and I had to send it to their tech inq addy. I recieved an email from them requesting that I read their faq as it is a perfectly normal piece of network traffic.

    If it is a perfectly normal traffic why does my firewall list it as an intrusion attempt 'redundant_slashes_in_URI' ?

    Am I being too paranoid ...? (personaly i dont think there's a state of 'too paranoid'.. ; ) )

    Any input that anyone has on any of the above mentioned things would be greatly apreciated.

    cheers

    h3r4ty

    x

  2. #2
    Senior Member
    Join Date
    Mar 2004
    Location
    Colorado
    Posts
    421
    I can't comment on the Akamai traffic without more information but I would like to add...

    I have found that reporting networks who bounce "abuse@" emails to:

    http://www.rfc-ignorant.org

    http://www.rfc-ignorant.org/tools/su...hp?table=abuse

    Can lead to the address soon being available. No way to make someone actually read the email but I have had luck on occasion.

  3. #3

  4. #4
    Senior Member
    Join Date
    Nov 2001
    Posts
    4,786
    i really wouldn't worry about Akamai planting trojans, loggers, viruses or spyware. they are a mega bucks company which has the contract to stream updates for companies like symantec. unfortunatly they also stream allot of bandwith consuming advertising. most of which i consider annoying and therefore block but certain Akamai connections are necessary if you want to keep certain apps updated.
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  5. #5
    Junior Member
    Join Date
    May 2005
    Posts
    3
    heh, nah I wasn't worying about akami planting malarkey, I was worrying about firewall violation logs in general and used those two as examples.

    Thanks for the info though

    Liking the rcf-ignorant though, thanks a lot. I seem to get a lot of tigger abuse emails. . . (bouncey bouncey)

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •