Need an opinion - firewall incident

Printable View

December 3rd, 2003, 05:58 PM
Aftiel

Need an opinion - firewall incident

Last night it was late, but I read through the firewall log before going to bed.

I see that 2 attempted port scans have happened - one from an isp in Japan and one in France.

It's late, so I don't check much, but I did dig enough to see that the originating ip from Japan was a business in Tokyo. It appeared to be a legit business and had an admin contact, etc.

My question is this:

I "suspect" this corporation may have been hacked, and the hacker is using them to ip block scan for new victims.

Either that or a really bored employee was goofing around.

Should I write them and let them know in case my first suspicion was correct? I hate to get some bored employee in trouble if that was the case.

Opinions?

.: Aftiel
December 3rd, 2003, 06:00 PM
MrLinus

I'd write to them, even with a minimum the concern. It's not your responsibility as to the issue of the employee. Bored or not they shouldn't do this.

Make sure you copy the logs to them and to their ISP. What exactly did they do that made your firewall light up?
December 3rd, 2003, 06:02 PM
xmaddness

If they scanned your box, you have every right to bring this to the attention of the admin of the corporation. I have done this many times, and on almost all occasions the admins were very happy to know of any activity originating from their systems. I would simple email the admin with a copy of the logs so they can have a look if they choose to.

As for a bored worker, If I were the admin I sure as hell wouldn't want workers scanning from my network.
December 3rd, 2003, 06:06 PM
Aftiel

udp flood - then a sequential port scan. Or they attempted to - all packets were dropped by the firewall. The thing that surprised me is that they made no attempt whatsoever to be quiet about anything.

They banged on the front door loudly.

I have not checked into the address from France yet, but will do so this evening.

I am sure my ip was just part of a block sweep, as I doubt I was specifically targetted. Makes me wonder how many ip's they hit that allowed the full scans and what info they got.

I will drop them an e-mail along with pasting the log entries into it.

Thanks for the reply.

.: Aftiel
December 3rd, 2003, 06:59 PM
mkassner

I certainly would like to know if one of my systems was scanning, especially if it was because of it being owned by someone else.
December 4th, 2003, 12:55 AM
Aftiel

Thought I would post a small snippet of my firewall log just for everyone to see. It never ceases to amaze me that this is on a home network - the script kiddies are busy.

---------------------------- start of log section -----------------------------

Date and Time Severity Details
2003/11/20 22:59:45 EST high UDP Flood Detected (occurrence: 1)
2003/11/22 01:40:22 EST low src=68.89.169.42 dst=68.158.182.135 ipprot=17 sport=137 dport=137 UDP Port Scan Detected, Packet Dropped
2003/11/22 06:38:24 EST low src=202.118.219.65 dst=68.158.182.135 ipprot=17 sport=1343 dport=4002 UDP Port Scan Detected, Packet Dropped
2003/11/23 11:00:52 EST low src=66.215.144.6 dst=68.158.164.164 ipprot=17 sport=4177 dport=1028 UDP Port Scan Detected, Packet Dropped
2003/11/23 18:52:54 EST low src=24.49.246.239 dst=68.158.164.164 ipprot=6 sport=2505 dport=79 TCP Port Scan Detected, Packet Dropped
2003/11/24 14:02:10 EST low src=68.212.160.125 dst=68.158.164.164 ipprot=17 sport=137 dport=137 UDP Port Scan Detected, Packet Dropped
2003/11/28 00:15:18 EST low src=208.11.147.104 dst=68.158.164.164 ipprot=6 sport=65143 dport=3128 TCP Port Scan Detected, Packet Dropped
2003/11/28 00:15:19 EST Previous log entry repeated 1 times.
2003/11/28 03:14:56 EST low src=24.210.109.202 dst=68.158.164.164 ipprot=17 sport=137 dport=137 UDP Port Scan Detected, Packet Dropped
2003/11/28 09:07:31 EST low src=66.215.144.6 dst=68.158.164.164 ipprot=17 sport=4177 dport=1028 UDP Port Scan Detected, Packet Dropped
2003/11/29 05:50:23 EST low src=217.228.145.215 dst=68.158.164.164 ipprot=17 sport=137 dport=137 UDP Port Scan Detected, Packet Dropped
2003/11/30 06:03:48 EST low src=213.103.206.104 dst=68.158.164.164 ipprot=17 sport=137 dport=137 UDP Port Scan Detected, Packet Dropped
2003/12/01 11:09:04 EST low src=220.104.234.249 dst=68.158.164.164 ipprot=17 sport=137 dport=137 UDP Port Scan Detected, Packet Dropped
2003/12/03 07:50:10 EST low src=66.215.144.6 dst=68.158.164.164 ipprot=17 sport=4177 dport=1028 UDP Port Scan Detected, Packet Dropped
2003/12/03 18:04:54 EST low src=195.5.54.47 dst=68.158.164.164 ipprot=6 sport=38437 dport=8080 TCP Port Scan Detected, Packet Dropped

------------------------------------- end of log section --------------------------------------------------

And yes, I will be contacting these ISP's and companies.

.: Aftiel
December 5th, 2003, 03:10 AM
spurious_inode

It is good to be proactive about scanning and related activity; contacting the network administrator at the
souce domain/ISP is a good idea and will coherce them to be more proactive themselves.

I would also advise not getting too worked up about scans. Learn to tell the difference between someone playing with a port scanner, and someone targeting your site specifically. You'll save yourself an ulsar or
three in the end.

-- spurious