The SonicWALL on our DSL line reported the following activity:
TCP scanned port list, 2745, 1025, 3127, 6129, 5000
What do you guys make of this? What are these 5 ports for?
5000 is UPnP, make sure that's disabled. Check out the Shields Up website for a tool to disable that. "Unplug and pray" I think it's called. You can find port listings everywhere, just google for them to see what the port scan possibly looked for. Then use Fport by Foundstone to see if those services exist on your box, and open the ports that were scanned.
Get up veeeery slowly....... Move quietly to the kitchen, slide gently up to the fridge.... Try to open it without making a sound..... we don't want to scare the hacker off..... Reach in carefully and grab a bottle of beer firmly but gently by the neck. Extract it from the fridge and gently remove the cap, we don't want it to splash on the floor and scare the hacker.... Oh, remember to close the fridge..... the other beers will get warm..... Move quietly to the couch and sit down, turn on the TV.... The volume doesn't matter now, the hacker will think you are distracted.... Watch TV while drinking the beer until the bottle is empty..... Repeat process until done.... Go to bed.... sleep.... get up and get on with your life......
Of course, if you don't have beer in the fridge you are screwed..... Reformat and start from scratch.........
Relax... It's a portscan...... It's internet noise......
Normal activity of a worm. Possibly MyDoom or NetSky or Agobot or some other recent worm variant. I wouldn't worry about it since SonicWALL caught it.
Quote:
Port 2745 for backdoor left by the Bagle Virus
Port 3127 for MyDoom.A backdoor
Port 5000 for MS01-059 UPnP vulnerability
Port 6129 for Dameware vulnerability (OSVDB ID: 3042)
Port 1025 for MS03-032 vulnerability
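One way to triage a log entry like the one in the first post, following the advice above to look up the scanned ports and then check whether those services actually exist on the box. This is an added example, not code from the thread or from SonicWALL; the log line and the netstat-style listener output are constructed inputs standing in for a real Fport listing:

```python
import re

# Port associations as quoted in this thread (constructed lookup table for the example).
KNOWN_PORTS = {
    2745: "backdoor left by the Bagle virus",
    3127: "MyDoom.A backdoor",
    5000: "MS01-059 UPnP vulnerability",
    6129: "DameWare vulnerability (OSVDB ID: 3042)",
    1025: "MS03-032 vulnerability",
}

# Constructed sample inputs: the firewall line in the format quoted in the first post,
# and a few Windows "netstat -an" style lines for a hypothetical host.
SAMPLE_LOG = "TCP scanned port list, 2745, 1025, 3127, 6129, 5000"
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5000           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       192.168.1.20:1034      ESTABLISHED
"""

def parse_scan_line(line):
    """Return the scanned ports from a 'TCP scanned port list, ...' log line."""
    m = re.search(r"TCP scanned port list,\s*(.*)", line)
    if not m:
        return []
    return [int(p) for p in re.findall(r"\d+", m.group(1))]

def parse_listeners(netstat_text):
    """Collect local TCP ports in LISTENING state from netstat-style output."""
    ports = set()
    for ln in netstat_text.splitlines():
        fields = ln.split()
        if len(fields) >= 4 and fields[0] == "TCP" and fields[3] == "LISTENING":
            ports.add(int(fields[1].rsplit(":", 1)[1]))
    return ports

def triage(line, netstat_text):
    """Split the scanned ports into known worm/vuln signatures, unknown ports, and
    ports that are actually listening on this host (the ones worth acting on)."""
    scanned = parse_scan_line(line)
    listening = parse_listeners(netstat_text)
    return {
        "known": {p: KNOWN_PORTS[p] for p in scanned if p in KNOWN_PORTS},
        "unknown": [p for p in scanned if p not in KNOWN_PORTS],
        "exposed": [p for p in scanned if p in listening],
    }

if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG, SAMPLE_NETSTAT).items():
        print(f"{key}: {val}")
```

On the constructed host only port 5000 is both scanned and listening, which is the one to close or firewall; the rest is the background noise the thread describes.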
Hey Knight,
I posted a very similar thread, with I believe the same ports that you mentioned, awhile back. Check it out here. http://www.antionline.com/showthread...hreadid=255793
Gah... MsM beat me to it, but I was gonna have a breakdown for you! Some of the things that I did are located in that other thread!
If your firewall caught it, don't worry about it! If you'd like further security, put an explicit block on the attacking machine's MAC address and silence it for good!
Greetings All:
This is a great illustration of what I see as one of the major problems with information security today.
Consultants, and those that make security architectures, seem to expect that everyone should become an information security expert.
Why on earth do security software and hardware that was designed and marketed for home users spit out such logs? Do they expect home users to understand the significance of "ports" that are being "scanned", or even what the hell this strange "tcp" thing is to begin with? What on earth do they expect the home user to do after they read these messages?
At the governmental and corporate levels, sure, you need very detailed and robust logging. But you also presumably have expert personnel in place that can understand those logs, and that can actually do something about them if needed.
Security architectures for the home user should be "install and forget". Know that you installed your firewall, and that it will do its best to keep the bad bits and bytes out, and the good bits and bytes in. Understand that the firewall doesn't keep you 100% safe, but it keeps you safer than you were before you installed it.
I think often times in the computing industry, we forget how intimidating the world of computers can be for those who aren't experts with them, but simply use them to facilitate things that they are experts with.
Wow, do I ever feel special, MsM, Tiger, and JP responding to the same thread. ;)
Well, this is a small corporate setting, so it is important that I learn these things (which is why I'm posting here). You'd think having a fresh MIS degree (finally getting it Saturday!) that I should know this, but this is one thing the college courses never even touched base on (though I requested one of my professors to cover this), so I'm at a bit of a handicap. Which is why I'm here. :)
Darn.... That means no beer I suppose...... :(
Quote:
Well, this is a small corporate setting
Seriously, if your firewall is set to block all incoming except essential services that you provide then you'll learn to ignore the "white noise" of the internet.... It's like crickets at night.... You learn to go to sleep despite them....;)
Depending upon other systems you employ such as IDS you will be able to see the types of scanning/enumeration attempts that should attract your attention and let the rest go. More than 99% of all the "scanning" traffic is an automated worm of some type..... Very rarely is there an actual skiddie sat at a console controlling the whole event looking to steal your stuff.
Quote:
Security architectures for the home user should be "install and forget". Know that you installed your firewall, and that it will do its best to keep the bad bits and bytes out, and the good bits and bytes in. Understand that the firewall doesn't keep you 100% safe, but it keeps you safer than you were before you installed it.
Just remember that years ago there was no such thing as anti-virus or firewalls, and most people using a Windows platform didn't even have at least a firewall installed BEFORE they put their computer on the Internet. Which already makes their system a hackers' playground. Remember that Windows leaves file and print sharing open for starters. We're talking about the majority of Windows users here.
trackit
What?? First, I believe that AngelicKnight is referring to his business's firewall. Second, the policy of "install and forget" isn't a good one. Users do this with anti-virus software, which is why we see so many users infected with worms/viruses crying "but I have AV software installed". It needs to be checked regularly. That's reality. Even for firewalls. ZoneAlarm, as an example, was found to have some flaws and required updating. If people use an "install and forget" attitude, they will get complacent and will not pay attention to the little details.
Quote:
Security architectures for the home user should be "install and forget". Know that you installed your firewall, and that it will do its best to keep the bad bits and bytes out, and the good bits and bytes in.
Firewalls have been around since the 1980s and anti-virus has been around since the late 80s/early 90s. What is relatively new is 1) the usage of both of them on the same machine and 2) the concept that their computer has something WORTH protecting. It is the last point that has made it more critical for users to protect what they've got. In addition, I suspect that companies like Gateway and Dell, who are installing OSes with AV and firewalls, are probably helping. It doesn't solve, however, the on-going issue of users turning this off because it "slows the system down/interferes with my Internet access/asks me all these questions".
We should encourage users to install and learn rather than forget, IMHO.
I have to say that I agree to an extent. They shouldn't "set it and forget it" as the dude from Ronco says (I love infomercials); however, they realistically won't bother to learn the intricate details of securing their system(s). I compare this behavior to password policies that are too strict. Because most end users gravitate towards ease, after a certain point they'll end up taping their strong password to the back of the keyboard. The same goes for securing their system. We have to remember that these people don't see computers and technology in the same light as IT professionals. To the end user, everything is magic and always referred to as a "thingy".
Give them enough information (presented in layman's terms) to allow them to use the computer for the purposes they need.
my 2 cents
I _think_ what trackit might have meant, but the "meaning" was lost in his inimitable way, ;) , is that the firewall should manage itself. It should check every time it is started, and every 24 hours that it has been running, to see if there are any updates for itself. Maybe also it should monitor user input and make certain decisions for itself. For example, it notices that a user is clicking on an attachment to an email and the attachment immediately attempts to open a port... It should block it without any warning. If the user continues to click on it then possibly the user knows that the app is supposed to open a port and it is for a reason, so after 3 clicks it will pop up a simple dialogue: "The app you keep trying to open is of a suspicious nature and I am blocking its activity. Would you like to override my protection or see more details first? If you are unsure please select No. Yes, Details, No"
For home networking it should be able to determine the network architecture. A quick look at the network settings of the local PC will tell it that it is on a 192.168 address (thus private and not directly accessible over the net), and the default gateway is at 192.168.1.1... OK, it's probably a router. A quick scan of the subnet may reveal other computers.... OK, it seems reasonable to assume that there is a private network behind a router of some kind, do nothing. Then if a remote computer on the private subnet requests a resource it would not be unreasonable to pop up a dialogue saying "It seems you have more than one computer on a private network and that another of your computers is trying to communicate with this one. Do you have more than one computer and are you networking these computers? If you have only one computer please select No. Yes, No". If the user is trying to network they will easily understand the concept; if they aren't they can easily understand that something bad may be going on. If the answer is yes, then 192.168.1.0/24 is automatically placed in the trusted zone and the firewall is never heard from again with regard to the network; otherwise no trusted zone is created.
I think there is a lot that can be done to make security apps pretty much "fire and forget". There is, without doubt, a long way to go at present.
Quote:
Security architectures for the home user should be "install and forget". Know that you installed your firewall, and that it will do its best to keep the bad bits and bytes out, and the good bits and bytes in. Understand that the firewall doesn't keep you 100% safe, but it keeps you safer than you were before you installed it.
This makes as much sense as saying, "We got gas in the car. I am not sure what this gauge on the dash with an E and F means. But we've got gas by god."
*shakes head in disapproval*
Quote:
I _think_ what trackit might have meant, but the "meaning" was lost in his inimitable way, , is that the firewall should manage itself. It should check every time it is started and every 24 hours that it has been running to see if there are any updates for itself. Maybe also it should monitor user input and make certain decisions for itself. For example it notices that a user is clicking on an attachment to an email and the attachment immediately attempts to open a port...
This will be a quickie response, sorry. A number of my Windows platforms were using BlackICE and ZoneAlarm, and this was before the malicious hackers installed their backdoors and Trojan horses on these systems. This was before these systems had any firewall installed on the computer. Hint, hint, hint people. How hard do I have to try to get people to realize that a firewall is **** if you have not installed it from the beginning of sticking your computer online? Tell me what proof you all would like to see and it will be shown to you.
trackit
So the Windows platforms were using BlackICE and ZoneAlarm before they were infected, but they were infected after the firewalls were installed? That statement is contradictory. I realize you made a quickie response; when you have more time, work it out for us, thanks.
Quote:
A number of my Window Platforms were using Blackice and Zonealarm and this was before the malicious hackers installed their Backdoors and Trojan Horses on these systems. This was before these systems had any firewall installed on the computer.