-
June 7th, 2002, 04:44 AM
#1
Firewall intrusion attempt log question
This is a copy of the intrusion attempts for my firewall logs for the past roughly two weeks. These are only the days when someone has been persistent enough to make me log the attempts. I'm not particularly worried about the attempts, because as far as I can tell, all the idiots are doing is banging their heads against my firewall. Nor for that matter do I have the services running on those ports to make them vulnerable anyway.
http://www.treachery.net/security_to...rts/lookup.cgi <--Handy little thing.
My question is thus: Is it worth the time and effort to bother tracing the most persistent little wannabe and reporting them to their ISP? 128.11.13.132 being the one that concerns me.
5/20/2002 5:42:29 PM Connection request 216.136.226.118 TCP(1597)
5/20/2002 5:41:25 PM Connection request 216.136.226.118 TCP(1597)
5/20/2002 5:40:21 PM Connection request 216.136.226.118 TCP(1597)
5/20/2002 5:39:17 PM Connection request 216.136.226.118 TCP(1597)
5/20/2002 5:38:13 PM Connection request 216.136.226.118 TCP(1597)
5/20/2002 5:37:09 PM Connection request 216.136.226.118 TCP(1597)
5/20/2002 5:36:05 PM Connection request 216.136.226.118 TCP(1597)
5/20/2002 5:35:01 PM Connection request 216.136.226.118 TCP(1597)
5/20/2002 5:33:57 PM Connection request 216.136.226.118 TCP(1597)
5/21/2002 10:35:18 PM Connection request 152.163.226.77 TCP(1896)
5/21/2002 5:04:04 PM Port scanned 61.219.250.188 TCP(111)
5/21/2002 5:04:04 PM Connection request 61.219.250.188 TCP(111)
5/21/2002 4:23:58 PM Connection request 152.163.226.3 TCP(1652)
5/21/2002 4:23:44 PM Connection request 152.163.226.25 TCP(1632)
6/3/2002 5:47:52 PM Connection request 192.232.30.60 TCP(1179)
6/3/2002 5:42:24 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:40:24 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:38:24 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:36:24 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:34:24 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:32:24 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:30:24 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:28:24 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:26:24 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:24:24 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:22:24 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:20:48 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:19:18 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:15:08 PM Connection request 207.46.182.140 TCP(1513)
6/6/2002 11:35:28 PM Port scanned 128.11.18.132 TCP(1121) TCP(1073)
6/6/2002 11:35:28 PM Connection request 128.11.18.132 TCP(1121)
6/6/2002 11:35:09 PM Connection request 128.11.18.132 TCP(1073)
6/6/2002 11:23:50 PM Port scanned 128.11.18.132 TCP(1121) TCP(1073)
6/6/2002 11:23:50 PM Connection request 128.11.18.132 TCP(1121)
6/6/2002 11:23:09 PM Connection request 128.11.18.132 TCP(1073)
6/6/2002 11:21:09 PM Connection request 128.11.18.132 TCP(1073)
6/6/2002 11:19:30 PM Connection request 128.11.18.132 TCP(1073)
6/6/2002 11:17:58 PM Connection request 128.11.18.132 TCP(1073)
Any suggestions are appreciated.
-Keisha
www.notinourname.net
www.nion.us
Read them.
-
June 7th, 2002, 05:08 AM
#2
-
June 7th, 2002, 05:15 AM
#3
I really don't think it's a hack attempt, more likely it's push technology. Observe what you're doing when you get these connection requests.
This is the 'culprit':
Real Networks (NETBLK-REALNET-18-14)
2601 Elliott Avenue
Seattle, WA 98121
US
Netname: REALNET-18-14
Netblock: 128.11.18.0 - 128.11.18.255
Coordinator:
Center, Network Operations (NOC6-ARIN) [No mailbox]
814-274-9830
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
-
June 7th, 2002, 05:34 AM
#4
Yeah I have the same problems as I'm sure most of the people at AO do. My firewall logs are full of stuff like this. During last month, my firewall logged countless attempts to connect to port 1433 because of the SQL worm. You're obviously being scanned by a kiddy who doesn't understand how to be discreet.
Unfortunately, this isn't illegal unless the number of connection attempts is causing the performance of your box to suffer, in which case it's a DOS attack. Just keep an eye on it and keep your logs as evidence in case something does happen in the future.
OpenBSD - The proactively secure operating system.
-
June 7th, 2002, 05:35 AM
#5
And Yahoo:
Yahoo (NETBLK-EC20-2-YAHOO2)
701 First Avenue
Sunnyvale, CA 94089
US
Netname: EC20-2-YAHOO2
Netblock: 216.136.224.0 - 216.136.227.255
Maintainer: YHOO
Ammo
Credit travels up, blame travels down -- The Boss
-
June 7th, 2002, 05:45 AM
#6
Junior Member
Can someone explain the firewall log in the beginning? Do the IP addresses mentioned there belong to the "intruder"?
-
June 7th, 2002, 05:48 AM
#7
It seems to me that the ports listed are the "source ports" and not the destination ports.
Combining that with the owners of the IP addresses, I would think, like tedob1, that you are not under attack at all (from those IP addresses), although the port 111 probe strikes me as a network scanner looking for a particular vulnerability, especially as the IP address is from Asia. There are lots of scanners that look for port 111 on the internet, and you really shouldn't have to worry about that.
All the other scans seem to originate (I assume that the port number your log shows next to the IP address is the source port, and not the destination) from ports above 1024, which are doled out to applications on an as-needed basis, and therefore often mean nothing as a source port. Besides, a Google search on most of them revealed nothing of note in the first 2 pages of results, as far as exploits specific to those port numbers (as a destination).
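The triage the opening post asks for and the source-port observation in this reply can be turned into a small script. This is an added example, not code from the thread: it parses the log format quoted in the first post (a constructed subset is embedded as sample input), groups hits per peer IP, and reports whether every port seen is in the ephemeral range (>1023, which this reply reads as a client's source port rather than a targeted service), whether the firewall itself flagged a scan, and how regular the hits are. A steady two-minute cadence from one address, as 128.11.18.132 shows, points at a periodic client rather than a hand-driven probe.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median
# Constructed sample: a subset of the lines quoted in the opening post.
SAMPLE_LOG = """\
5/20/2002 5:42:29 PM Connection request 216.136.226.118 TCP(1597)
5/20/2002 5:41:25 PM Connection request 216.136.226.118 TCP(1597)
5/21/2002 5:04:04 PM Port scanned 61.219.250.188 TCP(111)
5/21/2002 5:04:04 PM Connection request 61.219.250.188 TCP(111)
6/3/2002 5:42:24 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:40:24 PM Connection request 128.11.18.132 TCP(1100)
6/3/2002 5:38:24 PM Connection request 128.11.18.132 TCP(1100)
6/6/2002 11:35:28 PM Port scanned 128.11.18.132 TCP(1121) TCP(1073)
"""

# One log line: timestamp, event type, peer IP, one or more TCP(port) fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<event>Connection request|Port scanned) "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<ports>TCP\(\d+\)(?: TCP\(\d+\))*)$"
)

def parse(log_text):
    """Yield (timestamp, event, ip, [ports]); malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p")
            ports = [int(p) for p in re.findall(r"TCP\((\d+)\)", m["ports"])]
            yield ts, m["event"], m["ip"], ports

def triage(log_text):
    """Per peer IP: hit count, ports, whether all ports are ephemeral (>1023,
    i.e. likely client source ports), scan flag, median seconds between hits."""
    hits = defaultdict(list)
    for ts, event, ip, ports in parse(log_text):
        hits[ip].append((ts, event, ports))
    report = {}
    for ip, events in hits.items():
        times = sorted(t for t, _, _ in events)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        ports = sorted({p for _, _, ps in events for p in ps})
        report[ip] = {
            "hits": len(events), "ports": ports,
            "all_ephemeral": all(p > 1023 for p in ports),
            "scan_flagged": any(e == "Port scanned" for _, e, _ in events),
            "median_gap_s": median(gaps) if gaps else None,
        }
    return report
```

The report does not settle whether the logged number is a source or destination port (the log format itself does not say), so treat `all_ephemeral` as a hint to check the service actually listening, not as a verdict.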
-
June 7th, 2002, 05:57 AM
#8
Originally posted here by almorga
Can someone explain the firewall log in the beginning? Do the IP addresses mentioned there belong to the "intruder"?
Kind of...though 'intruder' is not quite the word. If you see a buttload of connection attempts or all of your ports being scanned in a matter of moments, then yes, someone is trying to get in kind of hard. But to say that these attempts are someone trying to get in: (1) they aren't trying too hard or (2) it's just internet noise.
Now knowing that they come from mass marketing companies or "whores of the internet" is really speaking volumes. In other words, it's probably people trying to get marketing info off your system.
It could be a million things, but chances are it's not worth your time to worry about.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
June 7th, 2002, 06:19 AM
#9
Port 1073 was an attempt to see if there is a web console, port 1100 is seeing if it is a Checkpoint firewall, 1652 is to see if remote console is there, port 1597 is looking for Linux. A short port scan for services and OS and what they might use, more of an info gathering thing. Hope that helps.
I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg
-
June 7th, 2002, 06:50 AM
#10
Oh, forgot to add: this looks like a script kiddie newbie scan, not sure of what they are looking for, just testing to see if it works. But upon checking the IP, if the firewall cannot pick up an IP spoof, I'd say the signature is RealPlayer as in RealNetworks pushing ads and attempting to get playlists. Funny how they use such odd ports.
I believe that one of the characteristics of the human race - possibly the one that is primarily responsible for its course of evolution - is that it has grown by creatively responding to failure.- Glen Seaborg