Re: TCP port 5000 syn increasing

From: Harlan Carvey (keydet89_at_yahoo.com)
Date: 05/19/04

  • Next message: Paul Schmehl: "RE: TCP port 5000 syn increasing"
    Date: Wed, 19 May 2004 07:21:08 -0700 (PDT)
    To: incidents@securityfocus.com
    
    

    Andreas,

    > > I'm waiting for the first worm that tunnels over HTTP port 80, as a number
    > > of protocols already do, to get around firewalls that only pass 25 and 80. ;)
    >
    > It would have to be "de-tunneled" on the inside to do something useful. Either
    > the network is already compromised, or it exploits something on that specific service.

    Excellent point! It's about time something more lucid
    passed through this list. To be honest, there's way
    too much hand-waving and too much of a
    smoke-and-mirrors approach to infosec. It's so easy
    to say "worm that tunnels into the network over port
    80" and get the media (and following the domino
    effect, the general public) all hyped and spinning out
    of control. But you're right...it has to be
    "de-tunnelled" to something, unless it's an exploit
    against the web server itself - at which point it
    isn't tunnelling, then, is it?

    And you know, even this kind of thing is relatively
    easy to protect against. If you're going to configure
    your router or firewall in a default deny status, and
    then allow only specific traffic, why not then just
    restrict that traffic to specific hosts or ranges?
    Why allow port 25 into your entire infrastructure,
    when you've got only one email server? Why not just
    allow port 25 to the specific host, or to ranges
    depending upon the size of your infrastructure?
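
The host-restriction point made in the message above, as an added example that is not part of the original post: a short Python audit that flags inbound allow rules whose destination is wider than the hosts actually offering the service. The rule list, the service inventory and the addresses (RFC 5737 documentation range) are constructed for illustration.

```python
import ipaddress

# Constructed inventory: hosts that actually offer each inbound service.
SERVICE_HOSTS = {
    25: ["192.0.2.10"],                 # the one mail server
    80: ["192.0.2.20", "192.0.2.21"],   # two web servers
}

# Constructed inbound allow rules on a default-deny perimeter: (tcp_port, destination).
RULES = [
    (25, "192.0.2.0/24"),    # SMTP allowed to the entire range
    (80, "192.0.2.20/31"),   # covers exactly the two web servers
    (25, "192.0.2.10/32"),   # SMTP allowed to the mail server only
    (5000, "192.0.2.0/24"),  # port open although no host is listed for it
]


def audit_rule(port, dest, service_hosts):
    """Return (excess_addresses, verdict) for one allow rule.

    excess_addresses counts destinations the rule exposes on this port
    that are not listed as servers for it.
    """
    net = ipaddress.ip_network(dest, strict=False)
    servers = {ipaddress.ip_address(h) for h in service_hosts.get(port, [])}
    covered = sorted(s for s in servers if s in net)
    excess = net.num_addresses - len(covered)
    if not covered:
        return excess, "remove: no listed server for this port in destination"
    if excess:
        hosts = ", ".join(f"{s}/{s.max_prefixlen}" for s in covered)
        return excess, "narrow to " + hosts
    return 0, "ok"


def audit(rules, service_hosts):
    """Audit every rule; returns a list of (port, dest, excess, verdict)."""
    return [(p, d) + audit_rule(p, d, service_hosts) for p, d in rules]


if __name__ == "__main__":
    for port, dest, excess, verdict in audit(RULES, SERVICE_HOSTS):
        print(f"tcp/{port:<5} -> {dest:<16} excess={excess:<4} {verdict}")
```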
