RE: Strange Firewall / IDS Events

From: Trevor Cushen (Trevor.Cushen@sysnet.ie)
Date: 02/20/03

    Date: Thu, 20 Feb 2003 09:30:07 -0000
    From: "Trevor Cushen" <Trevor.Cushen@sysnet.ie>
    To: <security-basics@securityfocus.com>
    
    

    ClearCase listens on port 371; more info at
    http://www.rational.com/docs/v2002/cc/cc_admin/net_intro7.html?SMSESSION=NO
    or http://www.rational.com/products/clearcase/index.jsp

    It is also listed on several incident sites as having security issues
    and the port can be exploited.

    If you are not running ClearCase then block the port or your machine
    going to the port. SamSpade shows your other address as a dial-up as
    well so it's not a case of a product doing updates etc.

    Try getting more on the packets or getting fport on your machine and see
    what exe is running the 'scan' you are seeing.

    Hope this helps

    Trevor Cushen
    Sysnet Ltd

    www.sysnet.ie
    Tel: +353 1 2983000
    Fax: +353 1 2960499

    -----Original Message-----
    From: Donald V. Gerkin Jr. [mailto:dgerki1@tiger.towson.edu]
    Sent: 19 February 2003 17:43
    To: security-basics@securityfocus.com
    Subject: Strange Firewall / IDS Events

    Group,

    I have been reading the postings here for several months, and enjoy
    reading the threads and seeing the level of expertise. Now I have to
    post and ask for a little advice regarding some strange events that I
    have noticed on my home computer.

    Here's a little background info. I have your typical P4 system at home,
    running Windows XP. Though I am immensely ashamed to admit it (it's more
    laziness than anything else, at least until my new house is done) I use
    AOL broadband for my 'net connection. I use Black Ice, and also have
    XP's built in firewall SW enabled. (any thought/opinions on Black Ice
    are welcome too). Here are some events that I have picked up on Black
    Ice. It appears to me that something on my computer is doing some
    scanning. DVG is my computer.

    TIME: 02/18/2003 09:05:04 AM EVENT: TCP port scan
    INTRUDER: DVG COUNT: 1
    TCP FLAGS: 0x00000002 PROTOCOL ID: TCP
    DESTINATION PORT: 0 SOURCE PORT: 0
    PARAMETERS: port=482-485 TARGET: 207.114.130.7
    TARGET IP: 207.114.130.7 INTRUDER IP:172.151.145.84
     

    TIME: 02/18/2003 10:17:34 PM EVENT: TCP port scan
    INTRUDER: DVG COUNT: 2
    TCP FLAGS: 0x00000002 PROTOCOL ID: TCP
    DESTINATION PORT: 0 SOURCE PORT: 0
    PARAMETERS: port=481-485 TARGET: 207.114.130.7
    TARGET IP: 207.114.130.7 INTRUDER IP:172.151.145.84

     
    TIME: 02/18/2003 11:22:15 PM EVENT: TCP port scan
    INTRUDER: DVG COUNT: 1
    TCP FLAGS: 0x00000002 PROTOCOL ID: TCP
    DESTINATION PORT: 0 SOURCE PORT: 0
    PARAMETERS: port=482-484|486 TARGET: 207.114.130.7
    TARGET IP: 207.114.130.7 INTRUDER IP:172.151.145.84

     

    At this point I shut off my computer for the night. Note that Black Ice
    did not "block" any of these events, but merely reported on them.

    Again, DVG is my computer. 172.151.145.84 was my AOL assigned IP at the
    time.

    This morning, I turned the computer back on, got online, and it started
    again. As of me sending this e-mail, this is what I have for today:

     
    TIME: 02/19/2003 10:04:01 AM EVENT: UDP port probe
    INTRUDER: DVG COUNT: 2
    TCP FLAGS: 0x00000000 PROTOCOL ID: ICMP
    DESTINATION PORT: 371 SOURCE PORT: 9370
    PARAMETERS: port=371&reason=ICMPsent TARGET: 207.114.130.7
    TARGET IP: 207.114.130.7 INTRUDER IP:172.133.206.20

     
    ** Note that this was the only event "blocked."

     
    TIME: 02/19/2003 11:05:27 AM EVENT: TCP port scan
    INTRUDER: DVG COUNT: 1
    TCP FLAGS: 0x00000002 PROTOCOL ID: TCP
    DESTINATION PORT: 0 SOURCE PORT: 0
    PARAMETERS: port=482|484-486 TARGET: 207.114.130.7
    TARGET IP: 207.114.130.7 INTRUDER IP:172.133.206.20

     
    TIME: 02/19/2003 12:07:40 PM EVENT: TCP port scan
    INTRUDER: DVG COUNT: 1
    TCP FLAGS: 0x00000002 PROTOCOL ID: TCP
    DESTINATION PORT: 0 SOURCE PORT: 0
    PARAMETERS: port=482|484-486 TARGET: 207.114.130.7
    TARGET IP: 207.114.130.7 INTRUDER IP:172.133.206.20

     
    This is what I have, and I am not sure what to make of it.

    ARIN tells me this about the Target:

     Search results for: 207.114.130.7

     
    Call America CAMNET-BLK-2 (NET-207-114-128-0-1) 207.114.128.0 - 207.114.255.255
    The Grid Network THEGRID3 (NET-207-114-130-0-1) 207.114.130.0 - 207.114.130.255
     
    # ARIN WHOIS database, last updated 2003-02-18 20:00
    # Enter ? for additional hints on searching ARIN's WHOIS database.
     
    However, last night it was some corporation in NJ. I am not quite sure
    if I understand the change.
     
    So, with what I have here, are there any suggestions, or opinions anyone
    can lend? Feel free to e-mail me privately or through the group. And
    though it goes without saying, thanks in advance for your opinions and
    suggestions!!
     
    Regards,
     
    Don
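An added triage script for the BlackICE records quoted in this thread (it is not code from either poster, and the record format is taken only from the events shown above). It parses the multi-field records, expands the port expressions such as 482-484|486, groups the events per target and event type, and flags a group as outbound when the INTRUDER is this host's own name or one of its own addresses, which is what the reply's fport suggestion is meant to follow up on. The sample log is three of the records copied from the original post; the host name DVG and the two AOL addresses are taken from the post as well.

```python
import re
from dataclasses import dataclass, field

# Field names exactly as they appear in the quoted records.  Longer names come
# first so "INTRUDER IP" is not read as "INTRUDER" with a value starting "IP".
FIELDS = ["TIME", "EVENT", "INTRUDER IP", "INTRUDER", "COUNT", "TCP FLAGS",
          "PROTOCOL ID", "DESTINATION PORT", "SOURCE PORT", "PARAMETERS",
          "TARGET IP", "TARGET"]
FIELD_RE = re.compile(r"\b(" + "|".join(re.escape(f) for f in FIELDS) + r"):\s*")

# Three records copied from the original post, used here as sample input.
SAMPLE_LOG = """\
TIME: 02/18/2003 09:05:04 AM EVENT: TCP port scan
INTRUDER: DVG COUNT: 1
TCP FLAGS: 0x00000002 PROTOCOL ID: TCP
DESTINATION PORT: 0 SOURCE PORT: 0
PARAMETERS: port=482-485 TARGET: 207.114.130.7
TARGET IP: 207.114.130.7 INTRUDER IP:172.151.145.84

TIME: 02/19/2003 10:04:01 AM EVENT: UDP port probe
INTRUDER: DVG COUNT: 2
TCP FLAGS: 0x00000000 PROTOCOL ID: ICMP
DESTINATION PORT: 371 SOURCE PORT: 9370
PARAMETERS: port=371&reason=ICMPsent
                                                TARGET: 207.114.130.7
TARGET IP: 207.114.130.7 INTRUDER IP:172.133.206.20

TIME: 02/19/2003 11:05:27 AM EVENT: TCP port scan
INTRUDER: DVG COUNT: 1
TCP FLAGS: 0x00000002 PROTOCOL ID: TCP
DESTINATION PORT: 0 SOURCE PORT: 0
PARAMETERS: port=482|484-486 TARGET: 207.114.130.7
TARGET IP: 207.114.130.7 INTRUDER IP:172.133.206.20
"""


def parse_ports(spec):
    """'482-484|486' -> {482, 483, 484, 486}; '' -> empty set."""
    ports = set()
    for piece in spec.split("|"):
        if "-" in piece:
            lo, hi = piece.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        elif piece:
            ports.add(int(piece))
    return ports


def parse_parameters(text):
    """'port=371&reason=ICMPsent' -> {'port': '371', 'reason': 'ICMPsent'}."""
    pairs = (kv.partition("=") for kv in text.split("&"))
    return {k.strip(): v.strip() for k, sep, v in pairs if sep}


def parse_records(log_text):
    """Split the log at each TIME: and map every field of a record to its value."""
    records = []
    for block in re.split(r"(?=\bTIME:)", log_text):
        flat = " ".join(block.split())      # line breaks carry no meaning here
        if not flat.startswith("TIME:"):
            continue
        parts = FIELD_RE.split(flat)        # [pre, key, val, key, val, ...]
        records.append({parts[i]: parts[i + 1].strip()
                        for i in range(1, len(parts) - 1, 2)})
    return records


@dataclass
class Finding:
    target_ip: str
    event: str
    ports: set = field(default_factory=set)
    count: int = 0
    sources: set = field(default_factory=set)
    originated_locally: bool = False


def triage(log_text, local_ips, local_host):
    """One Finding per (target, event type); flag the ones this host itself sent."""
    findings = {}
    for rec in parse_records(log_text):
        key = (rec["TARGET IP"], rec["EVENT"])
        f = findings.setdefault(key, Finding(*key))
        f.ports |= parse_ports(parse_parameters(rec.get("PARAMETERS", "")).get("port", ""))
        f.count += int(rec.get("COUNT", "0"))
        f.sources.add(rec.get("INTRUDER IP", "?"))
        # BlackICE labels the sender INTRUDER; when that is us, the traffic is outbound.
        if rec.get("INTRUDER IP") in local_ips or rec.get("INTRUDER") == local_host:
            f.originated_locally = True
    return sorted(findings.values(), key=lambda f: (f.target_ip, f.event))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, {"172.151.145.84", "172.133.206.20"}, "DVG"):
        print(f"{f.event:15} -> {f.target_ip} ports {sorted(f.ports)} "
              f"x{f.count} outbound={f.originated_locally} from {sorted(f.sources)}")
```

Run as-is it reports one outbound TCP finding covering ports 482-486 and one outbound UDP finding on port 371, both towards 207.114.130.7, which is the picture the poster describes: a process on the local machine, not the remote "target", is the thing to identify. Only the assumed local addresses and host name decide the outbound flag, so feed it whatever the firewall assigned at the time.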
     
