Re: I need help with Firewall Hits

bp1974_at_comcast.net
Date: 11/03/03

  • Next message: Brian Jones: "Re: Possible Virus or trojan?"
    To: "Preston, Tony" <Tony.Preston@acs-inc.com>
    Date: Mon, 03 Nov 2003 19:03:00 +0000
    
    

    UDP port 162 is used for listening to incoming SNMP traps. Since the traffic is originating from a local non-routable address (192.168.x.x) it looks more like a misconfiguration than an attack.
    Do you have an SNMP agent running on the router by any chance? It is possible it is trying to send a legitimate trap for any SNMP event and that your Windows box is configured as the trap receiver.

    Balaji
    > I thought I posted this information the other day(with a different set of
    > data), but did not see it so I am re-asking my questions...
    >
    > I have a Win/Me with the latest patches, a linksys wireless router with the
    > latest firmware (BEFS4W11 V 1.44). My Wireless card has the latest drivers.
    > I have Kerio tiny personal firewall (latest version) installed and it is
    > collecting about 700 hits per day of the same type. I am no expert on this
    > kind of thing so any help is appreciated.
    >
    > My system looks like:
    >
    > ~~~~[Cable modem]~~~~~[Linksys Wireless Router] ... [ Win/ME, TPF ]
    >
    > I have changed the SSID and channel (although the channel is apparently not
    > used) from the default, WEP is not enabled. There are three systems that
    > could be on my wireless network (my system and two laptops, the hits occur
    > even when the laptops are not connected so I have assumed they are not the
    > cause). I only see the MAC addresses of the three systems in my router
    > tables.
    >
    > The hits are a continuous attempt to hit port 162 on my system, the "sender"
    > is always ip address 192.168.1.1, my router's ip address, with a port that
    > varies on each hit, increments on each hit. Over the last few days it was
    > 40901 to 42925 (almost 2000 hits over the last 3 days)
    >
    > A summary of the report is:
    >
    > 1,[31/Oct/2003 07:12:30] Rule 'Packet to unopened port received': Blocked:
    > In UDP,
    >
    > 192.168.1.1:40901->localhost:162, Owner: no owner
    > ...
    > 192.168.1.1:42925->localhost:162, Owner: no owner
    >
    > I do get other hits, but those are few enough, blocked, and I can identify
    > the exploits (msblaster trying to infect my system for example) so they are
    > of a lesser concern than this one.
    >
    > I would like to resolve who/why I am getting these hits and identify what
    > the exploit is.
    >
    > How can I figure out where these are coming from?
    >
    > I have reset the router (to ensure it wasn't the router that was doing them)
    > and cable modem.
    >
    > Anyone have any ideas on what I can do to track this down and possibly stop
    > it?
    >
    > Tony Preston
    > Systems Engineer, AS&T Inc.
    > Division of L3 Corporation
    > (609) 485-0205 x 181
    >
    >
    > -----Original Message-----
    > From: Ivan Hernandez [mailto:ivan.hernandez@globalsis.com.ar]
    > Sent: Wednesday, October 29, 2003 2:21 PM
    > To: Ansgar -59cobalt- Wiechers
    > Cc: security-basics@securityfocus.com
    > Subject: Re: Personal Firewall for Business use
    >
    > Ansgar -59cobalt- Wiechers wrote:
    >
    > >On 2003-10-27 Ivan Hernandez wrote:
    > >
    > >[ Windows TCP filtering ]
    > >
    > >
    > >"Application level protection" is ridiculous if the protecting agent is
    > >running on the same box. I keep wondering how people can expect software
    > >that allows user interaction (like most personal firewalls do) to
    > >prevent other (malicious) software from doing whatever it pleases.
    > >Regards
    > >Ansgar Wiechers
    > >
    > >
    > I would recommend you to read the good information on the Gibson
    > Research site at http://www.grc.com
    > Try the information leak utility that's very useful with all the other
    > toys written in assembly. It's a nice and educational site. Windows
    > Kernel Filtering will not stop a trojan from making connections on the
    > internet, and that's one of the most important risks on a personal
    > computer. Most worms are going via email today, and the filter will do
    > nothing with that, but with some application level filtering, like Zone
    > Alarm has, you can catch them before they go to the internet. Windows
    > Kernel Filter also is a very bad option to filter UDP traffic. For
    > example... you would just want to receive responses to DNS queries you
    > have made, but this is just impossible because you have no way to keep
    > track of your connections.
    > I think you must take a little more time before saying that something
    > that others said is "ridiculous" and, if in doubt, ask first what the
    > other exactly meant, and ask for more information if necessary.
    >
    > Cheers...
    >
    > Ivan Hernandez
    > http://biromeponja.8k.com
    >
    >
    > ---------------------------------------------------------------------------
    > Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
    > The Presidio integrates PGP data encryption and XML Web Services security to
    > simplify the management and deployment of PGP and reduce overall PGP costs
    > by up to 80%.
    > FREE WHITEPAPER & 30 Day Trial -
    > http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027
    > ----------------------------------------------------------------------------

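Balaji's answer is that the UDP/162 packets are probably SNMP traps the router is emitting, and the way to confirm that is to receive one and look inside it rather than only count the blocked hits. The following is an added example, not code from the thread or from either vendor: a minimal SNMPv1 Trap-PDU decoder (RFC 1157 BER layout) plus a listener that binds UDP/162. The sample datagram is constructed here (a linkUp trap claiming agent address 192.168.1.1, community "public", and an enterprise OID chosen arbitrarily); it was not captured from Tony's Linksys.

```python
"""Decode an SNMPv1 Trap-PDU (RFC 1157) so UDP/162 datagrams can be inspected
instead of only counted by the firewall.  Added example; the sample packet
below is constructed, not captured from the router discussed in the thread."""
import socket

# BER tags that can appear in an SNMPv1 trap
INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
IPADDRESS, COUNTER, GAUGE, TIMETICKS = 0x40, 0x41, 0x42, 0x43
TRAP_PDU = 0xA4                     # [4] IMPLICIT SEQUENCE
GENERIC_TRAPS = ["coldStart", "warmStart", "linkDown", "linkUp",
                 "authenticationFailure", "egpNeighborLoss", "enterpriseSpecific"]


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for the BER TLV at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                 # long form: low bits give the length-of-length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("BER length runs past end of packet")
    return tag, buf[pos:end], end


def _decode_oid(raw):
    """Expand base-128 sub-identifiers into dotted form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def _decode_value(tag, raw):
    if tag in (INTEGER, COUNTER, GAUGE, TIMETICKS):
        return int.from_bytes(raw, "big", signed=(tag == INTEGER))
    if tag == OCTET_STRING:
        return raw.decode("ascii", "replace")
    if tag == IPADDRESS:
        return ".".join(str(b) for b in raw)
    if tag == OID:
        return _decode_oid(raw)
    if tag == NULL:
        return None
    return raw.hex()                  # anything else: show the bytes, don't guess


def decode_trap(packet):
    """Parse one SNMPv1 trap datagram into a dict; raise ValueError otherwise."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != SEQUENCE:
        raise ValueError("not an SNMP message")
    tag, version, pos = _read_tlv(msg, 0)
    if tag != INTEGER or int.from_bytes(version, "big") != 0:
        raise ValueError("only SNMPv1 (version 0) traps are handled")
    tag, community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != TRAP_PDU:
        raise ValueError("PDU tag 0x%02x is not a Trap-PDU" % tag)
    # Fixed part of the Trap-PDU: enterprise, agent-addr, generic, specific, uptime
    header, pos = [], 0
    for _ in range(5):
        tag, raw, pos = _read_tlv(pdu, pos)
        header.append(_decode_value(tag, raw))
    enterprise, agent, generic, specific, uptime = header
    _, vbl, _ = _read_tlv(pdu, pos)   # variable-bindings: SEQUENCE OF VarBind
    varbinds, pos = [], 0
    while pos < len(vbl):
        _, vb, pos = _read_tlv(vbl, pos)
        _, name, vpos = _read_tlv(vb, 0)
        vtag, val, _ = _read_tlv(vb, vpos)
        varbinds.append((_decode_oid(name), _decode_value(vtag, val)))
    return {
        "community": community.decode("ascii", "replace"),
        "enterprise": enterprise,
        "agent_addr": agent,
        "generic_trap": GENERIC_TRAPS[generic] if 0 <= generic < 7 else generic,
        "specific_trap": specific,
        "uptime_ticks": uptime,
        "varbinds": varbinds,
    }


def listen(port=162):
    """Bind UDP/162 (needs admin/root) and print every trap with its sender."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("", port))
    while True:
        data, (src, sport) = sock.recvfrom(65535)
        try:
            print(f"{src}:{sport} ->", decode_trap(data))
        except ValueError as exc:
            print(f"{src}:{sport} -> undecodable ({exc}): {data.hex()}")


# Constructed sample: a linkUp trap "from" 192.168.1.1; enterprise OID is arbitrary
SAMPLE_TRAP = bytes.fromhex(
    "303c" "020100" "04067075626c6963" "a42f"
    "060a2b06010401bf0803020a" "4004c0a80101" "020103" "020100" "43023039"
    "3011" "300f" "060a2b060102010202010101" "020101")

if __name__ == "__main__":
    print(decode_trap(SAMPLE_TRAP))
```

Run `listen()` on whatever host can bind UDP/162 on that LAN (the firewall entry "Packet to unopened port received" says nothing on Tony's box is currently bound there, which is why every trap is logged as a hit). A decoded agent address, uptime and varbinds that match the router are the confirmation Balaji is asking for; a datagram that fails to decode at all is the point at which the "misconfiguration" explanation stops holding and the raw bytes deserve a closer look.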

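Two threads of the discussion meet in the firewall log itself: Ivan's point that a stateless kernel filter cannot admit only the replies to DNS queries the host actually sent, and Kerio's "Packet to unopened port received" verdict on the 192.168.1.1:4xxxx -> :162 datagrams. The example below is added here and is not code from the thread or from Kerio; it replays log-shaped records through a small stateful UDP filter that keeps per-flow state for outbound datagrams and admits inbound UDP only as a timely reply from the same peer, or to a port that was deliberately opened. The log lines are constructed to look like Tony's excerpt (the local DNS port 1025, the foreign host 10.0.0.5 and the 30-second timeout are assumptions).

```python
"""Stateful UDP filtering replayed over firewall-log-shaped records.  Added
example; the log lines below are constructed in the shape of the Kerio excerpt
from the thread, not copied from it."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample (assumed values): one DNS exchange, two trap-style hits on
# UDP/162 from the gateway, a "reply" from an unrelated host, and a late reply.
SAMPLE_LOG = """\
[31/Oct/2003 07:12:00] Out UDP, localhost:1025->192.168.1.1:53
[31/Oct/2003 07:12:00] In UDP, 192.168.1.1:53->localhost:1025
[31/Oct/2003 07:12:30] In UDP, 192.168.1.1:40901->localhost:162
[31/Oct/2003 07:12:31] In UDP, 10.0.0.5:53->localhost:1025
[31/Oct/2003 07:14:00] In UDP, 192.168.1.1:53->localhost:1025
[31/Oct/2003 07:14:05] In UDP, 192.168.1.1:40902->localhost:162
"""

LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] (?P<dir>In|Out) UDP, "
    r"(?P<src>[\w.]+):(?P<sport>\d+)->(?P<dst>[\w.]+):(?P<dport>\d+)")


class StatefulUdpFilter:
    """Admit inbound UDP only as a timely reply to our own outbound datagram
    (same peer ip:port, same local port) or to a port we chose to open."""

    def __init__(self, listening_ports=(), timeout=timedelta(seconds=30)):
        self.listening = set(listening_ports)
        self.timeout = timeout          # assumed state lifetime for a UDP "flow"
        self.flows = {}                 # (local_port, peer_ip, peer_port) -> last Out time

    def decide(self, ts, direction, src, sport, dst, dport):
        if direction == "Out":
            self.flows[(sport, dst, dport)] = ts
            return "allow:outbound"
        key = (dport, src, sport)       # a reply must come back from the same peer
        sent = self.flows.get(key)
        if sent is not None and ts - sent <= self.timeout:
            return "allow:reply"
        if dport in self.listening:
            return "allow:listening"
        return "block:unopened"         # Kerio's "Packet to unopened port received"


def run_filter(log_text, listening_ports=()):
    """Replay log lines through the filter; return [(flow, verdict), ...]."""
    fw = StatefulUdpFilter(listening_ports)
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y %H:%M:%S")
        verdict = fw.decide(ts, m["dir"], m["src"], int(m["sport"]),
                            m["dst"], int(m["dport"]))
        out.append((f"{m['src']}:{m['sport']}->{m['dst']}:{m['dport']}", verdict))
    return out


def blocked_by_source_and_port(results):
    """Triage helper: blocked packets per (source ip, local port)."""
    counts = Counter()
    for flow, verdict in results:
        if verdict.startswith("block"):
            src = flow.split(":")[0]
            dport = int(flow.rsplit(":", 1)[1])
            counts[(src, dport)] += 1
    return dict(counts)


if __name__ == "__main__":
    for flow, verdict in run_filter(SAMPLE_LOG):
        print(f"{verdict:16} {flow}")
    print(blocked_by_source_and_port(run_filter(SAMPLE_LOG)))
    # Opening 162 as a trap receiver turns those hits into allow:listening
    print(run_filter(SAMPLE_LOG, listening_ports={162})[2])
```

The state table is what makes the DNS case work: the reply from 192.168.1.1:53 is admitted because an outbound query from local port 1025 to that exact peer is on record, while the same-looking packet from 10.0.0.5:53 and the late reply two minutes later are both dropped. Without that table the only choices are to open port 1025 to everyone or to lose DNS, which is the limitation Ivan describes. The gateway's port-162 datagrams are blocked for the same structural reason (nothing sent, nothing listening), and the per-source count mirrors the "~700 hits per day, all from 192.168.1.1 to port 162" pattern Tony reports.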