Re: Home firewall Hits

From: me null (me_null_at_hotmail.com)
Date: 11/06/03

    To: Tony.Preston@acs-inc.com, security-basics@securityfocus.com
    Date: Thu, 06 Nov 2003 15:27:17 -0500
    
    

    Hello, I haven't read through the replies you have got but I'll chime in
    nonetheless. I would imagine some have said part of what I will.

    1 I'm not sure what you meant here but it sounds like a port scan

    ">From reading the firewall log, I would think that my router is
    >continuously hitting Port 162 with a UDP message. The odd thing is that
    >it is doing this by using an incrementing port from 192.168.1.1, I see
    >many of these every day, it is continuous."

    2 These are DHCP ports 67 / 68 UDP. A DHCP server would tell DHCP clients
    where they are and info regarding your network.

    3 If this is EXACTLY your setup ...
    "> [cable modem] <----> [ Linksys Wireless Router] ~~~ [ Windows ME W/
    >firewall ]"
    then there's nothing blocking access from the internet to your router, which
    means someone can (if they haven't yet) crack your router's password. You
    would be amazed at how easy this can be, like a user name of "admin" and a
    password of "admin" and BAM they have CONTROL of your router. Either put a
    firewall between your router and the internet or AT LEAST change your login
    credentials for your router.

    Hope this helps and wasn't too redundant.

    >From: "Preston, Tony" <Tony.Preston@acs-inc.com>
    >To: "'security-basics@securityfocus.com'"
    ><security-basics@securityfocus.com>
    >Subject: Home firewall Hits
    >Date: Fri, 31 Oct 2003 08:56:15 -0500
    >
    >I am hoping someone here can explain what I am seeing on my home network.
    >I use Kerio's tiny personal firewall and Windows ME. I have everything up
    >to date with the latest patches.
    >
    >This is my home network and something strange is happening. The
    >configuration is
    >
    > [cable modem] <----> [ Linksys Wireless Router] ~~~ [ Windows ME W/ firewall ]
    >
    >From reading the firewall log, I would think that my router is
    >continuously hitting Port 162 with a UDP message. The odd thing is that
    >it is doing this by using an incrementing port from 192.168.1.1, I see
    >many of these every day, it is continuous.
    >
    >I have the latest firmware from Linksys, the firewall is rejecting all the
    >packets.
    >
    >While I am an experienced programmer, I do not have a lot of network
    >experience, probably I would classify myself as knowing enough to be
    >dangerous...:)
    >
    >The activity is at a moderate rate from a couple per second to one every 20
    >seconds. If it is some sort of attack attempt it is using a randomized
    >delay between packets.
    >
    >Here is a summary of the hits.
    >
    >[30/Oct/2003 23:53:48] Rule 'Packet to unopened port received': Blocked: In UDP,
    > 192.168.1.1:40826->localhost:162, Owner: no owner
    > thru
    > 192.168.1.1:40899->localhost:162, Owner: no owner
    >
    >I do see other "hits" which are much less frequent which are an occasional
    >hit here or there, I am not as concerned about these, but would be curious
    >if anyone has ideas about why they occur. The first one, I might see one
    >or two a day. The second one would show up in sets of 5-10, maybe a couple
    >of times a day.
    >
    >[30/Oct/2003 23:53:56] Rule 'TCP ack packet attack': Blocked: In TCP,
    > 207.46.197.121:80->localhost:1452, Owner: no owner
    >
    >[31/Oct/2003 00:00:02] Rule 'Packet to unopened port received': Blocked: In UDP,
    > 0.0.0.0:68->localhost:67, Owner: no owner
    >
    >Anything here I should be concerned with??
    >
    >
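A log-triage sketch for the Kerio entries quoted in this thread, added here as an example and not part of either poster's message. It groups blocked packets by source and protocol and compares how many distinct source and destination ports appear; `summarize`, `classify`, `report` and the `sweep_threshold` value are hypothetical names and choices, and the extra log lines are constructed.

```python
import re
from collections import defaultdict

# Sample in the log format quoted in the thread (wrapped lines joined).
# The 40827/40828 entries and their timestamps are constructed for illustration.
SAMPLE_LOG = """\
[30/Oct/2003 23:53:48] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40826->localhost:162, Owner: no owner
[30/Oct/2003 23:53:49] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40827->localhost:162, Owner: no owner
[30/Oct/2003 23:53:55] Rule 'Packet to unopened port received': Blocked: In UDP, 192.168.1.1:40828->localhost:162, Owner: no owner
[30/Oct/2003 23:53:56] Rule 'TCP ack packet attack': Blocked: In TCP, 207.46.197.121:80->localhost:1452, Owner: no owner
[31/Oct/2003 00:00:02] Rule 'Packet to unopened port received': Blocked: In UDP, 0.0.0.0:68->localhost:67, Owner: no owner
"""

LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\] Rule '(?P<rule>[^']+)': Blocked: (?P<dir>In|Out) "
    r"(?P<proto>TCP|UDP), (?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[^:]+):(?P<dport>\d+)"
)

# IANA well-known assignments for the destination ports seen in the thread.
KNOWN_PORTS = {("UDP", 162): "snmptrap", ("UDP", 67): "bootps (DHCP server)",
               ("UDP", 68): "bootpc (DHCP client)"}

def summarize(log_text):
    """Group blocked packets by (source IP, protocol) and collect the ports seen."""
    groups = defaultdict(lambda: {"count": 0, "sports": set(), "dports": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not in the expected format
        g = groups[(m["src"], m["proto"])]
        g["count"] += 1
        g["sports"].add(int(m["sport"]))
        g["dports"].add(int(m["dport"]))
    return dict(groups)

def classify(group, sweep_threshold=10):
    """sweep_threshold is an assumed cut-off: many destination ports from one
    source looks like a sweep; one destination port does not."""
    if len(group["dports"]) >= sweep_threshold:
        return "many destination ports (scan-like)"
    if len(group["dports"]) == 1 and len(group["sports"]) > 1:
        return "single destination port, varying source port"
    return "isolated"

def report(log_text):
    """Return one (source, proto, count, named destination ports, verdict) row per group."""
    rows = []
    for (src, proto), g in sorted(summarize(log_text).items()):
        named = [f"{p}/{KNOWN_PORTS.get((proto, p), 'unassigned here')}" for p in sorted(g["dports"])]
        rows.append((src, proto, g["count"], named, classify(g)))
    return rows
```
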


