Re: Help me to diagnose !!!

From: Lutz Donnerhacke (lutz@iks-jena.de)
Date: Fri, 15 Feb 2002 09:07:09 +0000 (UTC)


* Steven wrote:
>Following is the log from my Sygate personal firewall:
>
>Time: 02/14/2002 20:14:35
>ACtion: Blocked TCP
>Direction: Outgoing
>Remote Host: Mailserver( I omit the ip here )
>Remote Port: 445
>Local Host: My IP ( I omit the ip here )
>Local Port: 2296
>
>Rule name: GUI%GUICONFIG#SRULE@NBENABLEYOU#BLOCKALL
>
>
>"The rule name" is not easy to understand, but from the words there,
>it seems like it is about NetBIOS.

No, it's the fallback default "block all" rule.

>So what function has port 445 of my mailserver ? After a quick search, 445
>is used for Microsoft-DS, is that correct ?

No. 445 is used by encrypted mail exchange protocols (POP3/... via SSL).

>I live in a univ dormitory. For several weeks my internet connection has
>not been stable, although my neighbour has no problem. We have been assigned
>static IPs. Sometimes I cannot ping the gateway or the DNS server.

The reason might be your personal firewall. Uninstall it.

>Through arp -a, I found the IP of one of my neighbours in the cache.
>Because that guy has little knowledge of computers, it is impossible that my PC
>has been pinged by him manually. Now comes the question: is it
>possible that his PC has been compromised to launch a DoS attack by someone
>else? I know there are many newcomers trying to practise such things now.

It's possible, but more likely is a simple "network neighborhood search".

>Or the second reason, I guess: someone used my IP, while there is a limit
>on volume imposed on the user.

Even that is possible, if your network admins do not secure the network
internally.

>How can I find out the truth ?

Using a network sniffer:
  http://www.blood-thirsty-barbarians.de/Firewall.html#Zuschauen
  "How can I find out what's happening on my interfaces/network?"
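As an added example (mine, not code from the thread), a small Python parser for the record layout of Steven's Sygate log, run over a constructed two-record sample with placeholder addresses: it tells hits on the fallback "block all" rule Lutz identifies apart from other rules and counts blocked connections per direction, remote host and port, so that repeated entries such as the outgoing 445 one show up as a pattern rather than a single alert.

```python
import re
from collections import Counter

# Constructed sample in the layout of the quoted log; addresses are placeholders.
SAMPLE_LOG = """\
Time: 02/14/2002 20:14:35
ACtion: Blocked TCP
Direction: Outgoing
Remote Host: 192.0.2.25
Remote Port: 445
Local Host: 192.0.2.77
Local Port: 2296

Rule name: GUI%GUICONFIG#SRULE@NBENABLEYOU#BLOCKALL

Time: 02/14/2002 20:20:11
Action: Blocked TCP
Direction: Incoming
Remote Host: 192.0.2.88
Remote Port: 1038
Local Host: 192.0.2.77
Local Port: 139

Rule name: GUI%GUICONFIG#SRULE@NBENABLEYOU#BLOCKALL
"""
# One "Key: value" line; keys are letters and spaces ("Rule name", "Remote Host").
FIELD_RE = re.compile(r"^(?P<key>[A-Za-z ]+):\s*(?P<value>.*)$")

def parse_records(text):
    """One dict per record; keys lower-cased so 'ACtion' and 'Action' both match."""
    records, current = [], {}
    for line in text.splitlines():
        m = FIELD_RE.match(line.strip())
        if not m:
            continue  # blank separator line
        key, value = m.group("key").strip().lower(), m.group("value").strip()
        if key == "time" and current:  # each 'Time:' line starts a new record
            records.append(current)
            current = {}
        current[key] = value
    if current:
        records.append(current)
    return records

def is_fallback_block(rec):
    return rec.get("rule name", "").endswith("#BLOCKALL")  # catch-all rule hit

def blocked_by_port(records):
    """Count blocked hits per (direction, remote host, remote port)."""
    return Counter((r["direction"], r["remote host"], int(r["remote port"]))
                   for r in records if r.get("action", "").startswith("Blocked"))
```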
