Re: What does this log file mean- Intrusion, Noise, or ISP?
From: John S (nospam@yahoo.com) Date: 02/18/02
- In reply to: guid0: "Re: What does this log file mean- Intrusion, Noise, or ISP?"
From: "John S" <nospam@yahoo.com> Date: Mon, 18 Feb 2002 17:48:12 -0500
Thanks again for the reply. I added the offending IP to the Block List
(Restricted Zone) in NIS2002 and the alerts stopped. I have the latest
NAV2002 with updates and just scanned with ANTS trojan scanner (from
wilders.org) and no trojans found. Now that the alerts stopped I am happy,
but I may contact Charter and let them know about the IP of concern.
"guid0" <guid0@techemail.com> wrote in message
news:3c715c8d.284726625@news.uottawa.ca...
> On Sun, 17 Feb 2002 16:37:58 -0500, "John S" <nospam@yahoo.com> wrote:
>
> >NIS 2002 constantly blocks the remote IP below trying to connect to Port
> >12345 on a WinXP machine on cable. Doing a whois reveals we are on the same
> >ISP which is Charter Communications. Any ideas why I get this alert so
> >often? Is it noise or an intrusion attempt? This appears in my log about
> >every hour. I am considering adding a rule to block all traffic with this
> >IP. Please reply to this newsgroup.
> >
> >From NIS firewall log using Log Viewer-
> >
> >2/17/2002 16:25:30:812 - Default Block NetBus Trojan horse
> >Action: Blocked Inbound TCP connection
> >Local IP, Port: xx.xxx.xx.xx, 12345
> >Remote IP, Port: 24.158.88.141, 3079
> >This port number is commonly chosen whenever somebody is asked to configure
> >a port number. It is likewise chosen by programmers when creating default
> >port numbers for their products. It is most commonly used by the NetBus
> >Remote Administration Software. Trend Micro's OfficeScan products may use
> >this port too. Sending random data to this port or opening too many
> >connections can cause this service to crash (affects version 3.5).
> >
>
> What this means is that the person with the aforementioned IP is
> infected by a trojan and this trojan is now active, trying to ferret
> other machines to infect. Make sure you have an up to date AV on your
> machine and scan it to make sure you didn't get bit.
>
> All this means is that your firewall is working and blocks the trojan
> from your machine. You could contact Charter and report the annoying
> IP address. They'll communicate with the person who's probably unaware
> that he/she is spreading trojan attacks all over the place.
>
>
> G.../0
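
An added example, not part of either post: a Python script that parses entries in the four-line layout of the NIS log entry quoted above and reports, per remote address and local port, how many connections were blocked and the median interval between them, which is how an "about every hour" pattern shows up in the data. The sample entries and their addresses (documentation ranges) are constructed, and `summarize_blocked` is a hypothetical name.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the layout of the log entry quoted in the thread;
# addresses are documentation-range placeholders, not values from the posts.
SAMPLE_LOG = """\
2/17/2002 14:24:30:101 - Default Block NetBus Trojan horse
Action: Blocked Inbound TCP connection
Local IP, Port: 192.0.2.10, 12345
Remote IP, Port: 198.51.100.7, 3051
2/17/2002 15:02:11:340 - Default Block NetBus Trojan horse
Action: Blocked Inbound TCP connection
Local IP, Port: 192.0.2.10, 12345
Remote IP, Port: 203.0.113.9, 4410
2/17/2002 15:25:30:455 - Default Block NetBus Trojan horse
Action: Blocked Inbound TCP connection
Local IP, Port: 192.0.2.10, 12345
Remote IP, Port: 198.51.100.7, 3066
2/17/2002 16:25:30:812 - Default Block NetBus Trojan horse
Action: Blocked Inbound TCP connection
Local IP, Port: 192.0.2.10, 12345
Remote IP, Port: 198.51.100.7, 3079
"""

# One entry = timestamp/rule line, action line, local and remote endpoint lines.
ENTRY = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}):\d+ - (?P<rule>.+)\n"
    r"Action: (?P<action>.+)\n"
    r"Local IP, Port: (?P<lip>\S+), (?P<lport>\d+)\n"
    r"Remote IP, Port: (?P<rip>\S+), (?P<rport>\d+)$",
    re.MULTILINE,
)

def summarize_blocked(text):
    """Count blocked inbound attempts per (remote IP, local port) and the
    median gap in minutes between consecutive attempts from that source."""
    groups = defaultdict(list)
    for m in ENTRY.finditer(text):
        if m["action"].startswith("Blocked Inbound"):
            when = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S")
            groups[(m["rip"], int(m["lport"]))].append(when)
    summary = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        summary[key] = {"count": len(times),
                        "median_gap_min": round(median(gaps), 1) if gaps else None}
    return summary
```

A single source with a steady interval, as in the first group of the sample, is the kind of evidence worth attaching when reporting the address to the ISP.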