Re: Lan Computer shows intruder attempt

From: David (davidwnh_at_adelphia.net)
Date: 05/08/03


Date: Thu, 08 May 2003 11:44:25 GMT

This is due to an HTTP scanner, script, or worm trying to exploit
vulnerabilities in IIS. If you have the server open to the internet, look at
your Apache logs and you will see the entries. They will show the URI
request and, with this particular one, that it failed. The sequence of URIs
will often indicate whether it is typical of a particular worm or a random
scan.
> Attempted Intrusion "HTTP_IIS_ISAPI_Extension" against your machine was
> detected and blocked
> Attacked IP: My_first_machine_IP.
> Attacked Port: http(80)
>

This is typical of an nmap scan. Certain other scanners will do these types
of stealth scans also. I would think a scan of this type would also show on
the gateway firewall. Did this also show in the gateway computer's firewall
log, or are they different brands of firewalls? What port(s) were these
indications for? Were they all within ongoing sessions for a specific program,
or to a port which is being forwarded to the second machine? If it is a port
that is associated with a specific program, does that program keep access
logs? Port information and type of firewalls would be helpful. This may help
delineate between a scan, someone trying to exploit a specific program or
its sessions, or a problem with a specific application dealing with NAT.

> I recently had an intrusion attempt on my 'hidden' second computer's
> firewall! It stated Invalid TCP Flags. I checked the statistics and I have 7
> recent attempts! Does this mean someone has broken through my first
> computer's firewall to try to access the second??
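The reply above suggests two triage steps: read the web server's access log and look at the sequence of URIs per source address (a known worm walks a fixed list of paths, a random scanner hits unrelated ones), and treat "Invalid TCP Flags" as the flag combinations a real TCP stack never sends, which is what nmap's stealth scans emit. Here is an added Python example that does both; it is not code from David's post or from the quoted message. The log lines are constructed in Apache combined format, the probe paths are the well-known Code Red (/default.ida) and Nimda (root.exe, cmd.exe traversal) strings, and the regexes and function names are this example's own assumptions.

```python
import re

# Constructed sample lines in Apache "combined" log format (not from the thread).
# Source 10.0.0.5 walks classic IIS worm paths, 192.0.2.9 browses normally,
# 198.51.100.7 hits unrelated CGI/admin paths and gets 404 for all of them.
SAMPLE_LOG = """\
10.0.0.5 - - [08/May/2003:11:40:01 +0000] "GET /default.ida?XXXXXXXX HTTP/1.0" 404 210 "-" "-"
10.0.0.5 - - [08/May/2003:11:40:02 +0000] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
10.0.0.5 - - [08/May/2003:11:40:02 +0000] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
10.0.0.5 - - [08/May/2003:11:40:03 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210 "-" "-"
192.0.2.9 - - [08/May/2003:11:41:10 +0000] "GET /index.html HTTP/1.1" 200 1043 "-" "Mozilla/4.0"
192.0.2.9 - - [08/May/2003:11:41:11 +0000] "GET /images/logo.png HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [08/May/2003:11:42:00 +0000] "GET /cgi-bin/test-cgi HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [08/May/2003:11:42:00 +0000] "GET /_vti_bin/shtml.dll HTTP/1.0" 404 210 "-" "-"
198.51.100.7 - - [08/May/2003:11:42:01 +0000] "GET /phpMyAdmin/ HTTP/1.0" 404 210 "-" "-"
"""

# Assumed regex for the combined log format: ip, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) '
)

# Well-known probe strings: Code Red requests /default.ida; Nimda walks a list of
# root.exe / cmd.exe paths reached through encoded "..\" traversals.
IIS_WORM_SIGNATURES = [
    ("Code Red", re.compile(r"^/default\.ida", re.I)),
    ("Nimda", re.compile(r"root\.exe|cmd\.exe", re.I)),
]


def parse_log(text):
    """Yield one dict per parsable log line; unparsable lines are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"])
            yield rec


def triage_http_log(text):
    """Group requests by source IP and label the URI sequence each one sent."""
    by_ip = {}
    for rec in parse_log(text):
        entry = by_ip.setdefault(rec["ip"], {"uris": [], "failed": 0, "worms": []})
        entry["uris"].append(rec["uri"])
        if rec["status"] >= 400:          # the probe failed, as in the poster's alert
            entry["failed"] += 1
        for name, pat in IIS_WORM_SIGNATURES:
            if pat.search(rec["uri"]) and name not in entry["worms"]:
                entry["worms"].append(name)
    for entry in by_ip.values():
        if entry["worms"]:
            entry["verdict"] = "worm-like (%s)" % ", ".join(entry["worms"])
        elif entry["failed"] == len(entry["uris"]) and entry["failed"] >= 2:
            entry["verdict"] = "scan (%d failed probes, no known worm signature)" % entry["failed"]
        else:
            entry["verdict"] = "normal traffic"
    return by_ip


def classify_tcp_flags(flags):
    """Return (is_invalid, label) for one segment's TCP flag set.

    A conforming stack never sends a segment with no flags, FIN alone, or
    FIN+PSH+URG; those are exactly nmap's -sN, -sF and -sX probes, and a
    stateful firewall typically logs them as "Invalid TCP Flags".
    """
    f = frozenset(x.upper() for x in flags)
    if not f:
        return True, "NULL scan (no flags set)"
    if f == {"FIN"}:
        return True, "FIN scan"
    if f == {"FIN", "PSH", "URG"}:
        return True, "Xmas scan"
    if "SYN" in f and f & {"FIN", "RST"}:
        return True, "SYN combined with FIN/RST"
    if f == {"SYN"}:
        return False, "new connection attempt (SYN)"
    return False, "plausible in-session segment"


if __name__ == "__main__":
    for ip, entry in triage_http_log(SAMPLE_LOG).items():
        print(ip, "->", entry["verdict"])
        for uri in entry["uris"]:
            print("    ", uri)
    for flags in ([], ["FIN"], ["FIN", "PSH", "URG"], ["SYN"], ["ACK", "PSH"]):
        print(sorted(flags) or "(none)", "->", classify_tcp_flags(flags))
```

Run it against a real access log by reading the file into `triage_http_log`; the per-IP verdict only says whether the request sequence looks like a known worm walk or a generic scan, and the status column still has to be checked to confirm every probe failed. The flag classifier is the check to apply to the firewall's own log entries: if the logged combination is one of the invalid ones, it was sent deliberately by a scanner, not by a broken session.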


