Re: kitty.avast.com scanning my ports and internal process trying to access their ip
From: Claudio (Delete_fa1_at_italtrade.net)
Date: 05/03/04
- Previous message: Claudio: "Re: kitty.avast.com scanning my ports and internal process trying to access their ip"
- In reply to: Lars M. Hansen: "Re: kitty.avast.com scanning my ports and internal process trying to access their ip"
- Next in thread: Lars M. Hansen: "Re: kitty.avast.com scanning my ports and internal process trying to access their ip"
- Reply: Lars M. Hansen: "Re: kitty.avast.com scanning my ports and internal process trying to access their ip"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 03 May 2004 10:10:42 +0200
On Sun, 02 May 2004 18:48:43 -0400, Lars M. Hansen
<badnews@hansenonline.net> wrote:
>Are there any more details in these logs? A port scan often indicates
>something coming from the outside trying to get in, not the other way
>around.
>
>How about providing a bit more about these connections. Source and
>destination would be nice, as well as port numbers (both source and
>destination as well).
(from copy/paste action)
From Kerio's ids.log:
[01/May/2004 10:20:46] "Ids" action = permitted, raddr = 66.98.166.72,
msg = '"Port scan has been detected"', url = '', direc = in,
class = 'network-scan', priority = portscan
From Kerio's network.log:
[01/May/2004 22:25:23] "Network" action = 'denied', descr = 'Avast
anti virus site', proto = 1, laddr = 192.168.0.184, raddr =
66.98.166.72, direc = 'out', ruleId = 473153536, proc = '<Tcpip Kernel
Driver>'
[01/May/2004 22:25:29] "Network" action = 'denied', descr = 'Avast
anti virus site', proto = 1, laddr = 192.168.0.184, raddr =
66.98.166.72, direc = 'out', ruleId = 473153536, proc = '<Tcpip Kernel
Driver>'
Notes:
- The 'Avast anti virus site' description is mine.
After the morning portscan I wrote a rule blocking the 66.98.166.72 IP
(and others) with that name.
- proto = 1 means ICMP; this is how the log is displayed in
Kerio's graphical interface.
- IP 66.98.166.72 is kitty.avast.com
>The ICMP you see is most likely an ICMP port unreachable or host
>unreachable message, and it's because you are blocking that IP address
>(or addresses). What caused the ICMP is still unclear, since we've seen
>no log data from you ...
I am not sure of what you mean.
However, you do raise some doubts.
I verified what you seem to imply: I tried to reach www.avast.com
with Opera while the firewall is set to block the IP (I blocked ALL
their IPs, about 5 or 6).
The log shows:
[03/May/2004 09:48:07] "Network" action = 'denied', descr = 'Avast
anti virus site', proto = 6, laddr = 0.0.0.0, raddr = 216.12.202.5,
lport = 3049, rport = 80, direc = 'out', ruleId = 204652544, proc =
'C:\PROGRAMMI\INTERNET\OPERA\OPERA.EXE'
a) the protocol is TCP not ICMP
b) the local address is 0.0.0.0 instead of 192.168.0.184
c) the process is Opera not <Tcpip Kernel Driver>
d) the remote IP is 216.12.202.5
[based on my logs, www.avast.com was resolved as 66.98.166.72
(kitty.avast.com) on Sunday and as 216.12.202.5 (lynx.avast.com) on
Monday].
In other words, the situation with ICMP packets going out is not
reproduced.
Was that what you meant?
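As an added example (not code from Claudio's post, nor Kerio's own tooling), here is a small parser for the Kerio log layout quoted above, plus a correlation step that lists remote addresses which both triggered an inbound scan alert and later received kernel-originated ICMP that the firewall denied, the pattern the thread is discussing. The sample lines are constructed from the fields shown in the thread, and all function and variable names are my own.

```python
import re
from collections import defaultdict

# Constructed sample in the Kerio Personal Firewall log layout the thread quotes, one line per entry.
SAMPLE_LOG = """\
[01/May/2004 10:20:46] "Ids" action = permitted, raddr = 66.98.166.72, msg = '"Port scan has been detected"', url = '', direc = in, class = 'network-scan', priority = portscan
[01/May/2004 22:25:23] "Network" action = 'denied', descr = 'Avast anti virus site', proto = 1, laddr = 192.168.0.184, raddr = 66.98.166.72, direc = 'out', ruleId = 473153536, proc = '<Tcpip Kernel Driver>'
[01/May/2004 22:25:29] "Network" action = 'denied', descr = 'Avast anti virus site', proto = 1, laddr = 192.168.0.184, raddr = 66.98.166.72, direc = 'out', ruleId = 473153536, proc = '<Tcpip Kernel Driver>'
[03/May/2004 09:48:07] "Network" action = 'denied', descr = 'Avast anti virus site', proto = 6, laddr = 0.0.0.0, raddr = 216.12.202.5, lport = 3049, rport = 80, direc = 'out', ruleId = 204652544, proc = 'C:\\PROGRAMMI\\INTERNET\\OPERA\\OPERA.EXE'
"""

HEADER = re.compile(r'^\[(?P<ts>[^\]]+)\] "(?P<component>[^"]+)" (?P<fields>.*)$')
FIELD = re.compile(r"(\w+) = ('[^']*'|[^,]*)")
PROTO_NAMES = {"1": "ICMP", "6": "TCP", "17": "UDP"}  # IP protocol numbers as Kerio logs them


def parse_line(line):
    """Split one Kerio log line into a dict: timestamp, component and its key/value fields."""
    m = HEADER.match(line.strip())
    if m is None:
        return None
    rec = {"ts": m.group("ts"), "component": m.group("component")}
    for key, val in FIELD.findall(m.group("fields")):
        val = val.strip()
        if len(val) >= 2 and val[0] == val[-1] == "'":
            val = val[1:-1]  # drop the single quotes Kerio puts around some values
        rec[key] = val
    return rec


def correlate(log_text):
    """Per remote address: inbound scan alerts, denied kernel ICMP going out, and ordinary app traffic."""
    summary = defaultdict(lambda: {"scan_alerts": 0, "kernel_icmp_out": 0, "app_out": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or "raddr" not in rec:
            continue
        entry = summary[rec["raddr"]]
        if rec["component"] == "Ids" and rec.get("class") == "network-scan":
            entry["scan_alerts"] += 1
        elif rec["component"] == "Network" and rec.get("direc") == "out":
            is_icmp = PROTO_NAMES.get(rec.get("proto")) == "ICMP"
            if is_icmp and "Kernel" in rec.get("proc", ""):
                entry["kernel_icmp_out"] += 1
            else:
                entry["app_out"] += 1
    return dict(summary)


def scan_then_icmp_out(summary):
    """Remote addresses that triggered a scan alert and later got kernel-originated ICMP from us."""
    return sorted(a for a, e in summary.items() if e["scan_alerts"] and e["kernel_icmp_out"])
```

Running `scan_then_icmp_out(correlate(SAMPLE_LOG))` singles out 66.98.166.72, while the Opera attempt to 216.12.202.5 (TCP to port 80) is counted as ordinary application traffic.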