Re: What is broken: McAfee firewall or my router ????? Urgent, ple



Ok, I just got something in.

Three entries on Thursday, first one at 21:50:09 hours, probably CET time.
Second one at 22:35:31 hours, third at 22:35:32 hours.

I will describe these entries in the order mentioned above.
First one: Source IP (as it's called): 80.67.86.138. No hostname. A computer
at this IP address has attempted to establish an unwanted connection at TCP
Port 1799 on your computer. TCP Port 1799 is usually used by NETRISK (service
or program). Event information (literal translation from Dutch, I have Dutch
Windows XP and McAfee programs): Netrisk

When trying to get information from the McAfee firewall, by connection to
hackerwatch.org, it said "TCP connection Attempted on Protected Port" and
"This event may be linked to attempted Hacker activity. Reporting this event
is recommended. Use the 'Report This Event' link in the firewall Log to
report the event" I did report it.
WHOIS information, using two different sources, is contradictory. A trace
seems to indicate that the origin was in Boston, one WHOIS of the IP address
gave Amsterdam (The Netherlands, where I live), the other WHOIS gave an
American address/point of origin.

The second intrusion: Source IP 69.59.175.210. Hostname
customer-reverse-entry.69.59.175.210. Event information: Precise-VIP. I'll
abbreviate some things here: attempt to make an undesirable connection with port
2924 on your computer.
Seeking more information, I was advised to report this to
hackerwatch.org. A trace was inconclusive; it leads to either the USA or a
city in The Netherlands. Two different WHOIS services indicate that the IP is
in the USA.

Third intrusion: Source IP 69.59.175.208, attempted connection to port 2925.
Hostname: fusionquest.com. Event information: Firewall Redundancy Protocol.
Hackerwatch.org didn't recognize it, and advised me to report it. A trace led
me to this:
Registrant:
FusionQuest, Inc.
4464 Acord Cir.
West Valley City, UT 84120
US

Registrar: NAMESDIRECT
Domain Name: FUSIONQUEST.COM
Created on: 21-JUN-03
Expires on: 22-JUN-07
Last Updated on: 14-JUL-05

Administrative, Technical Contact:
Bowers, Joel jb@xxxxxxxxxxxxxxx
FusionQuest, Inc.
4464 Acord Cir.
West Valley City, UT 84120
US
801-969-6010
801-880-0420
"

For this one, I just performed one WHOIS, and it said: "
69.59.175.208
Record Type: IP Address


OrgName: ServePath, LLC
OrgID: SERVEP
Address: 360 Spear Street.
Address: Suite 200
City: San Francisco
StateProv: CA
PostalCode: 94105
Country: US

ReferralServer: rwhois://rwhois.servepath.com:4321

NetRange: 69.59.128.0 - 69.59.191.255
CIDR: 69.59.128.0/18
NetName: SERVEPATH-BLK2
NetHandle: NET-69-59-128-0-1
Parent: NET-69-0-0-0-0
NetType: Direct Allocation
NameServer: NS.SERVEPATH.COM
NameServer: NS1.SERVEPATH.COM
Comment: http://www.servepath.com/
RegDate: 2003-06-24
Updated: 2003-10-06

RNOCHandle: SN458-ARIN
RNOCName: NOC, ServePath, ServePath
RNOCPhone: +1-415-252-3600
RNOCEmail: noc@xxxxxxxxxxxxx

OrgTechHandle: SN458-ARIN
OrgTechName: NOC, ServePath, ServePath
OrgTechPhone: +1-415-252-3600
OrgTechEmail: noc@xxxxxxxxxxxxx
"

All these three (attempted?) connections were TCP. As I had stated earlier,
recently I had one UDP attempt.

And some of the previous attempts clearly seemed to come from people with
bad intentions: one had the name "trojan", and for one other, either the trace
or the WHOIS information clearly indicated an attempt to hack or a probe from
hackable systems.

I don't like hackers banging on my door. But even if it's "benign", I'd
rather not have this stuff penetrate the firewall of the router.

As I have said earlier, I don't understand how these got past the firewall
of my router. My router seems to have at least something that LOOKS like a
firewall.

I could archive this stuff, but it's partly in Dutch, and I don't know if I
could post such an archive/log here, and I doubt if you could read it.

Undoubtedly, more examples will follow.

"karl levinson, mvp" wrote:


"unstablemicrosoft" <unstablemicrosoft@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:2D482029-4B7A-4962-82F8-0082C4B54B05@xxxxxxxxxxxxxxxx

Yet, mysteriously, in my events log (maybe it's called a bit differently in
English) it shows over the past three days that at least 8 times the McAfee
firewall met a probe, an attempt to establish a connection. Hackerwatch.org
says that most of these are probably hacking attempts. One "event" even had the
name trojan in it. And using a WHOIS on one other probe clearly indicated
that it was a hacking attempt.

We'd need more information on these log entries. Source and destination
port numbers, protocol, remote IP address would be helpful.
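An added example, not code from the thread and not McAfee's own tooling: a small triage script that takes inbound-connection log entries like the three described above and groups them by the WHOIS allocation their source address falls in. The three log lines are constructed from the values given in the post (times, source IPs, destination ports, protocol); the one-line log format and the date are assumptions, since McAfee's Dutch log file itself is not shown. The NetRange 69.59.128.0/18 is the one quoted from the ARIN WHOIS record in the post. The port labels are the IANA-registered service names the post quotes for those ports; the script treats them the same way, as a registry lookup that says which service is registered for a port, not what the remote host was actually sending.

```python
"""Triage of firewall 'attempted connection' entries by source allocation.

Added example for the thread above; the log format and date are assumed,
the IPs, ports, times and NetRange are the values quoted in the post.
"""
import ipaddress
from datetime import datetime

# Constructed sample log, one entry per line: date time proto src_ip dst_port
# (the date is a placeholder; the post only says "Thursday").
SAMPLE_LOG = """\
2005-11-10 21:50:09 TCP 80.67.86.138 1799
2005-11-10 22:35:31 TCP 69.59.175.210 2924
2005-11-10 22:35:32 TCP 69.59.175.208 2925
"""

# NetRange from the ARIN WHOIS record quoted in the post (ServePath, LLC).
KNOWN_ALLOCATIONS = {
    "ServePath, LLC (SERVEPATH-BLK2)": ipaddress.ip_network("69.59.128.0/18"),
}

# IANA service names for the ports, as quoted by the firewall in the post.
# A label here only says what is registered for the port, nothing about the
# actual payload of the probe.
PORT_LABELS = {
    1799: "NETRISK",
    2924: "Precise-VIP",
    2925: "Firewall Redundancy Protocol",
}


def port_label(port):
    """Registry lookup of the destination port, as the firewall log does."""
    return PORT_LABELS.get(port, "unregistered/unknown")


def parse_entries(text):
    """Parse the assumed one-line format into dicts; blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        date, time, proto, src, port = line.split()
        entries.append({
            "when": datetime.fromisoformat(f"{date} {time}"),
            "proto": proto,
            "src": src,
            "dst_port": int(port),
            "label": port_label(int(port)),
        })
    return entries


def allocation_for(ip):
    """Name of the known WHOIS allocation containing ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in KNOWN_ALLOCATIONS.items():
        if addr in net:
            return name
    return None


def triage(entries, burst_seconds=60):
    """Group entries by allocation and flag groups that arrive within a burst.

    Two probes from neighbouring addresses in the same /18, one second apart,
    end up in one group here, which is the view a defender wants when deciding
    whether to report one source or a whole hosting block.
    """
    by_alloc = {}
    for e in entries:
        key = allocation_for(e["src"]) or "unknown"
        by_alloc.setdefault(key, []).append(e)
    report = {}
    for key, group in by_alloc.items():
        group.sort(key=lambda e: e["when"])
        span = (group[-1]["when"] - group[0]["when"]).total_seconds()
        report[key] = {
            "count": len(group),
            "sources": sorted({e["src"] for e in group}),
            "ports": sorted({e["dst_port"] for e in group}),
            "burst": len(group) > 1 and span <= burst_seconds,
        }
    return report


if __name__ == "__main__":
    for alloc, summary in triage(parse_entries(SAMPLE_LOG)).items():
        print(alloc, summary)
```

Run as-is, the script reports the two 69.59.175.x entries as one group inside the ServePath allocation with `burst` set, and 80.67.86.138 as an unknown allocation with a single entry; adding further NetRanges from other WHOIS lookups to `KNOWN_ALLOCATIONS` extends the grouping without other changes.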
