fair dinkum

Date/Time :2007-03-12 21:07:21
Severity :High
Reporter :Network Monitor
Description: UDP Port Scan
Attacker: xxx.xxx.xxx.xxx
Ports: 54021, 50437, 50693, 51205, 51461, 59397, 53253, 47877, 48645, 53765, 50949, 54277, 60421, 53509, 59909, 51973, 52229, 47365, 47621, 51717, 49157, 48389, 52997, 62213, 57349, 0, 0, 2626, 0, 0, 0, 40313, 6744, 0, 0, 43458, 30, 0, 0, 65535, 65535, 24, 0, 4096, 0, 1, 0, 0, 0, 2624
The attacker has been temporarily blocked
Date/Time :2007-03-12 17:52:32
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 200.117.25.111, Port = 3706)
Protocol: TCP Incoming
Source: 200.117.25.111:16539
Destination: 192.168.1.100:3706
TCP Flags: SYN ACK
Reason: Network Control Rule ID = 12

Date/Time :2007-03-12 16:27:19
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = xxx.xxx.xxx.xxx, Port = 2769)
Protocol: UDP Incoming
Source: xxx.xxx.xxx.xxx:dns(53)
Destination: 192.168.1.100:2769
Reason: Network Control Rule ID = 12

xxx.xxx.xxx.xxx = ISP DNS server address

Date/Time :2007-03-12 16:27:19
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 63.245.209.21, Port = 2768)
Protocol: TCP Incoming
Source: 63.245.209.21:http(80)
Destination: 192.168.1.100:2768
TCP Flags: SYN ACK
Reason: Network Control Rule ID = 12

Date/Time :2007-03-12 16:27:14
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 66.102.7.99, Port = 2766)
Protocol: TCP Incoming
Source: 66.102.7.99:http(80)
Destination: 192.168.1.100:2766
TCP Flags: SYN ACK
Reason: Network Control Rule ID = 12
In the attackers’ world, this port is usually used by Trojan.W32.hllw.deadhat.b(2766)

Date/Time :2007-03-12 16:27:14
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = xxx.xxx.xxx.xxx, Port = 2769)
Protocol: UDP Incoming
Source: xxx.xxx.xxx.xxx:dns(53)
Destination: 192.168.1.100:2769
Reason: Network Control Rule ID = 12

xxx.xxx.xxx.xxx = ISP DNS server

Finishing up for the night, thought I would scan the logs (I always start from the earliest entry). Usually it's mostly ICMP unreachables (uTorrent), and most of tonight's looked as if it would be the same. Then I noticed these IP entries with low port numbers; uTorrent has a high number. The closer I looked, the more interesting it got.
(V)

And none match up with legitimate IP addresses, such as your ISP’s DNS or DHCP servers?

LM

Date/Time :2007-03-13 15:59:51
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = xxxxxxxxxx, Port = 1897)
Protocol: UDP Incoming
Source: xxxxxxxxxx:dns(53)
Destination: 192.168.1.100:1897
Reason: Network Control Rule ID = 12

Been getting quite a lot of these lately from my ISP DNS server. The high severity in my last post was from the ISP DNS server.
8 so far today, same as the one above, with ports ranging from 1034 to 1897.

The one below is a telecom in Argentina; uTorrent was running at the time.

Date/Time :2007-03-12 17:52:32
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 200.117.25.111, Port = 3706)
Protocol: TCP Incoming
Source: 200.117.25.111:16539
Destination: 192.168.1.100:3706
TCP Flags: SYN ACK
Reason: Network Control Rule ID = 12

Don't usually get many high-severity alerts. Some svchost and malformed packets on the odd occasion. Most of the log is usually unreachables.

Date/Time :2007-03-12 16:27:14
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 66.102.7.99, Port = 2766)
Protocol: TCP Incoming
Source: 66.102.7.99:http(80)
Destination: 192.168.1.100:2766
TCP Flags: SYN ACK
Reason: Network Control Rule ID = 12
In the attackers’ world, this port is usually used by Trojan.W32.hllw.deadhat.b(2766)

That one's from Google.

Sometimes when bored I will whois some of the addresses; most are other providers. Without uTorrent running I don't have much in the log to get excited about. :THNK
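The two questions the thread keeps coming back to are the ones the first post raised (why these entries have a low source port and a high destination port when uTorrent uses a high port) and the one LM asked (do the sources match known-legitimate addresses such as the ISP's DNS server?). The script below is an added example, not code from the original posts or from the firewall vendor: it parses entries in the Network Monitor format shown in the thread and gives each a triage verdict. The sample log is constructed for this example; the three SYN ACK and dns(53) entries mirror the posted ones, 203.0.113.53 is a documentation address standing in for the redacted ISP DNS server, and the final SYN-only entry is invented to show the contrast with an unsolicited connection attempt. The 1024 ephemeral-port floor is an assumption about the client's operating system, not something the page states.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Constructed sample in the Network Monitor format used in the thread.
# 203.0.113.53 stands in for the redacted ISP DNS server; the last entry
# (a bare SYN to port 445) is invented to show the unsolicited case.
SAMPLE_LOG = """\
Date/Time :2007-03-12 17:52:32
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 200.117.25.111, Port = 3706)
Protocol: TCP Incoming
Source: 200.117.25.111:16539
Destination: 192.168.1.100:3706
TCP Flags: SYN ACK
Reason: Network Control Rule ID = 12

Date/Time :2007-03-12 16:27:19
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 203.0.113.53, Port = 2769)
Protocol: UDP Incoming
Source: 203.0.113.53:dns(53)
Destination: 192.168.1.100:2769
Reason: Network Control Rule ID = 12

Date/Time :2007-03-12 16:27:14
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 66.102.7.99, Port = 2766)
Protocol: TCP Incoming
Source: 66.102.7.99:http(80)
Destination: 192.168.1.100:2766
TCP Flags: SYN ACK
Reason: Network Control Rule ID = 12

Date/Time :2007-03-13 09:10:00
Severity :Medium
Reporter :Network Monitor
Description: Inbound Policy Violation (Access Denied, IP = 198.51.100.7, Port = 445)
Protocol: TCP Incoming
Source: 198.51.100.7:3421
Destination: 192.168.1.100:445
TCP Flags: SYN
Reason: Network Control Rule ID = 12
"""

EPHEMERAL_MIN = 1024  # assumption: XP-era clients pick 1024-5000 for outbound sockets


@dataclass
class Entry:
    time: str
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: frozenset


def parse_endpoint(text: str) -> Tuple[str, int]:
    """'66.102.7.99:http(80)' -> ('66.102.7.99', 80); '1.2.3.4:16539' -> ('1.2.3.4', 16539)."""
    host, _, port = text.rpartition(":")
    m = re.search(r"\d+", port)
    if not host or m is None:
        raise ValueError(f"bad endpoint: {text!r}")
    return host, int(m.group())


def parse_log(text: str) -> List[Entry]:
    """Split on blank lines; skip blocks with no Source/Destination (e.g. port-scan summaries)."""
    entries: List[Entry] = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields: Dict[str, str] = {}
        for line in block.splitlines():
            m = re.match(r"^([^:]+?)\s*:\s*(.*)$", line)  # first colon splits key from value
            if m:
                fields[m.group(1)] = m.group(2).strip()
        if "Source" not in fields or "Destination" not in fields:
            continue
        src_ip, src_port = parse_endpoint(fields["Source"])
        dst_ip, dst_port = parse_endpoint(fields["Destination"])
        proto = (fields.get("Protocol", "").split() or [""])[0].upper()
        entries.append(Entry(fields.get("Date/Time", ""), proto, src_ip, src_port,
                             dst_ip, dst_port, frozenset(fields.get("TCP Flags", "").split())))
    return entries


def triage(e: Entry, known_resolvers: Iterable[str]) -> str:
    """Heuristic verdict: the tail of something this host started, or an unsolicited probe?"""
    if e.protocol == "UDP" and e.src_port == 53 and e.dst_port >= EPHEMERAL_MIN:
        return "dns-reply-known-resolver" if e.src_ip in set(known_resolvers) else "dns-reply-unknown-resolver"
    if e.protocol == "TCP" and {"SYN", "ACK"} <= e.flags and e.dst_port >= EPHEMERAL_MIN:
        # SYN ACK is the second step of a handshake: someone answered a SYN that left this host
        return "tcp-reply-from-server-port" if e.src_port < EPHEMERAL_MIN else "tcp-reply-from-peer-port"
    if e.protocol == "TCP" and e.flags == {"SYN"}:
        return "unsolicited-syn"
    return "unclassified"


def triage_log(text: str, known_resolvers: Iterable[str]) -> List[Tuple[str, str, int, str]]:
    return [(e.time, e.src_ip, e.dst_port, triage(e, known_resolvers)) for e in parse_log(text)]


if __name__ == "__main__":
    for row in triage_log(SAMPLE_LOG, {"203.0.113.53"}):
        print(*row)
```

Two caveats before trusting a verdict. A SYN ACK aimed at one of your ephemeral ports can also be backscatter from a SYN flood that spoofed your address as its source, so confirm against an outbound connection you actually made (a netstat taken at the time, or the application's own log) rather than treating "reply" as proof. And the firewall's per-port annotation ("this port is usually used by Trojan...") keys on the destination port, which for reply traffic is simply whatever ephemeral port the client happened to pick, so on its own it says nothing about the packet.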

Have you contacted your ISP about the entries that relate to them?

Not as yet. Will do that. Trouble is, they are not the brightest of tech support. :slight_smile:

;D

Ha! I knew it, they have no idea. If they ever lost their support flowcharts they would be ******.
These are the same guys I had to explain what newsgroups were to.
Thank God I don't have many problems I can't fix myself.

Old Irish saying:
"May you be in heaven half an hour before the devil knows you're dead"

And even with the flowchart they’re not much help…

With my last job, we used special software that was rather problematic at times, and my boss always insisted that we needed to call tech support, since he was paying for it anyway. When I had to tell their level 3 techs how their software actually worked, I just gave up.

Slàinte mhath!

LM