Ingoing/Outgoing ICMP?

Why is this always in my logs, over 20 times in succession? I thought that ICMP was internal system stuff, or am I getting confused over something else?

Also what does HOST ACCESS PROHIBITED mean?

I have only started to receive outgoing ones recently. Could it be a virus, or is it something really insignificant?

Hi sanctuary24.

ICMP (Internet Control Message Protocol) is used for a wide range of things; for instance, PING uses the protocol for message passing. It's also used by routers for sharing information and a variety of other things.

To better understand your situation we will need a little more information from your log files. Please see this post for details on what and how to post:

Important - Please read before posting

Toggie

Apparently they're trying to be sent to my ISP. Is this malicious, or is my ISP spying on me?

“Host Access Prohibited”… ICMP 3 subcode 10? If so, it's a router or a firewall application that has been programmed to block access to the host in question. An ISP or an Internet “backbone/trunk” carrier likely would put such a rule in place to block a site that is known to have a problem or is compromised. Usually it's a very short-term measure until the site owner can fix whatever the problem is.

If it isn’t a 3 sub 10, then what is it? You’d need to post the log entry.

Date/Time :2007-11-10 13:47:42 Severity :Medium Reporter :Network Monitor Description: Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE) Protocol: ICMP Outgoing Source: xx.xx.xx.xx Destination: 81.154.78.244 Message: PORT UNREACHABLE Reason: Network Control Rule ID = 5

This is one entry from my logs; all the other entries also originate from this IP, but from different ports on the attacking computer.

Also this keeps appearing in my logs. I'm under attack from whoever uses this IP (see below):

Date/Time :2007-11-10 13:39:01 Severity :Medium Reporter :Network Monitor Description: Inbound Policy Violation (Access Denied, IP = xx.xx.xxx.xxx, Port = 5900) Protocol: TCP Incoming Source: 79.68.203.181:45448 Destination: xx.xx.xx.xx:5900 TCP Flags: SYN Reason: Network Control Rule ID = 5

In the attackers' world, this port is usually used by Trojan.Backdoor.Evivinc(5900)

Date/Time :2007-11-10 13:47:42 Severity :Medium Reporter :Network Monitor Description:Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE) Protocol:ICMP Outgoing Source: xx.xx.xx.xx Destination: 81.154.78.244 Message: PORT UNREACHABLE Reason: Network Control Rule ID = 5

Outbound “Port Unreachable” is your machine telling another machine that it tried to connect to a port that is now closed. If you're running any kind of filesharing, then it's best to let these go out. It's how your machine tells remote fileshare clients that your fileshare has been turned off. If you're not running any kind of filesharing, then it's a judgment call as to whether or not to let the ICMP packet go through.

Date/Time :2007-11-10 13:39:01 Severity :Medium Reporter :Network Monitor Description: Inbound Policy Violation (Access Denied, IP = xx.xx.xxx.xxx, Port = 5900) Protocol: TCP Incoming Source: 79.68.203.181:45448 Destination: xx.xx.xx.xx:5900 TCP Flags: SYN Reason: Network Control Rule ID = 5 In the attackers' world, this port is usually used by Trojan.Backdoor.Evivinc(5900)

Port 5900 is used by many things. It’s also the standard port for VNC connections (for example, RealVNC, among others, details RealVNC - Wikipedia ).

If you’re not running a VNC with a known remote client who is a customer of as9105.com, I’d say this is hostile in intent, but harmless in effect.

VNC is a remote console facility, and a great many people set these up with trivial passwords. There is presently a VNC attack running around “in the wild” that will try to brute-force a password. If you're seeing a lot of port 5900 connection attempts, I'd suggest saving the log information, and then sending it to the support or abuse departments at as9105.com to let them know one of their customers' machines has likely been infected by malware that's being used to probe other machines.
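As an added example (not code from the thread or from Comodo), here is a small parser for the Network Monitor entries quoted above that sorts them the way the replies do: inbound SYN probes are counted per remote host and local port, and blocked outbound ICMP messages are mapped to their ICMP type/code. The message-name-to-code table and the extra sample entries from the same remote host are assumptions; the local address stays masked as in the post.

```python
import re
from collections import Counter

# Comodo message names mapped to ICMP type 3 (Destination Unreachable) codes from
# RFC 792 / RFC 1812. Assumed pairing; only the two messages in the thread are mapped.
ICMP_UNREACH_CODES = {
    "PORT UNREACHABLE": (3, 3),         # the port on the sending host is closed
    "HOST ACCESS PROHIBITED": (3, 10),  # host administratively prohibited
}

FIELD_RE = re.compile(r"(Date/Time|Severity|Reporter|Description|Protocol|Source|"
                      r"Destination|Message|TCP Flags|Reason)\s*:\s*")

def parse_entry(line):
    """Split one Network Monitor entry into {field: value}. Also handles the
    run-together form pasted in the thread ('Severity :MediumReporter :')."""
    parts = FIELD_RE.split(line.strip())[1:]  # drop any text before the first key
    return {k: v.strip() for k, v in zip(parts[0::2], parts[1::2])}

def summarize(lines):
    """Count blocked inbound SYN probes per (remote IP, local port) and blocked
    outbound ICMP replies per (type, code)."""
    probes, icmp_out = Counter(), Counter()
    for e in map(parse_entry, lines):
        proto = e.get("Protocol", "")
        if proto.startswith("TCP Incoming") and "SYN" in e.get("TCP Flags", ""):
            src_ip = e["Source"].rsplit(":", 1)[0]
            dst_port = int(e["Destination"].rsplit(":", 1)[1])
            probes[(src_ip, dst_port)] += 1
        elif proto.startswith("ICMP Outgoing"):
            icmp_out[ICMP_UNREACH_CODES.get(e.get("Message", "").upper(), ("?", "?"))] += 1
    return probes, icmp_out

# Constructed sample: the thread's two entries (one in its run-together form) plus
# two more SYNs from the same remote host on different source ports, as described.
SAMPLE_LOG = [
    "Date/Time :2007-11-10 13:39:01Severity :MediumReporter :Network MonitorDescription: "
    "Inbound Policy Violation (Access Denied, IP = xx.xx.xx.xx, Port = 5900)Protocol: TCP "
    "IncomingSource: 79.68.203.181:45448 Destination: xx.xx.xx.xx:5900 TCP Flags: SYN Reason: Network Control Rule ID = 5",
    "Date/Time :2007-11-10 13:39:03 Severity :Medium Reporter :Network Monitor Protocol: TCP Incoming Source: 79.68.203.181:45512 Destination: xx.xx.xx.xx:5900 TCP Flags: SYN",
    "Date/Time :2007-11-10 13:39:05 Severity :Medium Reporter :Network Monitor Protocol: TCP Incoming Source: 79.68.203.181:45601 Destination: xx.xx.xx.xx:5900 TCP Flags: SYN",
    "Date/Time :2007-11-10 13:47:42 Severity :Medium Reporter :Network Monitor Description: "
    "Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE) Protocol: ICMP Outgoing "
    "Source: xx.xx.xx.xx Destination: 81.154.78.244 Message: PORT UNREACHABLE Reason: Network Control Rule ID = 5",
]

if __name__ == "__main__":
    probes, icmp_out = summarize(SAMPLE_LOG)
    for (ip, port), n in probes.items():
        print(f"{n} blocked SYN probe(s) from {ip} to local port {port}")
    for (t, c), n in icmp_out.items():
        print(f"{n} blocked outbound ICMP type {t} code {c}")
```

Three SYNs to port 5900 from one address on three source ports is the pattern the replies describe as a scan; the outbound entry resolves to ICMP type 3 code 3, the "port closed" reply.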

So are both being blocked? I will take your advice, but I just want reassurance that I'm currently protected. When you say contact as9105.com, I don't know who/what that is. Is it something to do with my ISP, and can they help in this matter?

PS: Does anyone else have these issues with attacks, or am I doing something wrong?

Lastly, am I at risk of him breaching the firewall? I thought the firewall stealthed ports, as it passed the tests at Grc.com and other sites.

as9105.com is a UK ISP, and the port 5900 packet probe came from 79.68.203.181, which belongs to that ISP.

If you’re seeing CFP block things, then you’re protected. It’s when you don’t see CFP blocking anything that your machine is in contact with the Internet.

Probes and such are, unfortunately, the normal traffic on the Internet these days. It's not directed to you, or to anybody, in particular. The probes are simply walking IP addresses, whether there is a machine on that address or not. It's difficult to know that when all you have is the one address of your connection. But any kind of address block allocation, even as small as 8 IP addresses, will see the probes walk from one address to the next to the next, trying the same set of ports in turn, just to see if something answers, or worse, actually opens. Being “stealthed” means that your machine doesn't answer, so a probe can't determine if there is a machine at that IP address or not.

But the short answer, without all the detail, is that you’re safe, and you seem to be doing things right.