OK, that worked. But, 158.43.128.1 is my primary DNS. I have a secondary defined, so I didn’t even notice it at the time (shouldn’t CPF have told me?). Can I be scanned via my own DNS or would the DNS have a legitimate reason for doing this? And should CPF block a DNS? Actually, is CPF aware of the system defined DNS servers? Sorry for all the questions… way too much coffee I guess. ;D
As far as I can see from your logs, your DNS server sends lots of requests in a short period of time. This is port scanning no matter where it comes from. It may not be an attacker but something else; I don't know. But even if CPF blocks the attacker temporarily, it blocks its incoming access to your host. So you will always be able to make your DNS queries with no problem. You can even transfer files etc. But the attacker PC can't.
I am seeing port 24 probed. This log is suspicious. If the DNS server belongs to your local network, I recommend further analysis if you get this log frequently.
Thanks for your reply Egemem. I’ll keep an eye on it.
Whilst the DNS was recommended to me by my provider, it is not actually within my provider’s domain. The alternative DNS however, is within my provider’s domain (they’ve been having a lot of problems with their DNS recently). I use the external DNS as the preferred one because it’s a lot faster & more reliable than any of my provider’s DNS. Sad huh?
On another front (which I probably should have started a new topic for), but it is sort of related (the same DNS was mentioned again… yes, I know… slim)… CPF did say something that was a little… off later. At the time I was running Firefox & I had just selected "Open Link in IE Tab", something that I hadn't done since updating Firefox to 1.5.0.6. So, CPF noticed… But, it seemed to get confused as to what was happening, because it generated the following 2 popups (these are log copies).
Date/Time :2006-08-13 12:51:39
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (B2.exe)
Application: D:\B2\B2.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: TCP Out
Remote: 127.0.0.1:12110
Details: D:\Firefox\firefox.exe has tried to use the Parent application C:\WINDOWS\explorer.exe through OLE Automation, which can be used to hijack other applications.
Date/Time :2006-08-13 12:51:37
Severity :High
Reporter :Application Behavior Analysis
Description: Suspicious Behaviour (B2.exe)
Application: D:\B2\B2.exe
Parent: C:\WINDOWS\explorer.exe
Protocol: UDP Out
Remote: 193.35.133.10:dns(53)
Details: D:\Firefox\firefox.exe has tried to use the Parent application C:\WINDOWS\explorer.exe through OLE Automation, which can be used to hijack other applications.
Now, B2.exe (an email client) was running minimized in the tray & may well have been active (checking for or downloading emails). But, I really don’t believe it required CPF’s attention. It certainly was not doing anything that had not been previously authorised by CPF.
I agree, it is outrageous. But, it is Orange’s (a Mobile Telco & now Internet Provider via acquisition) own DNS. Could it be another user spoofing the source?
Why was PE accessing the DNS server? Well, it has a properties tab for each process & one of those properties tabs is the process's network connections. By default, PE will attempt to resolve the IP addresses. Thus, the DNS access.
So, given the time scale between PE’s start & the UDP scan… could these be related? Could it be possible that PE managed to get some requests by CPF (whilst it was waiting for me to respond… only a few seconds) & that these inbound UDPs were nothing more than the responses to PE’s resolve requests?
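The question raised in the post above (are the inbound UDP packets just replies to Process Explorer's reverse lookups, or a scan?) is exactly the difference between a stateless and a stateful view of inbound traffic. The following is an added example, not code from this thread or from Comodo, and it makes no claim about how CPF actually implements its detection. It assumes a made-up log line format and uses constructed sample lines with documentation addresses (192.0.2.53 standing in for the resolver, 198.51.100.7 for a host that really is probing us). A stateless counter that only looks at inbound packets per source reports the resolver as a scanner after a burst of queries; matching each inbound packet against the outbound query that preceded it reports only the genuinely unsolicited traffic.

```python
"""Stateless vs stateful classification of inbound UDP.

Added example (not from the thread or from Comodo). Shows why a firewall
that only counts inbound packets per source can report a DNS resolver as a
"port scanner" right after a process fires off a burst of lookups, and how
tracking the outbound query first separates replies from real probes.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post). Assumed line format:
# "<date> <time> <IN|OUT> <proto> <local_ip>:<local_port> <remote_ip>:<remote_port>"
# 192.0.2.53 plays the resolver; 198.51.100.7 plays a host probing us.
SAMPLE_LOG = """\
2006-08-13 12:50:01 OUT UDP 10.0.0.5:1025 192.0.2.53:53
2006-08-13 12:50:01 OUT UDP 10.0.0.5:1026 192.0.2.53:53
2006-08-13 12:50:01 OUT UDP 10.0.0.5:1027 192.0.2.53:53
2006-08-13 12:50:01 OUT UDP 10.0.0.5:1028 192.0.2.53:53
2006-08-13 12:50:02 IN  UDP 10.0.0.5:1025 192.0.2.53:53
2006-08-13 12:50:02 IN  UDP 10.0.0.5:1026 192.0.2.53:53
2006-08-13 12:50:02 IN  UDP 10.0.0.5:1027 192.0.2.53:53
2006-08-13 12:50:02 IN  UDP 10.0.0.5:1028 192.0.2.53:53
2006-08-13 12:50:02 IN  UDP 10.0.0.5:1029 192.0.2.53:53
2006-08-13 12:50:20 IN  UDP 10.0.0.5:1025 192.0.2.53:53
2006-08-13 12:50:30 IN  UDP 10.0.0.5:137 198.51.100.7:4444
2006-08-13 12:50:30 IN  UDP 10.0.0.5:138 198.51.100.7:4444
2006-08-13 12:50:30 IN  UDP 10.0.0.5:161 198.51.100.7:4444
2006-08-13 12:50:30 IN  UDP 10.0.0.5:500 198.51.100.7:4444
2006-08-13 12:50:30 IN  UDP 10.0.0.5:1434 198.51.100.7:4444
"""


def parse_line(line):
    """Turn one log line into a dict with a datetime and (ip, port) tuples."""
    date, time, direction, proto, local, remote = line.split()
    lip, lport = local.rsplit(":", 1)
    rip, rport = remote.rsplit(":", 1)
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "dir": direction,
        "proto": proto,
        "local": (lip, int(lport)),
        "remote": (rip, int(rport)),
    }


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def classify_inbound(events, reply_window=timedelta(seconds=5)):
    """Tag each inbound packet 'reply' if it answers a recent outbound packet
    on the same (proto, local, remote) tuple, else 'unsolicited'.
    One reply consumes the pending entry, so a second packet on a
    previously used source port (or one arriving late) counts as unsolicited."""
    pending = {}  # tuple -> time the outbound packet was seen
    tagged = []
    for ev in events:
        key = (ev["proto"], ev["local"], ev["remote"])
        if ev["dir"] == "OUT":
            pending[key] = ev["ts"]
            continue
        sent = pending.pop(key, None)
        if sent is not None and ev["ts"] - sent <= reply_window:
            tagged.append((ev, "reply"))
        else:
            tagged.append((ev, "unsolicited"))
    return tagged


def burst_sources(inbound, threshold=5, window=timedelta(seconds=2)):
    """Simple 'port scan' heuristic: report any remote IP that sends at least
    `threshold` of the given inbound packets within `window`."""
    by_src = defaultdict(list)
    for ev in inbound:
        by_src[ev["remote"][0]].append(ev["ts"])
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def stateless_scan_report(text):
    """Count every inbound packet, whether or not we asked for it."""
    events = parse_log(text)
    return burst_sources([e for e in events if e["dir"] == "IN"])


def stateful_scan_report(text):
    """Count only inbound packets that did not answer one of our own queries."""
    events = parse_log(text)
    unsolicited = [e for e, tag in classify_inbound(events) if tag == "unsolicited"]
    return burst_sources(unsolicited)


def unsolicited_counts(text):
    """Per-source count of inbound packets with no matching outbound query."""
    counts = defaultdict(int)
    for ev, tag in classify_inbound(parse_log(text)):
        if tag == "unsolicited":
            counts[ev["remote"][0]] += 1
    return dict(counts)


if __name__ == "__main__":
    print("stateless report:", sorted(stateless_scan_report(SAMPLE_LOG)))
    print("stateful report: ", sorted(stateful_scan_report(SAMPLE_LOG)))
    print("unsolicited per source:", unsolicited_counts(SAMPLE_LOG))
```

With the constructed log, the stateless heuristic flags both the resolver and the probing host, because five replies to a burst of reverse lookups look identical to five probes when you ignore what left the machine a second earlier. The stateful version still flags the probing host (five packets, none of which answer anything we sent) but leaves the resolver alone: only two of its packets lack a matching query, and one of those is a late duplicate on a source port whose entry was already consumed. The practical check for the situation in the thread is therefore to look at the firewall log for outbound queries to the same resolver in the seconds before the "scan" entries; if they are there and the ports line up, the inbound packets are replies.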