Brad Klinghagen wrote:
This isn't the full format of the log file. I sent the full file to Tom Eastep to look at. As for a virus, doubtful, since the computer is running the latest version of Symantec Anti-Virus 2004 and gets updates whenever available (it initiates the updates). I've set up the firewall rules so that if a computer on the LAN side initiates a request, then the response is allowed in; so if this were a response, it would be allowed in. But since I have the latest virus stuff, viruses should be wiped out quickly - and my wife practices "safe Internet."
I should also note, the computer is a Win2k workstation, and I have shut down the web server so there is no port 80 or 443 service port open on it and the firewall rules do not allow DNAT to this computer. Right now the only DNAT rules are for a VoIP phone from Vonage and Linux Web Server which happens to be shut down for right now.
I believe I encountered the IIS issue Saturday night when I set up another firewall for someone. They had a couple thousand entries over a two hour period that looked suspicious. That's what prompted me to ask this question.
Thank you for the thoughts though. bpk
On Tue, 2004-06-29 at 23:42, Ronny Aasen wrote:
On Wed, 2004-06-30 at 01:16, Brad Klinghagen wrote:
I just wanted to check to make sure I'm looking at the Shorewall logs correctly. Below, I've pasted a small sample of what I'm seeing in my log file. The particular IP address that begins with 66 is the source and 10.1.1.65 is the destination. Obviously the 10 IP address is within my LAN. The second to last column shows the destination port number that is trying to be used. This is only a small portion of the list, there are hundreds of listings, and the destination port number keeps changing, while the source port number stays at 80, and this source IP is always trying to get to the same destination.
I am DROPing these packets and logging them because they are unwanted traffic. When I trace the public IP, there is no site there. In similar cases, sometimes there is a Microsoft IIS server there under construction. I did a 'dig -x 66.232.154.8,' and I got no answer as far as the owner of the IP address. Sometimes when I execute the 'dig -x' instruction, there will be some information, but usually the IP address is a client IP of an ISP (like Verizon, or Comcast).
Is it right to assume that this traffic is a hacker using automated software trying to probe for weaknesses in my firewall or computer setup? Or is it something else completely, something much less sinister? Could this be some ad software, or something like it? If this isn't someone trying to get in, how can you tell in your log files? I've got a number of various entries of unwanted IP attempts to access my network; some I believe are just spurious traffic, but others look like a concerted effort to get at my computers.
The issue with this sample is I don't know how this person, or software is using the internal IP address of 10.1.1.65 because I'm using NAT (I suppose they stripped off the TCP/IP header, does that not suggest maliciousness?). Also, that IP address corresponds to the only Win2k computer in my whole network, and there is no other access attempts to any other internal computer.
eth0 eth1 66.232.154.8 10.1.1.65 TCP 80 1986
Jun 26 07:28:43 eth0 eth1 66.232.154.8 10.1.1.65 TCP 80 1986
Jun 26 07:28:49 eth0 eth1 66.232.154.8 10.1.1.65 TCP 80 1986
Jun 26 07:28:49 eth0 eth1 66.232.154.8 10.1.1.65 TCP 80 1986
Jun 26 07:29:01 eth0 eth1 66.232.154.8 10.1.1.65 TCP 80 1986
Jun 26 07:29:26 eth0 eth1 66.232.154.8 10.1.1.65 TCP 80 1986
Jun 26 07:30:14 eth0 eth1 66.232.154.8 10.1.1.65 TCP 80 1986
Jun 26 07:30:44 eth0 eth1 66.232.154.8 10.1.1.65 TCP 80 2039
Jun 26 07:30:47 eth0 eth1 66.232.154.8 10.1.1.65 TCP 80 2039
Jun 26 07:30:48 eth0 eth1 66.232.154.8 10.1.1.65 TCP 80 2039
Jun 26 07:30:53 eth0 eth1 66.232.154.8 10.1.1.65 TCP 80 2039
Jun 26 07:30:54 eth0 eth1 66.232.154.8 10.1.1.65 TCP 80 2039
Jun 26 07:31:06 eth0 eth1 66.232.154.8 10.1.1.65 TCP 80 2039
Jun 26 07:31:30 eth0 eth1 66.232.154.8 10.1.1.65 TCP 80 2039
Jun 26 07:32:18 eth0 eth1 66.232.154.8 10.1.1.65 TCP 80 2039
Does your log really look like that? always port the original
Since it's from port 80 I'd have 2 wild guesses:
1. Your w2k box has a virus that does httpd requests, and you see the
responses being blocked in the firewall.
2. The remote IIS is infected by one of the IIS exploit viruses, making it spew out packages. Seen a few of those lately. But that it would find your 1 w2k box must be a huge coincidence.
If you change the IP of the w2k and the packages dropped in your log follow to the new IP, then I'd take the w2k off the net for a forensic.
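An added example (my code, not Brad's or Ronny's) that reads DROP records in the column order of the sample above, groups them by source address, source port and destination, and labels a group where one service port answers a handful of client-side ports with retransmission-style back-off as "reply-like" (late packets for a connection the LAN host opened, after the NAT entry was gone), as distinct from a sweep across many service ports. The column order, the implied year and the thresholds are assumptions.

```python
# Added example, not from the post: heuristic triage of Shorewall DROP
# records with the assumed column order
#   date time in_if out_if src dst proto sport dport
from collections import defaultdict
from datetime import datetime

# Constructed sample, rebuilt from the dated records in the post.
_TIMES = {1986: ["07:28:43", "07:28:49", "07:28:49", "07:29:01", "07:29:26", "07:30:14"],
          2039: ["07:30:44", "07:30:47", "07:30:48", "07:30:53", "07:30:54",
                 "07:31:06", "07:31:30", "07:32:18"]}
SAMPLE = "\n".join(f"Jun 26 {t} eth0 eth1 66.232.154.8 10.1.1.65 TCP 80 {p}"
                   for p, ts in _TIMES.items() for t in ts)

def parse(text):
    """One record per line; lines with a missing or extra field are skipped."""
    recs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 10:
            continue
        recs.append({"ts": datetime.strptime(" ".join(f[:3]), "%b %d %H:%M:%S"),
                     "src": f[5], "dst": f[6], "sport": int(f[8]), "dport": int(f[9])})
    return recs

def backoff_like(times, min_run=3, ratio=1.5):
    """True if `min_run` consecutive non-zero gaps each grow by >= `ratio`:
    the shape of a TCP stack retransmitting to a peer that no longer answers."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:]) if b != a]
    run = 0
    for g0, g1 in zip(gaps, gaps[1:]):
        run = run + 1 if g1 >= ratio * g0 else 0
        if run >= min_run:
            return True
    return False

def triage(recs):
    flows = defaultdict(lambda: defaultdict(list))
    for r in recs:
        flows[(r["src"], r["sport"], r["dst"])][r["dport"]].append(r["ts"])
    report = {}
    for (src, sport, dst), by_dport in flows.items():
        ephemeral = all(p >= 1024 for p in by_dport)  # only client-side ports hit
        backoff = sum(backoff_like(sorted(t)) for t in by_dport.values())
        if sport < 1024 and ephemeral and len(by_dport) <= 10:
            verdict = "reply-like"   # a service port answering a few client ports
        elif len(by_dport) >= 10 and not ephemeral:
            verdict = "sweep-like"   # many service ports tried on the host
        else:
            verdict = "inconclusive"
        report[(src, sport, dst)] = {"verdict": verdict, "dports": sorted(by_dport),
                                     "backoff_dports": backoff}
    return report
```

A "reply-like" verdict is a reason to look at the LAN host's outbound HTTP activity around those timestamps, not a proof of innocence.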
-------------------------------------------------------
This SF.Net email sponsored by Black Hat Briefings & Training.
Attend Black Hat Briefings & Training, Las Vegas July 24-29 - digital self defense, top technical experts, no vendor pitches, unmatched networking opportunities. Visit www.blackhat.com
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html