Security Basics mailing list archives

Re: Home firewall Hits


From: "me null" <me_null () hotmail com>
Date: Thu, 06 Nov 2003 15:27:17 -0500

Hello, I haven't read through the replies you have got, but I'll chime in nonetheless. I would imagine some have said part of what I will.

1. I'm not sure what you meant here, but it sounds like a port scan.

"From reading the firewall log, I would think that my router is continuously hitting Port 162 with a UDP message. The odd thing is that it is doing this by using an incrementing port from 192.168.1.1, I see many of these every day, it is continuous."

2. These are DHCP ports 67 / 68 UDP. A DHCP server would tell DHCP clients where they are and info regarding your network.

3. If this is EXACTLY your setup ...
" [cable modem] <----> [ Linksys Wireless Router] ~~~ [ Windows ME W/ firewall ]"
then there's nothing blocking access from the Internet to your router, which means someone can (if they haven't yet) crack your router's password. You would be amazed at how easy this can be, like a user name of "admin" and a password of "admin" and BAM they have CONTROL of your router. Either put a firewall between your router and the Internet or AT LEAST change your login credentials for your router.

Hope this helps and wasn't too redundant.


From: "Preston, Tony" <Tony.Preston () acs-inc com>
To: "'security-basics () securityfocus com'" <security-basics () securityfocus com>
Subject: Home firewall Hits
Date: Fri, 31 Oct 2003 08:56:15 -0500

I am hoping someone here can explain what I am seeing on my home network.
I use Kerio's tiny personal firewall and Windows ME.  I have everything up
to date with the latest patches.

This is my home network and something strange is happening.  The configuration is

  [cable modem] <----> [ Linksys Wireless Router] ~~~ [ Windows ME W/ firewall ]

From reading the firewall log, I would think that my router is continuously hitting Port 162 with a UDP message.  The odd thing is that it is doing this by using an incrementing port from 192.168.1.1, I see many of these every day, it is continuous.

I have the latest firmware from Linksys, the firewall is rejecting all the packets.

While I am an experienced programmer, I do not have a lot of network experience, probably I would classify myself as knowing enough to be dangerous...:)

The activity is at a moderate rate from a couple per second to one every 20 seconds.  If it is some sort of attack attempt it is using a randomized delay between packets.

Here is a summary of the hits.

[30/Oct/2003 23:53:48] Rule 'Packet to unopened port received': Blocked: In
UDP,
  192.168.1.1:40826->localhost:162, Owner: no owner
      thru
  192.168.1.1:40899->localhost:162, Owner: no owner


I do see other "hits" which are much less frequent which are an occasional hit here or there, I am not as concerned about these, but would be curious if anyone has ideas about why they occur.  The first one, I might see one or two a day.  The second one would show up in sets of 5-10, maybe a couple of times a day.

[30/Oct/2003 23:53:56] Rule 'TCP ack packet attack': Blocked: In TCP,
 207.46.197.121:80->localhost:1452, Owner: no owner

[31/Oct/2003 00:00:02] Rule 'Packet to unopened port received': Blocked: In
UDP,
 0.0.0.0:68->localhost:67, Owner: no owner

Anything here I should be concerned with??
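
A triage sketch for the log excerpt in the original post, added here as an example and not part of either message: it re-joins the wrapped Kerio entries, parses them, and groups hits by source so you can see which side's port varies and which stays fixed. The sample entries are constructed from the lines quoted above (the second timestamp is made up), and the service names are the IANA well-known port assignments.

```python
import re
from collections import defaultdict

# Constructed sample in the wrapped form shown in the post (one entry spans several lines).
SAMPLE_LOG = """\
[30/Oct/2003 23:53:48] Rule 'Packet to unopened port received': Blocked: In
UDP,
  192.168.1.1:40826->localhost:162, Owner: no owner
[30/Oct/2003 23:53:49] Rule 'Packet to unopened port received': Blocked: In
UDP,
  192.168.1.1:40827->localhost:162, Owner: no owner
[30/Oct/2003 23:53:56] Rule 'TCP ack packet attack': Blocked: In TCP,
 207.46.197.121:80->localhost:1452, Owner: no owner
[31/Oct/2003 00:00:02] Rule 'Packet to unopened port received': Blocked: In
UDP,
 0.0.0.0:68->localhost:67, Owner: no owner
"""

# IANA well-known assignments for the ports that appear in the thread.
KNOWN_PORTS = {("UDP", 162): "snmptrap", ("UDP", 67): "bootps (DHCP server)",
               ("UDP", 68): "bootpc (DHCP client)", ("TCP", 80): "http"}

ENTRY = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s+Rule '(?P<rule>[^']+)':\s+Blocked:\s+(?P<dir>In|Out)\s+"
    r"(?P<proto>TCP|UDP),\s+(?P<src>[\d.]+):(?P<sport>\d+)->"
    r"(?P<dst>[\w.]+):(?P<dport>\d+),\s+Owner:\s+(?P<owner>.+)")

def parse(log_text):
    """Re-join wrapped entries (each new entry starts with '[') and parse them."""
    entries, current = [], ""
    for line in log_text.splitlines():
        if line.startswith("[") and current:
            entries.append(current)
            current = ""
        current = (current + " " + line.strip()).strip()
    if current:
        entries.append(current)
    return [m.groupdict() for m in map(ENTRY.fullmatch, entries) if m]

def summarize(records):
    """Per (source, protocol): hit count and the distinct ports seen on each side."""
    groups = defaultdict(lambda: {"count": 0, "src_ports": set(), "dst_ports": set()})
    for r in records:
        g = groups[(r["src"], r["proto"])]
        g["count"] += 1
        g["src_ports"].add(int(r["sport"]))
        g["dst_ports"].add(int(r["dport"]))
    return dict(groups)

def service(proto, port):
    """Name a port from the small table above; anything else is left unnamed."""
    return KNOWN_PORTS.get((proto, port), "not in table")
```

Comparing `src_ports` with `dst_ports` for each source shows at a glance whether the sender is walking across destination ports or repeatedly sending to a single one.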
