Security Basics mailing list archives

Strange Firewall / IDS Events


From: "Donald V. Gerkin Jr." <dgerki1 () tiger towson edu>
Date: Wed, 19 Feb 2003 12:42:41 -0500

Group,

I have been reading the postings here for several months, and enjoy reading
the threads and seeing the level of expertise. Now I have to post and ask
for a little advice regarding some strange events that I have noticed on my
home computer.

Here's a little background info. I have your typical P4 system at home,
running Windows XP. Though I am immensely ashamed to admit it (it's more
laziness than anything else, at least until my new house is done), I use AOL
broadband for my 'net connection. I use Black Ice, and also have XP's built-in
firewall SW enabled (any thoughts/opinions on Black Ice are welcome too).
Here are some events that I have picked up on Black Ice. It appears to me
that something on my computer is doing some scanning. DVG is my computer.


TIME: 02/18/2003 09:05:04 AM        EVENT: TCP port scan
INTRUDER: DVG                       COUNT: 1
TCP FLAGS:  0x00000002              PROTOCOL ID:  TCP
DESTINATION PORT:  0                    SOURCE PORT: 0
PARAMETERS: port=482-485            TARGET:  207.114.130.7            
TARGET IP:  207.114.130.7               INTRUDER IP:172.151.145.84
 

TIME:    02/18/2003 10:17:34 PM     EVENT: TCP port scan
INTRUDER: DVG                       COUNT: 2
TCP FLAGS:  0x00000002              PROTOCOL ID:  TCP
DESTINATION PORT:  0                    SOURCE PORT: 0
PARAMETERS: port=481-485            TARGET:  207.114.130.7            
TARGET IP:  207.114.130.7               INTRUDER IP:172.151.145.84

 
TIME:    02/18/2003 11:22:15 PM     EVENT: TCP port scan
INTRUDER: DVG                       COUNT: 1
TCP FLAGS:  0x00000002              PROTOCOL ID:  TCP
DESTINATION PORT:  0                    SOURCE PORT: 0
PARAMETERS: port=482-484|486        TARGET:  207.114.130.7            
TARGET IP:  207.114.130.7               INTRUDER IP:172.151.145.84

 

At this point I shut off my computer for the night.  Note that Black Ice did
not "block" any of these events, but merely reported on them.

Again, DVG is my computer. 172.151.145.84 was my AOL assigned IP at the
time.

This morning, I turned the computer back on, got online, and it started
again. As of my sending this e-mail, this is what I have for today:

 
TIME:    02/19/2003 10:04:01 AM     EVENT: UDP port probe
INTRUDER: DVG                       COUNT: 2
TCP FLAGS:  0x00000000              PROTOCOL ID:  ICMP
DESTINATION PORT:  371              SOURCE PORT: 9370
PARAMETERS: port=371&reason=ICMPsent    TARGET:  207.114.130.7
TARGET IP:  207.114.130.7               INTRUDER IP:172.133.206.20

 
** Note that this was the only event "blocked."

 
TIME:    02/19/2003 11:05:27 AM     EVENT: TCP port scan
INTRUDER: DVG                       COUNT: 1
TCP FLAGS:  0x00000002              PROTOCOL ID:  TCP
DESTINATION PORT:  0                    SOURCE PORT: 0
PARAMETERS: port=482|484-486        TARGET:  207.114.130.7            
TARGET IP:  207.114.130.7               INTRUDER IP:172.133.206.20

 
TIME:    02/19/2003 12:07:40 PM     EVENT: TCP port scan
INTRUDER: DVG                       COUNT: 1
TCP FLAGS:  0x00000002              PROTOCOL ID:  TCP
DESTINATION PORT:  0                    SOURCE PORT: 0
PARAMETERS: port=482|484-486        TARGET:  207.114.130.7            
TARGET IP:  207.114.130.7               INTRUDER IP:172.133.206.20

 
This is what I have, and I am not sure what to make of it.

ARIN tells me this about the Target:

 Search results for: 207.114.130.7 

 
Call America CAMNET-BLK-2 (NET-207-114-128-0-1)
                                  207.114.128.0 - 207.114.255.255
The Grid Network THEGRID3 (NET-207-114-130-0-1)
                                  207.114.130.0 - 207.114.130.255
 
# ARIN WHOIS database, last updated 2003-02-18 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
 
However, last night it was some corporation in NJ. I am not quite sure if I
understand the change. 
 
So, with what I have here, are there any suggestions, or opinions anyone can
lend? Feel free to e-mail me privately or through the group. And though it
goes without saying, thanks in advance for your opinions and suggestions!!
 
Regards,
 
Don
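
An added example, not from Don's mail or from Black Ice itself: a Python parser for the event layout quoted above. It reads the records into dictionaries, decodes the TCP FLAGS word (0x00000002 is a lone SYN, i.e. an outbound connection attempt from the host named as INTRUDER), expands the port= ranges, and groups the events by source, target and protocol so that what a host is initiating can be read off in one table. The sample record is constructed from the layout in the mail; the field names are the ones shown there and nothing else about the log format is assumed.

```python
import re
# Constructed sample record in the Black Ice layout quoted above (field names as in the mail).
SAMPLE = """\
TIME: 02/18/2003 09:05:04 AM        EVENT: TCP port scan
INTRUDER: DVG                       COUNT: 1
TCP FLAGS:  0x00000002              PROTOCOL ID:  TCP
DESTINATION PORT:  0                    SOURCE PORT: 0
PARAMETERS: port=482-484|486        TARGET:  207.114.130.7
TARGET IP:  207.114.130.7               INTRUDER IP:172.151.145.84
"""
# Longer keys precede their prefixes so "TARGET IP" is never read as "TARGET".
KEYS = ["TIME", "EVENT", "INTRUDER IP", "INTRUDER", "COUNT", "TCP FLAGS", "PROTOCOL ID",
        "DESTINATION PORT", "SOURCE PORT", "PARAMETERS", "TARGET IP", "TARGET"]
KEY_ALT = "|".join(re.escape(k) for k in KEYS)
FIELD_RE = re.compile(rf"({KEY_ALT}):\s*(.*?)\s*(?=(?:{KEY_ALT}):|$)")
TCP_FLAGS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST", 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}

def parse_events(text):
    # Two padded fields per line; a TIME field opens a new record, so a field that wrapped
    # onto its own line (as TARGET did in one record of the mail) still joins its record.
    events = []
    for line in text.splitlines():
        for key, value in FIELD_RE.findall(line):
            if key == "TIME":
                events.append({})
            if events:
                events[-1][key] = value
    return events

def expand_ports(spec):
    # Black Ice port= syntax: ranges joined by "|", e.g. "482-484|486".
    ports = set()
    for part in spec.split("|"):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def decode_flags(hexflags):
    # 0x00000002 is a bare SYN: the "intruder" host is opening a connection, not answering one.
    return [name for bit, name in sorted(TCP_FLAGS.items()) if int(hexflags, 16) & bit]

def summarize(events):
    # Group by (source IP, target IP, protocol): who initiates what, to which ports, with which flags.
    summary = {}
    for ev in events:
        params = dict(p.split("=", 1) for p in ev.get("PARAMETERS", "").split("&") if "=" in p)
        key = (ev.get("INTRUDER IP"), ev.get("TARGET IP"), ev.get("PROTOCOL ID"))
        entry = summary.setdefault(key, {"events": 0, "ports": set(), "flags": set()})
        entry["events"] += int(ev.get("COUNT", "1"))
        entry["ports"] |= expand_ports(params["port"]) if "port" in params else set()
        entry["flags"] |= set(decode_flags(ev.get("TCP FLAGS", "0x0")))
    return summary
```

Feeding the whole set of records from the mail through `summarize` collapses them to two rows keyed by the AOL-assigned address of the day, the same target and the protocol, which is the view to check against what processes on DVG were running at those times.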
 