Security Basics mailing list archives

RE: Strange Firewall / IDS Events


From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Thu, 20 Feb 2003 09:30:07 -0000


ClearCase listens on port 371; more info at
http://www.rational.com/docs/v2002/cc/cc_admin/net_intro7.html?SMSESSION=NO
or http://www.rational.com/products/clearcase/index.jsp


It is also listed on several incident sites as having security issues
and the port can be exploited.

If you are not running ClearCase then block the port or your machine
going to the port.  SamSpade shows your other address as a dial up as
well so it's not a case of a product doing updates etc.

Try getting more on the packets or getting fport on your machine and see
what exe is running the 'scan' you are seeing.

Hope this helps

Trevor Cushen
Sysnet Ltd

www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499



-----Original Message-----
From: Donald V. Gerkin Jr. [mailto:dgerki1 () tiger towson edu] 
Sent: 19 February 2003 17:43
To: security-basics () securityfocus com
Subject: Strange Firewall / IDS Events


Group,

I have been reading the postings here for several months, and enjoy
reading the threads and seeing the level of expertise. Now I have to
post and ask for a little advice regarding some strange events that I
have noticed on my home computer.

Here's a little background info. I have your typical P4 system at home,
running windows XP. Though I am immensely ashamed to admit it (it's more
laziness than anything else, at least until my new house is done) I use
AOL broadband for my 'net connection. I use Black Ice, and also have
XP's built in firewall SW enabled. (any thoughts/opinions on Black Ice
are welcome too). Here are some events that I have picked up on Black
Ice. It appears to me that something on my computer is doing some
scanning. DVG is my computer.


TIME: 02/18/2003 09:05:04 AM        EVENT: TCP port scan
INTRUDER: DVG                       COUNT: 1
TCP FLAGS:  0x00000002              PROTOCOL ID:  TCP
DESTINATION PORT:  0                    SOURCE PORT: 0
PARAMETERS: port=482-485            TARGET:  207.114.130.7            
TARGET IP:  207.114.130.7               INTRUDER IP:172.151.145.84
 

TIME:    02/18/2003 10:17:34 PM     EVENT: TCP port scan
INTRUDER: DVG                       COUNT: 2
TCP FLAGS:  0x00000002              PROTOCOL ID:  TCP
DESTINATION PORT:  0                    SOURCE PORT: 0
PARAMETERS: port=481-485            TARGET:  207.114.130.7            
TARGET IP:  207.114.130.7               INTRUDER IP:172.151.145.84

 
TIME:    02/18/2003 11:22:15 PM     EVENT: TCP port scan
INTRUDER: DVG                       COUNT: 1
TCP FLAGS:  0x00000002              PROTOCOL ID:  TCP
DESTINATION PORT:  0                    SOURCE PORT: 0
PARAMETERS: port=482-484|486        TARGET:  207.114.130.7            
TARGET IP:  207.114.130.7               INTRUDER IP:172.151.145.84

 

At this point I shut off my computer for the night.  Note that Black Ice
did not "block" any of these events, but merely reported on them.

Again, DVG is my computer. 172.151.145.84 was my AOL assigned IP at the
time.

This morning, I turned the computer back on, got online, and it started
again. As of me sending this e-mail, this is what I have for today:

 
TIME:    02/19/2003 10:04:01 AM     EVENT: UDP port probe
INTRUDER: DVG                       COUNT: 2
TCP FLAGS:  0x00000000              PROTOCOL ID:  ICMP
DESTINATION PORT:  371          SOURCE PORT: 9370
PARAMETERS: port=371&reason=ICMPsent       TARGET:  207.114.130.7
TARGET IP:  207.114.130.7               INTRUDER IP:172.133.206.20

 
** Note that this was the only event "blocked."

 
TIME:    02/19/2003 11:05:27 AM     EVENT: TCP port scan
INTRUDER: DVG                       COUNT: 1
TCP FLAGS:  0x00000002              PROTOCOL ID:  TCP
DESTINATION PORT:  0                    SOURCE PORT: 0
PARAMETERS: port=482|484-486        TARGET:  207.114.130.7            
TARGET IP:  207.114.130.7               INTRUDER IP:172.133.206.20

 
TIME:    02/19/2003 12:07:40 PM     EVENT: TCP port scan
INTRUDER: DVG                       COUNT: 1
TCP FLAGS:  0x00000002              PROTOCOL ID:  TCP
DESTINATION PORT:  0                    SOURCE PORT: 0
PARAMETERS: port=482|484-486        TARGET:  207.114.130.7            
TARGET IP:  207.114.130.7               INTRUDER IP:172.133.206.20

 
This is what I have, and I am not sure what to make of it.

ARIN tells me this about the Target:

Search results for: 207.114.130.7

Call America CAMNET-BLK-2 (NET-207-114-128-0-1)   207.114.128.0 - 207.114.255.255
The Grid Network THEGRID3 (NET-207-114-130-0-1)   207.114.130.0 - 207.114.130.255

# ARIN WHOIS database, last updated 2003-02-18 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.
 
However, last night it was some corporation in NJ. I am not quite sure
if I understand the change. 
 
So, with what I have here, are there any suggestions, or opinions anyone
can lend? Feel free to e-mail me privately or through the group. And
though it goes without saying, thanks in advance for your opinions and
suggestions!!
 
Regards,
 
Don
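Added example, not part of the thread: a small Python parser for the Black Ice event records quoted above. It expands the `port=` range syntax and tallies, per target, how many records name the local host (DVG) as INTRUDER, which is the detail that says the scans are leaving this machine and is what the fport check in the reply is meant to pin down. The two sample records are constructed from the layout in the post; the only port name assumed is 371 as given in the reply.

```python
import re

# Constructed sample in the Black Ice event layout quoted in the post (two records).
SAMPLE = """\
TIME: 02/18/2003 09:05:04 AM        EVENT: TCP port scan
INTRUDER: DVG                       COUNT: 1
TCP FLAGS:  0x00000002              PROTOCOL ID:  TCP
PARAMETERS: port=482-485            TARGET:  207.114.130.7
TARGET IP:  207.114.130.7               INTRUDER IP:172.151.145.84

TIME:    02/19/2003 10:04:01 AM     EVENT: UDP port probe
INTRUDER: DVG                       COUNT: 2
TCP FLAGS:  0x00000000              PROTOCOL ID:  ICMP
DESTINATION PORT:  371          SOURCE PORT: 9370
PARAMETERS: port=371&reason=ICMPsent       TARGET:  207.114.130.7
TARGET IP:  207.114.130.7               INTRUDER IP:172.133.206.20
"""
# Two "KEY: value" fields share a line, split by a run of spaces; a key is upper-case words.
FIELD = re.compile(r"([A-Z][A-Z ]*?):\s*(.*?)(?=\s{2,}[A-Z][A-Z ]*?:|\s*$)")
KNOWN = {371: "clearcase"}  # the one port named in the reply; extend as needed

def parse_events(text):
    """Split the log into blank-line-separated records, each a dict of fields."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            fields.update({k.strip(): v for k, v in FIELD.findall(line)})
        events.append(fields)
    return events

def expand_ports(spec):
    """Expand Black Ice's range/alternative syntax: '482-484|486' -> {482, 483, 484, 486}."""
    ports = set()
    for part in spec.split("|"):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def summarize(events, local_host):
    """Per target IP: record count, ports touched, records where INTRUDER is us, known names."""
    out = {}
    for ev in events:
        params = dict(p.split("=", 1) for p in ev.get("PARAMETERS", "").split("&") if "=" in p)
        s = out.setdefault(ev["TARGET IP"], {"records": 0, "ports": set(), "outbound": 0})
        s["records"] += 1
        if "port" in params:
            s["ports"] |= expand_ports(params["port"])
        s["outbound"] += int(ev.get("INTRUDER") == local_host)  # local host initiated it
        s["services"] = sorted(KNOWN[p] for p in s["ports"] if p in KNOWN)
    return out
```

An `outbound` count equal to `records` for a target means every event was generated by this host, so the next step is to identify the local process rather than the remote address.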
 