Security Basics mailing list archives

I need help with Firewall Hits

From: "Preston, Tony" <Tony.Preston () acs-inc com>
Date: Mon, 3 Nov 2003 11:08:36 -0500

I thought I posted this information the other day(with a different set of
data), but did not see it so I am re-asking my questions...

I have a Win/Me with the latest patches, a linksys wireless router with the
latest firmware (BEFS4W11 V 1.44).  My Wireless card has the latest drivers.
I have Kerio tiny personal firewall (latest version) installed and it is
collecting about 700 hits per day of the same type.  I am no expert on this
kind of thing so any help is appreciated.

 My system looks like:

   ~~~~[Cable modem]~~~~~[Linksys Wireless Router]  ...  [ Win/ME, TPF ]

I have changed the ssid and channel (althought the channel is apparently not
used) from the default, WEP is not enabled.   There are three systems that
could be on my wireless network (my system and two laptops, the hits occur
even when the laptops are not connected so I have assumed they are not the
cause).  I only see the MAC addresses of the three systems in my router
tables.

The hits are a continuous attempt to hit port 162 on my system, the "sender"
is always ip address 192.168.1.1, my router's ip address, with a port that
varies on each hit, increments on each hit. Over the last few days it was
40901 to 42925 (almost 2000 hits over the last 3 days)

A summary of the report is:

1,[31/Oct/2003 07:12:30] Rule 'Packet to unopened port received': Blocked:
In UDP, 

192.168.1.1:40901->localhost:162, Owner: no owner
... 
192.168.1.1:42925->localhost:162, Owner: no owner

I do get other hits, but those are few enough, blocked, and I can identify
the exploits (msblaster trying to infect my system for example) so they are
of a lesser concern that this one.  

I would like to resolve who/why I am getting these hits and identify what
the exploit is.

How can I figure out where these are coming from?

I have reset the router (to ensure it wasn't the router that was doing them)
and cable modem.

Anyone have any ideas on what I can do to track this down and possibly stop
it?

Tony Preston
Systems Engineer, AS&T Inc.
Division of L3 Corporation
(609) 485-0205 x 181


-----Original Message-----
From: Ivan Hernandez [mailto:ivan.hernandez () globalsis com ar] 
Sent: Wednesday, October 29, 2003 2:21 PM
To: Ansgar -59cobalt- Wiechers
Cc: security-basics () securityfocus com
Subject: Re: Personal Firewall for Business use

Ansgar -59cobalt- Wiechers wrote:

On 2003-10-27 Ivan Hernandez wrote:

[ Windows TCP filtering ]
 

"Application level protection" is ridiculous if the protecting agent is
running on the same box. I keep wondering how people can expect software
that allows user interaction (like most personal firewalls do) to
prevent other (malicious) software from doint whatever it pleases.
Regards
Ansgar Wiechers

I would reccomend you to read the good information about on the Gibson 
Research site at http://www.grc.com
Try the information leak utility that's very usefull with all the other 
toys written in assembly. It's a nice and educational site. Windows 
Kernel Filtering will not stop a trojan from making connections on the 
internet, and that's one of the most important risks on a personal 
computer. Most worms are going via email today, and the filter will do 
nothing with that, but with some application level filtering, like Zone 
Alarm has, you can catch them before they go to the internet. Windows 
Kernel Filter also is very bad option to filter UDP traffic. For 
example... you would, just want to recieve responses of DNS queryies you 
have made, but this is just impossible because you have no way to keep 
track of your connections.
I think you must take a little more time before saying that somthing 
that other said is "ridiculous" and, in doubt ask first what did the 
other exactly mean, and ask for more information if necessary.

Cheers...

Ivan Hernandez
http://biromeponja.8k.com


---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to

simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------

---------------------------------------------------------------------------
Forum Systems PRESIDIO: PGP / XML GATEWAY APPLIANCE
The Presidio integrates PGP data encryption and XML Web Services security to 
simplify the management and deployment of PGP and reduce overall PGP costs 
by up to 80%.
FREE WHITEPAPER & 30 Day Trial - 
http://www.securityfocus.com/sponsor/ForumSystems_security-basics_031027 
----------------------------------------------------------------------------

Current thread:

I need help with Firewall Hits Preston, Tony (Nov 03)
- RE: I need help with Firewall Hits jm (Nov 03)
- RE: I need help with Firewall Hits David Gillett (Nov 03)
- Re: I need help with Firewall Hits ~Kevin Davis³ (Nov 04)
- <Possible follow-ups>
- RE: I need help with Firewall Hits Thomson, Stuart A. (Nov 03)
- Re: I need help with Firewall Hits bp1974 (Nov 03)