Security Basics mailing list archives

Unknown Attempts on LAN Detected by Kerio Firewall


From: "Mark Sargent" <powderkeg () snow email ne jp>
Date: Fri, 5 Sep 2003 18:38:38 +0900

Hi All

I have been trying to get my client to access the net via a host machine
using ICS on the host. When attempting a connection via Internet Explorer I
get nothing. I can successfully ping sites etc. The full TCP/UDP block at
the bottom of my rule set is showing an attempt by localhost, port 1057, to
the server of the site I tried to reach. Weird thing, though: upon
unselecting the full block rule, the attempt doesn't register. I would have
thought it would pop up an alert asking me for permission for the localhost's
attempt, but nothing. Upon reselecting the full block, it's back again. What
is this? I'm also getting a lot of UDP attempts to this IP, 61.111.231.60,
at port 137 by localhost on the host machine via port 137 (which are blocked
by my full block). Another regular alert is a UDP from localhost on port 137
to System at 192.168.0.255 on port 137, again on the host machine. Please
assist me in solving these things. Cheers.

P.S. If anything doesn't make sense, then please just ask me to clarify
more. Cheers again.

I'm also getting a lot of "Other ICMP blocked; Out ICMP(3) Destination
Unreachable; LocalHost->192.168.0.1; Owner: Tcpip Kernel Driver" attempts from
the client to the host. What are these? Are they Trojans or legitimate
apps/processes etc.? 14 attempts in less than 5 mins upon connecting the
LAN.

LAN = 2 Win2kPro machines (1 English OS and 1 Japanese)
LAN Type = Built-in Ethernet on Laptop (Client) and LAN Adapted USB on Desktop (Host)
IP = Manually set; Host = 192.168.0.1; Client = 192.168.0.2; Mask = 255.255.255.0
Firewall = 2.1.4
File sharing is no problem
Pinging sites is no problem
Internet access from the Host is no problem

Mark Sargent.
