Security Basics mailing list archives
Strange Firewall / IDS Events
From: "Donald V. Gerkin Jr." <dgerki1 () tiger towson edu>
Date: Wed, 19 Feb 2003 12:42:41 -0500
Group,

I have been reading the postings here for several months, and enjoy reading the threads and seeing the level of expertise. Now I have to post and ask for a little advice regarding some strange events that I have noticed on my home computer.

Here's a little background info. I have your typical P4 system at home, running Windows XP. Though I am immensely ashamed to admit it (it's more laziness than anything else, at least until my new house is done), I use AOL broadband for my 'net connection. I use Black Ice, and also have XP's built-in firewall SW enabled. (Any thoughts/opinions on Black Ice are welcome too.)

Here are some events that I have picked up on Black Ice. It appears to me that something on my computer is doing some scanning. DVG is my computer.

  TIME:             02/18/2003 09:05:04 AM
  EVENT:            TCP port scan
  INTRUDER:         DVG
  COUNT:            1
  TCP FLAGS:        0x00000002
  PROTOCOL ID:      TCP
  DESTINATION PORT: 0
  SOURCE PORT:      0
  PARAMETERS:       port=482-485
  TARGET:           207.114.130.7
  TARGET IP:        207.114.130.7
  INTRUDER IP:      172.151.145.84

  TIME:             02/18/2003 10:17:34 PM
  EVENT:            TCP port scan
  INTRUDER:         DVG
  COUNT:            2
  TCP FLAGS:        0x00000002
  PROTOCOL ID:      TCP
  DESTINATION PORT: 0
  SOURCE PORT:      0
  PARAMETERS:       port=481-485
  TARGET:           207.114.130.7
  TARGET IP:        207.114.130.7
  INTRUDER IP:      172.151.145.84

  TIME:             02/18/2003 11:22:15 PM
  EVENT:            TCP port scan
  INTRUDER:         DVG
  COUNT:            1
  TCP FLAGS:        0x00000002
  PROTOCOL ID:      TCP
  DESTINATION PORT: 0
  SOURCE PORT:      0
  PARAMETERS:       port=482-484|486
  TARGET:           207.114.130.7
  TARGET IP:        207.114.130.7
  INTRUDER IP:      172.151.145.84

At this point I shut off my computer for the night. Note that Black Ice did not "block" any of these events, but merely reported on them. Again, DVG is my computer. 172.151.145.84 was my AOL-assigned IP at the time.

This morning, I turned the computer back on, got online, and it started again. As of me sending this e-mail, this is what I have for today:

  TIME:             02/19/2003 10:04:01 AM
  EVENT:            UDP port probe
  INTRUDER:         DVG
  COUNT:            2
  TCP FLAGS:        0x00000000
  PROTOCOL ID:      ICMP
  DESTINATION PORT: 371
  SOURCE PORT:      9370
  PARAMETERS:       port=371&reason=ICMPsent
  TARGET:           207.114.130.7
  TARGET IP:        207.114.130.7
  INTRUDER IP:      172.133.206.20

** Note that this was the only event "blocked." **

  TIME:             02/19/2003 11:05:27 AM
  EVENT:            TCP port scan
  INTRUDER:         DVG
  COUNT:            1
  TCP FLAGS:        0x00000002
  PROTOCOL ID:      TCP
  DESTINATION PORT: 0
  SOURCE PORT:      0
  PARAMETERS:       port=482|484-486
  TARGET:           207.114.130.7
  TARGET IP:        207.114.130.7
  INTRUDER IP:      172.133.206.20

  TIME:             02/19/2003 12:07:40 PM
  EVENT:            TCP port scan
  INTRUDER:         DVG
  COUNT:            1
  TCP FLAGS:        0x00000002
  PROTOCOL ID:      TCP
  DESTINATION PORT: 0
  SOURCE PORT:      0
  PARAMETERS:       port=482|484-486
  TARGET:           207.114.130.7
  TARGET IP:        207.114.130.7
  INTRUDER IP:      172.133.206.20

This is what I have, and I am not sure what to make of it. ARIN tells me this about the Target:

  Search results for: 207.114.130.7

  Call America CAMNET-BLK-2 (NET-207-114-128-0-1)
                               207.114.128.0 - 207.114.255.255
  The Grid Network THEGRID3 (NET-207-114-130-0-1)
                               207.114.130.0 - 207.114.130.255

  # ARIN WHOIS database, last updated 2003-02-18 20:00
  # Enter ? for additional hints on searching ARIN's WHOIS database.

However, last night it was some corporation in NJ. I am not quite sure if I understand the change.

So, with what I have here, are there any suggestions, or opinions anyone can lend? Feel free to e-mail me privately or through the group. And though it goes without saying, thanks in advance for your opinions and suggestions!!

Regards,
Don
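The records above are easier to judge once they are collapsed per intruder/target pair rather than read one alert at a time: every "scan" is the same local host (DVG) touching a handful of ports on one remote address. The following is an added example, not Black Ice code and not the poster's; it parses records in the field/value layout the post quotes (the field names come from the post; the parameter syntax, ranges with "-", alternatives with "|" and "&"-separated key=value pairs, is an assumption inferred from the records shown) and summarises them so the aggregate port set and the fact that the source is the local machine are visible at a glance. The sample log is constructed from three of the post's own records, flattened onto one line the way the archive presents them.

```python
"""
Summarise Black Ice-style event records per (intruder IP, target IP) pair.

Added example, not Black Ice code. Field names follow the records quoted in the
post; the PARAMETERS syntax (ranges "482-485", alternatives "482|484-486",
"&"-separated key=value pairs) is an assumption inferred from those records.
"""
import re
from collections import defaultdict

# Field names as they appear in the quoted records.
FIELDS = [
    "TIME", "EVENT", "INTRUDER", "COUNT", "TCP FLAGS", "PROTOCOL ID",
    "DESTINATION PORT", "SOURCE PORT", "PARAMETERS", "TARGET", "TARGET IP",
    "INTRUDER IP",
]

# Longest names first so "INTRUDER IP" is tried before "INTRUDER" and
# "TARGET IP" before "TARGET"; values may themselves contain spaces.
FIELD_RE = re.compile(
    r"\b(" + "|".join(re.escape(f) for f in sorted(FIELDS, key=len, reverse=True)) + r")\s*:\s*"
)

# Constructed sample: three records from the post, run together on one line
# the way the archive flattened them.
SAMPLE_LOG = (
    "TIME: 02/18/2003 09:05:04 AM EVENT: TCP port scan INTRUDER: DVG COUNT: 1 "
    "TCP FLAGS: 0x00000002 PROTOCOL ID: TCP DESTINATION PORT: 0 SOURCE PORT: 0 "
    "PARAMETERS: port=482-485 TARGET: 207.114.130.7 TARGET IP: 207.114.130.7 "
    "INTRUDER IP:172.151.145.84 "
    "TIME: 02/18/2003 11:22:15 PM EVENT: TCP port scan INTRUDER: DVG COUNT: 1 "
    "TCP FLAGS: 0x00000002 PROTOCOL ID: TCP DESTINATION PORT: 0 SOURCE PORT: 0 "
    "PARAMETERS: port=482-484|486 TARGET: 207.114.130.7 TARGET IP: 207.114.130.7 "
    "INTRUDER IP:172.151.145.84 "
    "TIME: 02/19/2003 10:04:01 AM EVENT: UDP port probe INTRUDER: DVG COUNT: 2 "
    "TCP FLAGS: 0x00000000 PROTOCOL ID: ICMP DESTINATION PORT: 371 SOURCE PORT: 9370 "
    "PARAMETERS: port=371&reason=ICMPsent TARGET: 207.114.130.7 "
    "TARGET IP: 207.114.130.7 INTRUDER IP:172.133.206.20"
)


def parse_events(text):
    """Split flattened text into one dict per record; a record starts at TIME."""
    parts = FIELD_RE.split(text)          # [prefix, name, value, name, value, ...]
    records, current = [], None
    for name, value in zip(parts[1::2], parts[2::2]):
        if name == "TIME":
            current = {}
            records.append(current)
        if current is not None:
            current[name] = value.strip()
    return records


def parse_parameters(params):
    """'port=371&reason=ICMPsent' -> {'port': '371', 'reason': 'ICMPsent'} (assumed syntax)."""
    out = {}
    for item in params.split("&"):
        if "=" in item:
            key, val = item.split("=", 1)
            out[key] = val
    return out


def expand_ports(spec):
    """'482-484|486' -> {482, 483, 484, 486} (assumed range/alternative syntax)."""
    ports = set()
    for piece in spec.split("|"):
        if "-" in piece:
            lo, hi = piece.split("-", 1)
            ports.update(range(int(lo), int(hi) + 1))
        else:
            ports.add(int(piece))
    return ports


def summarise(records, local_host="DVG"):
    """Aggregate event counts, protocols and touched ports per (intruder IP, target IP)."""
    summary = defaultdict(lambda: {"events": 0, "ports": set(), "protocols": set(),
                                   "from_local_host": False})
    for rec in records:
        entry = summary[(rec["INTRUDER IP"], rec["TARGET IP"])]
        entry["events"] += int(rec.get("COUNT", "1"))
        entry["protocols"].add(rec.get("PROTOCOL ID", "?"))
        # The alert names the local machine as the "intruder": outbound traffic.
        entry["from_local_host"] |= rec.get("INTRUDER") == local_host
        params = parse_parameters(rec.get("PARAMETERS", ""))
        if "port" in params:
            entry["ports"] |= expand_ports(params["port"])
    return dict(summary)


if __name__ == "__main__":
    for (src, dst), entry in summarise(parse_events(SAMPLE_LOG)).items():
        origin = "local host" if entry["from_local_host"] else "remote"
        print(f"{src} -> {dst}: {entry['events']} events, {origin}, "
              f"{sorted(entry['protocols'])}, ports {sorted(entry['ports'])}")
```

Run on the sample, the report shows both of the poster's AOL-assigned addresses reaching the same target, 207.114.130.7, with the TCP events covering ports 482 to 486 in total; the next step for a defender is to match that outbound traffic to a process on the machine (for instance with `netstat` while an event is being logged) rather than to investigate the remote address first.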
Current thread:
- Strange Firewall / IDS Events Donald V. Gerkin Jr. (Feb 19)
- <Possible follow-ups>
- RE: Strange Firewall / IDS Events Trevor Cushen (Feb 20)