Security Basics mailing list archives
RE: Strange Firewall / IDS Events
From: "Trevor Cushen" <Trevor.Cushen () sysnet ie>
Date: Thu, 20 Feb 2003 09:30:07 -0000
ClearCase listens on port 371; more info at http://www.rational.com/docs/v2002/cc/cc_admin/net_intro7.html?SMSESSION=NO or http://www.rational.com/products/clearcase/index.jsp
It is also listed on several incident sites as having security issues and the port can be exploited. If you are not running ClearCase then block the port or your machine going to the port.

SamSpade shows your other address as a dial up as well so it's not a case of a product doing updates etc. Try getting more on the packets or getting fport on your machine and see what exe is running the 'scan' you are seeing.

Hope this helps

Trevor Cushen
Sysnet Ltd
www.sysnet.ie
Tel: +353 1 2983000
Fax: +353 1 2960499

-----Original Message-----
From: Donald V. Gerkin Jr. [mailto:dgerki1 () tiger towson edu]
Sent: 19 February 2003 17:43
To: security-basics () securityfocus com
Subject: Strange Firewall / IDS Events

Group,

I have been reading the postings here for several months, and enjoy reading the threads and seeing the level of expertise. Now I have to post and ask for a little advice regarding some strange events that I have noticed on my home computer.

Here's a little background info. I have your typical P4 system at home, running Windows XP. Though I am immensely ashamed to admit it (it's more laziness than anything else, at least until my new house is done) I use AOL broadband for my 'net connection. I use Black Ice, and also have XP's built in firewall SW enabled. (Any thoughts/opinions on Black Ice are welcome too.)

Here are some events that I have picked up on Black Ice. It appears to me that something on my computer is doing some scanning. DVG is my computer.
TIME: 02/18/2003 09:05:04 AM EVENT: TCP port scan INTRUDER: DVG COUNT: 1 TCP FLAGS: 0x00000002 PROTOCOL ID: TCP DESTINATION PORT: 0 SOURCE PORT: 0 PARAMETERS: port=482-485 TARGET: 207.114.130.7 TARGET IP: 207.114.130.7 INTRUDER IP:172.151.145.84

TIME: 02/18/2003 10:17:34 PM EVENT: TCP port scan INTRUDER: DVG COUNT: 2 TCP FLAGS: 0x00000002 PROTOCOL ID: TCP DESTINATION PORT: 0 SOURCE PORT: 0 PARAMETERS: port=481-485 TARGET: 207.114.130.7 TARGET IP: 207.114.130.7 INTRUDER IP:172.151.145.84

TIME: 02/18/2003 11:22:15 PM EVENT: TCP port scan INTRUDER: DVG COUNT: 1 TCP FLAGS: 0x00000002 PROTOCOL ID: TCP DESTINATION PORT: 0 SOURCE PORT: 0 PARAMETERS: port=482-484|486 TARGET: 207.114.130.7 TARGET IP: 207.114.130.7 INTRUDER IP:172.151.145.84

At this point I shut off my computer for the night. Note that Black Ice did not "block" any of these events, but merely reported on them. Again, DVG is my computer. 172.151.145.84 was my AOL assigned IP at the time.

This morning, I turned the computer back on, got online, and it started again. As of me sending this e-mail, this is what I have for today:

TIME: 02/19/2003 10:04:01 AM EVENT: UDP port probe INTRUDER: DVG COUNT: 2 TCP FLAGS: 0x00000000 PROTOCOL ID: ICMP DESTINATION PORT: 371 SOURCE PORT: 9370 PARAMETERS: port=371&reason=ICMPsent TARGET: 207.114.130.7 TARGET IP: 207.114.130.7 INTRUDER IP:172.133.206.20

** Note that this was the only event "blocked."

TIME: 02/19/2003 11:05:27 AM EVENT: TCP port scan INTRUDER: DVG COUNT: 1 TCP FLAGS: 0x00000002 PROTOCOL ID: TCP DESTINATION PORT: 0 SOURCE PORT: 0 PARAMETERS: port=482|484-486 TARGET: 207.114.130.7 TARGET IP: 207.114.130.7 INTRUDER IP:172.133.206.20

TIME: 02/19/2003 12:07:40 PM EVENT: TCP port scan INTRUDER: DVG COUNT: 1 TCP FLAGS: 0x00000002 PROTOCOL ID: TCP DESTINATION PORT: 0 SOURCE PORT: 0 PARAMETERS: port=482|484-486 TARGET: 207.114.130.7 TARGET IP: 207.114.130.7 INTRUDER IP:172.133.206.20

This is what I have, and I am not sure what to make of it.
ARIN tells me this about the Target:

Search results for: 207.114.130.7

Call America CAMNET-BLK-2 (NET-207-114-128-0-1) 207.114.128.0 - 207.114.255.255
The Grid Network THEGRID3 (NET-207-114-130-0-1) 207.114.130.0 - 207.114.130.255

# ARIN WHOIS database, last updated 2003-02-18 20:00
# Enter ? for additional hints on searching ARIN's WHOIS database.

However, last night it was some corporation in NJ. I am not quite sure if I understand the change.

So, with what I have here, are there any suggestions, or opinions anyone can lend? Feel free to e-mail me privately or through the group. And though it goes without saying, thanks in advance for your opinions and suggestions!!

Regards,
Don

**************************************************************************************
This email and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this message in error please notify SYSNET Ltd., at telephone no: +353-1-2983000 or postmaster () sysnet ie
**************************************************************************************
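As an added example (not part of either post), a small Python parser for Black Ice records in the format quoted above. It keeps only the records where the local host (DVG in the thread) is reported as the "intruder", groups them by target address, expands the port ranges in PARAMETERS (e.g. port=482-484|486) and labels port 371 with its IANA name, so the outbound activity can be reviewed as a whole before chasing the responsible process with fport. The three records are a constructed sample copied from the post; the hostname and the 371/clearcase label are assumptions taken from the thread.

```python
import re
from collections import defaultdict

# Constructed sample: three Black Ice records in the format quoted in the post.
SAMPLE_LOG = """\
TIME: 02/18/2003 09:05:04 AM EVENT: TCP port scan INTRUDER: DVG COUNT: 1 TCP FLAGS: 0x00000002 PROTOCOL ID: TCP DESTINATION PORT: 0 SOURCE PORT: 0 PARAMETERS: port=482-485 TARGET: 207.114.130.7 TARGET IP: 207.114.130.7 INTRUDER IP:172.151.145.84
TIME: 02/18/2003 11:22:15 PM EVENT: TCP port scan INTRUDER: DVG COUNT: 1 TCP FLAGS: 0x00000002 PROTOCOL ID: TCP DESTINATION PORT: 0 SOURCE PORT: 0 PARAMETERS: port=482-484|486 TARGET: 207.114.130.7 TARGET IP: 207.114.130.7 INTRUDER IP:172.151.145.84
TIME: 02/19/2003 10:04:01 AM EVENT: UDP port probe INTRUDER: DVG COUNT: 2 TCP FLAGS: 0x00000000 PROTOCOL ID: ICMP DESTINATION PORT: 371 SOURCE PORT: 9370 PARAMETERS: port=371&reason=ICMPsent TARGET: 207.114.130.7 TARGET IP: 207.114.130.7 INTRUDER IP:172.133.206.20
"""

# Field names as they appear in a record; "INTRUDER IP" / "TARGET IP" are listed
# before "INTRUDER" / "TARGET" so the longer name wins.
FIELD_RE = re.compile(
    r"(?:^|\s)(TIME|EVENT|INTRUDER IP|INTRUDER|COUNT|TCP FLAGS|PROTOCOL ID|"
    r"DESTINATION PORT|SOURCE PORT|PARAMETERS|TARGET IP|TARGET):\s*"
)
KNOWN_PORTS = {371: "clearcase"}  # IANA name, as noted in the reply above (assumption)


def parse_event(line):
    """Turn one 'KEY: value KEY: value ...' record into a dict."""
    hits = list(FIELD_RE.finditer(line))
    rec = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(line)
        rec[m.group(1)] = line[m.end():end].strip()
    return rec


def expand_ports(spec):
    """Expand a PARAMETERS port spec: '482-484|486' -> {482, 483, 484, 486}."""
    ports = set()
    for part in spec.split("|"):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def outbound_summary(log_text, own_host):
    """Group records where our own host is the 'INTRUDER' by target address."""
    targets = defaultdict(lambda: {"events": 0, "ports": set(), "protocols": set(), "labels": set()})
    for line in log_text.splitlines():
        rec = parse_event(line.strip())
        if rec.get("INTRUDER") != own_host:
            continue  # inbound or third-party records are out of scope here
        params = dict(kv.partition("=")[::2] for kv in rec.get("PARAMETERS", "").split("&"))
        entry = targets[rec["TARGET IP"]]
        entry["events"] += int(rec.get("COUNT", "1"))
        entry["protocols"].add(rec.get("PROTOCOL ID", "?"))
        if params.get("port"):
            entry["ports"] |= expand_ports(params["port"])
        entry["labels"] |= {KNOWN_PORTS[p] for p in entry["ports"] if p in KNOWN_PORTS}
    return dict(targets)
```

For the sample above, outbound_summary(SAMPLE_LOG, "DVG") reports a single target, 207.114.130.7, with 4 events over TCP and ICMP covering ports 371 and 482-486.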
Current thread:
- Strange Firewall / IDS Events Donald V. Gerkin Jr. (Feb 19)
- RE: Strange Firewall / IDS Events Trevor Cushen (Feb 20)