Topic: Dizzy, here is my log file for all the attemped attacks  (Read 4251 times)

0 Members and 2 Guests are viewing this topic.

Offline IAF Lyrkiller

  • Semi retired, but I am still around
  • D.Net Beta Tester
  • Lt. Commander
  • *
  • Posts: 1321
  • Gender: Male
  • JAG & Tech Support
Dizzy, here is my log file for all the attemped attacks
« on: April 23, 2006, 10:55:11 am »
Intrusion Prevention has been enabled.
Intrusion Prevention Signature File Version: 4/10/2006 Rev. 80. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention is monitoring 568 signatures.
Intrusion Prevention is monitoring 568 signatures.
Intrusion Prevention has been enabled.
Intrusion Prevention Signature File Version: 4/10/2006 Rev. 80. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention Signature File Version: 4/10/2006 Rev. 80. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 568 signatures.
Intrusion Prevention Signature File Version: 4/10/2006 Rev. 80. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 568 signatures.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 568 signatures.
Intrusion Prevention Signature File Version: 4/10/2006 Rev. 80. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention Signature File Version: 4/10/2006 Rev. 80. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 568 signatures.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 578 signatures.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 578 signatures.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 578 signatures.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention is monitoring 578 signatures.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 578 signatures.
Intrusion Prevention has been enabled.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion: Invalid UDP Destination Port.
Intruder: CAYNE-23A42D352(192.168.1.100).
Risk Level: Medium.
Source IP address: CAYNE-23A42D352(192.168.1.100).
Destination IP address: 83.129.22.209.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: CAYNE-23A42D352(192.168.1.100).
Risk Level: Medium.
Source IP address: CAYNE-23A42D352(192.168.1.100).
Destination IP address: 85.140.156.190.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 83.129.22.209.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 83.129.22.209.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 84.24.81.179.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 83.129.22.209.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 83.129.22.209.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion Prevention has been enabled.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention is monitoring 578 signatures.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 84.30.194.140.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 80.100.34.178.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention is monitoring 578 signatures.
Intrusion Prevention has been enabled.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 578 signatures.
Intrusion Prevention Signature File Version: 3/22/2006 Rev. 78. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 578 signatures.
Intrusion Prevention Signature File Version: 3/17/2006 Rev. 75. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 581 signatures.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 84.30.194.140.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: CAYNE-23A42D352(192.168.1.100).
Risk Level: Medium.
Source IP address: CAYNE-23A42D352(192.168.1.100).
Destination IP address: 84.104.126.72.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 67.127.100.67.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 67.127.100.67.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 67.127.100.67.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 67.127.100.67.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 67.127.100.67.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion: Invalid UDP Destination Port.
Intruder: 172.16.1.10.
Risk Level: Medium.
Source IP address: 172.16.1.10.
Destination IP address: 83.129.3.91.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.
Intrusion Prevention Signature File Version: 3/17/2006 Rev. 75. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 581 signatures.
Intrusion Prevention Signature File Version: 3/17/2006 Rev. 75. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 581 signatures.
Intrusion Prevention has been enabled.
Intrusion Prevention Signature File Version: 3/17/2006 Rev. 75. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention is monitoring 581 signatures.
Intrusion Prevention Signature File Version: 9/1/2005 Rev. 36. Intrusion Prevention Engine Version: 2.0.0.50707.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 496 signatures.
Intrusion Prevention is monitoring 496 signatures.
Intrusion Prevention has been enabled.
Intrusion Prevention is monitoring 496 signatures.
Intrusion Prevention Signature File Version: 9/1/2005 Rev. 36. Intrusion Prevention Engine Version: 2.0.0.50707.


interperate as you wish, but I am not dropping my last line of defense against intruders. :)




KAT-Lyrkiller
Semi-retired
Captain of the MSC Maus
MEMBER OF KLAW
SILENCE.....I keel you!!!

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #1 on: April 23, 2006, 11:54:04 am »
Allow me some time to go through this list and explain to you how none of those entries represent any real threat. In fact it is possible that blocking some of these may hamper your network functionality.

I assume you have made exceptions for your ISP's gateway, DHCP and DNS servers?

Offline Dizzy

  • Captain
  • *
  • Posts: 6179
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #2 on: April 23, 2006, 12:00:26 pm »
That was me testing your system to see if you actually had a FW... j/k.  ;D

Let's see what Bonk comes up with 1st. Personally, I've not had an issue with port security while playing with my pants down on OP since 2001. You ought to try going naked for once. It's so liberating...

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #3 on: April 23, 2006, 12:08:47 pm »
I think people are misunderstanding what we are asking for. We are not asking you to go without a firewall at all times, only while playing on the dynaverse.

Also before commenting further please read this post in full if you have not already:
http://www.dynaverse.net/forum/index.php/topic,163366481.msg1122703163.html#msg1122703163

Further, some of my comments posted elsewhere:

Quote
It occurs to me that most who run a firewall also have a system tray clogged up with tons of unnecessary crap that is probably auto-updating left and right. If your system tray does not look like the attached image - before disabling the windows XP firewall (see below), then think real hard about why it doesn't and what the implications are. (hint: start...run...taskmgr...processes [Show processes from all users]...view...select columns - CPU Usage, CPU Time, Memory Usage, Peak Memory Usage, User Name, Virtual Memory Size, Handle Count, Thread Count)

If you want to see what is happening on your network connecions try a "netstat /?" at the command prompt, then use it with the explained parameters, no firewall needed, and you can inspect all connections for legitimacy...)

I have an alternate solution to the firewall issue that might ba a more positive approach:

What if we kept a "safelist" where players can sign up saying they are willing to disable all firewalls and background crap while playing, and if using NAT they know how to.

edit: addendum to the proposed "safe drafting list" - if you are drafted by a player who has not signed up on the safelist you are free to alt out and proceed on your merry way unpenalised. And let me be clear that this is a suggestion, not an absolute decree.

You have to understand that we are not asking people to do their porn and warez browsing unprotected (pure insanity), but if your OS (and router firmware) are up-to date and you have not enabled filesharing over the internet you are perfectly safe to play SFC with no firewall running. Perfectly safe. Just be sure to turn it back on before you go porn browsing.

Most if not all of the hits that you see on a software firwall would stll have no effect if the firewall was not running and you are running a secure configuration on an up-to-date OS.

Want to secure your machine? Get rid of: MSN, ICQ, Kazaa, any bitorrent client that is not the original, Morpheus, Limewire, DC++, Quicktime, Flash, Norton AV... you will find all of a sudden that your PC is more secure than ever (insert obligatory MacOS fanboy comment here  Roll Eyes)

The main point is that playing SFC does not draw negative attention like so many other activities on the web, if your OS is up to date and configured securely, you have nothing to worry about.


Quote
A little off topic perhaps... but if people insist on browsing malicious porn sites, they should at least use a spider set to download only image files from the desired url n links deep...

http://www.tenmax.com/teleport/pro/home.htm

More porn than any normal person should want, without exposing yourself (no pun intended) to a single line of malicious html, javascript, java or activex code.

Requires some caution though, as such spidering ventures can easily land in illegal or thoroughly disgusting territory quickly and deeply.


I have been running without a firewall for the last six years on the dynaverse, I have not been hacked once...

OK, my next posts will address your log entries Lyrkiller...

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #5 on: April 23, 2006, 12:23:04 pm »
For the purposes of this analysis I will assume you are running a completely up-to-date Windows XP install.

First entry in Lyrkiller's firewall log:

Quote
Intrusion: Invalid UDP Destination Port.
Intruder: CAYNE-23A42D352(192.168.1.100).
Risk Level: Medium.
Source IP address: CAYNE-23A42D352(192.168.1.100).
Destination IP address: 83.129.22.209.
UDP Source Port: 61069.
UDP Destination Port: 0. Invalid.

First thing to notice is that the source is YOU!
Second thing to notice is that UDP port 0 is reserved and no known services use it.

RIPE whois results:
Quote
inetnum:         83.129.0.0 - 83.129.127.255
netname:         TISCALI-ADSL
descr:           Tiscali  - Online Services
country:         DE
admin-c:         TRR1-RIPE
tech-c:          TRR1-RIPE
remarks:         Concerning abuse and spam mailto: team@abuse.tiscali.de
status:          ASSIGNED PA "status:" definitions
mnt-by:          TISCALI-NET
source:          RIPE # Filtered

role:            TISCALI RIPE REGISTRY
address:         Tiscali Business GmbH
address:         Robert-Bosch-Str. 32
address:         D-63303 Dreieich
address:         Germany

OK the destination is somewhat suspicious, since the source is YOU, what kind of spyware or P2P apps are you running on your machine? What does your processlist look like?

Though perhaps this is one of your games being denied a ping to a game server in germany, give me a bit to identify the source and destination ports.

I notice your firewall log is missing the critical information of what time and date the item was blocked... What firewall is this that you are running?

More to come... stay with me...

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #6 on: April 23, 2006, 12:42:55 pm »
Observation: you are on a dynamic IP addres provided by earthlink which appears to change frequently, which is a measure of security in itself. (the forums only have one post on record from your last IP address...)

Some information on UDP port 0:

Quote
Port 0 is officially a reserved port in TCP/IP networking, meaning that it should not be used for any TCP or UDP network communications.

However, port 0 sometimes takes on a special meaning in network programming, particularly Unix socket programming. In this environment, port 0 is a programming technique for specifying system-allocated (dynamic) ports.

Instead of "hard-coding" a particular port number, or writing code that searches for an open port, Unix programmers simply specify port 0 as a connection parameter. That triggers the operating system to automatically search for and return the next available port in the dynamic port number range.

This programming technique does not work the same way in Microsoft Windows as it does in Unix.

http://compnetworking.about.com/od/tcpip/l/blports_0.htm

Quote
Test ID:   10074
Category:   Denial of Service
Title:   Firewall/1 UDP port 0 DoS
Summary:   Crashes the remote host by sending a UDP packet going to port 0
Description:   It was possible to
crash either the remote host or the firewall
in between us and the remote host by sending
an UDP packet going to port 0.

This flaw may allow an attacker to shut down
your network.

Solution : contact your firewall vendor if
it was the firewall which crashed, or filter
incoming UDP traffic if the remote host crashed.

Risk factor : High
Cross-Ref:   BugTraq ID: 576
Common Vulnerability Exposure (CVE) ID: CVE-1999-0675
Bugtraq: 19990809 FW1 UDP Port 0 DoS (Google Search)
XForce ISS Database: checkpoint-port
Copyright   This script is Copyright (C) 1999 Renaud Deraison

http://www.securityspace.com/smysecure/catid.html?id=10074


Were you actively trying something funny on this german machine? It is possible there is a worm on your machine... though I still suspect a game looking for the next open port on a *nix game server...

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #7 on: April 23, 2006, 12:47:17 pm »
It looks like all your entries are from UDP port 61069 to UDP port 0... Interesting... Wonder what the heck that is.

What does a "netstat -a" tell you when these items are being blocked.... (oh wait, probably not much, as the connections are blocked, but it will still tell us what applications are listening, connected and sending...which might give us the necessary clue...)

Offline Strat

  • Retired
  • EAW Update Crew
  • Lt. Commander
  • *
  • Posts: 1368
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #8 on: April 23, 2006, 12:59:37 pm »
It should be also worth mentioning that the firewall does protect you from attacks on unknown weaknesses of the OS.  This is what SPI accomplishes.

Prime example was the MS Blaster virus.  I did contract work for part of a School Distrcts network just before it came out.  Part of what I did was properly set up and configure the XP firewall on a few hundred machines.

Good for the name of my business, ALL the school computers were infected **EXCEPT** for the machines I configured for thier upgrade.  The school's systems Dept had the FW disabled.  :o  Mine were crystal clean and operating properly.

It does help, but for certain programs not written with the FW in mind, it may have adverse affects.  This is becuase mainly by the way it works, the prinicple of least privledge, and by how it scans the data sent and recieved by the interface.

I used to use Norton Internet Security too, it actually helped me to locate and inform my ISP of several client's computers on thier network infected by virus's attempting to spread locally by IP.  Apparently (not a big ISP mind you), they had no idea, and contacted the people that were infected.

Its bacially a nessesary evil.

I should also mention that an upgraded OS and by not visiting certain web-sites, you can GREALTY reduce the likely hood of being hacked.  Only by random scan or a person specifically looking for you, or if you already have a virus are you likely to have a problem.

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #9 on: April 23, 2006, 01:10:47 pm »
How come I have never gotten a worm or virus in the last six years I have been playing on the dynaverse without a firewall? (no its not luck...)

It is extremely unlikely that in the course of playing a session on the Dynaverse form an up-to-date copy of windows that a new security exploit for Windows will be discovered and your machine will be directly targetted.

Did you play SFC before software firewalls were commonplace?

Offline Strat

  • Retired
  • EAW Update Crew
  • Lt. Commander
  • *
  • Posts: 1368
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #10 on: April 23, 2006, 01:16:35 pm »
I've never had one either, and %90 of the time my FW are disabled. (Except for now as I'm beta testing a new product)

I've never had a virus either.  But not everyone is as tech savvy as we are.

I know a lot of poeple get viruses in thier email (again, from work exprience), and don't it for months or even years!

Many people have no idea what 'Windows updates' are, or virus definitions, or that email can carry them, or even that an email attachment could be an virus.

Its not a matter of being technilogically prepaired, its a matter of ID10T error profing a PC.

Offline IAF Lyrkiller

  • Semi retired, but I am still around
  • D.Net Beta Tester
  • Lt. Commander
  • *
  • Posts: 1321
  • Gender: Male
  • JAG & Tech Support
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #11 on: April 23, 2006, 03:45:48 pm »
Ok Bonk, right now I am at work. I am going to run my syst w/o the router for several days and see what attacks I come across.





KAT-Lyrkiller
Semi-retired
Captain of the MSC Maus
MEMBER OF KLAW
SILENCE.....I keel you!!!

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #12 on: April 23, 2006, 05:56:36 pm »
Ok Bonk, right now I am at work. I am going to run my syst w/o the router for several days and see what attacks I come across.

A router is fine as long as it and your lan are configured properly.

Also, I am not suggesting running with no firewall all the time, only while playing on the dynaverse.

But go ahead and try it for a few days if you want though, I think you'll be suprised at the lack of sucessful attacks. (though, please do not hold me resposible if there is a successful attack, I do not know what you are running on your machine)

edit: before doing so, try and figure out what you're running that is hitting udp port 0 on remote machines from your udp port 61069... use a "netstat -a" at the command prompt and examine all connections carefully. (and use "netstat -a -b" to list the applications involved... use a "netstat /?" to see all the parameters that can be used with netstat and their explanation...)

If you have no P2P or instant messaging apps, do not browse for warez, porn or mp3s, and keep your OS updated and configured securely, and do not use IE, I can virtually guarantee there will be very few attacks and no successful ones.
« Last Edit: April 23, 2006, 06:19:12 pm by Bonk »

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #13 on: April 23, 2006, 11:30:53 pm »
In related news - Firewall Blocks EAW Install!  :o

http://www.dynaverse.net/forum/index.php/topic,163366261.msg1122703730.html#msg1122703730

WTF?  :huh: These firewall authors really need to chill and take a good hard look at their code. Methinks they are a little super-horny. (or really have no clue what they are doing...)   :thumbsdown:

Offline IAF Lyrkiller

  • Semi retired, but I am still around
  • D.Net Beta Tester
  • Lt. Commander
  • *
  • Posts: 1321
  • Gender: Male
  • JAG & Tech Support
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #14 on: April 29, 2006, 05:18:13 pm »
Ok Bonk, you win. ;D

So far I have not had a port attack over the weekend or the times that I did leave my pc on. (bypassed router).

But it does not mean that it can happen when playing on one of our servers.

and yes I have been attacked. I am going to load OP and try the Forge and see what happens. ;D







KAT-Lyrkiller
Semi-retired
Captain of the MSC Maus
MEMBER OF KLAW
SILENCE.....I keel you!!!

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #15 on: April 29, 2006, 06:36:21 pm »
Glad to hear it, common sense is the best defense.

For me, one of the most important things is to be able discern genuine mission bugs from connection/firewall issues. I don't want scripters forever chasing red herrings based on unreliable feedback.

Worms and simple hackers will forever be knocking on your door, but an up to date OS and secure configuration will keep them all out. The average SFC player is a pretty unlikely target for a DoS attack on a secure box.

Offline IAF Lyrkiller

  • Semi retired, but I am still around
  • D.Net Beta Tester
  • Lt. Commander
  • *
  • Posts: 1321
  • Gender: Male
  • JAG & Tech Support
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #16 on: May 04, 2006, 02:02:52 am »
Well, Bonk it happened, while playing on The Forge, I was port attacked.

Here is the log:

Intrusion: MS ASN1 Integer Overflow TCP.
Intruder: 66.18.200.221(2359).
Risk Level: High.
Protocol: TCP.
Attacked IP: CAYNE-23A42D352(172.16.1.10).
Attacked Port: microsoft-ds(445).
Intrusion detected and blocked. All communication with 66.18.200.221 will be blocked for 30 minutes.
Intrusion detected and blocked. All communication with 66.244.71.212 will be blocked for 30 minutes.
Intrusion: MS RPCSS Attack (2).
Intruder: 66.244.71.212(1194).
Risk Level: High.
Protocol: TCP.
Attacked IP: CAYNE-23A42D352(172.16.1.10).
Attacked Port: epmap(135).

Whoever they were, they did not succeed very far. the port attack sw is for SP1

I have SP2 ;D
« Last Edit: May 04, 2006, 02:18:04 am by CayneG »




KAT-Lyrkiller
Semi-retired
Captain of the MSC Maus
MEMBER OF KLAW
SILENCE.....I keel you!!!

Offline Bonk

  • Commodore
  • *
  • Posts: 13298
  • You don't have to live like a refugee.
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #17 on: May 04, 2006, 06:51:46 am »
Well, Bonk it happened, while playing on The Forge, I was port attacked.

Here is the log:

Intrusion: MS ASN1 Integer Overflow TCP.
Intruder: 66.18.200.221(2359).
Risk Level: High.
Protocol: TCP.
Attacked IP: CAYNE-23A42D352(172.16.1.10).
Attacked Port: microsoft-ds(445).
Intrusion detected and blocked. All communication with 66.18.200.221 will be blocked for 30 minutes.
Intrusion detected and blocked. All communication with 66.244.71.212 will be blocked for 30 minutes.
Intrusion: MS RPCSS Attack (2).
Intruder: 66.244.71.212(1194).
Risk Level: High.
Protocol: TCP.
Attacked IP: CAYNE-23A42D352(172.16.1.10).
Attacked Port: epmap(135).

Whoever they were, they did not succeed very far. the port attack sw is for SP1

I have SP2 ;D

Give me a break man, if the firewall was off absolutely nothing would have happened if the OS is up to date and properly configured. As you have indicated yourself, the attack was targetted at an out of date OS. If the firewall were left off nothing would have happened and your firewall wouldn't be unneccessarily filtering tcp/ip packets in God only knows how horrible and botched a fashion...

Thank you for helping me to make my case that these software firewalls are completely redundant and do more harm than good.

Out of curiosity, what are your DNS, DHCP and gateway servers on the WAN? Also, do you have UPnP enabled on the router/DSL modem/gateway? I find DSL to be a pain because it takes a lot of these factors out of your control. What model DSL modem do you have? Is this firewall part of the modem firmware?
« Last Edit: May 04, 2006, 07:08:47 am by Bonk »

Offline Soreyes

  • Commander
  • *
  • Posts: 3903
  • Gender: Male
  • It's Not News. It's CNN
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #18 on: May 04, 2006, 07:16:29 am »
Quote
Out of curiosity, what are your DNS, DHCP and gateway servers on the WAN? Also, do you have UPnP enabled on the router/DSL modem/gateway? I find DSL to be a pain because it takes a lot of these factors out of your control. What model DSL modem do you have? Is this firewall part of the modem firmware?

There he goes speaking Greek again ;D


[img width=600 height=150]

Offline Soreyes

  • Commander
  • *
  • Posts: 3903
  • Gender: Male
  • It's Not News. It's CNN
Re: Dizzy, here is my log file for all the attemped attacks
« Reply #19 on: May 04, 2006, 07:35:55 am »
On a serious note. While playing on the Forge the other morning. I was teaming up with Deadman and Thrain. We started doing some Planet Assalts. I was doing the Drafting, and a whole bunch of problems started to happen. Players dropping, Host Left messages, or the mission just would not load. It was then with my Kitty brain that I figured out that I was the problem. I had turned off my MS firewall, but had forgotten to turn off my Norten Security,witch has it's own Firewall.  Turned that off and the problem was solved ;D


[img width=600 height=150]