| Thread ID: 48482 | 2004-08-24 09:02:00 | SPF Pro 5.5 security log "port scan" | dibbly (5461) | Press F1 |
| Post ID | Timestamp | Content | User | ||
| 264919 | 2004-08-24 09:02:00 | hi everyone just a couple of questions concerning logs in Sygate. Had 4 or 5 alerts of "someone is scanning your computer" different IP's and also ports. Do I need to worry bout this or am I naive to think my firewall has everything under control??? the other one is this intrusion detected with the following details. "Inbound DCE BIND to potentially vulnerable RPC DCOM interface attempt detected" now what the heck does that mean??? and when it tells me it detected it , did it do anything about it??? In the process of Googling this now, but thought I'd see if there were any PF1ers out there that could help. cheers people |
dibbly (5461) | ||
| 264920 | 2004-08-24 09:08:00 | Could be other virus infected computers scanning IP addresses looking for new hosts. | Davesdad (923) | ||
| 264921 | 2004-08-24 09:12:00 | so my firewalls doing its job then??? I'm fully patched (cept sp2) and all AV and Spyware etc upto date. Showing all ports stealth at GRC | dibbly (5461) | ||
| 264922 | 2004-08-24 09:25:00 | > so my firewalls doing its job then??? I'm fully patched (cept sp2) and all AV and Spyware etc upto date. Showing all ports stealth at GRC
Yea, 4-5 alerts is not much. When you start getting hammered and the severity is extreme it's time to start worrying. |
Davesdad (923) | ||
| 264923 | 2004-08-24 09:27:00 | Excellent!! thanks for that DD | dibbly (5461) | ||
| 264924 | 2004-08-24 09:36:00 | Hi Dibbly It would appear that it is purely Sygate doing its job. There are a couple of good sites to bookmark if you are interested in additional info about what your firewall is telling you. These are dshield (www.dshield.com) and secunia (http:). Dshield gives details about the current ports that are being "attacked" and Secunia gives details about the latest virii and exploits for the different operating systems. Just click here (www.dshield.com) to find out what Dshield has to say about DCOM. As far as port scans are concerned generally these involve one IP address scanning a number of ports on your computer. Occasionally this will mean that the firewall will log about 10 to 20 hits on different ports from a single IP but most often you will only be scanned on about three to five of the easiest ports. :) HTH |
Gorela (901) | ||
| 264925 | 2004-08-24 10:02:00 | thanks Gorela for those links reading thru them now......I promised myself I wouldn't check out the logs....paranoia starts setting in!!!!! But there you have it....I have and now I am, dammit. one more question, why would my DNS server hit my machine 15 times in the space of 30 secs or less, there was a major spike of like 9136 bytes at the time.....its blocked of course but heck...please someone tell me to leave the damn thing alone before I send myself up the wall........any further....... |
dibbly (5461) | ||
| 264926 | 2004-08-24 10:26:00 | > one more question, why would my DNS server hit my machine 15 times in the space of 30 secs or less, there was a major spike of like 9136 bytes at the time.....its blocked of course but heck...please someone tell me to leave the damn thing alone before I send myself up the wall........any further.......
What applications have you set to 'allowed'? It may be a normal communication with a network service that is being blocked hence the appearance of a port scan from your DNS |
Davesdad (923) | ||
| 264927 | 2004-08-24 10:32:00 | As you say the easiest bet is "Don't look" :) For DNS requests to be blocked by the firewall normally means that the request didn't originate from your computer. It depends on the functionality of the firewall. ;) If it is a stateful firewall it will remember that it sent a single packet or packets to the DNS server and will expect a reply from that computer. If it didn't send a packet then it will block any access. Perhaps you should think about changing your operating system to OpenBSD (http://www.openbsd.org) as they do say that it is the operating system of choice for the practical paranoid :D |
Gorela (901) | ||
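Added example, not part of the original thread and not Sygate's code: a minimal Python model of the stateful behaviour described in the post above, where an inbound DNS packet is accepted only if it answers a recorded outbound query. The 5-second timeout, the addresses and the ports are constructed assumptions.

```python
# Minimal model of stateful UDP filtering (added example; all values are constructed).
from dataclasses import dataclass, field

STATE_TIMEOUT = 5.0  # seconds an outbound flow stays in the table (assumed value)

@dataclass
class StatefulFilter:
    # (local_ip, local_port, remote_ip, remote_port) -> time at which the state expires
    states: dict = field(default_factory=dict)

    def outbound(self, now, src_ip, src_port, dst_ip, dst_port):
        """Record an outgoing datagram so that the matching reply is expected."""
        self.states[(src_ip, src_port, dst_ip, dst_port)] = now + STATE_TIMEOUT
        return "allow"

    def inbound(self, now, src_ip, src_port, dst_ip, dst_port):
        """Allow an incoming datagram only if it answers a live outbound flow."""
        key = (dst_ip, dst_port, src_ip, src_port)  # reverse direction of the flow
        expires = self.states.get(key)
        if expires is None:
            return "block: unsolicited"
        if now > expires:
            del self.states[key]
            return "block: state expired"
        return "allow"

def replay(events):
    """Run (time, direction, src_ip, src_port, dst_ip, dst_port) tuples through a fresh filter."""
    fw = StatefulFilter()
    verdicts = []
    for t, direction, *flow in events:
        handler = fw.outbound if direction == "out" else fw.inbound
        verdicts.append(handler(t, *flow))
    return verdicts

# Constructed traffic using documentation addresses, not taken from the thread.
PC, DNS = "192.0.2.10", "198.51.100.53"
SAMPLE = [
    (0.0, "out", PC, 1031, DNS, 53),  # query leaves the PC
    (0.2, "in", DNS, 53, PC, 1031),   # prompt reply: matches the recorded state
    (1.0, "in", DNS, 53, PC, 1032),   # nothing was ever sent from port 1032
    (9.0, "in", DNS, 53, PC, 1031),   # reply arriving after the state timed out
]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", verdict)
```

In this model a legitimate but late reply is dropped in the same way as an unsolicited packet, so both show up in a log as blocked inbound traffic from the DNS server.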
| 264928 | 2004-08-24 11:42:00 | DD
> What applications have you set to 'allowed'?
just my browser and email client, everything else is set to 'ask'
> It may be a normal communication with a network service that is being blocked hence the appearance of a port scan from your DNS
mmmmkay...shall take your word on that one!!!!
Gorela
> If it is a stateful firewall...
aha always wondered what that meant...ta! as far as bsd goes, took a look at the FAQ's but I need a faq to understand the FAQ's..shall save that for later.......much later!!! thanks you two for your help, much 'preciated.....but prob is solved... i aint gonna LOOK!!!..... well, maybe just a peek:) cheers dib |
dibbly (5461) | ||