SPF Pro 5.5 security log "port scan"



dibbly
24-08-2004, 09:02 PM
Hi everyone, just a couple of questions concerning logs in Sygate. Had 4 or 5 alerts of "someone is scanning your computer", different IPs and also ports.
Do I need to worry about this, or am I naive to think my firewall has everything
under control?

The other one is this intrusion detected with the following details:
"Inbound DCE BIND to potentially vulnerable RPC DCOM interface attempt detected". Now what the heck does that mean? And when it tells me it detected it, did it do anything about it?

In the process of Googling this now, but thought I'd see if there were any
PF1ers out there that could help.

cheers people

Davesdad
24-08-2004, 09:08 PM
Could be other virus infected computers scanning IP addresses looking for new hosts.

dibbly
24-08-2004, 09:12 PM
So my firewall's doing its job then? I'm fully patched (except SP2) and all AV and spyware etc. up to date. Showing all ports stealth at GRC.

Davesdad
24-08-2004, 09:25 PM
> So my firewall's doing its job then? I'm fully
> patched (except SP2) and all AV and spyware etc. up to
> date. Showing all ports stealth at GRC.
Yeah, 4-5 alerts is not much. When you start getting hammered and the severity is extreme, it's time to start worrying.

dibbly
24-08-2004, 09:27 PM
Excellent!! thanks for that DD

Gorela
24-08-2004, 09:36 PM
Hi Dibbly

It would appear that it is purely Sygate doing its job. There are a couple of good sites to bookmark if you are interested in additional info about what your firewall is telling you. These are dshield (http://www.dshield.com) and secunia (http://secunia.com).

Dshield gives details about the current ports that are being "attacked", and Secunia gives details about the latest viruses and exploits for the different operating systems.

Just click here (http://www.dshield.com/port_report.php?port=445) to find out what Dshield has to say about DCOM.

As far as port scans are concerned, generally these involve one IP address scanning a number of ports on your computer. Occasionally this will mean that the firewall will log about 10 to 20 hits on different ports from a single IP, but most often you will only be scanned on about three to five of the easiest ports. :)

HTH
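The distinction Gorela draws above (one IP touching several ports in a burst, versus a single IP hammering one port the way Davesdad's "virus infected computers looking for new hosts" would) can be checked mechanically against an exported log. The script below is an added example written for this page, not code from the thread or from Sygate: the log format, addresses, timestamps, the 60 second window and the three-port threshold are all constructed for illustration and are not Sygate's real export format or defaults.

```python
"""Added example (not from the thread): classify blocked inbound hits in a
firewall log as a "port scan" (one source, several distinct ports in a short
window) or a "single-port probe" (one source repeatedly hitting one port,
typical of a worm looking for a specific service). The log format below is
constructed for this example and is not Sygate's real export format."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import NamedTuple


class Hit(NamedTuple):
    when: datetime
    src_ip: str
    dst_port: int
    proto: str


# Constructed sample log, one event per line:
#   date time action direction src_ip dst_port proto
SAMPLE_LOG = """\
2004-08-24 21:01:02 BLOCK IN 203.0.113.7 135 TCP
2004-08-24 21:01:02 BLOCK IN 203.0.113.7 139 TCP
2004-08-24 21:01:03 BLOCK IN 203.0.113.7 445 TCP
2004-08-24 21:01:03 BLOCK IN 203.0.113.7 1025 TCP
2004-08-24 21:01:04 BLOCK IN 203.0.113.7 3389 TCP
2004-08-24 21:05:10 BLOCK IN 198.51.100.42 445 TCP
2004-08-24 21:09:55 BLOCK IN 198.51.100.42 445 TCP
2004-08-24 21:15:30 BLOCK IN 192.0.2.5 80 TCP
2004-08-24 21:16:00 ALLOW OUT 10.0.0.5 80 TCP
"""


def parse_log(text):
    """Keep only blocked inbound lines; our own outbound traffic is never a scan."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, action, direction, src, port, proto = line.split()
        if action != "BLOCK" or direction != "IN":
            continue
        when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        hits.append(Hit(when, src, int(port), proto))
    return hits


def find_port_scans(hits, window=timedelta(seconds=60), min_ports=3):
    """Sources that touched at least min_ports distinct ports inside any
    `window`-long interval. Returns {src_ip: every port that source touched}."""
    by_src = defaultdict(list)
    for h in hits:
        by_src[h.src_ip].append(h)
    scanners = {}
    for src, events in by_src.items():
        events.sort(key=lambda h: h.when)
        recent = deque()  # sliding window: hits no older than `window`
        for h in events:
            recent.append(h)
            while h.when - recent[0].when > window:
                recent.popleft()
            if len({r.dst_port for r in recent}) >= min_ports:
                scanners[src] = sorted({e.dst_port for e in events})
                break
    return scanners


def find_single_port_probes(hits, min_hits=2):
    """Sources that hit exactly one port at least min_hits times."""
    by_src = defaultdict(list)
    for h in hits:
        by_src[h.src_ip].append(h.dst_port)
    return {src: ports[0] for src, ports in by_src.items()
            if len(ports) >= min_hits and len(set(ports)) == 1}


def summarize(text):
    hits = parse_log(text)
    return {"port_scans": find_port_scans(hits),
            "single_port_probes": find_single_port_probes(hits)}


if __name__ == "__main__":
    for kind, found in summarize(SAMPLE_LOG).items():
        print(kind, found)
```

On the constructed log this reports 203.0.113.7 as a port scan (five ports in three seconds), 198.51.100.42 as a single-port probe on 445, and nothing for the lone hit from 192.0.2.5. The thresholds are a judgement call: lower `min_ports` or a wider `window` catches slower scans but also turns a couple of stray retries into a "scan".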

dibbly
24-08-2004, 10:02 PM
Thanks Gorela for those links, reading through them now... I promised myself I wouldn't check out the logs... paranoia starts setting in! But there you have it... I have, and now I am, dammit.

One more question: why would my DNS server hit my machine 15 times in the space of 30 secs or less? There was a major spike of like 9136 bytes at the time... it's blocked of course, but heck... please someone tell me to leave the damn thing alone before I send myself up the wall... any further...

Davesdad
24-08-2004, 10:26 PM
> One more question: why would my DNS server hit my machine 15 times in the
> space of 30 secs or less? There was a major spike of like 9136 bytes at the
> time... it's blocked of course, but heck... please someone tell me to leave the
> damn thing alone before I send myself up the wall... any further...

What applications have you set to 'allowed'? It may be a normal communication with a network service that is being blocked, hence the appearance of a port scan from your DNS.

Gorela
24-08-2004, 10:32 PM
As you say the easiest bet is "Don't look" :)

DNS requests being blocked by the firewall normally means that the request didn't originate from your computer. It depends on the functionality of the firewall. ;)

If it is a stateful firewall, it will remember that it sent a single packet or packets to the DNS server and will expect a reply from that computer. If it didn't send a packet, then it will block any access.

Perhaps you should think about changing your operating system to OpenBSD (http://www.openbsd.org) as they do say that it is the operating system of choice for the practical paranoid :D
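The stateful behaviour Gorela describes, and Davesdad's point that a blocked hit "from your DNS" can be normal traffic, can both be seen in a small model. The following is an added example written for this page, not code from the thread or from any real firewall product: it is a toy UDP state table with a constructed 30 second timeout, constructed addresses and ports, and a constructed packet sequence. It shows one reply allowed because the outbound query is remembered, one unsolicited packet blocked, and one legitimate reply blocked only because it arrived after the state entry expired, which is how a benign DNS server ends up in the block log.

```python
"""Added example (not from the thread): a toy stateful UDP filter showing why
a packet from your own DNS server can show up as a blocked inbound hit.
Addresses, ports, timings and the 30 s state timeout are all constructed."""
from dataclasses import dataclass

ME = "10.0.0.5"             # constructed: this machine
DNS_SERVER = "192.0.2.53"   # constructed: the ISP resolver
UDP_STATE_TIMEOUT = 30.0    # constructed: seconds an outbound flow stays expected


@dataclass(frozen=True)
class Packet:
    t: float      # seconds since the start of the capture
    src: str
    sport: int
    dst: str
    dport: int


class StatefulUdpFilter:
    """Allow inbound UDP only if it answers an outbound packet we still remember."""

    def __init__(self, my_ip, timeout=UDP_STATE_TIMEOUT):
        self.my_ip = my_ip
        self.timeout = timeout
        self.state = {}   # (my_ip, my_port, peer_ip, peer_port) -> expiry time
        self.log = []     # (t, src, sport, dport, verdict, reason)

    def _expire(self, now):
        for key, expiry in list(self.state.items()):
            if expiry <= now:
                del self.state[key]

    def process(self, pkt):
        self._expire(pkt.t)
        if pkt.src == self.my_ip:
            # Outbound: remember the flow so that the reply is expected.
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.state[key] = pkt.t + self.timeout
            verdict, reason = "ALLOW", "outbound, state created"
        elif (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            verdict, reason = "ALLOW", "matches remembered outbound flow"
        else:
            verdict, reason = "BLOCK", "no matching outbound flow"
        self.log.append((pkt.t, pkt.src, pkt.sport, pkt.dport, verdict, reason))
        return verdict

    def blocked_from(self, ip):
        """Log entries that a user would read as 'ip hit my machine and was blocked'."""
        return [e for e in self.log if e[1] == ip and e[4] == "BLOCK"]


# Constructed scenario: two real queries, one unsolicited packet, one late reply.
SCENARIO = [
    Packet(0.00, ME, 50001, DNS_SERVER, 53),   # query out
    Packet(0.05, DNS_SERVER, 53, ME, 50001),   # reply in time -> ALLOW
    Packet(5.00, DNS_SERVER, 53, ME, 50002),   # nothing was asked on 50002 -> BLOCK
    Packet(10.0, ME, 50003, DNS_SERVER, 53),   # query out
    Packet(45.0, DNS_SERVER, 53, ME, 50003),   # reply after the timeout -> BLOCK
]


def run_scenario(packets=SCENARIO):
    fw = StatefulUdpFilter(ME)
    verdicts = [fw.process(p) for p in packets]
    return verdicts, fw


if __name__ == "__main__":
    verdicts, fw = run_scenario()
    for entry in fw.log:
        print(entry)
```

Both blocked entries name the DNS server as the source, so a log viewer that shows only source address and port cannot tell the genuinely unsolicited packet from the late reply; the difference is only visible in whether a matching outbound flow ever existed, which is exactly the state a stateless packet filter does not keep.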

dibbly
24-08-2004, 11:42 PM
DD
> What applications have you set to 'allowed'?
Just my browser and email client; everything else is set to 'ask'.

> It may be a normal communication with a network service that
> is being blocked, hence the appearance of a port scan
> from your DNS.
Mmmmkay... shall take your word on that one!

Gorela
>If it is a stateful firewall...
Aha, always wondered what that meant... ta!

As far as BSD goes, took a look at the FAQs but I need a FAQ to understand
the FAQs... shall save that for later... much later!

Thanks you two for your help, much 'preciated... but prob is solved... I ain't gonna LOOK!
Well, maybe just a peek :)

cheers
dib