port attacks!!

Karel_01
Joined: Feb 15, 2005
I have a little proxy program installed to allow my wife to play EQ over the weekends, and I have found some interesting IPs getting past my firewall to my proxy till I blocked them ...

Maybe iBurst should look at this

I will need to manually enter the info as the logs are a bit confusing if I just try to copy and paste! :)

User                          IP              Port         Attempts
mm.nedcor.com                 196.36.217.137  SMTP OUT     31
wbs-196-46-69-12.wbs.co.za    196.46.69.12    135          1
wbs-196-46-64.169.wbs.co.za   196.46.64.169   445          1
wbs-196-46-66-146.wbs.co.za   196.46.66.146   445, 44445   5
213.167.138.91                213.167.138.91  7520, 23735  1
cuttlefish.mweb.co.za         196.2.50.76     SMTP OUT     1
www.freezeframe.co.za         196.34.55.29    1433         1

And the list goes on, many of them on ports used by viruses. This is only about 5% of what went through my connection until I picked it up. I understand nothing can be done except for us to tighten up on security, but it just goes to show what is happening while we are not watching, and would explain the "relaying denied" messages trying to send mail!

When my Linux finally downloads I will be running a tight ship on it and see if I can get some logging going, and if anybody at iBurst is interested I will forward the logs to them; it may help to stop some of the cr@p running around on the network.
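To show how the kind of log the post lists can be triaged automatically, here is an added example (not the poster's code) that buckets connection attempts into probes on the worm ports the thread mentions (135, 445, 1433) and outbound SMTP attempts, then names the sources worth a firewall rule. The "src_ip dst_port direction" line layout and the sample lines are constructed assumptions, not the poster's proxy log format.

```python
import re
from collections import Counter

# Ports the thread singles out: 135/445 (DCOM/RPC and SMB worm targets), 1433 (MS SQL),
# and 25 (SMTP), which matters here when seen going OUT from a box that is not a mail relay.
WORM_PORTS = {135: "DCOM/RPC", 445: "SMB", 1433: "MSSQL"}
SMTP_PORT = 25

# Constructed sample log in an assumed "src_ip dst_port direction" layout
# (not the poster's proxy log format). Values mirror the table in the post.
SAMPLE_LOG = """\
196.36.217.137 25 OUT
196.36.217.137 25 OUT
196.46.69.12 135 IN
196.46.64.169 445 IN
196.46.66.146 445 IN
196.46.66.146 44445 IN
196.34.55.29 1433 IN
196.2.50.76 25 OUT
this line does not parse and is skipped
"""

LINE_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,5})\s+(IN|OUT)$")


def classify(log_text):
    """Bucket each parsable line into worm-port probes, outbound SMTP, or other.
    Returns Counters keyed by (ip, port), ip and ip respectively."""
    worm_hits, smtp_out, other = Counter(), Counter(), Counter()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # malformed line: skip rather than abort the whole run
        ip, port, direction = m.group(1), int(m.group(2)), m.group(3)
        if direction == "OUT" and port == SMTP_PORT:
            smtp_out[ip] += 1           # something trying to send mail through us
        elif direction == "IN" and port in WORM_PORTS:
            worm_hits[(ip, port)] += 1  # the "usual exploit bots" of the thread
        else:
            other[ip] += 1
    return worm_hits, smtp_out, other


def sources_to_block(log_text, smtp_threshold=2):
    """IPs worth a DROP rule: any worm-port probe, or repeated outbound SMTP attempts."""
    worm_hits, smtp_out, _ = classify(log_text)
    block = {ip for (ip, _port) in worm_hits}
    block |= {ip for ip, n in smtp_out.items() if n >= smtp_threshold}
    return sorted(block)
```

Dropping rather than rejecting the matched sources also avoids sending replies back, which is the point raised later in the thread about capped connections.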
 
The ones on port 445 are just your usual exploit bots looking at IPs around it for people with vuln machines running LLS and DCOM, so that's nothing unusual, but the ones looking for an open SMTP port are very very very interesting. Maybe the spammer guy who keeps getting IPs blocked is really someone using other people's local SMTP servers to send the mail. Very interesting.
 
Thought you would like the SMTP ones, that is why I put them up here; if you want MAC addresses I could supply those too.
 
Here is another juicy one I found, although the name could be spoofed:

mail.interprise.co.za IP 196.3.167.50 Mac A65220000100
 
I run MS ISA 2004 server. (Used to run stuff like Zone Alarm etc).

Since I started using ISA I've had no problems (touch wood).

Another brilliant little firewall is TINY firewall. Not complicated at all.

The only problem with ISA server (although it is a level 7 firewall compared to the likes of Firewall-1 and Gauntlet) is that R8500 is still very stiff for the average user.

I get the occasional port scan or port attacks, but ISA takes 'nice' care of these possible intrusions.

As long as you have ALL the current MS service packs and have the MS XP/SP2 firewall running, your PC "should" be fairly safe from attacks.

Norton also has a very neat Firewall/Switch combination that is configured via HTTP. A good and cost effective hardware based firewall.

I also make use of Basilisk Firewall (from www.secureworx.com), a South African based company with a very, very good hardware firewall. (It uses the Linux kernel and is configured via HTTP/Java.) My personal best next to ISA.
 
Thanks for all the info, but I'm just going to set up Linux at the moment and monitor ... not going to spend a fortune on security for a home PC.... :)
 
Isn't it great to know that all those portscan and connection attempts count towards your CAP?
 
Yup, I guess that's the problem with capped connections: they never know what to count so they just count everything.
 
TheRoDent said:
Isn't it great to know that all those portscan and connection attempts count towards your CAP?

LOL, true. At least just drop the packets, so you don't send ACK packets back again. We need to go for a beer sometime, Rodent.
 
Here is a clip from my SMTP server. It's obvious some spammer is trying to relay his ****.

Apr 17 18:04:45 onyxsrv - SMTP Client Access reject: RCPT from unknown[222.120.40.9]: 554 <[email protected]>: Recipient address rejected: Relay access denied; from=<[email protected]> to=<[email protected]>

My system used to have its own IP address on the internet. I've actually overlooked this, as I now use fetchmail so I can block my server from outside access.
 
Well, not to be a stickler, but you shouldn't have an SMTP server on your PC open to anyone to use, or anyone will use it. This spammer guy/girl/ass is really pushing his/her/its luck.

Which brings up something we don't know about WBS as an ISP: what are their policies when it comes to 'abuse' like this? I know the big ISPs like MWEB or whatever usually cut off the account till the owner gets a warning, and if it happens again they're off the network for good, but I'm sure WBS have bigger problems.
 
I'm running an SMTP server on a Linux box for both internal & external email, plus a squid proxy server, for about 4 people. I don't need it anymore for external email since my domain hosting is now done by a 3rd party; I've just been lazy (I like to use the words "too busy") to redo the box completely.

I agree, I think the 'abuse' issue is currently last on WBS' list.
 