Velocity Reviews - Computer Hardware Reviews

Firewall query

 
 
Andy Kelly
Guest
Posts: n/a
 
      09-07-2004
I've just checked my firewall log for the first time.

There are loads of entries like this:
07 September 2004 18:20:12 Unrecognized access from 61.150.xx.y:zzzzz to TCP
port 21
07 September 2004 18:21:17 Unrecognized access from 82.120.xxx.yyy:zzzz to
UDP port 1680
07 September 2004 18:43:55 Unrecognized access from 222.138.xxx.yyy:zzzz to
TCP port 9898
07 September 2004 18:51:19 Unrecognized access from 12.188.xxx.yyy:zzzzz to
UDP port 1028

Are these hackers trying to look at my LAN? And if so, are they getting
through?

The firewall is part of my D-Link DI-604 broadband router.

Andy


 
 
 
 
 
why?
Guest
Posts: n/a
 
      09-07-2004

On Tue, 07 Sep 2004 20:18:09 GMT, Andy Kelly wrote:

>I've just checked my firewall log for the first time.
>
>There are loads of entries like this:
>07 September 2004 18:20:12 Unrecognized access from 61.150.xx.y:zzzzz to TCP
>port 21


Port 21 - FTP, can't tell about the source as you blanked the 3rd and
4th octets.

>07 September 2004 18:21:17 Unrecognized access from 82.120.xxx.yyy:zzzz to
>UDP port 1680


The other port numbers are generally for any purpose, from the
registered port range.
http://www.iana.org/assignments/port-numbers

>07 September 2004 18:43:55 Unrecognized access from 222.138.xxx.yyy:zzzz to
>TCP port 9898
>07 September 2004 18:51:19 Unrecognized access from 12.188.xxx.yyy:zzzzz to
>UDP port 1028


With so few examples, different IPs, and no pattern of IPs / ports, it's hard
to tell.


>Are these hackers trying to look at my LAN? And if so, are they getting
>through?


Doesn't your router manual tell you what it does with unrecognised
access connections?

>The firewall is part of my D-Link DI-604 broadband router.


You could try a whois / samspade (search 24HSHD past posts, Google
Groups) search on the full IP addresses and report the connections to
the appropriate carrier / service provider.

I use filtering on the router and Outpost on the PC works quite well.

Me
 
 
 
 
 
Andy Kelly
Guest
Posts: n/a
 
      09-07-2004
> Port 21 - FTP, can't tell about the source as you blanked the 3rd and
> 4th octets.


I thought it would be a good idea to blank out anything to identify someone.
How about this (just rebooted the router so not too many at the moment):

07 September 2004 22:12:53 Unrecognized access from 221.143.42.254:41755 to UDP port 1026
07 September 2004 22:12:53 Unrecognized access from 221.143.42.254:41755 to UDP port 1027
07 September 2004 22:12:53 Unrecognized access from 221.143.42.254:41755 to UDP port 1028
07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3108 to TCP port 2745
07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3111 to TCP port 1025
07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3114 to TCP port 3127
07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3115 to TCP port 6129
07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3117 to TCP port 80
07 September 2004 22:23:49 Unrecognized access from 12.115.161.85:21960 to UDP port 1028

> >Are these hackers trying to look at my LAN? And if so, are they getting
> >through?

>
> Doesn't your router manual tell you what it does with unrecognised
> access connections?
>


The manual is appalling. It tells you how to set the options but not what
they actually do.


 
 
why?
Guest
Posts: n/a
 
      09-07-2004

On Tue, 07 Sep 2004 21:27:52 GMT, Andy Kelly wrote:

>> Port 21 - FTP, can't tell about the source as you blanked the 3rd and
>> 4th octets.

>
>I thought it would be a good idea to blank out anything to identify someone.


Expected that, it's sometimes a grey area.

>How about this (just rebooted the router so not too many at the moment):
>


The line wraps make it difficult to read....

>07 September 2004 22:12:53 Unrecognized access from 221.143.42.254:41755 to UDP port 1026
>07 September 2004 22:12:53 Unrecognized access from 221.143.42.254:41755 to UDP port 1027
>07 September 2004 22:12:53 Unrecognized access from 221.143.42.254:41755 to UDP port 1028

The above, at the same time, look like a scan with consecutive ports; the
IP (using Visual Route) is

inetnum: 221.138.0.0 - 221.143.255.255
netname: HANANET
descr: Hanaro Telecom, Inc.
descr: 726, JangHang-2dong, ILSAN-Gu, Goyang-Si, Kyonggi-Do
country: KR
admin-c: IS37-AP
tech-c: SH243-AP
descr: ************************************************
descr: Allocated to KRNIC Member.
descr: If you would like to find assignment
descr: information in detail please refer to
descr: the KRNIC Whois Database at:
descr: "http://whois.nic.or.kr/english/index.html"
descr: ************************************************
status: ALLOCATED PORTABLE
mnt-by: MNT-KRNIC-AP




>07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3108 to TCP port 2745
>07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3111 to TCP port 1025
>07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3114 to TCP port 3127
>07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3115 to TCP port 6129
>07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3117 to TCP port 80


Above, again timing and ports look like a scan.

inetnum: 145.254.15.0 - 145.254.15.255
netname: ARCOR-BACKBONE-KAR-NET1
descr: Arcor AG & Co
descr: Alfred-Herrhausen-Allee 1
descr: D-65760 Eschborn
descr: Germany
country: DE


>07 September 2004 22:23:49 Unrecognized access from 12.115.161.85:21960 to
>UDP port 1028


CustName: AT&T Worldnet Services
Address: 412 Mount Kemble Ave.
Address: P.O. Box 1995
City: Morristown
StateProv: NJ
PostalCode: 07962
Country: US
RegDate: 2003-11-26
Updated: 2003-11-26

NetRange: 12.112.0.0 - 12.119.255.255
CIDR: 12.112.0.0/13
NetName: ATTSVI-12-112-0-0
NetHandle: NET-12-112-0-0-1
Parent: NET-12-0-0-0-1
NetType: Reassigned



>> >Are these hackers trying to look at my LAN? And if so, are they getting


The Korea ones usually are.

>> >through?


They shouldn't be. One way to tell is running a software firewall / IDS
(Intrusion Detection System) like BlackIce http://www.iss.net/ on the
PC. It shouldn't see anything the router FW blocks.

>> Doesn't your router manual tell you what it does with unrecognised
>> access connections?
>>

>
>The manual is appalling. It tells you how to set the options but not what
>they actually do.
>


Generally if the router / firewall warns it should also be dropping the
attempts.

Me
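
Added example (not part of any post in this thread): a small Python parser for the "Unrecognized access" log format shown above that applies the reasoning in the reply, flagging one source that hits several different ports within a few seconds. The 5-second window and the 3-port threshold are assumptions chosen for illustration; the sample entries are the ones posted in the thread, unwrapped to one per line.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Entries as posted in the thread, unwrapped to one per line.
SAMPLE_LOG = """\
07 September 2004 22:12:53 Unrecognized access from 221.143.42.254:41755 to UDP port 1026
07 September 2004 22:12:53 Unrecognized access from 221.143.42.254:41755 to UDP port 1027
07 September 2004 22:12:53 Unrecognized access from 221.143.42.254:41755 to UDP port 1028
07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3108 to TCP port 2745
07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3111 to TCP port 1025
07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3114 to TCP port 3127
07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3115 to TCP port 6129
07 September 2004 22:20:44 Unrecognized access from 82.82.72.91:3117 to TCP port 80
07 September 2004 22:23:49 Unrecognized access from 12.115.161.85:21960 to UDP port 1028
"""

ENTRY = re.compile(
    r"(?P<ts>\d{2} \w+ \d{4} \d{2}:\d{2}:\d{2}) Unrecognized access from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) to "
    r"(?P<proto>TCP|UDP) port (?P<dport>\d+)"
)

def parse(text):
    """Yield (timestamp, source_ip, (proto, dest_port)) for each entry."""
    flat = " ".join(text.split())  # undo line wraps added by mail/news clients
    for m in ENTRY.finditer(flat):
        ts = datetime.strptime(m["ts"], "%d %B %Y %H:%M:%S")
        yield ts, m["src"], (m["proto"], int(m["dport"]))

def find_scans(text, window=timedelta(seconds=5), min_ports=3):
    """Return {source_ip: sorted [(proto, port), ...]} for every source that
    probed at least min_ports distinct ports within window.
    Both thresholds are illustrative assumptions, not router settings."""
    by_src = defaultdict(list)
    for ts, src, target in parse(text):
        by_src[src].append((ts, target))
    flagged = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            # distinct targets seen from this hit until the window closes
            ports = {p for t, p in hits[i:] if t - start <= window}
            if len(ports) >= min_ports:
                flagged[src] = sorted(ports)
                break
    return flagged
```

Calling find_scans(SAMPLE_LOG) flags 221.143.42.254 and 82.82.72.91 and leaves the single probe from 12.115.161.85 unflagged.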
 
 
Andy Kelly
Guest
Posts: n/a
 
      09-08-2004
Thanks for that. Very informative.

Andy


 