
Please give your input on this firewall activity.

post #1 of 5
Thread Starter 
SecureNetworks SG565 as my WAP/Firewall. The activity below is the first type of activity of this type that I've seen (as reported by the SG565 system log).

I'd like any help or recommendations (or information) that you may offer.

Thanks,
Paul


---begin snip---
Jul 25 17:04:44 snort: [1:1365:5] WEB-ATTACKS rm command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 71.58.76.180:3363 -> 64.154.80.254:80

Jul 25 17:04:44 last message repeated 1 time(s)

Jul 25 17:04:44 snort: [1:1365:5] WEB-ATTACKS rm command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 71.58.76.180:3366 -> 64.154.80.254:80

Jul 25 17:04:53 last message repeated 1 time(s)

Jul 25 19:05:07 snort: [1:1333:6] WEB-ATTACKS id command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 71.58.76.180:4277 -> 66.11.60.164:80

Jul 25 19:05:57 snort: [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 71.58.76.180:3492 -> 128.118.5.249:443

Jul 25 19:09:56 last message repeated 7 time(s)

Jul 25 19:09:56 snort: [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 71.58.76.180:3491 -> 128.118.5.249:443

Jul 25 19:11:43 last message repeated 1 time(s)

Jul 25 19:14:27 snort: [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 71.58.76.180:3492 -> 128.118.5.249:443

Jul 25 19:14:57 last message repeated 1 time(s)

Jul 25 19:14:57 snort: [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [Classification: Attempted Administrator Privilege Gain ] [Priority: 1]: {TCP} 71.58.76.180:3491 -> 128.118.5.249:443

Jul 25 19:24:50 dhcpd[290]: DHCPINFORM from 192.168.0.101

Jul 25 19:32:46 last message repeated 1 time(s)

Jul 25 19:32:46 snort: [1:2182:8] BACKDOOR typot trojan traffic [Classification: A Network Trojan was detected ] [Priority: 1]: {TCP} 207.6.153.229:26221 -> 71.58.76.180:5900

Jul 25 19:33:01 snort: [1:1365:5] WEB-ATTACKS rm command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 71.58.76.180:4477 -> 64.154.82.6:80

Jul 25 19:33:02 last message repeated 1 time(s)

Jul 25 19:33:02 snort: [1:1365:5] WEB-ATTACKS rm command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 71.58.76.180:4485 -> 64.154.83.66:80

Jul 25 19:33:02 last message repeated 1 time(s)

Jul 25 19:33:02 snort: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK {TCP} 71.58.76.180:4486 -> 216.83.187.76:80

Jul 25 19:33:02 snort: [1:1365:5] WEB-ATTACKS rm command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 71.58.76.180:4487 -> 64.154.83.66:80

Jul 25 19:33:02 last message repeated 1 time(s)

Jul 25 19:33:02 snort: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK {TCP} 71.58.76.180:4488 -> 216.83.187.76:80

Jul 25 19:33:21 snort: [1:1365:5] WEB-ATTACKS rm command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 71.58.76.180:4506 -> 64.154.83.66:80

Jul 25 19:33:37 last message repeated 1 time(s)

Jul 25 19:33:37 snort: [1:1365:5] WEB-ATTACKS rm command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 71.58.76.180:4529 -> 64.154.83.66:80

Jul 25 19:46:27 last message repeated 1 time(s)

Jul 25 20:12:31 snort: [1:1365:5] WEB-ATTACKS rm command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 71.58.76.180:1434 -> 64.154.83.66:80

Jul 25 20:12:42 last message repeated 1 time(s)

Jul 25 20:12:42 snort: [1:1365:5] WEB-ATTACKS rm command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 71.58.76.180:1467 -> 64.154.83.66:80

Jul 25 20:19:21 snort: [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 71.58.76.180:4760 -> 66.37.213.18:443

Jul 25 20:22:04 snort: [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 71.58.76.180:4793 -> 66.37.213.18:443

Jul 25 20:22:28 snort: [1:895:7] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 71.58.76.180:1775 -> 207.46.225.221:80

Jul 25 20:22:29 snort: [1:895:7] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 71.58.76.180:1776 -> 207.46.225.221:80

Jul 25 20:22:30 snort: [1:895:7] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 71.58.76.180:1777 -> 207.46.225.221:80

Jul 25 20:22:31 snort: [1:895:7] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 71.58.76.180:1784 -> 65.55.184.253:80

Jul 25 20:22:31 snort: [1:895:7] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 71.58.76.180:1785 -> 65.55.184.253:80

Jul 25 20:22:31 snort: [1:895:7] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 71.58.76.180:1786 -> 65.55.184.253:80

Jul 25 20:22:31 snort: [1:895:7] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 71.58.76.180:1792 -> 65.55.184.253:80

Jul 25 20:22:32 snort: [1:895:7] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 71.58.76.180:1793 -> 65.55.184.253:80

Jul 25 20:22:32 snort: [1:895:7] WEB-CGI redirect access [Classification: Attempted Information Leak] [Priority: 2]: {TCP} 71.58.76.180:1794 -> 65.55.184.253:80

Jul 25 20:26:20 snort: [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 71.58.76.180:4781 -> 143.84.62.4:443

Jul 25 20:32:21 snort: [1:2182:8] BACKDOOR typot trojan traffic [Classification: A Network Trojan was detected] [Priority: 1]: {TCP} 121.159.190.225:60499 -> 71.58.76.180:5900

Jul 25 20:33:53 snort: [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5! {TCP} 70.84.23.146:0 -> 71.58.76.180:0

Jul 25 20:43:16 snort: [1:2515:9] WEB-MISC PCT Client_Hello overflow attempt [Classification: Attempted Administrator Privilege Gain] [Priority: 1]: {TCP} 71.58.76.180:4995 -> 66.37.213.18:443
---end snip---
post #2 of 5
Find a good security forum.

We see those sorts of alerts in our hardware firewall at work all the time.

Some of them are genuine logged/prevented attacks ... some are daily and normal activity within our LAN that the firewall sees as a possible attack.

You have to do a *lot* of reading online in various network security forums to get a grip on everything you might read in your log.

Most of it will not be worth losing any sleep over.

Some good starting forums:

Snort.org: http://www.snort.org/reg-bin/forums.cgi
Network Security Forum: http://www.networksecuritytech.com/
PacketDefense: http://www.packetdefense.com/

...

Search on your various log file line data and then just start reading, mang!

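One way to act on the advice above, as an added example that is not code from the thread or from the SG565: a small Python script that parses the exact syslog format in the first post, folds the "last message repeated N time(s)" lines into the alert they refer to (and ignores them when they follow a non-Snort line such as the dhcpd entry), and groups hits by direction relative to the firewall's WAN address. The WAN address is assumed here to be 71.58.76.180, the address that appears on one side of every alert in the posted log; the sample lines are a constructed subset of that log.

```python
import re
from collections import defaultdict
# Alert line as the SG565 logs it; classification/priority are absent on preprocessor alerts.
ALERT_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d snort: \[\d+:(?P<sid>\d+):\d+\] (?P<msg>.+?)"
    r"(?: \[Classification: (?P<cls>[^\]]*)\])?(?: \[Priority: \d+\])?:? "
    r"\{\w+\} (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)
REPEAT_RE = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d last message repeated (?P<n>\d+) time\(s\)$")

# Constructed sample: a few lines quoted from the log posted in the thread.
SAMPLE = """\
Jul 25 17:04:44 snort: [1:1365:5] WEB-ATTACKS rm command attempt [Classification: Web Application Attack] [Priority: 1]: {TCP} 71.58.76.180:3363 -> 64.154.80.254:80
Jul 25 17:04:44 last message repeated 1 time(s)
Jul 25 19:24:50 dhcpd[290]: DHCPINFORM from 192.168.0.101
Jul 25 19:32:46 last message repeated 1 time(s)
Jul 25 19:32:46 snort: [1:2182:8] BACKDOOR typot trojan traffic [Classification: A Network Trojan was detected ] [Priority: 1]: {TCP} 207.6.153.229:26221 -> 71.58.76.180:5900
Jul 25 19:33:02 snort: [119:2:1] (http_inspect) DOUBLE DECODING ATTACK {TCP} 71.58.76.180:4486 -> 216.83.187.76:80
Jul 25 20:33:53 snort: [116:46:1] (snort_decoder) WARNING: TCP Data Offset is less than 5! {TCP} 70.84.23.146:0 -> 71.58.76.180:0
"""
def parse_snort_syslog(text):
    """One dict per alert. 'last message repeated N time(s)' is folded into the
    preceding alert only when that preceding line was itself a Snort alert."""
    alerts, last = [], None
    for line in filter(None, map(str.strip, text.splitlines())):
        if m := ALERT_RE.match(line):
            last = {**m.groupdict(), "cls": (m["cls"] or "").strip(),
                    "dport": int(m["dport"]), "count": 1}
            alerts.append(last)
        elif (r := REPEAT_RE.match(line)) and last is not None:
            last["count"] += int(r["n"])
        else:
            last = None  # dhcpd etc.: a following "repeated" line refers to it, not to Snort
    return alerts

def triage(alerts, wan_ip):
    """Group by direction relative to the WAN address and by signature. Outbound (WAN is
    source) is usually a LAN client tripping a web rule while browsing; inbound is a probe."""
    out = defaultdict(lambda: {"count": 0, "peers": set(), "dports": set()})
    for a in alerts:
        direction = "outbound" if a["src"] == wan_ip else "inbound" if a["dst"] == wan_ip else "transit"
        entry = out[(direction, a["sid"], a["msg"])]
        entry["count"] += a["count"]
        entry["peers"].add(a["dst"] if direction == "outbound" else a["src"])
        entry["dports"].add(a["dport"])
    return dict(out)
if __name__ == "__main__":  # assumed WAN address: the one on one side of every alert above
    for key, e in sorted(triage(parse_snort_syslog(SAMPLE), "71.58.76.180").items()):
        print(key, e["count"], sorted(e["peers"]), sorted(e["dports"]))
```

Run it against the full log from the first post and the outbound WEB-ATTACKS hits to ports 80/443 separate cleanly from the two inbound entries (the typot signature on 5900 and the decoder warning), which is the split the replies above are describing.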
post #3 of 5
Yeah, seriously, a lot of the overflows will be users in the network... sometimes it's as easy as printing a 12-page document...
post #4 of 5
Thread Starter 
Thanks to both of you. Rep+ for the quick and informed responses.


Now, if I can only sleep tonight....hopefully the Russian studies don't keep me up longer than worrying about someone trying to hack my industrial-strength firewall......

-p
post #5 of 5
Quote:
Originally Posted by P.Johnston
Thanks to both of you. Rep+ for the quick and informed responses.


Now, if I can only sleep tonight....hopefully the Russian studies don't keep me up longer than worrying about someone trying to hack my industrial-strength firewall......

-p
Just to keep you on your toes, a parting comment:

Someone may well *be* trying to hack your industrial-strength firewall.

No side is ever the winner. Hacks take a step forward, Defense takes a step back, Defense takes a step forward, Hacks take a step back, Hacks take a step forward ...

You get the idea, I'm sure.

Just stay on top of your game, read a lot and realize that if your firewall is listing it, then it's (99% of the time) stopping it.

(and keep your firmware updated!)
