Constantly under attack by same I.P.


CarlWinter
June 26th, 2005, 02:54 PM
In my kerio intrusion log it tells me that there is constant trojan activity from the same I.P. and it gives me http://www.whitehats.com/info/IDS105 as the url. Should I be concerned about this? Obviously I am, so is there anything I can do to make this person stop hounding me. I'm fairly open to fighting fire with fire. Any suggestions?

P.S. I'm pretty new to the security scene (if that wasn't already obvious).

LowWaterMark
June 26th, 2005, 03:11 PM
Hi Carl, welcome to the forum!

When looking at events in your firewall log, the first thing to know is that there will be a lot of incoming traffic blocked there, which is perfectly normal and is not harmful to your computer. Really, that's why you have a firewall running - to block undesirable traffic coming in towards you from the Internet.

Now, whenever asking questions about specific firewall events, it's a good idea to post several samples of it from the log so that they can be analyzed. All parts of the data from the log except for your own IP address are needed in order to determine exactly what's going on. If you do post a log sample, then just block out your own IP address.

From the URL reference it gave you, it is simply telling you the traffic it blocked follows the pattern described at that site... most likely an incoming scan on a specific port that has been associated with that pattern.

The most important thing of course is that it blocked the traffic, which is why it is logged there. So, researching it further is mostly for informational purposes and to learn more about just what types of things you'll see in a firewall while you are connected to the Internet.

CarlWinter
June 26th, 2005, 04:30 PM
Thank you for your quick response Water. Do you have any idea what they are trying to do? Here is a small example from my log:

[26/Jun/2005 10:57:39] "Ids" action = 'denied', raddr = '220.253.6.132', msg = 'BACKDOOR trojan active deltasource', url = 'http://www.whitehats.com/info/IDS105', direc = 'in', class = 'successful-user', priority = high

[26/Jun/2005 10:57:44] "Ids" action = 'denied', raddr = '142.179.238.30', msg = 'BACKDOOR trojan active deltasource', url = 'http://www.whitehats.com/info/IDS105', direc = 'in', class = 'successful-user', priority = high

[26/Jun/2005 10:58:05] "Ids" action = 'denied', raddr = '220.253.6.132', msg = 'BACKDOOR trojan active deltasource', url = 'http://www.whitehats.com/info/IDS105', direc = 'in', class = 'successful-user', priority = high

[26/Jun/2005 10:58:52] "Ids" action = 'denied', raddr = '220.253.6.132', msg = 'BACKDOOR trojan active deltasource', url = 'http://www.whitehats.com/info/IDS105', direc = 'in', class = 'successful-user', priority = high

What is whitehats.com anyway? Thanks again for your help.

CrazyM
June 26th, 2005, 05:05 PM
Hi Carl

-{ Quote: "Do you have any idea what they are trying to do? Here is a small example from my log:

[26/Jun/2005 10:57:39] "Ids" action = 'denied', raddr = '220.253.6.132', msg = 'BACKDOOR trojan active deltasource', url = 'http://www.whitehats.com/info/IDS105', direc = 'in', class = 'successful-user', priority = high" }-
That is an unsolicited inbound packet that has been dropped by your IDS as it matches a known signature.

-{ Quote: "What is whitehats.com anyway?" }-
whitehats.com has nothing to do with the unsolicited packet(s), but was a reference site where you could get more details on that particular signature. Not sure if they are actually still up and running. The inclusion of their url in the logs caused a lot of confusion with some users and resulted in numerous invalid complaints suggesting they were the source of the scans.

Which version of Kerio are you running?

Regards,

CrazyM

Syncman9
June 26th, 2005, 07:54 PM
Whitehats is no longer running, and later versions of Kerio were changed to prevent this confusion.

I think to some degree you have to accept that there are many infected machines on the internet, and to some degree there is little you can do about them.

I tend to view these hits as background noise when using the internet, par for the course of using the internet.

It's only if you get 100s of hits in a very short space of time, and you're not running any P2P software, that you might want to consider contacting your ISP.
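The four log lines Carl posted above all share one layout: a bracketed timestamp, the quoted "Ids" record type, then comma-separated `key = 'value'` pairs (with `priority` logged unquoted). The script below is an added example, not code from the thread or from Kerio: it parses that layout, summarises the blocked events per remote address, and applies the rule of thumb from this post (a burst of hundreds of hits from one source in a short time is worth a second look, a trickle is background noise). The threshold of 100 hits in a 10-minute window is an assumption for illustration, not a Kerio setting; the extra log lines beyond the four posted ones are constructed sample data using documentation (TEST-NET) addresses.

```python
"""Parse Kerio Personal Firewall 4.x IDS log lines in the format posted in this
thread, summarise them per remote address, and flag sources whose hit rate goes
beyond "background noise".

Added example; not code from the original thread or from Kerio.  The burst
threshold and window are illustrative assumptions, not Kerio settings.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# [26/Jun/2005 10:57:39] "Ids" action = 'denied', raddr = '...', ... priority = high
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\]\s+"(?P<kind>[^"]+)"\s+(?P<rest>.*)$')
# key = 'quoted value'  or  key = bare_value   (priority is logged unquoted)
FIELD_RE = re.compile(r"(\w+)\s*=\s*(?:'([^']*)'|([^,\s]+))")
TS_FMT = "%d/%b/%Y %H:%M:%S"


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"kind": m.group("kind"), "ts": datetime.strptime(m.group("ts"), TS_FMT)}
    for f in FIELD_RE.finditer(m.group("rest")):
        key, quoted, bare = f.group(1), f.group(2), f.group(3)
        ev[key] = quoted if quoted is not None else bare
    return ev


def inbound_ids_events(lines):
    """Parsed events, limited to inbound IDS matches (the kind shown in the thread)."""
    for line in lines:
        ev = parse_line(line)
        if ev and ev["kind"] == "Ids" and ev.get("direc") == "in":
            yield ev


def summarize(lines):
    """Per-source hit count, first/last timestamp and distinct signature messages."""
    per_src = defaultdict(list)
    for ev in inbound_ids_events(lines):
        per_src[ev["raddr"]].append(ev)
    summary = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        summary[src] = {
            "count": len(evs),
            "first": evs[0]["ts"],
            "last": evs[-1]["ts"],
            "msgs": sorted({e.get("msg", "") for e in evs}),
        }
    return summary


def burst_sources(lines, threshold=100, window=timedelta(minutes=10)):
    """Sources with >= threshold denied events inside any sliding time window.

    Returns {raddr: peak_count_in_window}.  Threshold/window are assumptions.
    """
    times = defaultdict(list)
    for ev in inbound_ids_events(lines):
        times[ev["raddr"]].append(ev["ts"])
    flagged = {}
    for src, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts):
            while t - ts[start] > window:  # slide the left edge of the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged


def _kerio_line(ts, raddr):
    """Build a constructed log line in the posted format (sample data, not real traffic)."""
    return (f"[{ts.strftime(TS_FMT)}] \"Ids\" action = 'denied', raddr = '{raddr}', "
            "msg = 'BACKDOOR trojan active deltasource', "
            "url = 'http://www.whitehats.com/info/IDS105', direc = 'in', "
            "class = 'successful-user', priority = high")


# The four lines quoted in the thread, verbatim.
POSTED_LINES = [
    "[26/Jun/2005 10:57:39] \"Ids\" action = 'denied', raddr = '220.253.6.132', msg = 'BACKDOOR trojan active deltasource', url = 'http://www.whitehats.com/info/IDS105', direc = 'in', class = 'successful-user', priority = high",
    "[26/Jun/2005 10:57:44] \"Ids\" action = 'denied', raddr = '142.179.238.30', msg = 'BACKDOOR trojan active deltasource', url = 'http://www.whitehats.com/info/IDS105', direc = 'in', class = 'successful-user', priority = high",
    "[26/Jun/2005 10:58:05] \"Ids\" action = 'denied', raddr = '220.253.6.132', msg = 'BACKDOOR trojan active deltasource', url = 'http://www.whitehats.com/info/IDS105', direc = 'in', class = 'successful-user', priority = high",
    "[26/Jun/2005 10:58:52] \"Ids\" action = 'denied', raddr = '220.253.6.132', msg = 'BACKDOOR trojan active deltasource', url = 'http://www.whitehats.com/info/IDS105', direc = 'in', class = 'successful-user', priority = high",
]
# Constructed extras (TEST-NET addresses): a 150-hit burst in five minutes from one
# source, and a slow trickle of 30 hits over three hours from another.
_T0 = datetime(2005, 6, 26, 11, 0, 0)
SAMPLE_LOG = POSTED_LINES + [
    _kerio_line(_T0 + timedelta(seconds=2 * i), "203.0.113.7") for i in range(150)
] + [
    _kerio_line(_T0 + timedelta(hours=1, minutes=6 * i), "198.51.100.9") for i in range(30)
]

if __name__ == "__main__":
    for src, s in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["count"]):
        print(f"{src:16} {s['count']:4d} hits  {s['first']} .. {s['last']}  {', '.join(s['msgs'])}")
    print("burst sources:", burst_sources(SAMPLE_LOG))
```

Run it as-is to see the summary for the sample data; to use it on a real Kerio log, replace `SAMPLE_LOG` with the lines read from the log file. Only the constructed burst source trips the threshold; the three hits from 220.253.6.132 in the posted excerpt do not, which is the point of the post above: a handful of dropped packets from one address is noise, not a reason to act.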

Kerodo
June 26th, 2005, 08:25 PM
-{ Quote: "In my kerio intrusion log it tells me that there is constant trojan activity from the same I.P. and it gives me http://www.whitehats.com/info/IDS105 as the url. Should I be concerned about this? Obviously I am, so is there anything I can do to make this person stop hounding me. I'm fairly open to fighting fire with fire. Any suggestions?

P.S. I'm pretty new to the security scene (if that wasn't already obvious)." }-
Why even worry about it? If you have a firewall installed, and it's blocking the activity, then there is no problem, and it will eventually stop when they tire of hitting your machine for no reason. If they get nothing out of it, then they are unlikely to continue for long. If it does continue, then who cares anyway? It's not hurting anything. That's what your firewall is for... :)

The Hammer
June 26th, 2005, 10:02 PM
-{ Quote: "In my kerio intrusion log it tells me that there is constant trojan activity from the same I.P. and it gives me http://www.whitehats.com/info/IDS105 as the url. Should I be concerned about this? Obviously I am, so is there anything I can do to make this person stop hounding me. I'm fairly open to fighting fire with fire. Any suggestions?

P.S. I'm pretty new to the security scene (if that wasn't already obvious)." }-
Run the Shields Up test to make sure you're not visible to hackers on the internet. Symantec also has a test. http://grc.com/default.htm http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym

meneer
June 27th, 2005, 05:23 AM
If you're really bothered by this, you could always send a mail to abuse @ provider.extension. You have to figure out who that is, but by checking the origin of the offending ip address online, i.e. samspade.org, you should be able to find out who to inform.

CarlWinter
June 27th, 2005, 11:44 AM
Thank you all very much for your input, I feel quite reassured. I guess I need to get the new version of Kerio (I'm now running 4.1.3). Is my log saying that I have a trojan that this user is trying to access, but is getting denied? Or is the user attempting to send a trojan? Shields Up is very cool Hammer :) How do I close an open port?

Syncman9
June 27th, 2005, 01:37 PM
CarlWinter,

Your log is indicating that Kerio has blocked a packet which has the hallmarks of a trojan attempting to infect your machine.

It was blocked because Kerio felt the packet contained matching features to its reference version of this trojan attack.

However the packet was blocked by the IDS (Intrusion Defence System) element of the firewall, and as such this can be prone to false alarms.

If you wish to continue using Kerio, it's probably a good idea to keep it up to date, since they update the IDS rules as part of these updates.