Wilders Security Forums  

  #1  
Old August 7th, 2004, 01:58 PM
Rita Rita is offline
Infrequent Poster
 
Join Date: Jun 2004
Location: wilds of wv
Posts: 6,859
Default firewall question

Hey everyone
Last night I noticed my firewall icon blinking so I clicked up the security log and it said someone was scanning ports, so I did a backtrace and it gave this message: % objects are in RPSL format. What does this mean?
thanks
Rita
__________________
Don't smoke too much, drink too much, eat too much or work too much. We're all on the road to the grave -- but there's no need to be in the passing lane."
  #2  
Old August 7th, 2004, 02:38 PM
nadirah nadirah is offline
Massive Poster
 
Join Date: Oct 2003
Posts: 3,647
Default Re: firewall question

Rita, try www.dnsstuff.com, its website can trace the IP address of the person who scanned you.
I also have been getting several port scans these days, anyway all my ports are stealthed out 100%.
Eg:
Somebody is scanning your computer.
Your computer's TCP ports:
2745, 5000, 6129, 3140 and 80 have been scanned from **********
  #3  
Old August 7th, 2004, 02:41 PM
Dazed_and_Confused Dazed_and_Confused is offline
Very Frequent Poster
 
Join Date: Mar 2004
Location: USA
Posts: 1,831
Default Re: firewall question

Not an expert on this stuff, but here is what I believe is happening. When you did a trace, the IP of the intruder is looked up in an Internet Registry. The data displayed is in a format known as RPSL, or Routing Policy Specification Language. See here and here.
__________________
Daisey

Sean Connery: "Scotch, straight up. Any Single Malt will do."
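To make the RPSL explanation above concrete, here is an added example (not part of the original thread) that reads a registry reply of this kind: lines starting with `%` are server comments, data comes as `attribute: value` lines grouped into objects by blank lines, and indented lines continue the previous value. The sample reply, its addresses and the `summarize` helper are constructed for illustration.

```python
# Constructed sample reply (documentation address range, example.net names).
SAMPLE_WHOIS = """\
% Objects are in RPSL format.

inetnum:        192.0.2.0 - 192.0.2.255
netname:        EXAMPLE-NET
descr:          Example broadband pool
                (dynamic addresses)
country:        KR
remarks:        report abuse to the role below  # not to admin-c

role:           Example Abuse Desk
abuse-mailbox:  abuse@example.net
e-mail:         noc@example.net
"""

def parse_rpsl(text):
    """Split a whois reply into objects, each a list of (attribute, value)."""
    objects, current = [], []
    for raw in text.splitlines():
        if raw.startswith("%"):          # server comment, e.g. the RPSL notice
            continue
        if not raw.strip():              # blank line closes the current object
            if current:
                objects.append(current)
            current = []
            continue
        body = raw.split("#", 1)[0]      # '#' starts an end-of-line comment
        if raw[0] in " \t+":             # continuation of the previous value
            if current:
                attr, value = current[-1]
                current[-1] = (attr, (value + " " + body[1:].strip()).strip())
            continue
        attr, sep, value = body.partition(":")
        if sep:
            current.append((attr.strip().lower(), value.strip()))
    if current:
        objects.append(current)
    return objects

def summarize(objects):
    """Collect the network, country and the mailbox to send a report to."""
    fields = {}
    for obj in objects:
        for attr, value in obj:
            fields.setdefault(attr, []).append(value)
    contacts = fields.get("abuse-mailbox") or fields.get("e-mail", [])
    return {"network": fields.get("inetnum", [None])[0],
            "country": fields.get("country", [None])[0], "report_to": contacts}
```
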
  #4  
Old August 7th, 2004, 02:57 PM
Rita Rita is offline
Infrequent Poster
 
Join Date: Jun 2004
Location: wilds of wv
Posts: 6,859
Question Re: firewall question

Quote:
Originally Posted by nadirah
Rita, try www.dnsstuff.com, its website can trace the IP address of the person who scanned you.
I also have been getting several port scans these days, anyway all my ports are stealthed out 100%.
Eg:
Somebody is scanning your computer.
Your computer's TCP ports:
2745, 5000, 6129, 3140 and 80 have been scanned from **********

Hi Nadirah
I traced the IP address for both that were scanning ports and they were earthlink network and enjoy world from Seoul Korea--thanks for the link. What does this mean? Is it important? Excuse my ignorance, but if firewall is flashing have these scans been blocked?
thanks
Rita
Rita
__________________
Don't smoke too much, drink too much, eat too much or work too much. We're all on the road to the grave -- but there's no need to be in the passing lane."
  #5  
Old August 7th, 2004, 03:03 PM
Rita Rita is offline
Infrequent Poster
 
Join Date: Jun 2004
Location: wilds of wv
Posts: 6,859
Default Re: firewall question

Quote:
Originally Posted by Dazed_and_Confused
Not an expert on this stuff, but here is what I believe is happening. When you did a trace, the IP of the intruder is looked up in an Internet Registry. The data displayed is in a format known as RPSL, or Routing Policy Specification Language. See here and here.

Hi Daisey
Thanks for link. I went and read it but I'm afraid I didn't really understand any of it. I have so much to learn, sometimes it's overwhelming. Thank you for trying to help. Someday I will understand, I promise.
thanks
Rita
__________________
Don't smoke too much, drink too much, eat too much or work too much. We're all on the road to the grave -- but there's no need to be in the passing lane."
  #6  
Old August 7th, 2004, 05:14 PM
CrazyM CrazyM is offline
Firewall Moderator
 
Join Date: Feb 2002
Location: BC, Canada
Posts: 2,433
Default Re: firewall question

Hi Rita

If you are ever curious about the IPs showing up in your firewall logs, it is better to use one of the online lookup sites like nadirah linked to. If you do these queries via options in your firewall and on your own system, some of these lookups and traceroutes will result in your system contacting the system being queried and you could end up showing up in their logs (so much for stealth if you are concerned about that).

Quote:
I traced the IP address for both that were scanning ports and they were earthlink network and enjoy world from Seoul Korea--thanks for the link. What does this mean? Is it important?
It is normal to see scans and worm activity coming from all over the globe.

Quote:
Excuse my ignorance, but if firewall is flashing have these scans been blocked?
Yes your firewall has blocked these unsolicited inbound packets.

Regards,

CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks."
- Bruce Schneier
  #7  
Old August 8th, 2004, 03:21 AM
nadirah nadirah is offline
Massive Poster
 
Join Date: Oct 2003
Posts: 3,647
Default Re: firewall question

Quote:
Originally Posted by ritaann
hi Nadirah
I traced the IP address for both that were scanning ports and they were earthlink network and enjoy world from Seoul Korea--thanks for the link. What does this mean? Is it important? Excuse my ignorance, but if firewall is flashing have these scans been blocked?
thanks
Rita
Rita

Yes, any firewall will block these scans. More importantly, make sure all your ports are either blocked/stealthed.
  #8  
Old August 8th, 2004, 06:41 PM
JRosenfeld JRosenfeld is offline
Regular Poster
 
Join Date: Jul 2004
Posts: 117
Default Re: firewall question

A good site for look up is
http://centralops.net/co/DomainDossier.aspx
It gives options of databases; often if one doesn't have it the other does.
  #9  
Old August 8th, 2004, 07:57 PM
Rita Rita is offline
Infrequent Poster
 
Join Date: Jun 2004
Location: wilds of wv
Posts: 6,859
Default Re: firewall question

Quote:
Originally Posted by CrazyM
Hi Rita

If you are ever curious about the IPs showing up in your firewall logs, it is better to use one of the online lookup sites like nadirah linked to. If you do these queries via options in your firewall and on your own system, some of these lookups and traceroutes will result in your system contacting the system being queried and you could end up showing up in their logs (so much for stealth if you are concerned about that).


It is normal to see scans and worm activity coming from all over the globe.


Yes your firewall has blocked these unsolicited inbound packets.

Regards,

CrazyM

Hi CrazyM
Thank you for your reply, and if I do any more traces I'll use an online lookup site that Nadirah linked me to as you said. --is there really any benefit to doing a backtrace if the firewall has blocked them other than just curiosity? I have never used a firewall till about 2 weeks ago so I don't know much about them.
thanks
rita
__________________
Don't smoke too much, drink too much, eat too much or work too much. We're all on the road to the grave -- but there's no need to be in the passing lane."
  #10  
Old August 8th, 2004, 07:59 PM
Rita Rita is offline
Infrequent Poster
 
Join Date: Jun 2004
Location: wilds of wv
Posts: 6,859
Default Re: firewall question

Quote:
Originally Posted by JRosenfeld
A good site for look up is
http://centralops.net/co/DomainDossier.aspx
It gives options of databases; often if one doesn't have it the other does.


Hi
Thank you for the link--I'll check it out

Rita
__________________
Don't smoke too much, drink too much, eat too much or work too much. We're all on the road to the grave -- but there's no need to be in the passing lane."
  #11  
Old August 10th, 2004, 09:19 AM
Arin Arin is offline
Frequent Poster
 
Join Date: May 2004
Location: India
Posts: 997
Default Re: firewall question

Dear ritaann, portscans are very common and most of the time harmless when you're using a good firewall. So no need to lose sleep over this matter unless you have a regular visitor. Most people select a random block for portscan and if for some reason someone is hellbent on your IP then you should report this attack to his/her ISP. Try to hide your IP as much as you can, especially if you're using a static one. Most ISPs don't tolerate portscanning so I'm sure there will be some action.
__________________
If it was so, it might be; and if it were so, it would be; but as it isn't, it ain't. That's logic. ~ Twiddledee
  #12  
Old August 10th, 2004, 07:32 PM
Rita Rita is offline
Infrequent Poster
 
Join Date: Jun 2004
Location: wilds of wv
Posts: 6,859
Default Re: firewall question

Quote:
Originally Posted by CrazyM
Hi Rita

If you are ever curious about the IPs showing up in your firewall logs, it is better to use one of the online lookup sites like nadirah linked to. If you do these queries via options in your firewall and on your own system, some of these lookups and traceroutes will result in your system contacting the system being queried and you could end up showing up in their logs (so much for stealth if you are concerned about that).


It is normal to see scans and worm activity coming from all over the globe.


Yes your firewall has blocked these unsolicited inbound packets.

Regards,

CrazyM

Hi CrazyM
Could you tell me about executable files? Firewall was flashing and I looked at the security log and it was an executable file outgoing from a spyware scanner I have (a squared two) that was blocked. What does this mean? Anything?
thanks
rita
__________________
Don't smoke too much, drink too much, eat too much or work too much. We're all on the road to the grave -- but there's no need to be in the passing lane."
  #13  
Old August 11th, 2004, 12:41 AM
CrazyM CrazyM is offline
Firewall Moderator
 
Join Date: Feb 2002
Location: BC, Canada
Posts: 2,433
Default Re: firewall question

Quote:
Originally Posted by ritaann
--is there really any benefit to doing a backtrace if the firewall has blocked them other than just curiosity?
Curiosity mostly, as users sometimes like to see where all those scans showing up in their logs are coming from. Some may like to monitor logs for trends which would include things like source IPs (and where they are) and ports being scanned. If you were ever to experience a real attack, then information provided by some of these utilities would be helpful in determining who to contact if you were to follow up on it. (Don't worry, most home users never experience a real attack.)

Quote:
Could you tell me about executable files? Firewall was flashing and I looked at the security log and it was an executable file outgoing from a spyware scanner I have (a squared two) that was blocked. What does this mean? Anything?
Does this program that was blocked have an update feature that may have been trying to access the Internet? You will need to confirm that it is a trusted program, and if so, do you want to create a rule to allow it access to the Internet. I take it your current settings are blocking anything not allowed out, the alternative being to have the firewall prompt?

Regards,

CrazyM
__________________
"The best thing we can do in cyberspace is exactly what we do in the real world: do our best to manage the risks."
- Bruce Schneier
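The log-trend monitoring mentioned in the post above, and the "regular visitor" case from post #11, can be sketched as follows. This is an added example, not part of the original thread: it assumes alerts in the wording quoted in post #2, written one per line with a date prefix, and the log lines, addresses and `min_days` threshold are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed log: the alert wording quoted in the thread, put on one line with
# an assumed date prefix and documentation-range source addresses.
SAMPLE_LOG = """\
2004-08-07 Your computer's TCP ports: 2745, 5000, 6129, 3140 and 80 have been scanned from 192.0.2.10
2004-08-07 Your computer's TCP ports: 135 and 445 have been scanned from 198.51.100.7
2004-08-08 Your computer's TCP ports: 2745, 6129 and 80 have been scanned from 192.0.2.10
2004-08-09 Your computer's TCP ports: 2745 and 80 have been scanned from 192.0.2.10
2004-08-09 Rule set reloaded
"""

ALERT = re.compile(
    r"^(\d{4}-\d{2}-\d{2}) Your computer's TCP ports: (.+) "
    r"have been scanned from (\S+)$"
)


def scan_trends(log_text, min_days=3):
    """Tally scanned ports and flag sources that return on several days."""
    port_hits = Counter()
    days_by_source = defaultdict(set)
    for line in log_text.splitlines():
        match = ALERT.match(line.strip())
        if match is None:            # not a port-scan alert; skip it
            continue
        day, ports, source = match.groups()
        port_hits.update(int(p) for p in re.findall(r"\d+", ports))
        days_by_source[source].add(day)
    return {
        "top_ports": port_hits.most_common(3),
        "days_seen": {src: len(days) for src, days in days_by_source.items()},
        "regular_visitors": sorted(
            src for src, days in days_by_source.items() if len(days) >= min_days
        ),
    }
```

A source that appears once is background noise; one listed under `regular_visitors` is the case where the registry's abuse contact becomes worth looking up.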
  #14  
Old August 11th, 2004, 02:32 PM
Rita Rita is offline
Infrequent Poster
 
Join Date: Jun 2004
Location: wilds of wv
Posts: 6,859
Default Re: firewall question

Quote:
Originally Posted by CrazyM
Curiosity mostly, as users sometimes like to see where all those scans showing up in their logs are coming from. Some may like to monitor logs for trends which would include things like source IPs (and where they are) and ports being scanned. If you were ever to experience a real attack, then information provided by some of these utilities would be helpful in determining who to contact if you were to follow up on it. (Don't worry, most home users never experience a real attack.)


Does this program that was blocked have an update feature that may have been trying to access the Internet? You will need to confirm that it is a trusted program, and if so, do you want to create a rule to allow it access to the Internet. I take it your current settings are blocking anything not allowed out, the alternative being to have the firewall prompt?

Regards,

CrazyM


Hi CrazyM
Yes, this program does have an update feature and I have already checked yes to allow it to access internet when the firewall prompted me one day and I clicked yes not to ask me again. But I bet it's what it is anyway. Thanks so much for your reply
Rita
__________________
Don't smoke too much, drink too much, eat too much or work too much. We're all on the road to the grave -- but there's no need to be in the passing lane."
  #15  
Old August 16th, 2004, 09:41 PM
mismis29 mismis29 is offline
Regular Poster
 
Join Date: Jul 2004
Location: Ottawa, Canada
Posts: 74
Default Re: firewall question

Hey all

I've been reading all the posts and must say that you guys are full of great advice! I was just wondering where to go to test my firewall?

Thanx a bunch!

Last edited by mismis29 : August 16th, 2004 at 10:28 PM. Reason: to enable e-mail notification
  #16  
Old August 16th, 2004, 11:29 PM
Devinco Devinco is offline
Very Frequent Poster
 
Join Date: Jul 2004
Posts: 2,524
Post Re: firewall question

Hi mismis29,

Try the Shields Up at GRC.com.
Click on the Shields up picture, then scroll down near the bottom of the page for the Shields up link.
There are other good ones too, but GRC is pretty fast.
  #17  
Old August 17th, 2004, 12:00 AM
mismis29 mismis29 is offline
Regular Poster
 
Join Date: Jul 2004
Location: Ottawa, Canada
Posts: 74
Default Re: firewall question

Thanx for the suggestion! I'll give it a try.
  #18  
Old August 17th, 2004, 12:02 AM
Tassie_Devils Tassie_Devils is offline
Global Moderator
 
Join Date: May 2002
Location: State Queensland, Australia
Posts: 2,506
Default Re: firewall question

Hi mismis29.... yes that GRC site listed by Devinco is very good, it was probably one of the first out there.

There are 3 main tests you can take there. File Sharing, Common Ports and All Service Ports. Also check to see if you can be Messenger Spammed, and Browser Headers info.

Also, you may like to try this lot out in THIS Thread.

I've listed a lot of sites for various tests, etc. including AVs, Browsers, Firewalls.

Have fun.

Cheers, TAS
__________________
I'm feeling much better now since all the other people in my head and I, are working as a team!
 


All times are GMT -4. The time now is 05:39 PM.

