Probed a whole bunch, why?????

Discussion in 'other firewalls' started by Phoenix22, Feb 14, 2002.

Thread Status:
Not open for further replies.
  1. Phoenix22

    Phoenix22 Registered Member

    Joined:
    Feb 10, 2002
    Posts:
    45
    Location:
    R&R Finally!
    14 times in a few minutes........but why o_O
    I am new to this probing stuff.........so I'll post the info from Whois........can you tell me why and why??

    IANA (IANA-CBLK-RESERVED)
    Internet Assigned Numbers Authority

    4676 Admiralty Way, Suite 330

    Marina del Rey, CA 90292-6695

    US

    Netname: IANA-CBLK1
    Netblock: 192.168.0.0 - 192.168.255.255

    Coordinator:
    Internet Corporation for Assigned Names and Numbers (IANA-ARIN) res-ip@iana.org
    (310) 823-9358

    Domain System inverse mapping provided by:

    BLACKHOLE-1.IANA.ORG 192.0.32.18
    BLACKHOLE-2.IANA.ORG 192.0.32.19

    These blocks are reserved for special purposes.
    Please see RFC 1918 for additional information.

    Record last updated on 12-Oct-2001.
    Database last updated on 13-Feb-2002 19:56:13 EDT.

    The ARIN Registration Services Host contains ONLY Internet
    Network Information: Networks, ASN's, and related POC's.
    Please use the whois server at rs.internic.net for DOMAIN related
    Information and whois.nic.mil for NIPRNET Information.
    *******************************************
    this is from the za log file.........
    ZoneAlarm Logging Client v2.6.362
    Windows 98-4.10.2222- A -SP
    type,date,time,source,destination,transport


    FWIN,2002/02/14,16:30:53 -5:00 GMT,192.168.202.49:53,12.245.6.xxx:1388,UDP
    FWIN,2002/02/14,16:30:57 -5:00 GMT,192.168.202.42:53,12.245.6.xxx:1390,UDP
    FWIN,2002/02/14,16:30:57 -5:00 GMT,192.168.202.52:53,12.245.6.xxx:1391,UDP
    FWIN,2002/02/14,16:31:00 -5:00 GMT,192.168.202.43:53,12.245.6.xxx:1395,UDP
    FWIN,2002/02/14,16:31:00 -5:00 GMT,192.168.202.42:53,12.245.6.xxx:1396,UDP
    FWIN,2002/02/14,16:31:03 -5:00 GMT,192.168.202.43:53,12.245.6.xxx:1399,UDP
    FWIN,2002/02/14,16:31:04 -5:00 GMT,192.168.202.46:53,12.245.6.xxx:1400,UDP
    FWIN,2002/02/14,16:31:04 -5:00 GMT,192.168.202.46:53,12.245.6.xxx:1407,UDP
    FWIN,2002/02/14,16:31:07 -5:00 GMT,192.168.202.44:53,12.245.6.xxx:1411,UDP
    FWIN,2002/02/14,16:31:09 -5:00 GMT,192.168.202.43:53,12.245.6.xxx:1414,UDP
    FWIN,2002/02/14,16:31:13 -5:00 GMT,192.168.202.50:53,12.245.6.xxx:1416,UDP
    FWIN,2002/02/14,16:31:16 -5:00 GMT,192.168.202.45:53,12.245.6.xxx:1423,UDP
    FWIN,2002/02/14,16:31:23 -5:00 GMT,192.168.202.48:53,12.245.6.xxx:1426,UDP


    I may be old .......but I ain't dead..............yet.....
    t-you for your help, gang
    & let me know what else you need..............
    jd-phoenix22
     
  2. Zhen-Xjell

    Zhen-Xjell Security Expert

    Joined:
    Feb 8, 2002
    Posts:
    1,397
    Location:
    Ohio
    [It's been brought to my attention that 12.x.x.x is your IP? If this is correct, you may want to edit your IP out, and I'll edit it out of my post. I'm leaving soon, very tired and can't think. So let me just remove the IP just in case from my post.]
     
  3. Phoenix22

    Phoenix22 Registered Member

    sure that was my ip.........but they don't last long w/attbi
     
  4. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    Meaning you don't have a static IP number. Conclusion is as well, it's not your system in particular that has been targeted, but at least one IP Range - probably the one from your ISP.

    Probes like these occur fairly often, and can have different sources. CodeRed and Nimda are examples of this.

    Since your Firewall is taking care of the probes, I wouldn't worry about these incoming alerts. Time to worry when you encounter (blocked) outgoing firewall alerts, unknown to you.

    regards.

    paul
     
  5. Phoenix22

    Phoenix22 Registered Member

    Paul: Thanks for clarifying that.......................I didn't think it was an issue but, what got my attention was the multiple probes.....I began to think ......oh, so you really want in my system......
     
  6. Paul Wilders

    Paul Wilders Administrator

    My pleasure, Phoenix22.

    regards.

    paul
     
  7. Ron_P

    Ron_P Registered Member

    Joined:
    Feb 14, 2002
    Posts:
    15
    The IP is in the private range and UDP 53 is DNS. Are you on a network that runs a DNS server? If not it's probably spoofed but your FW is working :)
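
The check Ron_P describes, as an added example that is not part of the original thread: parse ZoneAlarm log rows, count inbound packets whose source address is in an RFC 1918 block, and note how many are shaped like DNS replies (UDP from port 53 to a high port). The first three sample rows come from the log above; the last two rows and the `FWOUT` row type for blocked outbound traffic are assumptions.

```python
import csv
import ipaddress
from collections import Counter

# RFC 1918 private blocks: not routable on the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# First three entries are from the thread; the last two are constructed.
# The FWOUT row type for blocked outbound traffic is an assumption.
SAMPLE_LOG = """\
type,date,time,source,destination,transport
FWIN,2002/02/14,16:30:53 -5:00 GMT,192.168.202.49:53,12.245.6.xxx:1388,UDP
FWIN,2002/02/14,16:30:57 -5:00 GMT,192.168.202.42:53,12.245.6.xxx:1390,UDP
FWIN,2002/02/14,16:31:00 -5:00 GMT,192.168.202.42:53,12.245.6.xxx:1396,UDP
FWIN,2002/02/14,16:31:05 -5:00 GMT,198.51.100.7:4021,12.245.6.xxx:80,TCP
FWOUT,2002/02/14,16:31:09 -5:00 GMT,12.245.6.xxx:1401,203.0.113.9:6667,TCP
"""

def split_endpoint(endpoint):
    """Return (ip_address or None if redacted, port or None) for 'addr:port'."""
    host, sep, port = endpoint.rpartition(":")
    if not sep:                      # no port present, e.g. an ICMP entry
        host, port = endpoint, ""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:               # redacted address such as 12.245.6.xxx
        addr = None
    return addr, int(port) if port.isdigit() else None

def triage(log_text):
    """Summarise private-source inbound rows and blocked outbound rows."""
    private_src, dns_shaped, outbound = Counter(), 0, []
    for row in csv.DictReader(log_text.splitlines()):
        src, sport = split_endpoint(row["source"])
        _, dport = split_endpoint(row["destination"])
        if row["type"] == "FWOUT":   # the alerts Paul says deserve attention
            outbound.append(row["destination"])
            continue
        if src is not None and any(src in net for net in RFC1918):
            private_src[str(src)] += 1
            if (row["transport"].startswith("UDP") and sport == 53
                    and dport is not None and dport >= 1024):
                dns_shaped += 1      # looks like a DNS reply to a client port
    return {"private_sources": dict(private_src),
            "dns_reply_shaped": dns_shaped, "outbound": outbound}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
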
     
  8. Phoenix22

    Phoenix22 Registered Member

    Guess I was a little extra paranoid about this and have since run a test on the f/w........determined it may have been looking at my group, however, I could not be seen.........case closed......and we are stealthy.......t-you one and all....
     