I am running a NAT router and Outpost Pro. Last night I was constantly pinged by a Russian web site on TCP 2027. Outpost stopped the packets (I had it set to block every five minutes, so every five minutes a connection request was logged). The packets arrived constantly for several hours. Just wondering how they bypassed my router?
Make sure your router firewall is actually enabled and that you have block annonymous connection requests checked (or something along those lines).
Do you use a honey pot or participate in shadowserver? TCP 2027 is only used to report to shadowserver. If not did you recently upgrade the routers firmware?
Normally only three ways for inbound traffic bypassing the router: If you did a request or using a server By your configuration of the router A malfunction of the router (use the latest firmware) If you dont mind telling, which router model do you use? Regards, C.
Do you have any software running on your machine that requires to have any ports open ? Due to the way NAT works, as soon as you open a port ANY request is piped through, even pings/ICMP traffic, because the software you have listening on the port(s) could well need ping functionality and the router will not know...
When interpreting logs it helps to have some samples. If you could post some entries from your logs it would help in trying to determine what may have occurred. Regards, CrazyM
Not that I know of, checked Netstat (in TrojanHunter) a few are listed as listening but not that one.
These are just three of numerous Outpost Attack Detection Plugin (suspicious packets) 1/15/2006 11:15:02 PM 193.232.5.10 TCP (2027) 1/15/2006 11:10:17 PM 193.232.5.10 TCP (2027) 1/15/2006 11:05:32 PM 193.232.5.10 TCP (2027) I am not sure what the log entry is for this (error, scanner, monitor and pack?) Listed to (Whois): % Information related to '193.232.5.0 - 193.232.5.255' inetnum: 193.232.5.0 - 193.232.5.255 netname: IKI-LAN5 descr: Russian Space Science Internet descr: Space Research Institute (Dep. 86) descr: 84/32 Profsoyuznaya st. descr: 117997, Moscow descr: Russia country: RU admin-c: OAS19-RIPE admin-c: MNB1-RIPE tech-c: OAS19-RIPE tech-c: MNB1-RIPE notify: ***@rssi.ru rev-srv: mx.iki.rssi.ru rev-srv: adm.rssi.ru status: ASSIGNED PI mnt-by: RSSI-NOC mnt-lower: RSSI-NOC changed: ****@rssi.ru 19981014 changed: ****@rssi.ru 19990402 changed: **@rssi.ru 20020904 source: RIPE person: Michael N Boyarsky address: Space Research Institute address: 84/32 Profsoyuznaya address: 117810 Moscow address: Russia phone: +7 095 333 1488 fax-no: +7 095 913 3040 e-mail: ********@iki.rssi.ru nic-hdl: MNB1-RIPE changed: ********@iki.rssi.ru 19980115 source: RIPE person: Olga A Starostina address: Space Research Institute address: 84/32 Profsoyuznaya address: 117810 Moscow address: Russia remarks: phone: +7 095 333 3523 phone: +7 495 333 3523 remarks: fax-no: +7 095 913 3040 fax-no: +7 495 913 3040 e-mail: ***@space.ru nic-hdl: OAS19-RIPE changed: ****@rssi.ru 19990402 source: RIPE remarks: modified for Russian phone area changes changed: ********@ripe.net 20051216 % Information related to '193.232.0.0/19AS3218' route: 193.232.0.0/19 descr: Russian Space Science Internet origin: AS3218 mnt-by: RSSI-NOC changed: ****@rssi.ru 19990402 source: RIPE
A more complete firewall log would be helpful, that you are getting probed from this IP isn't the question, the question is why, do your logs show any outbound traffic near the time of these,like just before them perhaps? That router allows UP&P configuration of itself for some internet capable applications, did you disable up&p configuration settings in the router's settings? Maybe something changed your settings. Also how many computers are using the router? Do you have a network set up? The problem may be on another workstation in the network. Although that is unlikely since it is this machine getting hit. But something else inside the network perimeter maybe what was compromised, it's a possibility anyway.
GRC Port Authority Report created on UTC: 2006-01-18 at 02:42:35 Results from probe of port: 2027 0 Ports Open 0 Ports Closed 1 Ports Stealth --------------------- 1 Ports Tested THE PORT tested was found to be: STEALTH. TruStealth: PASSED - ALL tested ports were STEALTH, - NO unsolicited packets were received, - NO Ping reply (ICMP Echo) was received.
I'll recheck the settings. It is a single machine and a VOIP phone. Thanks for the suggestions. I will see if it happens again. Did several scans for rootkits and trojans. I will see if I can tie event to a Ourpost log.
I would also take a look at your router logs, if you have logging enabled, as well as your Windows event logs for anything out of the ordinary. If you don't have router logging enabled, you should enable it for now. Nick
Don't see anywhere for router logging on mine. Did check Windows and it showed a few "anonymous logon/off". I set Harden-it to level 2 now for restricting anonymous. Anyhow no other indications of anything wrong. It was just curious that Outpost was blocking packets. I had seen a few from time to time that outpost blocked inbound but this was continuous. Glad I have it.
Unfortunately it appears the Outpost Attack Detection Plugin is incomplete in it's logging. I take it those entries are Source IP, Protocol, Destination Port? Missing is the Source Port and Destination IP. The source port would help in determining what kind of traffic this may have been associated to: HTTP (80), NNTP (119), SMTP (25), etc. Does Outpost log all outbound connections? If so, you may want to check those logs to determine if you have any connections out to that IP. It could be these are just late packets from a valid connection that are being blocked. It is unlikely that anything has bypassed your router in the way of unsolicited inbound traffic. Then it would be a matter of determining who/what made the connection. Regards, CrazyM
Thnaks CrazyM - I have been away from my computer. I had the logs to clear after 3 days so the Sunday events probably are no longer there. I keep an eye on things and noticed there was no outbound activity on the GUI.
