Constantly under attack by same I.P.

Discussion in 'other firewalls' started by CarlWinter, Jun 26, 2005.

Thread Status:
Not open for further replies.
  1. CarlWinter

    CarlWinter Registered Member

    Joined:
    Jun 26, 2005
    Posts:
    3
    In my kerio intrusion log it tells me that there is constant trojan activity from the same I.P. and it gives me http://www.whitehats.com/info/IDS105 as the url. Should I be concerned about this? Obviously I am, so is there anything I can do to make this person stop hounding me. I'm fairly open to fighting fire with fire. Any suggestions?

    P.S. I'm pretty new to the security scene (if that wasn't already obvious).
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Hi Carl, welcome to the forum!

    When looking at events in your firewall log, the first thing to know is that there will be a lot of incoming traffic blocked there, which is perfectly normal and that is not harmful to your computer. Really, that's why you have a firewall running - to block undesirable traffic coming in towards you from the Internet.

    Now, whenever asking questions about specific firewall events, it's a good idea to post several samples of it from the log so that they can be analyzed. All parts of the data from the log except for your own IP address are needed in order to determine exactly what's going on. If you do post a log sample, then just block out your own IP address.

    From the URL reference it gave you, it is simply telling you the traffic it blocked follows the pattern described at that site... most likely an incoming scan on a specific port that has been associated with that pattern.

    The most important thing of course is that it blocked the traffic, which is why it is logged there. So, researching it further is mostly for informational purposes and to learn more about just what types of things you'll see in a firewall while you are connected to the Internet.
     
  3. CarlWinter

    CarlWinter Registered Member

    Joined:
    Jun 26, 2005
    Posts:
    3
    Thank you for your quick response Water. Do you have any idea what they are trying to do? Here is a small example from my log:

    [26/Jun/2005 10:57:39] "Ids" action = 'denied', raddr = '220.253.6.132', msg = 'BACKDOOR trojan active deltasource', url = 'http://www.whitehats.com/info/IDS105', direc = 'in', class = 'successful-user', priority = high

    [26/Jun/2005 10:57:44] "Ids" action = 'denied', raddr = '142.179.238.30', msg = 'BACKDOOR trojan active deltasource', url = 'http://www.whitehats.com/info/IDS105', direc = 'in', class = 'successful-user', priority = high

    [26/Jun/2005 10:58:05] "Ids" action = 'denied', raddr = '220.253.6.132', msg = 'BACKDOOR trojan active deltasource', url = 'http://www.whitehats.com/info/IDS105', direc = 'in', class = 'successful-user', priority = high

    [26/Jun/2005 10:58:52] "Ids" action = 'denied', raddr = '220.253.6.132', msg = 'BACKDOOR trojan active deltasource', url = 'http://www.whitehats.com/info/IDS105', direc = 'in', class = 'successful-user', priority = high

    What is whitehats.com anyway? Thanks again for your help.
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Carl

    That is an unsolicited inbound packet that has been dropped by your IDS as it matches a known signature.

    whitehats.com has nothing to do with the unsolicited packet(s), but was a reference site where you could get more details on that particular signature. Not sure if they are actually still up and running. The inclusion of their url in the logs caused a lot of confusion with some users and resulted in numerous invalid complaints suggesting they were the source of the scans.

    Which version of Kerio are you running?

    Regards,

    CrazyM
     
  5. Syncman9

    Syncman9 Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    113
    Location:
    UK
    Whitehats is no longer running, and later versions of Kerio were changed to prevent this confusion.

    I think to some degree you have to accept that there are many infected machines on the internet, and to some degree there is little you can do about them.

    I tend to view these hits as background noise when using the internet, par for the course of using the internet.

    It's only if you get 100s of hits in a very short space of time, and you're not running any P2P software, that you might want to consider contacting your ISP.
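As an added example (not code from this thread or from Kerio), here is a small Python parser for the IDS log format CarlWinter posted, applying Syncman9's rule of thumb by counting denied hits per source address inside a time window. The 100-hit threshold comes from the post above; the 5-minute window is an assumption made here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(  # Kerio 4.x IDS log line, in the format posted in this thread
    r"\[(?P<ts>[^\]]+)\] \"Ids\" action = '(?P<action>[^']*)', "
    r"raddr = '(?P<raddr>[^']*)',.*?direc = '(?P<direc>[^']*)'"
)

SAMPLE_LOG = [  # the four lines CarlWinter posted above, used here as sample input
    "[26/Jun/2005 10:57:39] \"Ids\" action = 'denied', raddr = '220.253.6.132', msg = 'BACKDOOR trojan active deltasource', url = 'http://www.whitehats.com/info/IDS105', direc = 'in', class = 'successful-user', priority = high",
    "[26/Jun/2005 10:57:44] \"Ids\" action = 'denied', raddr = '142.179.238.30', msg = 'BACKDOOR trojan active deltasource', url = 'http://www.whitehats.com/info/IDS105', direc = 'in', class = 'successful-user', priority = high",
    "[26/Jun/2005 10:58:05] \"Ids\" action = 'denied', raddr = '220.253.6.132', msg = 'BACKDOOR trojan active deltasource', url = 'http://www.whitehats.com/info/IDS105', direc = 'in', class = 'successful-user', priority = high",
    "[26/Jun/2005 10:58:52] \"Ids\" action = 'denied', raddr = '220.253.6.132', msg = 'BACKDOOR trojan active deltasource', url = 'http://www.whitehats.com/info/IDS105', direc = 'in', class = 'successful-user', priority = high",
]

def parse_line(line):
    """Fields of one IDS line as a dict, or None if the line does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y %H:%M:%S")
    return rec

def noisy_sources(lines, threshold=100, window=timedelta(minutes=5)):
    """Remote addresses with more than `threshold` denied inbound hits inside any
    `window`-long span, mapped to their peak count. The threshold follows the
    thread's "100s of hits in a short time" rule of thumb; the 5-minute window
    is an assumption made here, not a Kerio setting."""
    stamps = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        if rec["action"] == "denied" and rec["direc"] == "in":
            stamps[rec["raddr"]].append(rec["ts"])
    flagged = {}
    for addr, times in stamps.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[addr] = peak
    return flagged
```

With the default threshold the four posted lines flag nothing, which is the "background noise" outcome the post describes.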
     
  6. Kerodo

    Kerodo Registered Member

    Joined:
    Oct 5, 2004
    Posts:
    7,779
    Why even worry about it? If you have a firewall installed, and it's blocking the activity, then there is no problem, and it will eventually stop when they tire of hitting your machine for no reason. If they get nothing out of it, then they are unlikely to continue for long. If it does continue, then who cares anyway? It's not hurting anything. That's what your firewall is for... :)
     
  7. The Hammer

    The Hammer Registered Member

    Joined:
    May 12, 2005
    Posts:
    5,619
    Location:
    Toronto Canada
    Run Shields Up test to make sure you're not visible to hackers on the internet. Symantec also has a test. http://grc.com/default.htm http://security.symantec.com/sscv6/default.asp?productid=symhome&langid=ie&venid=sym
     
  8. meneer

    meneer Registered Member

    Joined:
    Nov 27, 2002
    Posts:
    1,132
    Location:
    The Netherlands
    If you're really bothered by this, you could always send a mail to abuse @ provider.extension. You have to figure out who that is, but by checking the origin of the offending ip address online, i.e. samspade.org, you should be able to find out who to inform.
     
  9. CarlWinter

    CarlWinter Registered Member

    Joined:
    Jun 26, 2005
    Posts:
    3
    Thank you all very much for your input, I feel quite reassured. I guess I need to get the new version of kerio (I'm now running 4.1.3.). Is my log saying that I have a trojan that this user is trying to access, but is getting denied? Or is the user attempting to send a trojan? Shields up is very cool Hammer :) How do I close an open port?
     
  10. Syncman9

    Syncman9 Registered Member

    Joined:
    Jul 28, 2004
    Posts:
    113
    Location:
    UK
    CarlWinter,

    Your log is indicating that kerio has blocked a packet which has the hallmarks of a trojan attempting to infect your machine.

    It was blocked because Kerio felt the packet contained matching features to its reference version of this trojan attack.

    However the packet was blocked by the IDS (Intrusion Defence System) element of the firewall, and as such this can be prone to false alarms.

    If you wish to continue using Kerio, it's probably a good idea to keep it up to date, since they update the IDS rules as part of these updates.
     