Firewall Log - hacker

Discussion in 'other firewalls' started by Barney83, Mar 13, 2013.

Thread Status:
Not open for further replies.
  1. Barney83

    Barney83 Registered Member

    Joined:
    Mar 13, 2013
    Posts:
    5
    Location:
    USA
    Last edited: Mar 14, 2013
  2. alexandrud

    alexandrud Developer

    Joined:
    Apr 14, 2011
    Posts:
    1,231
    Location:
    Romania
    To me, it says that your system clock is 10 years behind. Other than that, what should we see ? Use http://networktools.nl/whois to find who is registered at that address and send them an email with your concerns. See what they have to say. :)
     
  3. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,734
    if RTC (cmos clock) is behind, renew your cmos battery. with this date you can not check digital certificates, they were all outdates and thats a big security issue.

    IP http://img1.imagebanana.com/img/dq2md5e2/Gold.png http://whois.domaintools.com/66.70.78.30

    next problem - that firewall seems to be crap
    hello? either it turned stupid or someone has allowed that action

    i assume you are using a modem only, no router. with router you wont have that incoming traffic.
     
  4. Seer

    Seer Registered Member

    Joined:
    Feb 12, 2007
    Posts:
    1,596
    Location:
    Singidunum
    This is a packet log, not a log of blocked connections.

    Hello Barney, welcome.

    As it happens, there is a post a couple of years old posing the same question as yours, here. The IP in question is identical, except... there is no mention of that IP in logs from that post.
    Now, if we wish to continue this thread we would need to know all of the specifics related to these log entries (software used to collect logs, OSes in question, more log entries, etc...). Otherwise, blindliy deciphering (or guessing better yet) what is happening behind log entries will get us nowhere. To me, from these 3 you posted here it looks like all is normal.
     
  5. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    I'll stick my neck out "blindly deciphering" (great phrase, Seer) and GUESSING.
    NetScreen is or was a Juniper Networks enterprise level router-and-more, used often for VPN and tons of other things. The log looks like a router log of all packets. Possibly accepting inbound packets to one of many servers, perhaps a VPN server, hooked to the router where the local DNS service runs for looking up local servers, and quite possibly remote servers. Inbound to 443 might be https login via some RSA key or other security device.

    What's really baffling is how can today's log have virtually identical date entries to the one Seer referenced?
     
  6. Barney83

    Barney83 Registered Member

    Joined:
    Mar 13, 2013
    Posts:
    5
    Location:
    USA
    I want to tell this to everybody that this is assignment in one of the security classes - forensic data. Prof told us to observe the same. That's why i thought I might get some answer as I have done quite a search and couldn't found anything.
     
  7. Barney83

    Barney83 Registered Member

    Joined:
    Mar 13, 2013
    Posts:
    5
    Location:
    USA
    I don't think this its normal because as I mentioned this is assignment and Prof has told us that - Assume the IP address of 66.70.78.30 is the "bad guy"- what is he trying to do here. Also, for more log entries the link you provided is provided by prof. Thats the same data, if you can found out something, it would be great.

    What I think is 'bad guy' is trying to contact different webservers and hacks into the system.
     
  8. Barney83

    Barney83 Registered Member

    Joined:
    Mar 13, 2013
    Posts:
    5
    Location:
    USA
    Probably Prof is giving same assignment since these many years.. What baffling to me is in this age of Internet, I cant get answer. Now on this forum, we can give help to all those students who are wondering for the answers. :)
     
  9. act8192

    act8192 Registered Member

    Joined:
    Nov 9, 2006
    Posts:
    1,274
    You never mentioned until post#6 today it's not your log but some class assignment so don't try to offend people who try to help, so your reply in post#7 is impolite.

    Still not sure what you want. Lets' assume, we are talking about what I suggested and that assumption maybe totally wrong of course since you gave no other details and I have no idea what your prof wants.
    Read these:
    http://en.wikipedia.org/wiki/Virtual_private_network
    http://www.cisco.com/en/US/docs/sec...r/security_manager/3.3/user/guide/vpchap.html
    http://www.isaserver.org/img/upl/vpnkitbeta2/dnsvpn.htm
    Why those? because I see packets to port 53 on 10.100.0.110 which implies a DNS server, and packets to 10.100.0.109, different box and port 443, normally used for https activity one of which might be login to get permissions to login to the company resources.
    Device-id and Policy-id means nothing to someone not familiar with this router. It's some rule somebody setup.
     
  10. Barney83

    Barney83 Registered Member

    Joined:
    Mar 13, 2013
    Posts:
    5
    Location:
    USA
    I just want to inform that I am not asking just because its 'homework' thing. This is stuff which could help analyze stuff as well. Still, I am sorry to anybody if I have offended. I thought that people discuss issues than I might can as well. Really sorry. And thanks to all who take out time to respond on my post.
     
  11. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,189
    Location:
    USA
    Go do your own homework. Read your book like a good student. :rolleyes:
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,877
    Location:
    New England
    I have to agree. Let's close this thread here. I can't imagine that a Professor wanted students to simply go on to a website and ask other people for the answers. There must have been more direction given, and the means through which you could get the answers for yourself.

    Barney83, you are welcome to be here, but, just don't post homework assignments in the future.
     
Loading...
Thread Status:
Not open for further replies.