Hacking Myself ???

Discussion in 'other firewalls' started by nervous noob, Jan 19, 2004.

Thread Status:
Not open for further replies.
  1. nervous noob

    nervous noob Guest

    My firewall detects connection requests from 127.0.0.1.
    Also something called My Address Attack.
    I can't seem to find useful info on this.
    Can someone explain this anomaly please?
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Can you post a part of the firewall log so we can see some details on the events? Also, what firewall is it?

    I'm going to move this to the "other firewalls" section in a little while because that'll be a better place to get help.
     
  3. nervous noob

    nervous noob Guest

    Thanks for responding.
    Firewall is Outpost free I have used 1 yr. This anomaly I have noted only recently.
    Is this the log info as you request? It is pasted from attack detection (plug-in) page.
    If you need the entire session log I can give it but I have to close first. I'll have it ready if you need it.

    01/19/2004 19:43:28   Port scanned   127.0.0.1 TCP(1455) TCP(1695)

    01/19/2004 19:43:28   Connection request   127.0.0.1   TCP(1455)

    01/19/2004 19:42:54   My address   127.0.0.1   

    01/19/2004 19:42:54   Connection request   127.0.0.1   TCP(1695)
     
  4. LowWaterMark

    LowWaterMark Administrator

    Actually a full log would be helpful. You can of course blank out your ISP provided public IP address, though make sure it's clear from the changes you make that it is just your address that has been removed. Also, leave any 127.0.0.1 or 0.0.0.0 references in place, and let us see all protocols, flags and even time stamps, so we can get a good idea about what is going on.
     
  5. nervous noob

    nervous noob Guest

    Here is partial copy of Attack Detection Log. I hope this is what you need to help me.
    Stupid program will not allow copy paste of logs, only line by line.
    There are other logs like Allowed, Blocked, DNS Cache, etc... all equally cryptic.
    Please let me know if you need more info.
    Thank you.

    Date/Time Attack Type Ip Address Scan Port Details

    01/20/2004 11:03:27   Port scanned   127.0.0.1   TCP(1108) TCP(1852)
    01/20/2004 11:02:37   My address   127.0.0.1   
    01/20/2004 11:02:37   Connection request   127.0.0.1   TCP(1852)
    01/20/2004 10:58:36   Port scanned   216.15.105.129   TCP(135)
    01/20/2004 11:15:31   Connection request   62.42.98.58   UDP(137)
    01/20/2004 11:14:56   Connection request   69.50.181.31   TCP(1182)
    01/20/2004 11:07:12   Port scanned   216.30.226.195   TCP(135)
    01/20/2004 11:07:12   Connection request   216.30.226.195   TCP(135)
    01/20/2004 11:03:27   Port scanned   127.0.0.1   TCP(1108) TCP(1852)
    01/20/2004 11:03:27   Connection request   127.0.0.1   TCP(1108)
    01/20/2004 11:02:37   My address   127.0.0.1   
    01/20/2004 11:02:37   Connection request   127.0.0.1   TCP(1852)
    01/20/2004 10:58:36   Connection request   216.15.105.129   TCP(135)
    01/20/2004 10:58:36   Connection request   216.15.105.129   TCP(135)
    01/20/2004 10:41:46   Port scanned   127.0.0.1   TCP(1138) TCP(1749)
    01/20/2004 10:41:46   Connection request   127.0.0.1   TCP(1138)
    01/20/2004 10:41:43   My address   127.0.0.1   
    01/20/2004 10:41:43   Connection request   127.0.0.1   TCP(1749)
    01/20/2004 10:30:56   Port scanned   127.0.0.1   TCP(1805) TCP(1541)
    01/20/2004 10:30:56   Connection request   127.0.0.1   TCP(1805)
    01/20/2004 10:30:39   Connection request   127.0.0.1   TCP(1541)
    01/20/2004 10:25:38   My address   127.0.0.1   
    01/20/2004 10:25:38   Connection request   127.0.0.1   TCP(1567)
    01/19/2004 20:58:45   Connection request   64.12.164.228   TCP(1523)
    01/19/2004 20:56:45   Connection request   64.12.164.228   TCP(1523)
    01/19/2004 20:56:41   Port scanned   68.93.194.20   TCP(135)
    01/19/2004 20:56:41   Connection request   68.93.194.20   TCP(135)
    01/19/2004 20:54:45   Connection request   64.12.164.228   TCP(1523)
    01/19/2004 20:54:28   Connection request   209.235.232.177   TCP(1415)
    01/19/2004 20:53:24   Connection request   209.235.232.177   TCP(1415)
    01/19/2004 20:52:45   Connection request   64.12.164.228   TCP(1523)
    01/19/2004 20:52:19   Connection request   209.235.232.177   TCP(1415)
    01/19/2004 20:52:01   Connection request   201.128.68.149   UDP(137)
    01/19/2004 20:51:16   Connection request   209.235.232.177   TCP(1415)
    01/19/2004 20:51:11   Connection request   64.12.164.228   TCP(1523)
    01/19/2004 20:50:31   Port scanned   127.0.0.1   TCP(1951) TCP(1455)
    01/19/2004 20:50:31   Connection request   127.0.0.1   TCP(1951)
    01/19/2004 20:50:16   My address   127.0.0.1   
    01/19/2004 20:50:16   Connection request   127.0.0.1   TCP(1455)
    01/19/2004 20:50:12   Connection request   209.235.232.177   TCP(1415)
    01/19/2004 20:48:33   Connection request   216.124.53.80   TCP(1433)
    01/19/2004 20:42:19   Port scanned   216.31.4.41   TCP(135)
    01/19/2004 20:42:19   Connection request   216.31.4.41   TCP(135)
    01/19/2004 20:42:19   Connection request   216.31.4.41   TCP(135)
    01/19/2004 20:40:51   Connection request   216.31.2.135   TCP(135)
    01/19/2004 20:34:33   Connection request   61.88.104.51   TCP(6129)
    01/19/2004 20:33:51   Port scanned   80.133.53.21   TCP(135)
    01/19/2004 20:33:51   Connection request   80.133.53.21   TCP(135)
    01/19/2004 20:32:30   My address   127.0.0.1   
    01/19/2004 20:32:30   Connection request   127.0.0.1   TCP(1067)

    BTW, all entries for 01/20 are from sitting right here at Wilders if that means anything.
     
  6. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I'm a long time user of Outpost and I have never seen anything named my address, but I still do not see anything to be alarmed about. It looks like Outpost is effectively blocking a lot of internet background scans and connection attempts, but that does not indicate any problem.
    You might try the Outpost Forum and see if anyone has any ideas about what you are experiencing. It's been a long time since I have used version 1 and you might find someone there that is still using it.
     
  7. Sumire

    Sumire Registered Member

    Joined:
    Sep 26, 2002
    Posts:
    43
    Location:
    Japan
    I'm not an Outpost user, but looking at your Outpost log (source IP address spoofed port scan), this must be MS Blaster or Nachi type worm leftovers.

    Here is a good description of source IP address spoofed port scan issues.
    http://archives.neohapsis.com/archives/snort/2003-09/0034.html

    I've discussed source IP address spoofed (127.0.0.1) port scans many times on another Outpost-related forum. You don't need to worry about this type of port scan; Outpost just drops unnecessary packets.

    Best Regards
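
One way to triage an Attack Detection log like the one posted in this thread, separating entries with a 127.0.0.1 source from entries with routable sources. This is an added example, not part of any post above and not Outpost's own code; the sample lines are constructed in the thread's column layout, and `parse_line` and `triage` are hypothetical helper names.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the column layout of the log quoted in the thread.
# External sources use documentation addresses (RFC 5737), not real hosts.
SAMPLE_LOG = """\
Date/Time Attack Type Ip Address Scan Port Details
01/20/2004 11:03:27   Port scanned   127.0.0.1   TCP(1108) TCP(1852)
01/20/2004 11:02:37   My address   127.0.0.1
01/20/2004 11:02:37   Connection request   127.0.0.1   TCP(1852)
01/20/2004 10:58:36   Port scanned   192.0.2.10   TCP(135)
01/20/2004 10:58:36   Connection request   192.0.2.10   TCP(135)
01/20/2004 10:50:02   Connection request   198.51.100.7   UDP(137)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<kind>.+?)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})"
    r"(?P<rest>.*)$"
)
PORT_RE = re.compile(r"(TCP|UDP)\((\d+)\)")


def parse_line(line):
    """Return one parsed event, or None for headers and blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ports = [(proto, int(port)) for proto, port in PORT_RE.findall(m["rest"])]
    return {"ts": m["ts"], "kind": m["kind"], "src": m["src"], "ports": ports}


def triage(log_text):
    """Group logged ports by source, split into loopback and routable sources."""
    buckets = {"loopback": defaultdict(set), "external": defaultdict(set)}
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None:
            continue
        # 127.0.0.0/8 is never a valid source on a network interface, so a
        # loopback source is spoofed or local traffic, not a remote host.
        is_lo = ipaddress.ip_address(event["src"]).is_loopback
        buckets["loopback" if is_lo else "external"][event["src"]].update(event["ports"])
    return {name: {ip: sorted(p) for ip, p in srcs.items()} for name, srcs in buckets.items()}
```

Calling `triage(SAMPLE_LOG)` returns the ports seen per source under the `loopback` and `external` keys, which makes it easy to see which local ports the 127.0.0.1-sourced entries touched.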
     