Intrusion attempt by netmike assessor administrator???

Discussion in 'other firewalls' started by ghodgson, Apr 3, 2004.

Thread Status:
Not open for further replies.
  1. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    784
    Location:
    UK
    Dear Wilders,
    I have NIS installed on my XP system which performs very well. Recently I have had alerts telling me I was under attack using port 3150, which I see is described as being used by the "Netmike assessor administrator". What or who is this??
    I have also had attacks using port 52264, which is described as private?? Can anybody enlighten me as to these intrusion attempts?
    Thanks Gordon
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Gordon

    Was this in the firewall logs prefixed by something like "Default Trojan ..."? If so, it will just be a scan to one of the default trojan rules in NIS. These rules block scans/connection attempts to ports commonly used by or associated with known malware. While the names can sound a little ominous, the firewall is blocking these and it does not mean you are infected in any way.

    I have never been a fan of these default trojan rules which are now up to around 70 :eek: and just delete them, replacing them with 2 custom block rules instead.

    Do you have more details from the log: protocol, source port?

    Regards,

    CrazyM
     
  3. ghodgson

    ghodgson Registered Member

    Joined:
    Dec 20, 2003
    Posts:
    784
    Location:
    UK
    Dear Crazy M, These were intrusion alerts, quite a few in number, and the alerts of course gave me their URL and the port. I did a WHOIS check to find out the source of the attack [as I put their URL address range into my Firewall restricted zone] to prevent further attempts. The attack was, I believe, from Holland in the port 3150 instance. I then looked up what port 3150 is primarily used for on GRC.com and the info was that 3150 is used by the 'netmike assessor administrator'. Hence my query as to who is this?? A similar scenario for the other port which was described as for private use by GRC.com. I just wondered what these ports are used for.
    I suppose a hacker can use any port they choose; last night I was bombarded 19 times from a computer with a URL of 12.222.111.135 using 4 different ports 60407, 55930, 55228, and 53868. This was over a period of about 30 minutes ... and I only have a dial up! The WHOIS told me this URL was originating in New York [I am in the UK]. So NIS is doing its job, thank God for firewalls.
    What 2 rules have you used to replace all the Trojan rules?
    My PC is clean, I have Ad-aware 6, Spybot S&D, SpywareBlaster, SpywareGuard, Norton AV and NIS so am not too worried about malware.
    Regards and thanks Gordon
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Hi Gordon

    When posting about firewall alerts and log entries it is helpful if you post full details: direction, protocol, source IP/port, destination IP/port (just xxx out your public IP).

    No real need to put them in the restricted zone. The firewall was already blocking them and will continue to do so.

    AtGuard/NIS Trojan Horse Settings/Final Block Rules

    Regards,

    CrazyM
     