Is this firewall alert significant?

Discussion in 'other firewalls' started by pcalvert, Dec 10, 2005.

Thread Status:
Not open for further replies.
  1. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    Got an interesting alert from Kerio PF 2.1.5 today. I have noticed some network activity being allowed lately that I don't recall seeing in the past. So I edited one of the firewall rules to alert me if it matches. Today, when checking for email, I got the first alert:

    I did a check with SpamCop and found that 203.144.236.79 belongs to a computer in Thailand:
    host 203.144.236.79 = 203-144-236-79.static.asianet.co.th

    Now, what that seems to tell me is that my computer attempted to connect to a computer in Thailand, and it responded: "Destination Unreachable." Is that conclusion correct, or is there another possible explanation?

    BTW, there's no legitimate reason why my computer should be attempting to connect to that IP address.


    Phil
     
  2. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    One of those things that make you go hmmmm, and hard to track down depending on what you are logging. Are you logging all activity in KPF or have anything else in place, i.e. a router, that may be logging all connections?

    Logs of all connections would help in this case as you would be able to see what connections were being made that may have resulted in the one in question.

    Regards,

    CrazyM
     
  3. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    203
    Unfortunately, no.

    What worries me is that the ISP the IP address belongs to is known to be a haven for criminals involved in phishing. Learned that thanks to Google. Makes me wonder if there might be a keylogger of some sort on my computer.

    As a precaution, I created a rule in Kerio that blocks all outgoing connection attempts to the entire Asia/Pacific region. :D

    Whatever it is, if it tries to connect again I'll hopefully know about it and what's responsible.

    I'm now seriously considering purchasing the full version of Security Task Manager. If there's some hidden malware on my system, I'd like to know more about it. I could always just format and reinstall, but I'd like to find the malware (if there is any) so I can submit it for analysis.

    Phil
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    I've often wondered about Destination Unreachable - I log several each day, never from the same IP.

    I wonder if this might apply - from another forum:

    "In my experience most Dst URs are the result of DOS attacks by third parties who have used forged source addresses (some being yours). The result is that someone blocks the traffic at a router somewhere and unless they think to disable URs they spray out all over the net."

    And this:

    "Several months ago I noticed ICMP Destination Unreachable and Port Unreachable appearing in my router log. I started keeping track of my computer usage, and confirmed that several ICMP packets arrived when all my computers were powered off with their ethernet cables physically unplugged. So it must be that someone occasionally spoofs my IP address, and I get the bounced messages. That's probably what's happening to you too."

    Since my IP changes every time I dial up, I haven't worried about it.


    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
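The backscatter explanation Rmus quotes can be checked from the alert itself: an ICMP Destination Unreachable message carries the IP header and first 8 bytes of the packet that provoked it, so the router is telling you exactly which "outgoing" packet it rejected. If the firewall has no record of your machine sending that packet, someone else sent it with your address forged. The parser below is an added example, not code from the thread or from Kerio; the sample message and addresses (documentation ranges) are constructed.

```python
import ipaddress
import struct

ICMP_DEST_UNREACH = 3
UNREACH_CODES = {0: "net unreachable", 1: "host unreachable", 2: "protocol unreachable",
                 3: "port unreachable", 9: "net administratively prohibited",
                 10: "host administratively prohibited",
                 13: "communication administratively prohibited"}

def parse_unreachable(icmp: bytes) -> dict:
    """Decode an ICMP type 3 message plus the quoted original datagram (RFC 792 layout)."""
    icmp_type, code = icmp[0], icmp[1]
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError("not a Destination Unreachable message")
    inner = icmp[8:]                       # quoted IP header + first 8 bytes of payload
    ihl = (inner[0] & 0x0F) * 4            # IHL field, in 32-bit words
    proto = inner[9]
    src = str(ipaddress.IPv4Address(inner[12:16]))
    dst = str(ipaddress.IPv4Address(inner[16:20]))
    l4 = inner[ihl:ihl + 8]
    # For TCP (6) and UDP (17) the first 4 quoted bytes are source/destination port.
    sport, dport = struct.unpack("!HH", l4[:4]) if proto in (6, 17) else (None, None)
    return {"code": UNREACH_CODES.get(code, f"code {code}"), "orig_src": src,
            "orig_dst": dst, "proto": proto, "sport": sport, "dport": dport}

def classify(msg: dict, my_ip: str, active_connections: set) -> str:
    """Backscatter check: the quoted packet claims to be ours; did we really send it?
    active_connections holds (dst_ip, proto, dst_port) tuples the firewall saw us open."""
    if msg["orig_src"] != my_ip:
        return "not about this host"       # quoted source is not our address
    if (msg["orig_dst"], msg["proto"], msg["dport"]) in active_connections:
        return "genuine: this host opened that connection"
    return "backscatter suspected: no matching outbound connection was logged"

def _sample_icmp() -> bytes:
    """Constructed ICMP host-unreachable message quoting a TCP SYN 192.0.2.10 -> 203.0.113.5:80."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64, 6, 0,
                           ipaddress.IPv4Address("192.0.2.10").packed,
                           ipaddress.IPv4Address("203.0.113.5").packed)
    inner_l4 = struct.pack("!HHI", 1025, 80, 1)   # TCP sport, dport, seq number
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, 1, 0, 0) + inner_ip + inner_l4

if __name__ == "__main__":
    msg = parse_unreachable(_sample_icmp())
    print(msg)
    print(classify(msg, "192.0.2.10", set()))
```

With Kerio logging only the alert rule, the active-connections set is exactly what is missing, which is why CrazyM asks for full connection logs.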