Router bypassed

Discussion in 'other firewalls' started by G1111, Jan 16, 2006.

Thread Status:
Not open for further replies.
  1. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    I am running a NAT router and Outpost Pro. Last night I was constantly pinged by a Russian web site on TCP 2027. Outpost stopped the packets (I had it set to block every five minutes, so every five minutes a connection request was logged). The packets arrived constantly for several hours. Just wondering how they bypassed my router?
     
  2. FatalChaos

    FatalChaos Registered Member

    Joined:
    Aug 6, 2005
    Posts:
    98
    Make sure your router firewall is actually enabled and that you have "block anonymous connection requests" checked (or something along those lines).
     
  3. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    NAT and "block anonymous requests" are both enabled. Thanks.
     
  4. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    Do you use a honey pot or participate in shadowserver? TCP 2027 is only used to report to shadowserver. If not, did you recently upgrade the router's firmware?
     
  5. Cerxes

    Cerxes Registered Member

    Joined:
    Sep 6, 2005
    Posts:
    581
    Location:
    Northern Europe
    Normally there are only three ways for inbound traffic to bypass the router:
    • If you made a request or are using a server
    • Through your configuration of the router
    • A malfunction of the router (use the latest firmware)

    If you don't mind telling, which router model do you use?

    Regards, C.
     
  6. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Do you have any software running on your machine that requires any ports to be open?

    Due to the way NAT works, as soon as you open a port ANY request is piped through, even pings/ICMP traffic, because the software you have listening on the port(s) could well need ping functionality and the router will not know...
     
  7. Infinity

    Infinity Registered Member

    Joined:
    May 31, 2004
    Posts:
    2,651
    In your router config settings (192.168.2.1) you should block ping... sorry if this is obvious.
    inf.
     
  8. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    When interpreting logs it helps to have some samples. If you could post some entries from your logs it would help in trying to determine what may have occurred.

    Regards,

    CrazyM
     
  9. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    No - neither
     
  10. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Linksys RT31P2 (Broadband router for Vonage VOIP)
     
  11. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Not that I know of. I checked Netstat (in TrojanHunter); a few are listed as listening, but not that one.
     
  12. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    Hi G1111,

    Have you tried duplicating the event using the Custom Port Probe at ShieldsUP?

    Nick
     
  13. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    These are just three of numerous

    Outpost Attack Detection Plugin (suspicious packets)
    1/15/2006 11:15:02 PM 193.232.5.10 TCP (2027)
    1/15/2006 11:10:17 PM 193.232.5.10 TCP (2027)
    1/15/2006 11:05:32 PM 193.232.5.10 TCP (2027)

    I am not sure what the log entry is for this (error, scanner, monitor and pack?)

    Listed to (Whois):

    % Information related to '193.232.5.0 - 193.232.5.255'

    inetnum: 193.232.5.0 - 193.232.5.255
    netname: IKI-LAN5
    descr: Russian Space Science Internet
    descr: Space Research Institute (Dep. 86)
    descr: 84/32 Profsoyuznaya st.
    descr: 117997, Moscow
    descr: Russia
    country: RU
    admin-c: OAS19-RIPE
    admin-c: MNB1-RIPE
    tech-c: OAS19-RIPE
    tech-c: MNB1-RIPE
    notify: ***@rssi.ru
    rev-srv: mx.iki.rssi.ru
    rev-srv: adm.rssi.ru
    status: ASSIGNED PI
    mnt-by: RSSI-NOC
    mnt-lower: RSSI-NOC
    changed: ****@rssi.ru 19981014
    changed: ****@rssi.ru 19990402
    changed: **@rssi.ru 20020904
    source: RIPE

    person: Michael N Boyarsky
    address: Space Research Institute
    address: 84/32 Profsoyuznaya
    address: 117810 Moscow
    address: Russia
    phone: +7 095 333 1488
    fax-no: +7 095 913 3040
    e-mail: ********@iki.rssi.ru
    nic-hdl: MNB1-RIPE
    changed: ********@iki.rssi.ru 19980115
    source: RIPE

    person: Olga A Starostina
    address: Space Research Institute
    address: 84/32 Profsoyuznaya
    address: 117810 Moscow
    address: Russia
    remarks: phone: +7 095 333 3523
    phone: +7 495 333 3523
    remarks: fax-no: +7 095 913 3040
    fax-no: +7 495 913 3040
    e-mail: ***@space.ru
    nic-hdl: OAS19-RIPE
    changed: ****@rssi.ru 19990402
    source: RIPE
    remarks: modified for Russian phone area changes
    changed: ********@ripe.net 20051216

    % Information related to '193.232.0.0/19AS3218'

    route: 193.232.0.0/19
    descr: Russian Space Science Internet
    origin: AS3218
    mnt-by: RSSI-NOC
    changed: ****@rssi.ru 19990402
    source: RIPE
     
  14. flyrfan111

    flyrfan111 Registered Member

    Joined:
    Jun 1, 2004
    Posts:
    1,224
    A more complete firewall log would be helpful. That you are getting probed from this IP isn't the question; the question is why. Do your logs show any outbound traffic near the time of these, like just before them perhaps? That router allows UPnP configuration of itself for some internet-capable applications. Did you disable UPnP configuration settings in the router's settings? Maybe something changed your settings. Also, how many computers are using the router? Do you have a network set up? The problem may be on another workstation in the network. Although that is unlikely since it is this machine getting hit, something else inside the network perimeter may be what was compromised. It's a possibility anyway.
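    The three situations the replies above describe (NGRhodes's point that an opened port lets any packet through, and flyrfan111's note that UPnP can open ports without the owner touching the router's settings) can be modelled in a few lines. The following is an added example for this thread, not code from any router vendor or from the posters; the addresses, ports, timings and the toy host firewall are all constructed. It shows why a router can forward packets that the host firewall then blocks and logs: the router's connection entry outlives the socket on the PC.

```python
"""Toy model of a NAT router's inbound decision plus a minimal host firewall.
Added example for this thread; all addresses, ports and timings are constructed.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_port: int      # port on the router's WAN address
    proto: str = "TCP"


@dataclass
class NatRouter:
    lan_host: str = "192.168.2.100"          # constructed LAN address
    state_ttl: float = 300.0                  # seconds a connection entry lives
    # admin-configured forwards: (proto, wan_port) -> LAN host
    forwards: dict = field(default_factory=dict)
    # mappings LAN software added via UPnP, same shape as forwards
    upnp_mappings: dict = field(default_factory=dict)
    # connection state: (proto, remote_ip, remote_port, local_port) -> expiry
    state: dict = field(default_factory=dict)

    def outbound(self, remote_ip, remote_port, local_port, proto="TCP", now=0.0):
        """LAN host opens a connection; the router remembers it so replies can return."""
        self.state[(proto, remote_ip, remote_port, local_port)] = now + self.state_ttl

    def add_upnp_mapping(self, wan_port, proto="TCP"):
        """Software on the LAN asks the router to open a port (UPnP IGD style)."""
        self.upnp_mappings[(proto, wan_port)] = self.lan_host

    def inbound(self, pkt: Packet, now=0.0) -> str:
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_port)
        expiry = self.state.get(key)
        if expiry is not None and now <= expiry:
            return "forward: reply to outbound connection"
        if (pkt.proto, pkt.dst_port) in self.forwards:
            return "forward: static port forward"
        if (pkt.proto, pkt.dst_port) in self.upnp_mappings:
            return "forward: UPnP mapping"
        # no state and no opening: dropped by the router, the host never sees it
        return "drop: unsolicited"


@dataclass
class HostFirewall:
    """Minimal software firewall on the PC: accepts only ports a local socket holds."""
    open_ports: set = field(default_factory=set)

    def receive(self, pkt: Packet) -> str:
        return "accept" if pkt.dst_port in self.open_ports else "block and log"


def deliver(router, host, pkt, now):
    """Combined verdict: what the router does, then what the host firewall does."""
    decision = router.inbound(pkt, now)
    if decision.startswith("drop"):
        return decision
    return f"{decision}; host: {host.receive(pkt)}"


def scenarios():
    """Run the cases discussed in the thread against the model; returns verdict per case."""
    router, host = NatRouter(), HostFirewall()
    remote = "203.0.113.10"                  # constructed remote address
    reply = Packet(remote, 80, 2027)          # remote:80 -> router:2027
    out = {}
    # 1. nothing opened: an unsolicited packet to 2027 is dropped by the router
    out["unsolicited"] = deliver(router, host, reply, now=0)
    # 2. PC connected out to remote:80 from local port 2027; replies pass both layers
    router.outbound(remote, 80, 2027, now=0)
    host.open_ports.add(2027)
    out["reply_socket_open"] = deliver(router, host, reply, now=60)
    # 3. PC closed the socket, but the router's entry is still alive:
    #    the router forwards, the host firewall blocks and logs ("late packets")
    host.open_ports.discard(2027)
    out["late_reply_socket_closed"] = deliver(router, host, reply, now=200)
    # 4. a LAN program opened 2027 via UPnP: packets from anyone now reach the host
    router.add_upnp_mapping(2027)
    host.open_ports.add(2027)
    out["upnp_opened"] = deliver(router, host, Packet("198.51.100.7", 4444, 2027), now=1000)
    return out


if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case:26} {verdict}")
```

    Case 3 is the one CrazyM raises later in the thread: nothing has bypassed the router, the router is simply doing its job for a connection the PC already gave up on. Case 4 is why disabling UPnP on the router is worth checking when a port shows up open that you never forwarded yourself.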
     
  15. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    GRC Port Authority Report created on UTC: 2006-01-18 at 02:42:35

    Results from probe of port: 2027

    0 Ports Open
    0 Ports Closed
    1 Ports Stealth
    ---------------------
    1 Ports Tested

    THE PORT tested was found to be: STEALTH.

    TruStealth: PASSED - ALL tested ports were STEALTH,
    - NO unsolicited packets were received,
    - NO Ping reply (ICMP Echo) was received.
     
  16. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    I'll recheck the settings. It is a single machine and a VOIP phone. Thanks for the suggestions. I will see if it happens again. Did several scans for rootkits and trojans. I will see if I can tie the event to an Outpost log.
     
  17. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    I would also take a look at your router logs, if you have logging enabled, as well as your Windows event logs for anything out of the ordinary. If you don't have router logging enabled, you should enable it for now.

    Nick
     
  18. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Don't see anywhere for router logging on mine. Did check Windows and it showed a few "anonymous logon/off". I set Harden-it to level 2 now for restricting anonymous. Anyhow no other indications of anything wrong. It was just curious that Outpost was blocking packets. I had seen a few from time to time that outpost blocked inbound but this was continuous. Glad I have it.
     
  19. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Unfortunately it appears the Outpost Attack Detection Plugin is incomplete in its logging. I take it those entries are Source IP, Protocol, Destination Port? Missing is the Source Port and Destination IP.

    The source port would help in determining what kind of traffic this may have been associated to: HTTP (80), NNTP (119), SMTP (25), etc.

    Does Outpost log all outbound connections? If so, you may want to check those logs to determine if you have any connections out to that IP. It could be these are just late packets from a valid connection that are being blocked. It is unlikely that anything has bypassed your router in the way of unsolicited inbound traffic. Then it would be a matter of determining who/what made the connection.

    Regards,

    CrazyM
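    The check CrazyM suggests, correlating the blocked-inbound entries with outbound connections to the same host, can be scripted once both logs are at hand. The following is an added example for this thread, not Outpost's code. The attack-detection lines use the format quoted in post 13 but with constructed addresses; the outbound-connection log format is hypothetical, assumed only for this example. It also measures the spacing between entries, since with Outpost set to block a source for five minutes each line records one blocking window rather than one packet.

```python
"""Correlate host-firewall "blocked inbound" entries with outbound connection
records to tell late packets from genuinely unsolicited traffic.
Added example for this thread; all addresses and times are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the Outpost Attack Detection Plugin format quoted above:
# <date> <time> <source ip> <proto> (<destination port>)
ATTACK_LOG = """\
1/15/2006 11:15:02 PM 203.0.113.10 TCP (2027)
1/15/2006 11:10:17 PM 203.0.113.10 TCP (2027)
1/15/2006 11:05:32 PM 203.0.113.10 TCP (2027)
1/15/2006 10:58:40 PM 198.51.100.23 TCP (1433)
"""

# Hypothetical outbound-connection log (assumed format, not Outpost's):
# <date> <time> <process> -> <remote ip>:<remote port> local <local port>
OUTBOUND_LOG = """\
1/15/2006 11:04:55 PM firefox.exe -> 203.0.113.10:80 local 2027
1/15/2006 10:30:00 PM outlook.exe -> 192.0.2.9:25 local 3101
"""

TS = r"(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)"
ATTACK_RE = re.compile(TS + r" (?P<ip>[\d.]+) (?P<proto>TCP|UDP) \((?P<port>\d+)\)$")
OUT_RE = re.compile(TS + r" (?P<proc>\S+) -> (?P<ip>[\d.]+):(?P<rport>\d+) local (?P<lport>\d+)$")
TS_FMT = "%m/%d/%Y %I:%M:%S %p"


def parse(log, rx):
    """Return one dict per line that matches rx, with 'ts' converted to a datetime."""
    entries = []
    for line in log.splitlines():
        m = rx.match(line.strip())
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], TS_FMT)
            entries.append(d)
    return entries


def classify(attack_log=ATTACK_LOG, outbound_log=OUTBOUND_LOG,
             window=timedelta(minutes=15)):
    """Map each blocked entry to a verdict, grouped by source IP (log order kept).

    A blocked packet from IP X to local port P counts as a late packet when the
    host opened a connection to X from local port P within `window` before the
    block; otherwise it is unsolicited as far as these two logs can tell.
    """
    blocked = parse(attack_log, ATTACK_RE)
    outbound = parse(outbound_log, OUT_RE)
    report = {}
    for e in blocked:
        verdict = "unsolicited (no matching outbound connection)"
        for o in outbound:
            age = e["ts"] - o["ts"]
            if (o["ip"] == e["ip"] and o["lport"] == e["port"]
                    and timedelta(0) <= age <= window):
                verdict = (f"late packets from {o['proc']} connection "
                           f"to {o['ip']}:{o['rport']}")
                break
        report.setdefault(e["ip"], []).append(verdict)
    return report


def block_intervals(attack_log=ATTACK_LOG):
    """Seconds between consecutive entries per source IP, oldest first.

    A steady interval equal to the firewall's "block for N minutes" setting
    means each line records one blocking window, not one packet.
    """
    by_ip = {}
    for e in parse(attack_log, ATTACK_RE):
        by_ip.setdefault(e["ip"], []).append(e["ts"])
    return {ip: [int((b - a).total_seconds()) for a, b in zip(ts, ts[1:])]
            for ip, ts in ((ip, sorted(t)) for ip, t in by_ip.items())}


if __name__ == "__main__":
    for ip, verdicts in classify().items():
        print(ip, verdicts)
    print(block_intervals())
```

    With the constructed data the three 2027 entries land within minutes of an outbound browser connection from local port 2027 to the same host, so they read as late packets; the 1433 entry has no outbound counterpart and stays unsolicited. The missing source port CrazyM asks about is exactly what would let the match be made on the full 4-tuple instead of on IP and local port alone.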
     
  20. G1111

    G1111 Registered Member

    Joined:
    May 11, 2005
    Posts:
    2,127
    Location:
    USA
    Thanks CrazyM - I have been away from my computer. I had the logs set to clear after 3 days, so the Sunday events probably are no longer there. I keep an eye on things and noticed there was no outbound activity on the GUI.
     