Outpost Attack log. Interesting, since I never get port scans or requests.

11/9/2002 1:43:08 PM Connection request 64.4.12.57 TCP(2266)
11/9/2002 1:41:10 PM Port scanned 216.52.46.143 TCP(1954) TCP(1956) TCP(1955) TCP(1287) TCP(1352) TCP(1307)
11/9/2002 1:41:10 PM Connection request 216.52.46.143 TCP(1954)
11/9/2002 1:41:10 PM Connection request 216.52.46.143 TCP(1956)
11/9/2002 1:41:10 PM Connection request 216.52.46.143 TCP(1955)
11/9/2002 1:40:29 PM Connection request 216.52.46.143 TCP(1287)
11/9/2002 1:40:23 PM Connection request 216.52.46.143 TCP(1352)
11/9/2002 1:40:13 PM Connection request 216.52.46.143 TCP(1307)
11/9/2002 1:40:06 PM Connection request 216.52.46.143 TCP(1295)
11/9/2002 1:38:29 PM Connection request 216.52.46.143 TCP(1287)
11/9/2002 1:38:24 PM Connection request 216.52.46.143 TCP(1352)
11/9/2002 1:38:14 PM Connection request 216.52.46.143 TCP(1307)
11/9/2002 1:38:06 PM Connection request 216.52.46.143 TCP(1295)
11/9/2002 1:36:29 PM Connection request 216.52.46.143 TCP(1287)
11/9/2002 1:36:24 PM Connection request 216.52.46.143 TCP(1352)
11/9/2002 1:36:14 PM Connection request 216.52.46.143 TCP(1307)
11/9/2002 1:36:07 PM Connection request 216.52.46.143 TCP(1295)
11/9/2002 1:34:30 PM Connection request 216.52.46.143 TCP(1287)
11/9/2002 1:34:25 PM Connection request 216.52.46.143 TCP(1352)
11/9/2002 1:34:15 PM Connection request 216.52.46.143 TCP(1307)
11/9/2002 1:34:07 PM Connection request 216.52.46.143 TCP(1295)
11/9/2002 1:32:31 PM Connection request 216.52.46.143 TCP(1287)
11/9/2002 1:32:26 PM Connection request 216.52.46.143 TCP(1352)
11/9/2002 1:32:16 PM Connection request 216.52.46.143 TCP(1307)
11/9/2002 1:32:08 PM Connection request 216.52.46.143 TCP(1295)
11/9/2002 1:30:59 PM Connection request 195.101.191.68 UDP(137)
11/9/2002 1:30:31 PM Connection request 216.52.46.143 TCP(1287)
11/9/2002 1:30:26 PM Connection request 216.52.46.143 TCP(1352)
11/9/2002 1:30:16 PM Connection request 216.52.46.143 TCP(1307)
11/9/2002 1:30:08 PM Connection request 216.52.46.143 TCP(1295)
11/9/2002 1:30:07 PM Connection request 211.252.3.207 UDP(137)
11/9/2002 1:28:32 PM Connection request 216.52.46.143 TCP(1287)
11/9/2002 1:28:27 PM Connection request 216.52.46.143 TCP(1352)
11/9/2002 1:28:16 PM Connection request 216.52.46.143 TCP(1307)
11/9/2002 1:28:09 PM Connection request 216.52.46.143 TCP(1295)
11/9/2002 1:11:19 PM Connection request 218.156.54.42 UDP(137)
11/9/2002 1:09:55 PM Connection request 217.65.231.179 TCP(1433)
11/9/2002 1:07:20 PM Connection request 63.25.190.16 UDP(137)
11/9/2002 1:05:31 PM Connection request 219.241.155.254 TCP(1433)
11/9/2002 12:32:41 PM Connection request 24.184.118.206 UDP(137)
11/9/2002 12:29:46 PM Connection request 211.227.86.27 UDP(137)
11/9/2002 12:18:08 PM Connection request 80.15.99.230 UDP(137)
11/9/2002 12:16:24 PM Connection request 80.24.12.200 UDP(137)
11/9/2002 12:08:09 PM Connection request 62.254.100.7 UDP(137)
11/9/2002 12:07:58 PM Connection request 24.232.38.167 UDP(137)
11/9/2002 11:51:15 AM Connection request 68.146.203.66 UDP(137)
11/9/2002 11:49:04 AM Connection request 65.198.225.82 UDP(137)
11/9/2002 11:45:52 AM Connection request 63.188.128.199 UDP(137)
Well, he's not scanning for (known) trojans. Strange how the same ports are being scanned over and over again. Regards, Pieter
YIKES!! I have the very same ports being hammered!! Plus... what looks like the same sub-range... I've disabled the ports you listed... and have a very sneaky feeling what port scanner is being used. Although my computer won't accept a connection to the sub-range... it's blocked... nevertheless... it will have to bypass two blocking programs... then the firewall... so far so good... but hard on ye ole computer... So... looks like a planned attack is taking place? snowman
A lot of the time, what you see in Outpost in that port range is communications from a website you have visited and left. When you surf to a site and take a look or whatever, and then leave, there is usually communication going on between the website and its affiliates and your computer. You leave, but all of the communications don't get properly terminated. So the website keeps trying to reply back to you until it gets a fin/ack or whatever. Well, Outpost IDS sees these as unsolicited communication requests and in some cases scans, and logs them. The way I can tell the difference, when I get a bunch like you have, is to look in the DNS Cache log or properties and see if that IP has been logged as one of the sites I visit. Now I know you know at least most of what I said. I don't know if you know that Outpost has a tendency to log all of that. Sorry if all of this is old news, but there may be some who can use the info some day. I would not be surprised if other firewalls did not do the same thing, at least on occasion. It is not unusual for some sites to keep coming at you with traffic for hours after you leave. I have seen it.
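To put root's DNS-cache heuristic and Pieter's "same ports over and over" observation into something checkable, here is an added example (not from the thread, not Outpost's code) that parses lines in the attack-log layout quoted above, groups hits by source IP and destination port, and measures how evenly each series recurs. The sample lines are constructed in that layout, and the labels for ports 137 and 1433 are my assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the Outpost attack-log layout quoted in the thread
SAMPLE_LOG = """\
11/9/2002 1:41:10 PM Port scanned 216.52.46.143 TCP(1954) TCP(1956)
11/9/2002 1:40:29 PM Connection request 216.52.46.143 TCP(1287)
11/9/2002 1:38:29 PM Connection request 216.52.46.143 TCP(1287)
11/9/2002 1:36:29 PM Connection request 216.52.46.143 TCP(1287)
11/9/2002 1:30:59 PM Connection request 195.101.191.68 UDP(137)
11/9/2002 1:09:55 PM Connection request 217.65.231.179 TCP(1433)
"""

LINE_RE = re.compile(
    r"(?P<date>\d+/\d+/\d{4}) (?P<time>\d+:\d+:\d+ [AP]M) "
    r"(?P<event>Connection request|Port scanned) (?P<ip>[\d.]+) (?P<ports>.*)")

# Assumed labels for the two well-known destination ports in the thread's log
KNOWN_PORTS = {137: "NetBIOS name service: Windows background noise",
               1433: "MS SQL Server: automated probing of a service port"}

def parse(text):
    """One (timestamp, event, ip, proto, port) tuple per port mentioned."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
        for proto, port in re.findall(r"(TCP|UDP)\((\d+)\)", m["ports"]):
            events.append((ts, m["event"], m["ip"], proto, int(port)))
    return events

def recurrence(events):
    """Seconds between successive hits, keyed by (ip, proto, port)."""
    stamps = defaultdict(list)
    for ts, _, ip, proto, port in events:
        stamps[(ip, proto, port)].append(ts)
    return {key: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
            for key, t in ((k, sorted(v)) for k, v in stamps.items())}

def classify(key, gaps):
    ip, _, port = key
    if port in KNOWN_PORTS:
        return KNOWN_PORTS[port]
    if len(gaps) >= 2 and max(gaps) - min(gaps) <= 5:
        # Same host, same high port, evenly spaced: check the DNS cache for the IP first
        return f"periodic retry every ~{gaps[0]}s from {ip}, check DNS cache"
    return "one-off hit on a high port"
```

Run `classify` over each entry of `recurrence(parse(SAMPLE_LOG))`; the 216.52.46.143/1287 series comes back as a ~120 s periodic retry, which is the pattern root describes, while the 137 and 1433 hits get their port labels.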
root, I understand what you are saying but I have never had that info listed in the attack logs before using Outpost. This is the very first time.
I am not sure it is inappropriate to post the IPs here, since they log firewall IP scans at Internet Storm anyway.
Decided to do a quick check on this IP <216.52.46.143>; it is the first in Cont's log post: Internap Network Services, AKA Akamai Technologies. snowman
Akamai owns so much of the web for all kinds of uses, some actually legit, that that's not surprising. Controller, you have been getting plenty of entries in the log all along, haven't you? Lots of UDP 137, and background radiation type stuff.
root, yes, these are my first hits with port 137. I was guessing they weren't picking on us Minnesotans. Outpost just started adding those requests to its ATTACK LOG; it wasn't doing that before. I've also been monitoring my RunOnceEXLog.Txt file.
Another telltale sign that it may be this type of late (legitimate) traffic being blocked is to look at the source port. If you see source ports for common services you would be using at that time, like HTTP (80), DNS (53), etc., affiliated with those entries, they are likely just packets arriving late and being dropped. I did not notice source ports in the logs; does Outpost not provide this information in the log viewer?
Hey Crazy, no, this version does not log that information in the attack detection module. Perhaps the next version will. I think the initial design philosophy of Outpost was to do the job quietly and efficiently, without a lot of bells and whistles in certain key areas. The designers deliberately left out trace back/get even type logging. I'm not sure why remote port was left out of this log. The information is available in the debug module, which is an extended logging set of files. Controller, I wonder why you have not been getting some logging there all along. I assume you have run scans to ensure protection. Let me know if you want to dig into this some more. I'm outa here for the time being though.
Hopefully it is something they do include in the next version. Having full details in the logs (including remote addr/port, local addr/port) goes a long way in determining what you may be seeing. I'm sure it is something you and other users here will follow up on. As for leaving out things like back trace features, I agree. Not something most users should or need to be doing.
I for one would still like to see better logging in Outpost. root? I wasn't aware of the extra logging files. Where can I get those? I was trying out KAV's firewall on my new install of Win ME on another desktop, but I am having some conflicts with that. When all these new releases of firewalls and AVs come out, I am not going to know what to do. Has anyone heard if Outpost has released their 2.0 beta yet? Thanks
No, version 2 beta has not been released yet. The extended logging is available in the debug module. It was built to aid in debugging, obviously, but it shows more info than the regular logs, so it can be handy. The link is on this page.