[Owasp-Mumbai] Interesting firewall hits

ॐ aditya mukadam ॐ securescorp at gmail.com
Wed Apr 15 00:36:50 EDT 2009


Yash,

[Sorry for the delay in response, I was traveling over the weekend.]

Checked the email thread and I could gather that:

Internet -------------- Firewall/Router------------- PC

* Firewall doesn't block this traffic while the PC AV blocks it.
* Firewall/Router will perform PAT for outbound traffic.

Questions:
1) Which firewall are you using?
2) Does it have Stateful Inspection?
3) Which AV are you using, and does the AV give you details of the
traffic being blocked (other than what you have provided)?
4) Do you use any type of Remote PC software on your PC? e.g.
Tunneling: GoToMyPC Software

Thanks,
Aditya Govind Mukadam




On Fri, Apr 10, 2009 at 5:23 PM, Yash Kadakia <teccoder at gmail.com> wrote:
> Varun,
> Firewall is explicitly asking to allow an incoming connection request. The IP
> range is 192.168.x.x
>
> --
> Yash Kadakia
> Sent from my handheld
>
> On Apr 10, 2009, at 5:20 PM, varun chaudhry <varunchaudhry at gmail.com> wrote:
>
> Hi Yash,
>
> Any chance that this might be outgoing traffic but is getting blocked as the
> destination IP may be in the private range? (not sure if 192.x is 192.16)
>
> Of course this wouldn't be true if your firewall logs are explicitly showing
> you the interface (outside) at which traffic is being received.
>
> Regards,
> Varun
>
> On Fri, Apr 10, 2009 at 5:10 PM, TecCoder <teccoder at gmail.com> wrote:
>>
>> Hi Vaibhav,
>>
>> Believe me I am as stumped as anyone else about this.
>>
>> The firewall is not set to explicitly block all, but it has no DMZ or Port
>> Forwards. So no unauthorized incoming requests should reach this system.
>>
>> 1) The system is only connected to one network via ethernet.
>> 2) I have checked the device configuration several times, no mistakes
>> there.
>> 3) Router connects directly to the public ip, nothing in the middle.
>>
>> --
>> Yash
>>
>>
>> 2009/4/10 varun chaudhry <varunchaudhry at gmail.com>
>>>
>>> Hi Yash,
>>>
>>> I'm just a little bit confused here, let me know if I got this wrong
>>>
>>> 1. You have a router / firewall which is configured to block all incoming
>>> traffic.
>>> 2. The logs that you have shared are from the above network device
>>>
>>> Yet you mention that the traffic is reaching your host system.
>>>
>>> A few quick thoughts......
>>>
>>> 1. Do the systems that are connected in your network get connected to
>>> other networks as well (e.g office laptop) ?
>>> 2. You may want to reconfirm the device configuration
>>> 3. Are you running a wireless network before the router? ...Naah... I guess
>>> I'm being too imaginative here...
>>>
>>> Regards,
>>> Varun
>>>
>>> On Fri, Apr 10, 2009 at 11:27 AM, vaibhav aher <vaibhavaher at gmail.com>
>>> wrote:
>>>>
>>>> Hello Yash,
>>>> Is the target IP the same? Meaning 192.x.x.x in all the attacks.
>>>> Regards
>>>> Vaibhav
>>>>
>>>> On Fri, Apr 10, 2009 at 12:37 AM, TecCoder <teccoder at gmail.com> wrote:
>>>>>
>>>>> I collected some additional incoming hits. I've attached the same in
>>>>> pdf format along with this e-mail.
>>>>>
>>>>> --
>>>>> Yash Kadakia
>>>>>
>>>>>
>>>>> 2009/4/10 TecCoder <teccoder at gmail.com>
>>>>>>
>>>>>> Bipin,
>>>>>>
>>>>>> I'm not sure what you mean in terms of it being my router IP. My
>>>>>> router's internal or external IP do not match this (or even in the same
>>>>>> block). This particular range is not even present in my traceroute so I
>>>>>> highly doubt this is legitimate traffic in my network route.
>>>>>>
>>>>>> Also, note these are incoming requests, not outgoing. Also, this is
>>>>>> just one of several hundred instances; some are from MTNL IP ranges, others
>>>>>> from BSNL, Tata, Hathway etc.
>>>>>>
>>>>>> --
>>>>>> Yash Kadakia
>>>>>>
>>>>>>
>>>>>> 2009/4/10 Bipin Upadhyay <muxical.geek at gmail.com>
>>>>>>>
>>>>>>> Okay, it might sound a bit weird and may be unlikely, but could it be
>>>>>>> that 123.252.231.35 is your router's own IP?
>>>>>>>
>>>>>>> Tools like SpyBot automatically modify the hosts file to block requests
>>>>>>> to ad networks. This case seems a bit different, still.
>>>>>>>
>>>>>>>
>>>>>>> --Bipin Upadhyay
>>>>>>> I'd love to change the world,
>>>>>>> but they won't gimme the source code.
>>>>>>> http://projectbee.org/
>>>>>>>
>>>>>>>
>>>>>>> On Thu, Apr 9, 2009 at 8:46 PM, TecCoder <teccoder at gmail.com> wrote:
>>>>>>>>
>>>>>>>> Logs are as follows:
>>>>>>>>
>>>>>>>> Date Time: 4/9/2009 8:06:50 PM
>>>>>>>> Protocol Identified: MSN Messenger
>>>>>>>> Action: Blocked
>>>>>>>> Source IP: 123.252.231.35 (Belongs to TATA, probably a home user)
>>>>>>>> Source Port: 2938
>>>>>>>> Receiver IP: 192.x.x.x
>>>>>>>> Receiver Port: 3880
>>>>>>>> Protocol: TCP
>>>>>>>>
>>>>>>>> What is strange is, I have a firewall on 192.x.x.1 (router) that is
>>>>>>>> set to block all incoming requests and has no DMZ or port forwards. Yet this
>>>>>>>> request is able to make it to my local system where the personal firewall is
>>>>>>>> blocking it (Thank god for paranoia!).
>>>>>>>>
>>>>>>>> --
>>>>>>>> Yash Kadakia
>>>>>>>>
>>>>>>>> 2009/4/9 ॐ aditya mukadam ॐ <securescorp at gmail.com>
>>>>>>>>>
>>>>>>>>> Yash,
>>>>>>>>>
>>>>>>>>> Can you provide some logs (a couple of them)? It will help to
>>>>>>>>> match them on my devices.
>>>>>>>>>
>>>>>>>>> Thanks,
>>>>>>>>> Aditya
>>>>>>>>>
>>>>>>>>> On Wed, Apr 8, 2009 at 6:16 PM, Yash Kadakia <teccoder at gmail.com>
>>>>>>>>> wrote:
>>>>>>>>> > Over the last couple of weeks I've been noticing some very
>>>>>>>>> > interesting trends in my firewall logs.
>>>>>>>>> >
>>>>>>>>> > Besides some Conficker hits and the standard NetBIOS scans, I've
>>>>>>>>> > been picking up at least 100-200 incoming MSN Messenger file
>>>>>>>>> > transfer requests even though we don't have MSN Messenger running
>>>>>>>>> > in the network.
>>>>>>>>> >
>>>>>>>>> > Possibly a worm taking advantage of an MSN Messenger flaw? Anyone
>>>>>>>>> > else seeing this in firewall logs?
>>>>>>>>> > --
>>>>>>>>> > Yash Kadakia
>>>>>>>>> >
>>>>>>>>> > Sent from my handheld
>>>>>>>>> > _______________________________________________
>>>>>>>>> > OWASP-Mumbai mailing list
>>>>>>>>> > OWASP-Mumbai at lists.owasp.org
>>>>>>>>> > https://lists.owasp.org/mailman/listinfo/owasp-mumbai
>>>>>>>>> >
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>
>
>
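A small triage script, added here as an example and not part of the thread, that parses records in the layout Yash posted and labels each hit by direction from the private/public ranges of its addresses, which is the check Varun's hypothesis calls for. The receiver addresses and the second record are constructed placeholders.

```python
import ipaddress
from collections import Counter

# Constructed sample in the layout Yash posted; 192.168.1.x addresses and the
# second record are placeholders, not real log data.
SAMPLE_LOG = """\
Date Time: 4/9/2009 8:06:50 PM
Protocol Identified: MSN Messenger
Action: Blocked
Source IP: 123.252.231.35
Source Port: 2938
Receiver IP: 192.168.1.10
Receiver Port: 3880

Date Time: 4/9/2009 8:07:12 PM
Protocol Identified: MSN Messenger
Action: Blocked
Source IP: 192.168.1.10
Source Port: 3881
Receiver IP: 192.168.1.1
Receiver Port: 1863
"""

def parse_records(text):
    """Split blank-line-separated 'Key: Value' blocks into dicts."""
    records = []
    for block in text.strip().split("\n\n"):
        rec = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # split on the first colon only
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def classify(rec):
    """'inbound': public source to private receiver (should not pass a NAT
    router with no port forwards); 'local': both private; else 'outbound'."""
    src = ipaddress.ip_address(rec["Source IP"])
    dst = ipaddress.ip_address(rec["Receiver IP"])
    if not src.is_private and dst.is_private:
        return "inbound"
    if src.is_private and dst.is_private:
        return "local"
    return "outbound"

def summarize(text):
    """Return direction counts and, per public source, its inbound hit count."""
    recs = parse_records(text)
    directions = Counter(classify(r) for r in recs)
    sources = Counter(r["Source IP"] for r in recs if classify(r) == "inbound")
    return directions, sources
```

Hits labelled "inbound" are the ones worth raising with the router vendor, since a PAT device with no DMZ or port forwards has no state entry that would admit them.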

