TCP portide skänn :: Hinnavaatluse Foorumid

Plondiin · HV kasutaja liitunud: 13.12.2001

Sygate tulemüür andis teada, et keegi skännib porte. Security log:

03/28/2004 10:52:54 Port Scan Minor Incoming TCP 213.35.174.149 02-00-20-00-02-00 213.35.174.139 00-00-02-00-00-00 PLONT COMPU Normal 1 03/28/2004 10:52:54 03/28/2004 10:52:54
03/28/2004 10:50:57 Port Scan Minor Incoming TCP 213.35.174.149 02-00-20-00-02-00 213.35.174.139 00-00-02-00-00-00 PLONT COMPU Normal 1 03/28/2004 10:50:57 03/28/2004 10:50:57
03/28/2004 10:50:54 Port Scan Minor Incoming TCP 213.35.174.149 02-00-20-00-02-00 213.35.174.139 00-00-02-00-00-00 PLONT COMPU Normal 1 03/28/2004 10:50:54 03/28/2004 10:50:54
03/28/2004 10:47:29 Port Scan Minor Incoming TCP 213.35.174.149 02-00-20-00-02-00 213.35.174.139 00-00-02-00-00-00 PLONT COMPU Normal 1 03/28/2004 10:47:29 03/28/2004 10:47:29
03/28/2004 10:47:29 Port Scan Minor Incoming TCP 213.35.174.149 02-00-20-00-02-00 213.35.174.139 00-00-02-00-00-00 PLONT COMPU Normal 1 03/28/2004 10:47:29 03/28/2004 10:47:29
03/28/2004 10:42:14 Port Scan Minor Incoming TCP 213.35.174.149 02-00-20-00-02-00 213.35.174.139 00-00-02-00-00-00 PLONT COMPU Normal 1 03/28/2004 10:42:14 03/28/2004 10:42:14
03/28/2004 10:42:14 Port Scan Minor Incoming TCP 213.35.174.149 02-00-20-00-02-00 213.35.174.139 00-00-02-00-00-00 PLONT COMPU Normal 1 03/28/2004 10:42:14 03/28/2004 10:42:14
03/28/2004 10:42:11 Port Scan Minor Incoming TCP 213.35.174.149 02-00-20-00-02-00 213.35.174.139 00-00-02-00-00-00 PLONT COMPU Normal 1 03/28/2004 10:42:11 03/28/2004 10:42:11
03/28/2004 10:42:11 Port Scan Minor Incoming TCP 213.35.174.149 02-00-20-00-02-00 213.35.174.139 00-00-02-00-00-00 PLONT COMPU Normal 1 03/28/2004 10:42:11 03/28/2004 10:42:11
03/28/2004 10:41:35 Port Scan Minor Incoming TCP 213.35.174.149 02-00-20-00-02-00 213.35.174.139 00-00-02-00-00-00 PLONT COMPU Normal 1 03/28/2004 10:41:35 03/28/2004 10:41:35
03/28/2004 10:41:35 Port Scan Minor Incoming TCP 213.35.174.149 02-00-20-00-02-00 213.35.174.139 00-00-02-00-00-00 PLONT COMPU Normal 1 03/28/2004 10:41:35 03/28/2004 10:41:35
03/28/2004 10:40:31 Port Scan Minor Incoming TCP 213.35.174.149 02-00-20-00-02-00 213.35.174.139 00-00-02-00-00-00 PLONT COMPU Normal 1 03/28/2004 10:40:31 03/28/2004 10:40:31

Somebody is scanning your computer.
Your computer's TCP ports:
1025, 445, 3127, 6129 and 2745 have been scanned from 213.35.174.149.
Somebody is scanning your computer.
Your computer's TCP ports:
3127, 6129, 2745, 135 and 1025 have been scanned from 213.35.174.149.
Somebody is scanning your computer.
Your computer's TCP ports:
135, 2745, 1025, 445 and 3127 have been scanned from 213.35.174.149.
Somebody is scanning your computer.
Your computer's TCP ports:
6129, 3127, 445, 1025 and 135 have been scanned from 213.35.174.149.
Somebody is scanning your computer.
Your computer's TCP ports:
2745, 135, 80, 139 and 6129 have been scanned from 213.35.174.149.
Somebody is scanning your computer.
Your computer's TCP ports:
135, 1025, 445, 3127 and 6129 have been scanned from 213.35.174.149.
Somebody is scanning your computer.
Your computer's TCP ports:
6129, 139, 80, 2745 and 135 have been scanned from 213.35.174.149.
Somebody is scanning your computer.
Your computer's TCP ports:
135, 1025, 445, 3127 and 6129 have been scanned from 213.35.174.149.
Somebody is scanning your computer.
Your computer's TCP ports:
6129, 139, 80, 2745 and 135 have been scanned from 213.35.174.149.
Somebody is scanning your computer.
Your computer's TCP ports:
135, 1025, 445, 3127 and 6129 have been scanned from 213.35.174.149.
Somebody is scanning your computer.
Your computer's TCP ports:
3127, 6129, 139, 2745 and 135 have been scanned from 213.35.174.149.
Somebody is scanning your computer.
Your computer's TCP ports:
2745, 135, 1025, 445 and 3127 have been scanned from 213.35.174.149.

Tegin Back Trace, detail information of [213.35.174.149]
Hop 1 IP 80.235.88.1 80-235-88-1-dsl.prn.estpak.ee
Hop 2 IP 213.35.174.149 213-35-174-149-dsl.prn.estpak.ee

% This is the RIPE Whois server.
% The objects are in RPSL format.
%
% Rights restricted by copyright.
% See http://www.ripe.net/ripencc/pub-services/db/copyright.html

inetnum: 213.35.174.0 - 213.35.175.255
netname: EE-ESTPAK
descr: ADSL Light address-pool
descr: PRN
descr: Sole 14
descr: Tallinn
descr: Estpak Data/Estonian Telephone Co
country: EE
admin-c: ET332-RIPE
tech-c: ET332-RIPE
rev-srv: dns.estpak.ee
rev-srv: dns2.estpak.ee
status: ASSIGNED PA
remarks: INFRA-AW
notify: ripe@estpak.ee
mnt-by: ESTPAK-MNT
changed: ripe@estpak.ee 20021119
source: RIPE

route: 213.35.128.0/17
descr: EE-ESTPAK-213-35-128-0-17
origin: AS3249
notify: klem@estpak.ee
mnt-by: ESTPAK-MNT
changed: klem@estpak.ee 20020305
source: RIPE

role: ESTPAK NOC
address: Elion Enterprises Ltd.
address: Hostmasters and NOC helpdesk
address: Sole str 14, Tallinn
address: Estonia
fax-no: +372 639 1180
e-mail: abuse@estpak.ee
e-mail: ripe@elion.ee
trouble: 24/7 phone +372 639 1082
trouble: abuse@estpak.ee
remarks: ----------------------------------------
remarks: Abuse notifications to: abuse@estpak.ee
remarks: Network problems to: noc@elion.ee
remarks: Peering requests to: peering@elion.ee
remarks: IPv6 peering requests to: ipv6@elion.ee
remarks: ----------------------------------------
admin-c: KK3254-RIPE
tech-c: RIX2-RIPE
tech-c: JT82-RIPE
tech-c: AK546-RIPE
tech-c: AI451-RIPE
nic-hdl: ET332-RIPE
notify: ripe@elion.ee
mnt-by: ESTPAK-MNT
changed: klem@estpak.ee 20010726
changed: klem@estpak.ee 20010904
changed: klem@estpak.ee 20020110
changed: klem@estpak.ee 20030210
changed: ripe@elion.ee 20031106
source: RIPE

Mina tahaks praegu teada mis toimub? Kes mind skännib ja miks?

HacaX · HV Guru liitunud: 22.01.2004

Asi lihtne - skännib keegi Elionilt ADSL ühendust ostev klient kes loodab, et su masinas on mõni backdoor installitud (pordi 3127 peal on mydoom, 125 peal NetSpy, 6127 peal Dameware Remote Admin, 445 peal Winblowsi kuulus DCOMi turvaauk,etc. etc). etc. Lühidalt öeldes - kui sa just *ise* mingit tulemüüri testi ei jooksuta (ehk siis kasuta mingit saiti mis su porte skännib) siis on/oli tegu rünnakuga mille käigus üritati sisse murda. Kõige parem lahendus probleemige - pane Sygate ründavatele IPdele bänn tegema (kui too müür seda üldse võimaldas).
Võid igaks juhuks ka masina üle skännida, et ega mõnda pahalast sees ei istu mis oleks võinud kutsetele ka vastata.

Plondiin · HV kasutaja liitunud: 13.12.2001

TzigaLind · HV veteran liitunud: 12.01.2002

Kui sellel scarewarel on kuskil optsioonides võimalik, siis keela igatsuguste lollide ja kasutute alarmide andmine.
See, mis toimus on tavaline nähe tänapäeva internetis ja erilist muret ei tasuks tunda selle pärast.

HacaX · HV Guru liitunud: 22.01.2004

Teada saada otseselt võimalik tõeste ei ole. Aga on's vahet, kas turvaauke otsiti konkreetselt sinu masinast või näiteks kõigilt sinu bloki IPdelt? Minu arust mitte. Nagu TzigaLind mainis on selline asi tegelikult suht igapäevae ning kuni masinas ühtegi proget ei istu mis kutsetele vastata võiksid ei ole vaja muretseda.
IP bännist... kui on (ei ole endal Sygate) siis kuskil Intrusion Detection Systemi al või nii võiks sellise asja tõenoliselt leida. Asja mõte on selles, et kui avastatakse pordiskänn siis ei vastata teostajale enam üleüldse.