Getting ZAP Alerts on ...

THX1139

Member
Nov 3, 2002
Port 4938 from 217.86.28.113 occurred today.
Port 3727 from 210.241.27.194 occurred yesterday.

During each of the alerts I was able to resolve only the alert from today via NSLOOKUP.

EDIT:

Port 55096 from 213.82.34.146 just occurred.
 

spidey07

No Lifer
Aug 4, 2000
THX,

You'll have to forgive NocMonkey...he doesn't talk to real people much. He prefers the company of unix boxes. ;)

About your alerts, don't worry about it. You'll get attempts to your IP address all the time. Nothing to worry about unless there's a big amount (1 packet per second). Just part of the internet background noise so to speak.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: spidey07
THX,

You'll have to forgive NocMonkey...he doesn't talk to real people much. He prefers the company of unix boxes. ;)

About your alerts, don't worry about it. You'll get attempts to your IP address all the time. Nothing to worry about unless there's a big amount (1 packet per second). Just part of the internet background noise so to speak.

I uhh, might be getting a job that changes that a little bit... :p And at least I didn't ask him if he wanted a frickin' cookie. mmmm... cookies...
 

THX1139

Member
Nov 3, 2002
Ok, maybe a little more information is in order. I have two computers on a LAN behind a router with a firewall in place. Neither is in the DMZ, both are running the same environment, with ZApro, and only this one PC is getting alerts. The only difference is that I am using the Virtual Server feature on the router to redirect FTP and a small range of other ports (5,000 block) to this test PC.

This test PC never got a single alert until yesterday, and the only thing different was I installed MySQL. Of course, I then applied the SP1 to XPpro and got another, and then just before lunch a third. None of these ports seemed to be assigned, and only one of the three bound IPs produced a result from an nslookup.

On the router, I also have PING disabled so outsiders listen to dead air if they ping my static IP. Just wondered if anyone recognized anything. Certainly not looking for a cookie from a monkey--could be something quite different. :)
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: THX1139
Doh, I knew I was forgetting something. All three were TCP.

Are you sure these were the destination ports and not the source ports? Did it look something like:

> The firewall has blocked Internet access to your computer (TCP Port 1433) from 218.148.107.135 (TCP Port 3727) [TCP Flags: S].

?

Like Spidey said, these probably aren't anything to worry about. It could be fat fingering, mass scanning, or any number of other things at work here.
 

THX1139

Member
Nov 3, 2002
Yes, that alert kinda looks similar in structure to the ones I received. When I look at the detail log in ZApro, though, it showed the IP:port under the column labeled as Source. BTW, I just noticed that the two newest alerts are not in those logs, but the oldest remains. How did that happen!?! The oldest alert was targeted from 210.241.27.194:3727 and to the FTP port (21) of this PC.

Now, I can understand that, although only to a limited ability. Doesn't MySQL operate on 3727? Now, as to why those other two (most recent) alerts disappeared from the ZApro log is bewildering. Keep in mind that I am not at home at the moment, and I am remoting into the PC from work.
 

spidey07

No Lifer
Aug 4, 2000
THX,

The source and destination IP address and the source/destination port number and protocol are absolutely important. Those truly describe the frame in question. If it is coming from your computer then maybe further investigation is required. That symptom alone is not cause for alarm as many programs yap all the time, but we need to understand what those programs are and if it's alright for them to be yapping. :)

Little primer - a TCP conversation (also called socket) contains four values: source IP address, source TCP port, destination IP address, destination TCP port.

With those four values you can uniquely identify any internet conversation occurring for the entire globe.
 

THX1139

Member
Nov 3, 2002
Well, I do not think the first, or any, alert was truly from the mysql on my computer, because it is set up in ZApro to be allowed full permission, traffic-wise. But, I suspected the 3727 port being one that mysql used in which an outside entity was sniffing for mysql ports. Just a hunch, and not a very good one at that. Hold on ...

Well, dang. I just realized this forum doesn't support image loading. Ok, in ZApro Alerts & Logs the line entry reads from left to right as follows:

Rating, Date & Time, Type, Protocol, Program, Source-IP, Destination-IP, Direction, Action Taken
===================================================================
High, 2002/11/05 10:58:34-5:00, Firewall, TCP(flag:S), 210.241.27.194:3727, 192.168.xxx.yyy:21, Incoming, Blocked
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: THX1139
Well, I do not think the first, or any, alert was truly from the mysql on my computer, because it is setup in ZApro to be allowed full permission, traffic-wise. But, I suspected the 3727 port being one that mysql used in which an outside entity was sniffing for mysql ports. Just a hunch, and not a very good one at that. Hold on ...

MySQL's default port is 3306.

Well, dang. I just realized this forum doesn't support image loading. Ok, in ZApro Alerts & Logs the line entry reads from left to right as follows:

Rating, Date & Time, Type, Protocol, Program, Source-IP, Destination-IP, Direction, Action Taken
===================================================================
High, 2002/11/05 10:58:34-5:00, Firewall, TCP(flag:S), 210.241.27.194:3727, 192.168.xxx.yyy:21, Incoming, Blocked

Ok, so the source port is 3727, so that means very little in this equation. The important port here is 21, your port. So, whoever was doing the scanning was looking for ftp servers. As long as you aren't running an ftp server (or another server on port 21, you can check with netstat -an) you should be fine. Port 3727 is a typical source port for a non-root/admin user.
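The ZApro log line THX1139 laid out, parsed into the source/destination 4-tuple from spidey07's primer and reduced to the local port n0cmonkey says is the one that matters. This is an added example, not code from the thread or from ZoneAlarm; the sample lines, the 192.168.1.20 local address and the handling of an omitted empty Program column are constructed assumptions.

```python
import re
from collections import Counter, namedtuple

# Constructed sample lines in the column order THX1139 lists for ZApro's Alerts & Logs view.
# The Program column is blank for firewall alerts; 192.168.1.20 stands in for 192.168.xxx.yyy.
SAMPLE_LOG = """\
High, 2002/11/05 10:58:34-5:00, Firewall, TCP(flag:S), , 210.241.27.194:3727, 192.168.1.20:21, Incoming, Blocked
High, 2002/11/06 23:41:10-5:00, Firewall, TCP(flag:S), , 64.116.182.28:3917, 192.168.1.20:21, Incoming, Blocked
Medium, 2002/11/06 09:12:00-5:00, Firewall, TCP(flag:S), , 218.148.107.135:3727, 192.168.1.20:1433, Incoming, Blocked
"""
COLUMNS = ["rating", "timestamp", "type", "protocol", "program", "source", "destination", "direction", "action"]

Alert = namedtuple("Alert", "src_ip src_port dst_ip dst_port protocol flags direction action")

def _endpoint(field):
    ip, port = field.rsplit(":", 1)   # "210.241.27.194:3727" -> ("210.241.27.194", 3727)
    return ip, int(port)

def parse_alert(line):
    """Split one ZApro log line into the TCP 4-tuple plus protocol, flags, direction and action."""
    fields = [f.strip() for f in line.split(",")]
    if len(fields) == len(COLUMNS) - 1:   # assumption: the empty Program field was dropped
        fields.insert(COLUMNS.index("program"), "")
    if len(fields) != len(COLUMNS):
        raise ValueError(f"expected {len(COLUMNS)} columns, got {len(fields)}")
    row = dict(zip(COLUMNS, fields))
    m = re.fullmatch(r"(\w+)(?:\(flag:([A-Z]+)\))?", row["protocol"])   # e.g. "TCP(flag:S)"
    if not m:
        raise ValueError(f"unrecognised protocol field: {row['protocol']!r}")
    return Alert(*_endpoint(row["source"]), *_endpoint(row["destination"]),
                 m.group(1), m.group(2) or "", row["direction"], row["action"])

def probed_port(alert):
    """The local service port: the destination for an incoming attempt, the source for an outgoing one."""
    return alert.dst_port if alert.direction == "Incoming" else alert.src_port

def is_ephemeral(port):
    """The >1023 rule of thumb n0cmonkey mentions for a client's source port."""
    return port > 1023

def probed_service_counts(log_text):
    """Count blocked incoming SYNs per local port: what the scanner was actually looking for."""
    counts = Counter()
    for line in filter(str.strip, log_text.splitlines()):
        a = parse_alert(line)
        if a.direction == "Incoming" and a.action == "Blocked" and "S" in a.flags:
            counts[probed_port(a)] += 1
    return dict(counts)
```

Run against the sample, the two FTP probes collapse onto port 21 regardless of their differing source ports.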
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: spidey07
Port 3727 is a typical source port for a non-root/admin user.
Alright smarty pants...just what OS uses this range for source ports?

Ok, I could be wrong. I thought just about anything over 1023 could be a source port for an unprivileged user. I haven't seen any studies or anything that show each OS with the range of ports it prefers, but if you know of one, I'd love to see it.
 

spidey07

No Lifer
Aug 4, 2000
Noc,

I don't know that stuff off the top of my head. :( I see so many traces week to week that it all sort of blends together. But I do believe that certain OSs have certain source port ranges (one of the criteria that nmap uses to determine OS). I'm sure there are web links out there.
 

n0cmonkey

Elite Member
Jun 10, 2001
Originally posted by: spidey07
Noc,

I don't know that stuff off the top of my head. :( I see so many traces week to week that it all sort of blends together. But I do believe that certain OSs have certain source port ranges (one of the criteria that nmap uses to determine OS). I'm sure there are web links out there.

It makes sense. Different tcp/ip stacks written by different authors, each with their own little twist... nmap on the other hand looks at responses to packets. The nmap machine initiates connections and looks at the responses, so the source port is on the local machine and should not come into play during the fingerprinting...

It would be an interesting concept to look into though for portscan detectors...
 

THX1139

Member
Nov 3, 2002
Ok, beavis & butthead back to the topic at hand. Late last night I got another alert, and this time from source-IP: 64.116.182.28:3917. Same deal, protocol=TCP, flag=S, and directed at ... you guessed it ... my FTP port. This certainly explains why this particular PC is getting alerts. Hold on ... one moment ...

I just had to get my morning cup of pre-coffee nervousness in order ... and go look at the logs on the other computer. God-dang! Talk about a more robust, don't-inform-me kind of log! But, actually, only three log entries were TCP that were also blocked and coming from ports 119 (x2), and 65224. Now, 119 is NNTP and these two instances were incoming in nature (huh), but when my 'then' ISP's out-sourced NNTP server changed to an authentication basis--so that's explained. The 65224 is in the dynamic port range, and this one came from 129.69.2.131 that slapped me on the 12th of last month and tried to attach itself to my port 204. ZApro reports the application being used in this matter by the source was ftp.rus.uni-stuttgart.de and the only relation I know of, there, is that I sometimes use ftp.uni-stuttgart.de for getting ISO images. Maybe this was a mirror FTP site looking for verification or something but why come at me on port 65224 looking to attach itself on port 204?

Ok, I have some coffee in me now. Back to reality. Anyone know how to export a log file from ZApro?