[Dshield] RE: incoming traffic from 192.168.0.1 ???? (Boris Sverdlik)

Boris Sverdlik bsverdlik at nyc.rr.com
Fri Jul 27 04:03:23 GMT 2001


Guys,

	192.168.0.1 is a Microsoft default for ICS (Internet connection
sharing)... Is it possible that prior to purchasing the router you were
running ICS? In other words, that might be where your problem lies... If I
recall (I might be wrong) 192.168.0.0/16 is owned by MIT and it is
possible to route it via the internet if some moron somewhere is
running something like ios 1 or something to that effect which was
released prior to the RFC... I don't think your problem is that
complex... It probably has something to do with your win98 machine....
And I use the linksys too, and if you have it set to obtain an IP
automatically and haven't messed with any of the default settings (with
the exception of password of course) the default LAN ip should be
192.168.1.1/24

Regards,
Boris 

Boris Sverdlik
Technical Solutions Consultant
Information Security Practice
Sprint E-Solutions
Voice (917)687-5911

"It's not a matter of if America has an electronic Pearl Harbour -- it's a
matter of when"
--Curtis Weldon, Pentagon
 


-----Original Message-----
From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org] On
Behalf Of dshield-request at dshield.org
Sent: Thursday, July 26, 2001 11:47 PM
To: dshield at dshield.org
Subject: Dshield digest, Vol 1 #161 - 9 msgs


Send Dshield mailing list submissions to
	dshield at dshield.org

To subscribe or unsubscribe via the World Wide Web, visit
	http://www1.dshield.org/mailman/listinfo/dshield
or, via email, send a message with subject or body 'help' to
	dshield-request at dshield.org

You can reach the person managing the list at
	dshield-admin at dshield.org

When replying, please edit your Subject line so it is more specific than
"Re: Contents of Dshield digest..."


Today's Topics:

   1. Re: incoming traffic from 192.168.0.1 ???? (BarkerJr)
   2. Re: eEye CodeRedScanner.exe (was: Code Red Reinfection After Patch
       Installed) (Patrick Mueller)
   3. RE: incoming traffic from 192.168.0.1 ???? (Coxe, John B.)
   4. RE: incoming traffic from 192.168.0.1 ???? (Tom Geairn)
   5. RE: incoming traffic from 192.168.0.1 ???? (patv at monmouth.com)
   6. RE: incoming traffic from 192.168.0.1 ???? (Stephan Odak)
   7. alarm (ladyblckraven)
   8. Re: alarm (Johannes B. Ullrich)

--__--__--

Message: 1
From: "BarkerJr" <barkjr at home.com>
To: <dshield at dshield.org>
Subject: Re: [Dshield] incoming traffic from 192.168.0.1 ????
Date: Thu, 26 Jul 2001 12:52:29 -0400
Reply-To: dshield at dshield.org

A traceroute (tracert) to 192.168.0.1 would be nice...

Linksys routers are on 192.168.1.1, by the way.

-BarkerJr

----- Original Message ----- 
From: "Eric Rosander" <erosander at matrixns.com>
To: <dshield at dshield.org>
Sent: Thursday, July 26, 2001 12:29 PM
Subject: RE: [Dshield] incoming traffic from 192.168.0.1 ????


> A spoofed address or nmap decoy was my first thought.
> 
> -----Original Message-----
> From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
> Behalf Of Jay Wren
> Sent: Thursday, July 26, 2001 8:29 AM
> To: 'dshield at dshield.org'
> Subject: RE: [Dshield] incoming traffic from 192.168.0.1 ????
> 
> 
> It could very well be a spoofed ip?
> 
> -J
> 
> -----Original Message-----
> From: patv at monmouth.com [mailto:patv at monmouth.com]
> Sent: Thursday, July 26, 2001 11:30 AM
> To: dshield at dshield.org
> Subject: RE: [Dshield] incoming traffic from 192.168.0.1 ????
> 
> 
> Don't be so quick on dismissing this.  The original email specifically
> stated that it isn't the ip for his lan.  Additionally, I've gotten
> scans from reserved ip addresses before.  I don't know how it was done
> (although I have some suspicions), but it is real.
> 
> Pat
> 
> > 192.168 is the range of reserved class C nets.  These are not routable
> > and are commonly used for private LANs that are generally masqueraded
> > by firewalls or proxy servers.  Check to see if this is not just the
> > internal interface address of your linksys.  I haven't used that
> > product.  But that would not surprise me.  In any event, there is no
> > point worrying about a threat from that address.  It is not routable
> > on the 'net anyway.  BTW, the reserved nets are 10.0.0.0 (class A),
> > 172.16-31.0.0 (class Bs) and 192.168.0-255.0 (class Cs).
> >
> > -----Original Message-----
> > From: dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]On
> > Behalf Of airratt
> > Sent: Tuesday, July 24, 2001 3:01 PM
> > To: dshield at dshield.org
> > Subject: Re: [Dshield] incoming traffic from 192.168.0.1 ????
> >
> >
> > My dig of that IP 192.168.0.1 is :BLACKHOLE.ISI.EDU
> >
> >
> > ----- Original Message -----
> > From: "Marty Keane" <mkeane89 at pacbell.net>
> > To: <dshield at dshield.org>
> > Sent: Tuesday, July 24, 2001 3:49 PM
> > Subject: [Dshield] incoming traffic from 192.168.0.1 ????
> >
> >
> > > Hello all,
> > >
> > > I'm new to the list so I hope I'm on target with my question. I'm
> > > using the linksys router with the latest firmware with a windows 98
> > > machine. I just started logging my incoming traffic to the firewall
> > > and recently found something very disturbing. Hopefully there's a
> > > simple explanation. Here are the entries AM (PST)
> > >
> > > remote addr                                   remote port   local port
> > > -----------------------------------------------------------------------
> > >
> > > 11:26:51  (first three entries)
> > >
> > > 169.254.61.126                                137           137
> > > 192.168.0.1                                   137           137
> > > adsl-64-160-96-149.dsl.bkfd14.pacbell.net     137           137
> > >
> > > 11:27:19 (remaining entries)
> > >
> > > 169.254.61.126                                137           137
> > > 192.168.0.1                                   137           137
> > > adsl-64-160-96-149.dsl.bkfd14.pacbell.net     137           137
> > > 192.168.0.1                                   137           137
> > > 169.254.61.126                                137           137
> > >
> > > My apologies if there is some other formal way of raising this
> > > issue, but the fact that it's an internal looking address has me
> > > concerned. I'm aware of the net-bios issue with windows machines
> > > and I've cloaked my router. One last note is that 192.168.0.1 is
> > > neither my router's ip nor an ip of a machine on my LAN.
> > >
> > > Any insight would be greatly appreciated! Right now I've got my
> > > LAN down and I am afraid to bring it up until I know what's going
> > > on :-/
> > >
> > >
> > > Marty


--__--__--

Message: 2
Date: Thu, 26 Jul 2001 13:25:48 -0500 (CDT)
From: Patrick Mueller <pmueller at neohapsis.com>
To: <dshield at dshield.org>
Subject: [Dshield] Re: eEye CodeRedScanner.exe (was: Code Red
Reinfection After Patch
 Installed)
Reply-To: dshield at dshield.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 23 Jul 2001 security at admin.fulgan.com wrote:

> eEye has a code red vulnerability scanning tool that you can use to
> check whether your server really is patched.

Anybody else find it annoying that it is binary only? This flies in the
face of security concepts such as reviewing free code downloaded from
the Internet.

There is a legal component to this as well. If you're *buying*
binary-only code from a commercial organization, you do have some (not
much) of an implied warranty that could be potentially pursued in court.
With free software, AFAIK, this is not possible.

And yes, I suppose if I were pressed, I'd admit that I do trust any code
that eEye would push out.

I'm probably getting off-topic here, so I'll sign off now..

- -- 
	-- Patrick, getting annoyed at eEye lately

- -------------------------------------------------------------------------
Patrick Mueller    --   Security Analyst   --   <pmueller at neohapsis.com>
                  Neohapsis <www.neohapsis.com>


-----BEGIN PGP SIGNATURE-----
Comment: Key available at http://pgp.mit.edu

iD8DBQE7YGCuW5zvMHNPjVMRAnRLAJ4/54tyuaBJ6BC6M0e9xhhU1/pmywCeL0Ha
iBuftMkV5Lsw4fPoATYMCOA=
=x0kk
-----END PGP SIGNATURE-----


--__--__--

Message: 3
From: "Coxe, John B." <JOHN.B.COXE at saic.com>
To: "'dshield at dshield.org'" <dshield at dshield.org>
Subject: RE: [Dshield] incoming traffic from 192.168.0.1 ????
Date: Thu, 26 Jul 2001 12:40:51 -0700
Reply-To: dshield at dshield.org

[from ALEPH0 on another account:]
Yes it could.  But what is the expected exploit?  It doesn't look like a
big bandwidth or cpu hitter.  And as far as worms (like Bymer or Qaz)
are concerned, the unroutable nature of the address inhibits its ability
to process the information.

Could be a new exploit (or one I am not considering) or a newbie trying
out a toy or a new C program he wrote.  Targeting a linksys router (or
similar) would make sense with the spoofed address.  Any ideas on what
might be gained?  Depending on the netmask, maybe arp corruption?

Oh, saw the 192.168.1.1 address related from the manual.  Is that
universal for linksys?  What about other vendors' products?  The
originator doesn't necessarily know what his target is.


-----Original Message-----
From: Jay Wren [mailto:JRWren at advnetworks.com]
Sent: Thursday, July 26, 2001 8:29 AM
To: 'dshield at dshield.org'
Subject: RE: [Dshield] incoming traffic from 192.168.0.1 ????


It could very well be a spoofed ip?

-J


--__--__--

Message: 4
From: Tom Geairn <TGeairn at unxpres.com>
To: "'dshield at dshield.org'" <dshield at dshield.org>
Subject: RE: [Dshield] incoming traffic from 192.168.0.1 ????
Date: Thu, 26 Jul 2001 16:41:58 -0400
Reply-To: dshield at dshield.org

Using the 192.168.x.x (or other unroutable addresses) is a common
practice for DOS or DDOS attacks.  It makes backtracking a little more
difficult if the apparent reply to address isn't valid.  

Also, the packet itself is a (albeit simple) denial of service...  Your
box will spend some time trying to reply or ACK the packet and you can
end up with enough pending ACKs that your box will slow or crash.
Configuring your router to simply drop the packets is usually enough,
though.

As always, if you are seeing a large volume of this traffic, contact
your ISP and ask them to drop the packets on their end.  Be a good
neighbor and configure your router to explicitly drop any outbound
packets with unroutable source or destination addresses too.  If
everyone dumped these junk packets before they left their networks we
could free up some much needed bandwidth!

There is one other possibility here for a potential worm or attack that
you overlooked.  What if you did have a machine on your internal network
with an address of 192.168.0.1?  Your router would ACK to that machine
instead of the original sender, possibly (if source routing is enabled?)
sending the foreign packet into your network.  Now you have your
"supposedly" safe machine that has an internal use only address getting
hit by traffic caused by someone outside your net.  I haven't played
with this idea much, but I suppose that if your router were doing some
kinds of address translation it could think this packet was right at
home and translate it to something else with similar effects.

-Tom

-----Original Message-----
From: Coxe, John B. [mailto:JOHN.B.COXE at saic.com]
Sent: Thursday, July 26, 2001 3:41 PM
To: 'dshield at dshield.org'
Subject: RE: [Dshield] incoming traffic from 192.168.0.1 ????


[from ALEPH0 on another account:]
Yes it could.  But what is the expected exploit?  It doesn't look like a
big bandwidth or cpu hitter.  And as far as worms (like Bymer or Qaz)
are concerned, the unroutable nature of the address inhibits its ability
to process the information.

Could be a new exploit (or one I am not considering) or a newbie trying
out a toy or a new C program he wrote.  Targeting a linksys router (or
similar) would make sense with the spoofed address.  Any ideas on what
might be gained?  Depending on the netmask, maybe arp corruption?

Oh, saw the 192.168.1.1 address related from the manual.  Is that
universal for linksys?  What about other vendors' products?  The
originator doesn't necessarily know what his target is.



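The filtering Tom describes, run over entries in the layout of Marty's
Linksys log, as an added example. This is Python written for this page,
not code from the thread, from Linksys or from DShield. The ingress side
classifies each remote address against the ranges that should never be
a source on a packet arriving from the Internet (RFC 1918 private space,
169.254/16 link-local, loopback, and the remaining non-routable blocks);
the egress side is the "good neighbor" rule, dropping anything that
leaves with a source outside the LAN prefix or a destination that is not
routable. The sample log lines are constructed from the entries quoted
in the thread, the LAN prefix 192.168.1.0/24 is the Linksys default the
thread mentions and is an assumption here, and hostnames are deliberately
not resolved.

```python
"""Martian-source audit of a home-router log, plus the border rule that
would drop such packets in both directions.  Added example; not code from
the thread or from any Linksys firmware."""
import ipaddress
import re
from collections import Counter

# Source ranges that must never arrive from the Internet.  A hit is a
# "martian": the packet was spoofed, or leaked by a broken network upstream.
MARTIANS = {
    "rfc1918":    ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "link-local": ["169.254.0.0/16"],
    "loopback":   ["127.0.0.0/8"],
    "this-net":   ["0.0.0.0/8"],
    "multicast":  ["224.0.0.0/4"],
    "reserved":   ["240.0.0.0/4"],
}
MARTIANS = {label: [ipaddress.ip_network(c) for c in cidrs]
            for label, cidrs in MARTIANS.items()}


def martian_class(addr):
    """Return the martian class of an IPv4 address, or None if it is routable."""
    ip = ipaddress.ip_address(addr)
    for label, nets in MARTIANS.items():
        if any(ip in net for net in nets):
            return label
    return None


def border_verdict(direction, src, dst, lan):
    """Ingress/egress decision for a single-LAN border router.

    direction: "in" (arriving from the Internet) or "out" (leaving the LAN,
    pre-NAT).  dst is ignored for "in".  lan is the LAN prefix, e.g.
    "192.168.1.0/24" (assumed default).  Returns (action, reason)."""
    lan_net = ipaddress.ip_network(lan)
    s = ipaddress.ip_address(src)
    if direction == "in":
        if s in lan_net:
            return "drop", "spoofed: source claims to be on our own LAN"
        cls = martian_class(src)
        if cls:
            return "drop", "martian source (%s)" % cls
        return "accept", "routable source"
    if direction == "out":
        if s not in lan_net:
            return "drop", "egress: source %s is not in our LAN prefix" % src
        cls = martian_class(dst)
        if cls:
            return "drop", "egress: destination is not routable (%s)" % cls
        return "accept", "ok"
    raise ValueError("direction must be 'in' or 'out'")


# Constructed sample in the layout of the Linksys log quoted in the thread:
# time, remote address (or hostname), remote port, local port.
SAMPLE_LOG = """\
11:26:51 169.254.61.126 137 137
11:26:51 192.168.0.1 137 137
11:26:51 adsl-64-160-96-149.dsl.bkfd14.pacbell.net 137 137
11:27:19 192.168.0.1 137 137
11:27:19 169.254.61.126 137 137
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def audit_log(text, lan="192.168.1.0/24"):
    """Apply the ingress verdict to every log line; hostnames are reported
    as 'unresolved' rather than looked up (no DNS in an offline audit)."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        when, remote, rport, lport = m.groups()
        if IPV4_RE.match(remote):
            action, reason = border_verdict("in", remote, None, lan)
        else:
            action, reason = "unresolved", "hostname, not resolved here"
        findings.append((when, remote, int(rport), int(lport), action, reason))
    return findings


def drops_per_source(findings):
    """Count dropped packets per remote address."""
    return Counter(f[1] for f in findings if f[4] == "drop")


if __name__ == "__main__":
    results = audit_log(SAMPLE_LOG)
    for f in results:
        print("%s %-45s %5d -> %-5d %-10s %s" % f)
    print(drops_per_source(results))
```

Both addresses Marty worried about come out as drops on ingress, for
different reasons: 192.168.0.1 is RFC 1918 space that is not even his
own LAN prefix, and 169.254.61.126 is link-local, which a correctly
configured host never sends across a router at all.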

--__--__--

Message: 5
To: dshield at dshield.org
From: patv at monmouth.com
Subject: RE: [Dshield] incoming traffic from 192.168.0.1 ????
Date: Thu, 26 Jul 2001 17:43:04 est
Reply-To: dshield at dshield.org

No, all the hardware routers/firewalls use different IP addresses, but
usually one in the 192.168.XX.XX range.

My guess is somewhat more involved.  These may be spoofed addresses from
inside a network, for example, a local cable or DSL provider.  These
addresses are sent out to test for potential vulnerabilities of hardware
routers/firewalls.  If one just happens to respond, the hacker can then
sit on it and try to access different ports, try to see behind the
firewall, etc.

Pat

> [from ALEPH0 on another account:]
> Yes it could.  But what is the expected exploit?  It doesn't look like
> a big bandwidth or cpu hitter.  And as far as worms (like Bymer or Qaz)
> are concerned, the unroutable nature of the address inhibits its
> ability to process the information.
> 
> Could be a new exploit (or one I am not considering) or a newbie trying
> out a toy or a new C program he wrote.  Targeting a linksys router (or
> similar) would make sense with the spoofed address.  Any ideas on what
> might be gained?  Depending on the netmask, maybe arp corruption?
> 
> Oh, saw the 192.168.1.1 address related from the manual.  Is that
> universal for linksys?  What about other vendors' products?  The
> originator doesn't necessarily know what his target is.
>




--__--__--

Message: 6
From: "Stephan Odak" <Win2k at home.com>
To: <dshield at dshield.org>
Subject: RE: [Dshield] incoming traffic from 192.168.0.1 ????
Date: Thu, 26 Jul 2001 18:40:19 -0400
Reply-To: dshield at dshield.org

My hunch is that the 192.168.0.1 machine is the same as the
169.254.61.126 machine. A machine with 2 or more IP addresses and more
than one route to the Internet. Windows will send packets to both routes
and accept the one that arrives first.

Stephan
GCIA#0241


 -----Original Message Excerpt-----
From: 	dshield-admin at dshield.org [mailto:dshield-admin at dshield.org]  On
Behalf Of Coxe, John B.
Sent:	Thursday, July 26, 2001 3:41 PM
To:	'dshield at dshield.org'
Subject:	RE: [Dshield] incoming traffic from 192.168.0.1 ????
> > 11:27:19 (remaining entries)
> >
> > 169.254.61.126                                137           137
> > 192.168.0.1                                   137           137
> > adsl-64-160-96-149.dsl.bkfd14.pacbell.net     137           137
> > 192.168.0.1                                   137           137
> > 169.254.61.126                                137           137
> >
> > My apologies if there is some other formal way of raising this
> > issue, but the fact that it's an internal looking address has me
> > concerned. I'm aware of the net-bios issue with windows machines
> > and I've cloaked my router. One last note is that 192.168.0.1 is
> > neither my router's ip nor an ip of a machine on my LAN.
> >
> > Any insight would be greatly appreciated! Right now I've got my
> > LAN down and I am afraid to bring it up until I know what's going
> > on :-/
> >
> >
> > Marty



--__--__--

Message: 7
From: "ladyblckraven" <highchaparral at wi.rr.com>
To: <dshield at dshield.org>
Date: Thu, 26 Jul 2001 19:35:53 -0500
Organization: Im not organized
Subject: [Dshield] alarm
Reply-To: dshield at dshield.org

Can anyone tell me what this means, because I am constantly getting this
message on my zone alarm.

The firewall has blocked Internet access to your computer (TCP Port
27374) from 65.2.126.251 (TCP Port 4988) [TCP Flags: S].



--__--__--

Message: 8
Date: Thu, 26 Jul 2001 21:32:58 -0400 (EDT)
From: "Johannes B. Ullrich" <jullrich at euclidian.com>
To: <dshield at dshield.org>
Subject: Re: [Dshield] alarm
Reply-To: dshield at dshield.org


This is a scan for a trojan called 'SubSeven'. SubSeven is all too
common and people just scan random computers for it. There are even some
worms (e.g. the 'leaves' worm that caused headlines recently) that use
SubSeven to spread.

Many people run SubSeven and don't know it. It's one of those things
people get you to install by advertising it as a way to increase your
modem speed or whatever.

Once installed, SubSeven gives strangers full access to your PC. However,
a virus scanner will recognize and remove SubSeven (so make sure that
you've got a current virus scanner).




On Thu, 26 Jul 2001, ladyblckraven wrote:

> Can anyone tell me what this means, because I am constantly getting 
> this message on my zone alarm.
>
> The firewall has blocked Internet access to your computer (TCP Port 
> 27374) from 65.2.126.251 (TCP Port 4988) [TCP Flags: S].
>

-- 
-------
jullrich at sans.org                    Join http://www.DShield.org
                                     Distributed Intrusion Detection System


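Triage of ZoneAlarm alerts of the kind quoted above, as an added example.
This is Python written for this page, not code from the thread, from
ZoneAlarm or from DShield. It parses the alert text, groups hits per
source address, records whether every hit was a bare SYN (a connect
attempt rather than a reply to something the PC sent), and flags
destination ports that belong to known backdoor listeners. Only
27374/SubSeven comes from the thread; the other two entries in the port
table are well-known trojan ports added here for illustration. Apart
from the one alert quoted above, the sample lines are constructed, and
the second source address is from the 198.51.100.0/24 documentation range.

```python
"""Parse ZoneAlarm 'blocked' alerts and flag probes for known backdoor
ports.  Added example; not from the thread or from ZoneAlarm."""
import re

# Shape of the alert quoted in the thread.  The trailing flags field is
# optional so that alerts without it (e.g. UDP) still parse.
ALERT_RE = re.compile(
    r"The firewall has blocked Internet access to your computer "
    r"\((?P<proto>TCP|UDP) Port (?P<dport>\d+)\) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) "
    r"\((?:TCP|UDP) Port (?P<sport>\d+)\)"
    r"(?: \[TCP Flags: (?P<flags>[A-Z]+)\])?"
)

# 27374 is the port in the thread; the other two are well-known trojan
# listeners added here for illustration.
BACKDOOR_PORTS = {
    27374: "SubSeven",
    12345: "NetBus",
    31337: "Back Orifice",
}

# Constructed sample: the quoted alert, two retries from the same scanner
# on fresh source ports, an unrelated web-port probe, and a non-alert line.
SAMPLE_ALERTS = [
    "The firewall has blocked Internet access to your computer (TCP Port 27374) from 65.2.126.251 (TCP Port 4988) [TCP Flags: S].",
    "The firewall has blocked Internet access to your computer (TCP Port 27374) from 65.2.126.251 (TCP Port 4991) [TCP Flags: S].",
    "The firewall has blocked Internet access to your computer (TCP Port 27374) from 65.2.126.251 (TCP Port 5002) [TCP Flags: S].",
    "The firewall has blocked Internet access to your computer (TCP Port 80) from 198.51.100.23 (TCP Port 33011) [TCP Flags: S].",
    "ZoneAlarm started at 18:02",
]


def parse_alert(line):
    """Return a dict (proto, dport, src, sport, flags) or None if the line
    is not a blocked-access alert."""
    m = ALERT_RE.search(line)
    if m is None:
        return None
    a = m.groupdict()
    a["dport"] = int(a["dport"])
    a["sport"] = int(a["sport"])
    return a


def triage(lines):
    """Group alerts per source.  For each source: hit count, the set of
    ports probed, the backdoor names among them, and whether every hit
    was a bare SYN."""
    per_src = {}
    for line in lines:
        a = parse_alert(line)
        if a is None:
            continue
        rec = per_src.setdefault(a["src"], {
            "count": 0, "ports": set(), "backdoor_probes": set(), "syn_only": True})
        rec["count"] += 1
        rec["ports"].add(a["dport"])
        name = BACKDOOR_PORTS.get(a["dport"])
        if name is not None:
            rec["backdoor_probes"].add("%s/%d" % (name, a["dport"]))
        if a["flags"] != "S":
            rec["syn_only"] = False
    return per_src


def report(per_src):
    """One line per source, backdoor scanners first, then by hit count."""
    order = sorted(per_src.items(),
                   key=lambda kv: (-len(kv[1]["backdoor_probes"]), -kv[1]["count"]))
    lines = []
    for src, rec in order:
        if rec["backdoor_probes"]:
            verdict = "backdoor scan: " + ", ".join(sorted(rec["backdoor_probes"]))
        else:
            verdict = "blocked, no known backdoor port"
        lines.append("%-16s %3d alert(s)  %s" % (src, rec["count"], verdict))
    return lines


if __name__ == "__main__":
    for line in report(triage(SAMPLE_ALERTS)):
        print(line)
```

Repeated SYNs from one source to 27374 with climbing source ports are a
scanner retrying, not a host on your LAN answering back; the action is
the one Ullrich gives (make sure the PC is clean), and, if the volume is
high, the source and timestamps are what an abuse report needs.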


--__--__--

_______________________________________________
Dshield mailing list
Dshield at dshield.org http://www1.dshield.org/mailman/listinfo/dshield


End of Dshield Digest



