Unusual log entries

Anonymous
June 14, 2004 2:49:18 PM

Archived from groups: comp.security.firewalls

I found some weird entries for blocked requests in my ZoneAlarm logs
-- they were coming from IPs:

216.239.59.99
216.239.59.104
209.123.205.211

on their port #80.

The first two obviously belong to Google, while the last one belongs
to NAC.net. They were trying to access my computer on ports 110, 111,
112.

The weird part is that this computer is connected to a (hardware)
router+firewall, so my question is: how the hell did those requests
come from the "outside world" into my computer? Some Google search
that asks for more information from the user, or something?

Anonymous
June 14, 2004 3:06:37 PM

scorpius wrote:

> I found some weird entries for blocked requests in my ZoneAlarm logs
> -- they were coming from IPs:

> 216.239.59.99
> 216.239.59.104
> 209.123.205.211

> on their port #80.

Port 80 is http requests to a webserver, such as Apache or IIS.


> The first two obviously belong to Google, while the last one belongs
> to NAC.net. They were trying to access my computer on ports 110, 111,
> 112.

Port 110 is email POP3 server requests, such as you use
when you log on to read your email.

Port 111 is Sun RPC requests. (search google for information)

Port 112 is McIDAS Data Transmission Protocol (search google)

I would consider the combination of those three to
be hack port scans, and would expect additional hits
on many other ports, from the same server.

I would be concerned about hits on port 110 and port 111 and
not worry too much about the others, unless persistent.

This link will provide casual descriptions of ports and
typical hacks, for those ports.

http://www.seifried.org/security/ports/0/


Purl Gurl
--
Roberta The Remarkable Robot
http://www.purlgurl.net/~callgirl/roberta/roberta.cgi
Roberta's Operator's Manual
http://www.purlgurl.net/~callgirl/roberta/help.html

Anonymous
June 15, 2004 7:56:42 AM

> I would consider the combination of those three to
> be hack port scans, and would expect additional hits
> on many other ports, from the same server.
>
> I would be concerned about hits on port 110 and port 111 and
> not worry too much about the others, unless persistent.


Thank you for your reply and a very useful link. I mostly know stuff
about which ports belong to what; what puzzles me here is how the
apparent attacker came through my broadband router+firewall and only
got stopped on ZoneAlarm (on this specific machine). Actually, I did
perform a Google search at around the same time when the incident was
logged. Since the apparent attack is logged only in this very machine
(and not the other one, also with ZoneAlarm), it's also possible that
Google does some "research" when you're using their search engine.
What do you guys think about it?
There were no similar entries before or after the "incident".
Google then?
(No, no Google toolbar, I used plain Mozilla Firefox. ;)  )