Log del firewall

[ddmaster]

Visto che non mi era mai capitato... secondo voi cosa vuol dire questo log del firewall?

--------Incoming-------
DateTime From IP To Port
[2000-01-01 00:00:00] | From:[67.159.5.204] | Port:[1547] | [Blocked]
[2005-10-03 17:20:57] | From:[81.176.69.71] | Port:[1480] | [Blocked]
[2005-10-03 17:22:23] | From:[37.255.154.105] | Port:[80] | [Blocked]
[2005-10-03 17:22:39] | From:[151.1.209.97] | Port:[1312] | [Blocked]
[2005-10-03 17:22:58] | From:[37.255.144.127] | Port:[139] | [Blocked]
[2005-10-03 17:23:33] | From:[37.255.235.214] | Port:[139] | [Blocked]
[2005-10-03 00:25:14] | From:[37.255.92.65] | Port:[80] | [Blocked]
[2005-10-03 00:26:04] | From:[37.255.180.47] | Port:[139] | [Blocked]
[2005-10-03 00:27:22] | From:[37.255.154.105] | Port:[139] | [Blocked]
[2005-10-03 00:33:17] | From:[37.255.81.134] | Port:[139] | [Blocked]
[2005-10-03 00:34:23] | From:[37.255.89.94] | Port:[80] | [Blocked]
[2005-10-03 00:36:31] | From:[37.255.89.94] | Port:[139] | [Blocked]
[2005-10-03 00:37:27] | From:[37.255.251.113] | Port:[139] | [Blocked]
[2005-10-03 00:38:24] | From:[37.255.127.69] | Port:[80] | [Blocked]
[2005-10-03 00:42:59] | From:[37.255.183.46] | Port:[139] | [Blocked]
[2005-10-03 00:45:43] | From:[37.255.144.127] | Port:[80] | [Blocked]
[2005-10-03 00:52:55] | From:[37.255.59.37] | Port:[1433] | [Blocked]
[2005-10-03 00:58:08] | From:[37.255.43.14] | Port:[1433] | [Blocked]
[2005-10-03 01:02:58] | From:[37.255.64.34] | Port:[80] | [Blocked]
[2005-10-03 01:10:48] | From:[37.255.239.85] | Port:[80] | [Blocked]
[2005-10-03 01:12:29] | From:[37.255.59.37] | Port:[139] | [Blocked]
[2005-10-03 01:14:22] | From:[37.255.89.94] | Port:[445] | [Blocked]
[2005-10-03 01:19:14] | From:[37.255.66.63] | Port:[1433] | [Blocked]
[2005-10-03 01:22:04] | From:[37.255.218.227] | Port:[80] | [Blocked]
[2005-10-03 01:22:26] | From:[37.255.82.23] | Port:[80] | [Blocked]
[2005-10-03 01:30:18] | From:[37.255.246.49] | Port:[139] | [Blocked]
[2005-10-03 01:30:42] | From:[37.255.92.65] | Port:[445] | [Blocked]
[2005-10-03 01:33:06] | From:[37.255.82.23] | Port:[139] | [Blocked]
[2005-10-03 01:34:54] | From:[37.255.82.23] | Port:[445] | [Blocked]
[2005-10-03 01:36:05] | From:[37.255.217.157] | Port:[139] | [Blocked]
[2005-10-03 01:38:42] | From:[37.255.239.85] | Port:[139] | [Blocked]
[2005-10-03 01:44:25] | From:[37.255.235.214] | Port:[80] | [Blocked]
[2005-10-03 01:44:58] | From:[37.255.110.101] | Port:[139] | [Blocked]
[2005-10-03 01:46:12] | From:[37.255.110.101] | Port:[80] | [Blocked]
[2005-10-03 01:49:36] | From:[37.255.34.194] | Port:[139] | [Blocked]
[2005-10-03 01:56:35] | From:[37.255.198.218] | Port:[139] | [Blocked]
[2005-10-03 01:57:26] | From:[37.255.66.63] | Port:[139] | [Blocked]
[2005-10-03 01:58:34] | From:[37.255.218.227] | Port:[139] | [Blocked]
[2005-10-03 01:59:15] | From:[37.255.66.189] | Port:[139] | [Blocked]
[2005-10-03 02:00:09] | From:[37.255.43.17] | Port:[80] | [Blocked]
[2005-10-03 02:03:48] | From:[37.255.78.155] | Port:[80] | [Blocked]
[2005-10-03 02:05:14] | From:[37.255.34.194] | Port:[80] | [Blocked]
[2005-10-03 02:09:14] | From:[37.255.43.14] | Port:[139] | [Blocked]
[2005-10-03 02:15:16] | From:[37.255.25.173] | Port:[139] | [Blocked]
[2005-10-03 02:20:44] | From:[37.255.128.45] | Port:[80] | [Blocked]
[2005-10-03 02:22:53] | From:[37.255.129.169] | Port:[80] | [Blocked]
[2005-10-03 02:23:46] | From:[37.255.198.218] | Port:[80] | [Blocked]
[2005-10-03 02:35:42] | From:[37.255.129.169] | Port:[139] | [Blocked]
[2005-10-03 02:36:08] | From:[37.255.40.59] | Port:[80] | [Blocked]
[2005-10-03 02:37:23] | From:[37.255.127.69] | Port:[139] | [Blocked]
[2005-10-03 03:23:04] | From:[37.255.241.2] | Port:[139] | [Blocked]
[2005-10-03 03:24:44] | From:[37.255.43.10] | Port:[80] | [Blocked]
[2005-10-03 03:24:53] | From:[37.255.104.253] | Port:[139] | [Blocked]
[2005-10-03 03:28:24] | From:[37.255.67.243] | Port:[139] | [Blocked]
[2005-10-03 03:30:33] | From:[37.255.15.245] | Port:[139] | [Blocked]
[2005-10-03 03:32:48] | From:[37.255.182.69] | Port:[139] | [Blocked]
[2005-10-03 03:33:52] | From:[37.255.67.243] | Port:[80] | [Blocked]
[2005-10-03 03:33:59] | From:[37.255.182.69] | Port:[80] | [Blocked]
[2005-10-03 03:46:16] | From:[37.255.196.129] | Port:[139] | [Blocked]
[2005-10-03 04:00:25] | From:[37.255.45.3] | Port:[80] | [Blocked]
[2005-10-03 04:02:46] | From:[37.255.45.3] | Port:[139] | [Blocked]
[2005-10-03 04:04:11] | From:[37.255.217.85] | Port:[80] | [Blocked]
[2005-10-03 04:09:58] | From:[37.255.122.41] | Port:[139] | [Blocked]
[2005-10-03 04:10:11] | From:[37.255.188.195] | Port:[80] | [Blocked]
[2005-10-03 04:11:38] | From:[37.255.145.83] | Port:[139] | [Blocked]
[2005-10-03 04:16:19] | From:[37.255.83.34] | Port:[139] | [Blocked]
[2005-10-03 04:19:12] | From:[37.255.67.218] | Port:[80] | [Blocked]
[2005-10-03 04:36:22] | From:[37.255.33.225] | Port:[139] | [Blocked]
[2005-10-03 04:41:51] | From:[37.255.183.46] | Port:[80] | [Blocked]
[2005-10-03 04:43:31] | From:[37.255.183.82] | Port:[139] | [Blocked]
[2005-10-03 04:48:41] | From:[37.255.216.241] | Port:[80] | [Blocked]
[2005-10-03 04:50:46] | From:[37.255.75.30] | Port:[80] | [Blocked]
[2005-10-03 04:53:33] | From:[37.255.215.187] | Port:[80] | [Blocked]
[2005-10-03 04:58:24] | From:[37.255.180.170] | Port:[80] | [Blocked]
[2005-10-03 04:59:04] | From:[37.255.62.157] | Port:[139] | [Blocked]
[2005-10-03 04:59:38] | From:[37.255.169.54] | Port:[80] | [Blocked]
[2005-10-03 05:02:39] | From:[37.255.148.238] | Port:[139] | [Blocked]
[2005-10-03 05:02:48] | From:[37.255.33.225] | Port:[80] | [Blocked]
[2005-10-03 05:03:35] | From:[213.140.2.51] | Port:[4454] | [Blocked]
[2005-10-03 05:06:48] | From:[37.255.215.187] | Port:[139] | [Blocked]
[2005-10-03 05:12:58] | From:[37.255.42.93] | Port:[139] | [Blocked]
[2005-10-03 05:15:09] | From:[37.255.170.222] | Port:[80] | [Blocked]
[2005-10-03 05:16:43] | From:[37.255.220.13] | Port:[80] | [Blocked]
[2005-10-03 05:18:06] | From:[37.255.122.41] | Port:[80] | [Blocked]
[2005-10-03 05:24:36] | From:[213.140.2.58] | Port:[5357] | [Blocked]
[2005-10-03 05:30:30] | From:[37.255.217.85] | Port:[139] | [Blocked]
[2005-10-03 05:32:26] | From:[37.255.169.54] | Port:[139] | [Blocked]
[2005-10-03 05:33:01] | From:[37.255.65.51] | Port:[139] | [Blocked]
[2005-10-03 05:35:57] | From:[213.140.2.51] | Port:[11531] | [Blocked]
[2005-10-03 05:36:41] | From:[37.255.220.13] | Port:[139] | [Blocked]
[2005-10-03 05:41:35] | From:[37.255.67.218] | Port:[139] | [Blocked]
[2005-10-03 05:45:22] | From:[37.255.126.113] | Port:[139] | [Blocked]
[2005-10-03 05:53:50] | From:[37.255.104.253] | Port:[80] | [Blocked]
[2005-10-03 05:59:07] | From:[37.255.99.25] | Port:[139] | [Blocked]
[2005-10-03 06:03:58] | From:[37.255.251.113] | Port:[80] | [Blocked]
[2005-10-03 06:08:08] | From:[37.255.99.25] | Port:[80] | [Blocked]
[2005-10-03 06:08:12] | From:[37.255.198.67] | Port:[139] | [Blocked]
[2005-10-03 06:14:32] | From:[37.255.188.195] | Port:[139] | [Blocked]
[2005-10-03 06:23:09] | From:[213.140.2.58] | Port:[7529] | [Blocked]
[2005-10-03 06:24:27] | From:[37.255.232.227] | Port:[80] | [Blocked]

i range di indirizzi sono sicuramente di FW e mi ritrovo con il collegamento che va a singhiozzo... ovviamente sono collegato a 2 Mb con fw

mi date un parere?
Grazie

[ddmaster]

Ragazzi scusate se insisto ma ne sto uscendo pazzo, stamattina appena riaccesi i pc mi sono arrivati altri 3 logs praticamente uguali a quello sopracitato, oltre ad avere una lentezza spaventosa nella navigazione.

che diavolo sta succedendo secondo voi???

grazie

[thomas_anderson]

Sembrerebbe la scansione di porte vulnerabili da parte di un worm (mi pare Blaster), e quasi sempre dallo stesso IP. A questo si aggiunge quella sulla porta 80, forse un tentativo di sondare altre vulnerabilità.

[ddmaster]

sto andando a carbonella... nel senso che da quando sta capitando sta cosa la navigazione in rete funziona a singhiozzo e mi viene da supporre che ciò avvenga perchè il firewall bloccando sistematicamente questi tentativi blocca ovviamente anche la banda..

è così?? ho capito bene che ho qualche gatto attaccato ai m.... che sta cercando di trovare buchi nella mia rete???

se si come diavolo lo fermo che son già 3 giorni che va avanti così???

grazie a tutti

[thomas_anderson]

Un tentativo semplice sarebbe quello di bloccare l'IP che ti da fastidio più di frequente.

[ddmaster]

potrei farlo con i filtri del firewall... ma mi sembrano veramente troppi gli ip da bloccare... non posso bloccare interi range...

avvertire fastweb dici che è una tavanata?...
è un po come dirlo alla "mamma"...

ma mi confermi che è uno spudorato tentativo di scansione delle porte?

mi piacerebbe avere un parere anche da habanero...

grazie ancora

[thomas_anderson]

grazie per avermi dato dell'incapace.....

[ddmaster]

Originariamente inviato da thomas_anderson
grazie per avermi dato dell'incapace.....

ma no... scherzi ... non intendevo assolutamente....

haba lo conosco da parecchio sul forum... solo per questo...

l'incapace ed ignorante in questo caso sono solo io

davvero mica ti sarai offeso???

[thomas_anderson]

assolutamente no!
però su questo forum tutti mi considerano un incapace frega banda e fregaspazio al server, quindi un pò sono stupidamente prevenuto.......

[LUCASS]

80 TCP
711 trojan (Seven Eleven), AckCmd, Back End,
Back Orifice 2k Plug-Ins, Cafeini, CGI Backdoor,
Executor, God Message, God Message Creator,
Hooker, IISworm, MTX, NCX,
Reverse WWW Tunnel Backdoor, RingZero,
Seeker, WAN Remote, Web Server CT,
WebDownloader, Xeory, Zombam, W32.Yaha,
Ketch, Mydoom, W32.Welchia,
W32.HLLW.Doomjuice, W32.HLLW.Heycheck,
W32.Gaobot, W32.HLLW.Polybot, W32.Beagle,
W32.Spybot, Mindos, Hexem, Eaghouse, Tabela,
W32.Ifbo, W32.Pinkton, W32.Tdiserv, W32.Bobax,
W32.Theals
80 UDP
W32.Beagle, W32.Bobax

139 TCP
God Message worm, Msinit, Netlog,
Network, Qaz, W32.HLLW.Deborms,
W32.HLLW.Moega, W32.Yaha,W32.Cissi,
W32.Reidana, W32.Licum, W32.Spybot

1433 TCP/UDP
W32.Spybot

445 TCP
W32.HLLW.Gaobot, W32.HLLW.Lioten,
W32.HLLW.Deloder, W32.Slackor,
W32.HLLW.Nebiwo, W32.HLLW.Moega,
W32.HLLW.Deborms, W32.Yaha, Randex,
W32.Bolgi.Worm,W32.Cissi, W32.Welchia,
W32.HLLW.Polybot, W32.Sasser, W32.Cycle,
W32.Bobax, W32.Kibuv.Worm, W32.Korgo,
W32.Explet, Otinet, W32.Scane, W32.Aizu
Rtkit, W32.Spybot, W32.Janx, Netdepix,
W32.Wallz, W32.Mytob, W32.Ifbo, W32.Reatle,
W32.Zotob

Basta mettere su google la porta preceduta da tcp/udp e si trovano molte info