vibidoo Guru
Joined: 27 Nov 2002 Posts: 409
Posted: Thu Jan 09, 2003 8:07 pm Post subject: Intrusion or not ?
Hello and Happy New Year to all.
To test snort I activated the basic icmp.rules in snort.conf.
And this morning I found my Windows machine crashed. The Windows machine is behind a Linux firewall box (iptables, just masquerade).
So I opened my alert file on my Linux box and I found this error:
Code:
--------------------------------------------------------------------------------
ICMP PING NMAP [***][Classification: Attempted Information Leak] [Priority: 2]
81.48.36.69 -> my Firewall_Linux IP
ICMP TTL:121 TOS:0x0 ID: 30255 IpLen:20 DgmLen:28
Type:8 Code:0 ID:57346 Seq:49434 ECHO
[Xref => arachnids 162]
--------------------------------------------------------------------------------
After consulting the arachnids database, it should not be considered an attack but may be just active host testing.
But the result is that my Windows machine crashed.
What should I do to investigate more?
And how can a guy attack my machine behind my Linux firewall box??

puddpunk l33t
Joined: 20 Jul 2002 Posts: 681 Location: New Zealand
Posted: Thu Jan 09, 2003 11:03 pm
Windows crashes, to do with internet data or not
Seriously though, since your Windows box is running behind a firewall, TCP/IP's design prevents anybody from sending anything to that box, unless the Windows machine initiates the contact.
Windows had a bug in it when it was sent OOB (Out Of Band) data which caused a BSOD. That was nuking and back in the days of Win95, and I wouldn't be surprised if something else had triggered a crash by accident.
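
Added example, not part of the thread: a small Python parser for an alert entry in the layout quoted in the first post, reporting whether the logged packet was an echo request, how many payload bytes it carried, and whether it was addressed to a host on the internal side of the masquerading firewall. The function names, the placeholder destination 192.0.2.1 (standing in for the firewall address the poster left out) and the internal range 192.168.0.0/24 are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample in the layout of the alert quoted in the thread.
# 192.0.2.1 is a placeholder for the firewall's external address.
SAMPLE_ALERT = """\
ICMP PING NMAP [***][Classification: Attempted Information Leak] [Priority: 2]
81.48.36.69 -> 192.0.2.1
ICMP TTL:121 TOS:0x0 ID: 30255 IpLen:20 DgmLen:28
Type:8 Code:0 ID:57346 Seq:49434 ECHO
[Xref => arachnids 162]
"""

PATTERNS = [
    re.compile(r"(?P<msg>.+?)\s*\[\*+\]\s*\[Classification:\s*(?P<classification>[^\]]+)\]"
               r"\s*\[Priority:\s*(?P<priority>\d+)\]"),
    re.compile(r"(?P<src>\d+(?:\.\d+){3})(?::\d+)?\s*->\s*(?P<dst>\d+(?:\.\d+){3})(?::\d+)?"),
    re.compile(r"(?P<proto>\w+) TTL:(?P<ttl>\d+) .*IpLen:(?P<iplen>\d+) DgmLen:(?P<dgmlen>\d+)"),
    re.compile(r"Type:(?P<icmp_type>\d+)\s+Code:(?P<icmp_code>\d+)"),
]
INT_FIELDS = ("priority", "ttl", "iplen", "dgmlen", "icmp_type", "icmp_code")
ICMP_HEADER_LEN = 8  # fixed size of the ICMP echo header in bytes


def parse_alert(text):
    """Return the fields of one ICMP alert entry; raise ValueError if a line is missing."""
    fields = {}
    for pattern in PATTERNS:
        match = next((m for m in map(pattern.match, text.splitlines()) if m), None)
        if match is None:
            raise ValueError(f"alert entry lacks a line matching {pattern.pattern!r}")
        fields.update(match.groupdict())
    for name in INT_FIELDS:
        fields[name] = int(fields[name])
    return fields


def triage(alert, internal_net="192.168.0.0/24"):
    """Summarise the logged packet; internal_net is an assumed LAN range behind the NAT."""
    dst = ipaddress.ip_address(alert["dst"])
    return {
        "echo_request": alert["proto"] == "ICMP" and alert["icmp_type"] == 8,
        "payload_bytes": alert["dgmlen"] - alert["iplen"] - ICMP_HEADER_LEN,
        "addressed_to_internal_host": dst in ipaddress.ip_network(internal_net),
    }


if __name__ == "__main__":
    print(triage(parse_alert(SAMPLE_ALERT)))
```

For the sample entry the result is an echo request with zero payload bytes addressed to the firewall's own address rather than to a host in the internal range.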

vibidoo Guru
Joined: 27 Nov 2002 Posts: 409
Posted: Fri Jan 10, 2003 11:31 am
Could you tell me where I can find a list of ports subject to trojans?
Because there is somebody who always initiates a connection on port 4662 of my firewall box.

puddpunk l33t
Joined: 20 Jul 2002 Posts: 681 Location: New Zealand
Posted: Fri Jan 10, 2003 11:40 pm
It's a port open for edonkey filesharing. See here