Improve company productivity with a Business Account.Sign Up

x
?
Solved

Netgear FVS-318 log Dest IP 255.255.255.255 ???

Posted on 2004-09-22
4
Medium Priority
?
356 Views
Last Modified: 2010-04-17
My client is receiving several of the following lines of data in their Netgear FVS-318 log and also by a Kiwi Syslog program installed on a nearby workstation which reads all router/firewall syslog activity. It's the Dest IP that unusual. Is this a hack attempt or what?

Dest IP  255.255.255.255     TCP    Port  3128     Src IP 210.49.67.246
0
Comment
Question by:kvnsdr
  • 3
4 Comments
 
LVL 15

Expert Comment

by:scampgb
ID: 12127501
Hi kvnsdr,

It sounds like a virus is trying to elicit a response from your network through a directed broadcast.

Port 3128 is generally used by the Squid proxy, but it's also used by MyDoom.B
This sets itself up as a proxy server on your machine, for starting Denial of Service attacks.

The IP resolves to c210-49-67-246.rochd3.qld.optusnet.com.au - this sounds like a DSL or dial-in account to me.  The machine is probably infected by MyDoom.B

Does that help?
0
 
LVL 1

Author Comment

by:kvnsdr
ID: 12127679
I don't understand how the virus could install on one or more of their workstations if Port 3128 is certainly closed on the firewall???
0
 
LVL 15

Accepted Solution

by:
scampgb earned 375 total points
ID: 12131052
Sorry, probably a mistake in my phrasing.  When I said "their machine", I meant 210.49.67.246

I think the virus is probing your network to see if it can find any of it's little friends.  The firewall is doing its job perfectly by blocking it and reporting it in the log.  I wouldn't consider it to be a hack attempt as such, "just" a virus port scanning.

Still, it would be worthwhile making sure that the AV software on the PCs is up to date :-)

Does that make sense?

0
 
LVL 15

Expert Comment

by:scampgb
ID: 12135151
Glad I could help :-)


0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

New Server 172.16.200.2  was moved from behind Router R2 f0/1 to behind router R1 int f/01 and has now address 172.16.100.2. But we want users still to be able to connected to it by old IP. How to do it ? We can used destination NAT (DNAT).  In DNAT…
In the hope of saving someone else's sanity... About a year ago we bought a Cisco 1921 router with two ADSL/VDSL EHWIC cards to load balance local network traffic over the two broadband lines we have, but we couldn't get the routing to work consi…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

589 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question