Netgear FVS-318 log Dest IP 255.255.255.255 ???

My client is receiving several of the following lines of data in their Netgear FVS-318 log and also by a Kiwi Syslog program installed on a nearby workstation which reads all router/firewall syslog activity. It's the Dest IP that's unusual. Is this a hack attempt or what?

Dest IP  255.255.255.255     TCP    Port  3128     Src IP 210.49.67.246
kvnsdr Asked:
scampgb Commented:
Sorry, probably a mistake in my phrasing.  When I said "their machine", I meant 210.49.67.246

I think the virus is probing your network to see if it can find any of its little friends.  The firewall is doing its job perfectly by blocking it and reporting it in the log.  I wouldn't consider it to be a hack attempt as such, "just" a virus port scanning.

Still, it would be worthwhile making sure that the AV software on the PCs is up to date :-)

Does that make sense?

scampgb Commented:
Hi kvnsdr,

It sounds like a virus is trying to elicit a response from your network through a directed broadcast.

Port 3128 is generally used by the Squid proxy, but it's also used by MyDoom.B.
This sets itself up as a proxy server on your machine, for starting Denial of Service attacks.

The IP resolves to c210-49-67-246.rochd3.qld.optusnet.com.au - this sounds like a DSL or dial-in account to me.  The machine is probably infected by MyDoom.B

Does that help?
kvnsdr (Author) Commented:
I don't understand how the virus could install on one or more of their workstations if Port 3128 is certainly closed on the firewall???
scampgb Commented:
Glad I could help :-)
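
As an added example (not part of the original thread, and not Netgear or Kiwi Syslog code), this Python script parses log lines in the format quoted in the question and tallies the entries addressed to 255.255.255.255 by source, protocol and port. The sample log is constructed, and the function names and the `PORT_NOTES` table are assumptions made for illustration.

```python
import ipaddress
import re
from collections import Counter

# Field layout taken from the log line quoted in the question; whitespace varies.
LINE_RE = re.compile(
    r"Dest IP\s+(?P<dst>\S+)\s+(?P<proto>TCP|UDP)\s+Port\s+(?P<port>\d+)\s+Src IP\s+(?P<src>\S+)"
)
LIMITED_BROADCAST = ipaddress.IPv4Address("255.255.255.255")
# Port note as given in the thread, not an authoritative registry (assumed table).
PORT_NOTES = {3128: "Squid proxy; also MyDoom.B per the thread"}

def parse_line(line):
    """Return (dst, proto, port, src) or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    try:
        dst = ipaddress.IPv4Address(m["dst"])
        src = ipaddress.IPv4Address(m["src"])
    except ipaddress.AddressValueError:
        return None  # malformed address: skip rather than guess
    return dst, m["proto"], int(m["port"]), src

def broadcast_probes(lines):
    """Count logged packets sent to 255.255.255.255, keyed by (src, proto, port)."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec[0] == LIMITED_BROADCAST:
            _, proto, port, src = rec
            hits[(str(src), proto, port)] += 1
    return hits

# Constructed sample: the first line is the one from the question, the rest are made up.
SAMPLE_LOG = [
    "Dest IP  255.255.255.255     TCP    Port  3128     Src IP 210.49.67.246",
    "Dest IP  255.255.255.255     TCP    Port  3128     Src IP 210.49.67.246",
    "Dest IP  192.0.2.10     TCP    Port  80     Src IP 198.51.100.7",
    "Dest IP  255.255.255.255     UDP    Port  137     Src IP 198.51.100.7",
    "Dest IP  999.1.1.1     TCP    Port  3128     Src IP 198.51.100.7",
]

if __name__ == "__main__":
    for (src, proto, port), n in broadcast_probes(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {src:15s} {proto}/{port}  {PORT_NOTES.get(port, '')}")
```

Grouping by source makes it easy to see whether the broadcast-addressed entries come from one outside host, as in the question, or from many.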

