MisterMoleyMole
asked on
Have I been hacked? Strange service entries being used on the firewall.
Hi All,
I have recently been getting a load of messages regarding port scans on my network, and also now malformed IP packets being dropped, protocol 17.
I have just looked at my firewall and run a report based on "bandwidth usage by service" and have seen something I never usually see.
At the top there is internet, email, DNS etc., all the usual stuff, but listed below all of them are a load of TCP and UDP ports as follows:
5 UDP Port 63570 (17,63570) 0.003
6 UDP Port 27545 (17,27545) 0.003
7 UDP Port 13661 (17,13661) 0.003
8 UDP Port 34103 (17,34103) 0.002
9 UDP Port 42183 (17,42183) 0.002
10 UDP Port 2632 (17,2632) 0.002
11 UDP Port 41829 (17,41829) 0.002
12 UDP Port 42188 (17,42188) 0.002
13 UDP Port 61130 (17,61130) 0.002
14 UDP Port 40384 (17,40384) 0.002
15 UDP Port 24668 (17,24668) 0.001
16 UDP Port 4484 (17,4484) 0.001
17 UDP Port 3853 (17,3853) 0.001
18 UDP Port 44023 (17,44023) 0.001
Have I been hacked? What are all these?
Please help
Thanks
Gavin
Port 17 could also be used in a fraggle attack:
http://www.javvin.com/networksecurity/SmurfAttack.html
A similar attack to the "smurf" attack is called the "fraggle" attack, which uses UDP echo packets in the same fashion as the ICMP echo packets; it was a simple re-write of "smurf". Fraggle uses User Datagram Protocol (UDP) echo packets directed at the Unix UDP services echo (port 7), chargen (port 19), daytime (port 13) and qotd (port 17).
For both the SMURF attack and the Fraggle attack, there are three parties in these attacks: the attacker, the intermediary, and the victim (note that the intermediary can also be a victim). In other words, you can be affected in one of several ways:
* As a victim or target of the attack
* As a network which is abused to amplify the attack
* As a party harboring the instigator of the attack
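One way to read the report rows from the question against the fraggle description above, added here as an example and not part of the original thread. It assumes the pair in parentheses is (IP protocol number, port), where 17 is the IANA protocol number for UDP; `triage`, `REPORT` and the port-19 row are constructed for illustration.

```python
import re

# Rows 5, 10 and 16 are copied from the report in the question; the last row
# (port 19) is constructed to show what a fraggle-relevant entry looks like.
REPORT = """\
5 UDP Port 63570 (17,63570) 0.003
10 UDP Port 2632 (17,2632) 0.002
16 UDP Port 4484 (17,4484) 0.001
19 UDP Port 19 (17,19) 0.001
"""

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IANA IP protocol numbers
# UDP services named in the fraggle description above
FRAGGLE_PORTS = {7: "echo", 13: "daytime", 17: "qotd", 19: "chargen"}

ROW = re.compile(r"^\s*(\d+)\s+(\w+)\s+Port\s+(\d+)\s+\((\d+),(\d+)\)\s+([\d.]+)\s*$")


def triage(report):
    """Decode each row and flag UDP ports that match a fraggle target service."""
    results = []
    for line in report.splitlines():
        m = ROW.match(line)
        if m is None:
            continue  # header or unrelated line
        _rank, label, port, proto, pair_port, value = m.groups()
        proto, port = int(proto), int(port)
        # Assumption: "(a,b)" is (IP protocol number, port), so it must agree
        # with the "UDP Port N" text in the same row.
        consistent = IP_PROTOCOLS.get(proto) == label and int(pair_port) == port
        service = FRAGGLE_PORTS.get(port) if proto == 17 else None
        if port >= 49152:
            port_range = "dynamic"
        elif port >= 1024:
            port_range = "registered"
        else:
            port_range = "well-known"
        results.append({"protocol": IP_PROTOCOLS.get(proto, str(proto)),
                        "port": port, "range": port_range,
                        "consistent": consistent,
                        "fraggle_service": service, "value": float(value)})
    return results


if __name__ == "__main__":
    for r in triage(REPORT):
        flag = f"REVIEW ({r['fraggle_service']})" if r["fraggle_service"] else "no match"
        print(f"{r['protocol']:4} {r['port']:>5} {r['range']:<10} {flag}")
```

The last column is carried through as `value` because the page does not state its unit.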
ASKER
Thanks for the reply.
I am using Skype on our network, so is this what's causing this? How can I double check and make sure I am not being hacked and attacked? If I am being hacked, what should I do about this? This is my first attack so I am unaware of procedures to stop this.
Many Thanks
Gavin
5 UDP Port 63570 (17,63570) 0.003
Judging from the "0.003", it does not seem to be a hacking attempt. What is the brand of your firewall? Apparently it seems you can stop this if you block all traffic that has the source port 17.
ASKER
It's a SonicWall firewall - we are heavily using Skype at the minute, so is it not that?
Gavin
ASKER CERTIFIED SOLUTION
ASKER
Many Thanks shakoush2001
I will do that
Ta
Gav
Are you using those?