RE: Repeated intrusion detection

  • From: "Johnson, Tony" <t.johnson@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 25 Mar 2002 10:00:07 -0000

Hi,

The info below regarding the outbound connections is from a netstat -a
test on the external ISA. That's what's worrying me! There's no evidence
of anything actually being wrong internally... nobody is allowed
outbound FTP and we aren't publishing any FTP servers via this
particular ISA. Is there a way of an attacker disguising their address
with another (e.g. ftp.compaq.com (161.114.1.254))?


T O N Y   J O H N S O N



-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx] 
Sent: 25 March 2002 10:48
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Repeated intrusion detection


As with most things, FTP ports can be spoofed. I'm not sure if Compaq
would be doing ftp to your site. You might want to not allow for ftp on
ports 20 or 21 until you find out what may be the cause.

Also, run NETSTAT -a on your External ISA machine and see if ports 20/21
are in use.

Joseph

-----Original Message-----
From: t.johnson@xxxxxxxxxxxxxxx [mailto:t.johnson@xxxxxxxxxxxxxxx] 
Sent: Monday, March 25, 2002 1:09 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Repeated intrusion detection


I keep getting an intrusion detection alert from one of my ISAs, always
from the address 161.114.1.254. This turns out to be ftp.compaq.com. On
the server affected, I can see three outbound connections to
161.114.1.254:21 (two TIME_WAIT and one ESTABLISHED) and one outbound to
161.114.1.254:20 (ESTABLISHED). I am sure something nasty is going on,
but my experience on these issues is limited. Can anyone tell me what's
happening?
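
The netstat check discussed in this thread, as an added example that is not part of the original messages: a Python script that reads numeric `netstat -an` output, reports connections whose foreign port is 20 or 21, and lists any local listener on those ports. The sample output is constructed to match the connection counts in the original question; 192.0.2.10 and 198.51.100.7 are placeholder addresses, and the function names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample of Windows `netstat -an` output (not from the thread);
# 192.0.2.10 and 198.51.100.7 are placeholder addresses.
SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1041        161.114.1.254:21       TIME_WAIT
  TCP    192.0.2.10:1043        161.114.1.254:21       TIME_WAIT
  TCP    192.0.2.10:1047        161.114.1.254:21       ESTABLISHED
  TCP    192.0.2.10:1048        161.114.1.254:20       ESTABLISHED
  TCP    192.0.2.10:1050        198.51.100.7:443       ESTABLISHED
  UDP    0.0.0.0:53             *:*
"""

# Foreign port 20 is the server end of an active-mode FTP data channel;
# netstat lists endpoints only, not which side opened the connection.
FTP_PORTS = {21: "ftp-control", 20: "ftp-data"}
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")

def parse_rows(text):
    """Yield (local_ip, local_port, remote_ip, remote_port, state) per TCP row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # headers, UDP rows and blank lines do not match
            lip, lport, rip, rport, state = m.groups()
            yield lip, int(lport), rip, int(rport), state

def ftp_connections(text):
    """Return {remote_ip: {(role, state): count}} for foreign ports 20/21."""
    found = defaultdict(lambda: defaultdict(int))
    for _, _, rip, rport, state in parse_rows(text):
        if rport in FTP_PORTS and state != "LISTENING":
            found[rip][(FTP_PORTS[rport], state)] += 1
    return {ip: dict(counts) for ip, counts in found.items()}

def local_ftp_listeners(text):
    """Return [(local_ip, port)] for sockets LISTENING on local port 20 or 21."""
    return [(lip, lport) for lip, lport, _, _, state in parse_rows(text)
            if state == "LISTENING" and lport in FTP_PORTS]

if __name__ == "__main__":
    for ip, counts in ftp_connections(SAMPLE).items():
        for (role, state), n in sorted(counts.items()):
            print(f"{ip:<16} {role:<12} {state:<12} x{n}")
    print("local listeners on 20/21:", local_ftp_listeners(SAMPLE) or "none")
```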
