
Firewall blocking... LEGION FROM RHINO, NET SPY... etc



#1 Champion80

Posted 24 August 2006 - 11:27 PM

This is a list of my firewall blocks...I had come to get some help a few weeks ago because I got infected, I just wanted to make sure these are normal or if I have something that is trying to connect..

This weblog of my blocks is not showing the names, but I use FREEDOM security, comes with my TimeWarner/Adelphia cable, there is a TROJAN area that will show a name if I highlight a specific event in my log...some of them that are showing up are LEGION FROM RHINO9, NETSPY, BACK DOOR, EXECUTOR, MAVERICKS MATRIX 1.2, BUBBLE BACK DOOR S, RAT

Those are all that I see right now as I scroll down through my EVENTS. Thanks for your help

Protocol Direction Source IP S. Port Destination IP D. Port Date/Time
udp Incoming 69.160.40.66 138 69.160.41.255 138 7/11/2006 6:19:45 PM
udp Incoming 69.160.40.66 137 69.160.41.255 137 7/11/2006 6:19:45 PM
udp Incoming 69.160.40.66 137 69.160.41.255 137 7/11/2006 6:19:46 PM
udp Incoming 69.160.40.66 137 69.160.41.255 137 7/11/2006 6:19:47 PM
udp Incoming 69.160.40.66 138 69.160.41.255 138 7/11/2006 6:19:53 PM
udp Incoming 69.160.40.66 137 69.160.41.255 137 7/11/2006 6:19:53 PM
udp Incoming 69.160.40.66 137 69.160.41.255 137 7/11/2006 6:19:53 PM
udp Incoming 69.160.40.66 137 69.160.41.255 137 7/11/2006 6:19:54 PM
udp Incoming 69.160.40.66 137 69.160.41.255 137 7/11/2006 6:20:09 PM
udp Incoming 69.160.40.66 137 69.160.41.255 137 7/11/2006 6:20:10 PM
udp Incoming 69.160.40.66 137 69.160.41.255 137 7/11/2006 6:20:10 PM
udp Incoming 69.160.40.66 138 69.160.41.255 138 7/11/2006 6:21:26 PM
udp Incoming 145.95.86.27 45604 69.160.40.66 1025 7/11/2006 6:22:58 PM
udp Incoming 69.160.40.66 68 255.255.255.255 67 7/11/2006 6:25:03 PM
udp Incoming 68.66.208.1 67 0.0.0.0 68 7/11/2006 6:25:03 PM
udp Incoming 69.160.40.66 68 255.255.255.255 67 7/11/2006 6:25:06 PM
udp Incoming 68.66.208.1 67 0.0.0.0 68 7/11/2006 6:25:06 PM
tcp Outgoing 69.160.40.66 1030 207.226.177.108 80 7/11/2006 6:26:23 PM
tcp Outgoing 69.160.40.66 1032 66.230.161.236 80 7/11/2006 6:26:23 PM
tcp Outgoing 69.160.40.66 1033 66.230.161.236 80 7/11/2006 6:26:23 PM
tcp Incoming 69.151.156.78 3597 69.160.40.66 1433 7/11/2006 6:26:54 PM
tcp Incoming 69.151.156.78 3597 69.160.40.66 1433 7/11/2006 6:26:57 PM
udp Incoming 207.210.248.51 2047 69.160.40.66 1024 7/11/2006 6:27:46 PM
udp Incoming 69.160.40.66 138 69.160.41.255 138 7/11/2006 6:29:39 PM
udp Incoming 69.160.40.66 68 255.255.255.255 67 7/11/2006 6:29:53 PM
udp Incoming 68.66.208.1 67 0.0.0.0 68 7/11/2006 6:29:53 PM
udp Incoming 69.160.40.66 68 255.255.255.255 67 7/11/2006 6:29:56 PM
udp Incoming 68.66.208.1 67 0.0.0.0 68 7/11/2006 6:29:56 PM
udp Incoming 69.160.40.66 138 69.160.41.255 138 7/11/2006 6:32:16 PM
udp Incoming 69.160.40.66 137 69.160.41.255 137 7/11/2006 6:32:16 PM
udp Incoming 69.160.40.66 137 69.160.41.255 137 7/11/2006 6:32:17 PM
udp Incoming 69.160.40.66 137 69.160.41.255 137 7/11/2006 6:32:17 PM
udp Incoming 69.160.40.66 138 69.160.41.255 138 7/11/2006 6:32:20 PM
udp Incoming 69.160.40.66

Edited by TheSentinel, 26 August 2006 - 04:20 PM.


#2 TheSentinel

Posted 26 August 2006 - 04:43 PM

Hi Champion80

This report shows incoming requests for connections at some ports known as entry for possible infections. When checking over at Security Storm Center you'll see that there was a worldwide check for vulnerabilities of computer systems using those ports.

You will see maximum peaks for some special ports yesterday too.

Attackers are doing such port scans to verify possible machines at the web they can infect. So what you have noticed was a protocol of those worldwide scans only.


Regards
BU
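
One way to triage a log like the one in the first post, as an added example (not code from the thread or from the firewall product): it separates the machine's own NetBIOS and DHCP broadcasts from unsolicited inbound connection attempts and groups those by destination port. It assumes 69.160.40.66 is the poster's own address, inferred from the Outgoing rows; the category names are this example's own.

```python
from collections import Counter, defaultdict

# Rows copied from the firewall log in the first post (header and truncated last row included).
SAMPLE_LOG = """\
Protocol Direction Source IP S. Port Destination IP D. Port Date/Time
udp Incoming 69.160.40.66 138 69.160.41.255 138 7/11/2006 6:19:45 PM
udp Incoming 145.95.86.27 45604 69.160.40.66 1025 7/11/2006 6:22:58 PM
udp Incoming 69.160.40.66 68 255.255.255.255 67 7/11/2006 6:25:03 PM
udp Incoming 68.66.208.1 67 0.0.0.0 68 7/11/2006 6:25:03 PM
tcp Outgoing 69.160.40.66 1030 207.226.177.108 80 7/11/2006 6:26:23 PM
tcp Incoming 69.151.156.78 3597 69.160.40.66 1433 7/11/2006 6:26:54 PM
tcp Incoming 69.151.156.78 3597 69.160.40.66 1433 7/11/2006 6:26:57 PM
udp Incoming 207.210.248.51 2047 69.160.40.66 1024 7/11/2006 6:27:46 PM
udp Incoming 69.160.40.66
"""

LOCAL_HOST = "69.160.40.66"  # assumption: the poster's own address (source of the Outgoing rows)
DHCP_PORTS = {67, 68}        # DHCP server/client
NETBIOS_PORTS = {137, 138}   # NetBIOS name and datagram services

def classify(proto, direction, src, sport, dst, dport, local_host):
    """Label one parsed row; the category names are this example's own."""
    if proto == "udp" and {sport, dport} == DHCP_PORTS:
        return "dhcp"
    if proto == "udp" and src == local_host and dport in NETBIOS_PORTS:
        return "netbios-broadcast"
    if direction == "Outgoing":
        return "outbound"
    if direction == "Incoming" and dst == local_host and src != local_host:
        return "inbound-probe"
    return "other"

def triage(log_text, local_host=LOCAL_HOST):
    """Return (category counts, {(proto, dport): source IPs} for probes, skipped rows)."""
    categories, probes, skipped = Counter(), defaultdict(set), 0
    for line in log_text.splitlines():
        f = line.split()
        if len(f) != 9 or not (f[3].isdigit() and f[5].isdigit()):
            skipped += 1  # header, blank or truncated row
            continue
        proto, direction, src, sport, dst, dport = f[0], f[1], f[2], int(f[3]), f[4], int(f[5])
        category = classify(proto, direction, src, sport, dst, dport, local_host)
        categories[category] += 1
        if category == "inbound-probe":
            probes[(proto, dport)].add(src)
    return categories, dict(probes), skipped

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```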

#3 Champion80

Posted 26 August 2006 - 10:54 PM

Thanks, I appreciate that..

Wasn't sure if it had to do with my previous infections, LOPHAT had helped me clean.. Then I just did another HJ this report and there were a couple files and such still there so I thought they might have something to do with each other. Thanks again.