Firewall allowing connection

[CuddlesTC]

For the last couple of days my firewall has been reporting almost non-stop MSRPC TCP port probes, whereas this used to be a very rare type of probe - could this be for the same reason?

[Taf]

Any experts out there?

seems to be a bit of a pattern


12/08/03 17:58:13 TCP 80.4.* 135 80.4.75.226 3440 Block
12/08/03 17:58:15 TCP 80.4.* 135 80.4.196.113 2499 Block
12/08/03 17:58:18 TCP 80.4.* 135 80.4.101.122 3838 Block
12/08/03 17:58:48 TCP 80.4.* 135 80.4.198.225 1142 Block
12/08/03 18:00:23 TCP 80.4.* 135 80.4.195.121 2698 Block
12/08/03 18:03:32 TCP 80.4.* 135 80.4.165.105 4328 Block
as you can see the scans are coming from the same IP segment as my addy. I wouldn't mind betting Altis's IP begins with 81.97.*

<edit> sorry Alan didn't see your post re 60/40 while I was typing

[Alan Waddington]

Quote:

Originally posted by CuddlesTC
For the last couple of days my firewall has been reporting almost non-stop MSRPC TCP port probes, whereas this used to be a very rare type of probe - could this be for the same reason?

MSRPC = Microsoft Remote Procedure Call (which uses Port 135)

Thus yes, it is the msblast virus

[Taf]

http://www.ntl-isp.ntl.com/lookup/default.asp

They've put a warning up....

[Alan Waddington]

Note that there is another thread on here covering the same topic
http://www.nthellworld.co.uk/forum/s...&threadid=1791

[Taf]

Time for Admin to merge the two together?

[zoombini]

Before it gets merged can I change it slightly and ask how I can tell if I have had anything past the firewall?

I am running linklogger and see plenty of attacks (green icons) at port 135 from NTL addresses.

But how do I know that they have been stopped or if they got past?

Etc.

Are there any dummies guides to knowing whats what with a firewall available?

[Ramrod]

Quote:

Originally posted by zoombini
Before it gets merged can I change it slightly and ask how I can tell if I have had anything past the firewall?

I am running linklogger and see plenty of attacks (green icons) at port 135 from NTL addresses.

But how do I know that they have been stopped or if they got past?

Etc.

Are there any dummies guides to knowing whats what with a firewall available?

Yes, i was wondering about that but I've run my anti-virus, had my ports checked and checked my registry as well. All clear, so my firewall must be doing it's job. *fingers crossed*

[Taf]

Just think of the iriots out there with no antiviral or firewall......

[Ramrod]

Theres a thread on it on .com

[Xaccers]

Quote:

Originally posted by Taf
And of course NTL has no antiviral running on it's servers to protect it's users?

OI!
As someone who used to build the NT servers for NTL I take objection to that insinuation!
It's not NTL's servers that are infected, it's customers who aren't bright enough to get patched.
None of my servers were ever infected/hacked while I was in charge of them.

[Taf]

Nice to know... is it still that way?

[Lord Nikon]

the 60/40 was on the symantec site

As it infects only windows OSs I doubt it would hit the NTL mailservers anyway.

It will however infect any Windows 2000, Windows NT, XP or Server 2003 system that has not yet been patched.

[Taf]

I'm still getting small packets from other NTL addresses this morning, so lets hope they start patching their PCs soon....