08-07-2003 07:10 AM - edited 03-09-2019 04:20 AM
I was reviewing my logs this morning and noticed that a certain IP address showed up several times. The log file reads:
%PIX-2-106001: Inbound TCP connection denied from 200.54.132.159/2348 to Public_IP_Address/1433 flags SYN on interface outside
Another reads:
%PIX-2-106001: Inbound TCP connection denied from 200.54.132.159/2485 to Public_IP_Address/139 flags SYN on interface outside
There are about 20 of these, all from the same address, but the port changes from 2495, 4951, 1399, and a few more. I'm wondering, was this a simple scan to find out if I have any open doors? Also, if he/she found one, how would I know if they got through? Also, I'm seeing other IP addresses with similar cases. Any suggestions??
Thanks,
Bob
08-07-2003 07:54 AM
Hello Bob,
Firstly, please read the following Cisco document:
http://www.cisco.com/warp/public/110/2.html
And then go to www.grc.com and choose 'ShieldsUP' to check for possible holes on your outside interface. ShieldsUP is secure and I've used it many times for 'Network penetration testing'.
Also, it would be an idea to open a Cisco TAC case.
Hope this helps - and let me know how you get on.
Jay
08-07-2003 01:42 PM
Sounds like a combination port scan with SYN attack, which is often used to check for any open ports.
Since the same IP address is used, I do not believe this is a professional attacking you, by the way. Script kiddies often use this kind of scan, but you should always check your logging for this kind of thing, and if discovered like you have, you would have to look into the log in more detail to see if any packets were let through. But if no logging is enabled, there is no way to check.
Hope this helps,
Leo
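Added example, not part of any post in this thread: one way to do the log review discussed above, grouping the 106001 denies by source address and then checking whether any flagged source also appears in a connection-built message. It assumes the PIX is also logging message 302013 ("Built inbound TCP connection") in the format shown; the destination addresses, the port 445 and port 80 lines, the second source and the `summarize` helper are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample. The first two lines follow the post (with a documentation
# address in place of Public_IP_Address); the rest are made up for illustration.
SAMPLE_LOG = """\
%PIX-2-106001: Inbound TCP connection denied from 200.54.132.159/2348 to 203.0.113.10/1433 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 200.54.132.159/2485 to 203.0.113.10/139 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 200.54.132.159/2495 to 203.0.113.10/445 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 198.51.100.7/4011 to 203.0.113.10/25 flags SYN on interface outside
%PIX-6-302013: Built inbound TCP connection 1187 for outside:200.54.132.159/2501 (200.54.132.159/2501) to inside:10.0.0.5/80 (203.0.113.10/80)
"""

# Denied inbound TCP connection, as quoted in the original post.
DENY_RE = re.compile(
    r"%PIX-\d-106001: Inbound TCP connection denied from "
    r"(?P<src>[\d.]+)/\d+ to \S+/(?P<dport>\d+) flags .+? on interface \S+"
)
# Permitted inbound TCP connection (assumed to be logged; format is an assumption).
BUILT_RE = re.compile(
    r"%PIX-\d-302013: Built inbound TCP connection \d+ for "
    r"\S+?:(?P<src>[\d.]+)/\d+ .*? to \S+?:[\d.]+/(?P<dport>\d+)"
)

def summarize(log_text, min_ports=3):
    """Return sources denied on >= min_ports distinct ports, with any ports
    on which the same source was allowed through."""
    denied, built = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            denied[m["src"]].add(int(m["dport"]))
            continue
        m = BUILT_RE.search(line)
        if m:
            built[m["src"]].add(int(m["dport"]))
    return {
        src: {"denied_ports": sorted(ports),
              "allowed_ports": sorted(built.get(src, ()))}
        for src, ports in denied.items() if len(ports) >= min_ports
    }

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

A non-empty `allowed_ports` list for a flagged source is the cue to look at what that permitted service exposes; an empty one only means no built-connection message was logged for it.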