
Need Help On a possible Attack...

bmckinley
Level 1

I was reviewing my logs this morning and noticed that a certain IP address showed up several times. The log file reads:

%PIX-2-106001: Inbound TCP connection denied from 200.54.132.159/2348 to Public_IP_Address/1433 flags SYN on interface outside

Another reads:

%PIX-2-106001: Inbound TCP connection denied from 200.54.132.159/2485 to Public_IP_Address/139 flags SYN on interface outside

There are about 20 of these, all from the same address, but the port changes: 2495, 4951, 1399, and a few more. I'm wondering, was this a simple scan to find out if I have any open doors? Also, if he/she found one, how would I know if they got through? Also, I'm seeing other IP addresses with similar cases. Any suggestions?

Thanks,

Bob

2 Replies

jmia
Level 7

Hello Bob,

Firstly, please read the following Cisco document:

http://www.cisco.com/warp/public/110/2.html

And then, go to www.grc.com and choose 'ShieldsUP' to check for possible holes on your outside interface - ShieldsUP is secure and I've used it many times for 'Network penetration testing'.

Also, it would be an idea to open a Cisco TAC case.

Hope this helps - and let me know how you get on.

Jay

Sounds like the combination of a port scan with a SYN attack, which is often used to check for any open ports.

Since the same IP address is used, I do not believe this is a professional attacking you, by the way; script kiddies often use this kind of scan. But you should always check your logging for this kind of thing, and if discovered, as you have, you would have to look into the log in more detail to see if any packets were let through. But if no logging is enabled, there is no way to check.

Hope this helps,

Leo
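
Added example, not part of the thread or any poster's own code: a small Python script that groups `%PIX-2-106001` deny messages by source address and lists the distinct destination ports each source tried, which is the pattern that separates a port sweep from stray traffic. The first two sample lines are the ones quoted in the question; the remaining lines, the function names and the `min_ports` threshold are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Format of the deny message quoted in the original post.
DENY_RE = re.compile(
    r"%PIX-2-106001: Inbound TCP connection denied from "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})/(?P<sport>\d+) to "
    r"(?P<dst>[^/\s]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<ifc>\S+)"
)

# Sample input: lines 1-2 come from the post, the rest are constructed.
SAMPLE_LOG = """\
%PIX-2-106001: Inbound TCP connection denied from 200.54.132.159/2348 to Public_IP_Address/1433 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 200.54.132.159/2485 to Public_IP_Address/139 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 200.54.132.159/2495 to Public_IP_Address/445 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.7/40112 to Public_IP_Address/1433 flags SYN on interface outside
%PIX-2-106001: Inbound TCP connection denied from 203.0.113.7/40113 to Public_IP_Address/1433 flags SYN on interface outside
some unrelated line that must be ignored
"""

def summarize_denies(log_text):
    """Return {src_ip: {"count": n, "ports": sorted distinct destination ports}}."""
    acc = defaultdict(lambda: {"count": 0, "ports": set()})
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if not m:
            continue  # not a 106001 deny message
        entry = acc[m.group("src")]
        entry["count"] += 1
        entry["ports"].add(int(m.group("dport")))
    return {ip: {"count": e["count"], "ports": sorted(e["ports"])}
            for ip, e in acc.items()}

def likely_scanners(summary, min_ports=3):
    """Sources denied on at least min_ports distinct destination ports.
    The threshold is a hypothetical starting point; tune it to your traffic."""
    return sorted(ip for ip, e in summary.items() if len(e["ports"]) >= min_ports)

if __name__ == "__main__":
    summary = summarize_denies(SAMPLE_LOG)
    for ip, e in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        print(f"{ip}: {e['count']} denied connections, destination ports {e['ports']}")
    print("probing several ports:", likely_scanners(summary))
```

This only reports what the firewall refused; whether anything was let through has to be answered from the connection-permitted entries in the same log, if that logging is enabled.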