Subject:
From: Loy Pressley <[log in to unmask]>
Reply To: PCSOFT - Personal Computer software discussion list <[log in to unmask]>
Date: Sun, 25 Feb 2007 05:32:32 -0600
Content-Type: text/plain
Parts/Attachments: text/plain (104 lines)

Hi David,

Thanks for the kind reply.  According to the logs, the attempted 
outbound violations have stopped, at least for now.

I have scanned this computer with just about everything that I can find 
and nothing shows up.  For a long time, someone in San Marcos, TX pinged 
my computer a hundred times a day.  I finally reported it to the "abuse" 
address for the ISP, but, as usual, never heard anything and I still, 
occasionally, get pinged by the San Marcos address.

This is a dialup machine and a slow one at that; most of the time less 
than 28.8.

Loy

David Gillett wrote:
>   ICMP is a protocol used for network diagnostics and error messages.  The 
> "ping" program (usually) sends ICMP "echo request" messages, and receives 
> ICMP "echo response" messages back, for instance.  There are arguments for 
> blocking ICMP as a confidentiality issue, and for leaving it unblocked as an 
> availability issue.  [Security folks refer to the CIA triad -- 
> Confidentiality, Integrity, and Availability -- as encompassing "security", 
> so both arguments are in favour of different aspects of security.]
>   It would be quite normal for your machine to respond to an unexpected TCP 
> or UDP (these are the protocols most commonly used for actual user traffic) 
> message with an ICMP "port unreachable" message.  But in the normal case, 
> that message would have the IP address of your machine as its source.
>
>   So my suspicion is that the "policy violation" isn't that the message type 
> is "ICMP port unreachable", but that the source address is a lie, claiming 
> that the message is coming from somewhere else.
>   That's not a useful thing for a "phone home" function to do, so I don't 
> think that's what this is.  [It would be possible, though a bit odd, for an 
> ICMP message to include a "payload" of information.]
>
>   ICMP messages are usually quite small.  But there have occasionally been 
> Internet attacks that used large ICMP messages to try to flood a destination 
> computer or network as a "Denial of Service" attack, and these are harder to 
> defend against if the recipient can't tell where they're coming from.
>   So it's *possible* that some bit of malware on your machine is one of 
> hundreds or even thousands all sending junk messages to USLEC at once.  [A 
> dialup machine would not be the attacker's first choice for this purpose, 
> but checking for this is hard to do and rather pointless.]
>
>   So yes, this could be a symptom of a virus.  There have been several 
> viruses over the years that have spread infectiously, with a "detonation" 
> date at which they would unleash some sort of attack.  There is other 
> malware that makes an infected PC a "zombie", awaiting commands from the 
> Internet -- these are more commonly used to forward spam, but certainly 
> *can* be used to launch attacks as well.
>
>   So bottom line is that if the source address had been yours, I wouldn't 
> worry, but since it doesn't appear to be then yes, you may be infected with 
> something.
>
> David Gillett
>
>
>
> On 19 Feb 2007 at 12:22, Loy Pressley wrote:
>
>   
>> My Comodo Firewall security log says
>>
>> "Outbond policy violation (Access Denied, IP =..."
>>
>> When I look under details, the log says:
>>
>> "DESCRIPTION: Outbound Policy Violation (Access Denied, ICMP =  PORT 
>> UNREACHABLE)
>> PROTOCOL: ICMP Outgoing
>> SOURCE: 66.19.112.129
>> DESTINATION: 216.126.128.40
>> MESSAGE: PORT UNREACHABLE"
>>
>> WhoIs says that 66.19.112.129 as above is the USLEC Corp., 6801 Morrison 
>> Blvd., Charlotte, NC 28211 and that 216.127.128.40 is the same place.
>>
>> Does the above indicate that I've got a virus or something on this thing 
>> and it is trying to "phone home?" I've scanned this computer with 
>> everything I can find and nothing has shown up.  Could it be a "rootkit" 
>> or something like that?
>>
>> WinXP Pro SP2 using a dialup modem.
>>
>> Thanks...
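
The check David describes (an outgoing ICMP "port unreachable" is unremarkable when its source is the machine's own address), as an added example that is not part of the original messages: it parses records in the layout of the quoted firewall log and flags those whose source is not one of the host's addresses. The sample log, its addresses (RFC 5737 documentation ranges) and the function names are constructed for illustration; on a dialup link the caller has to supply the address assigned for the session in question.

```python
import ipaddress
import re

# Constructed sample in the "KEY: value" layout of the log quoted in the thread.
# All addresses are RFC 5737 documentation ranges, not values from the thread.
SAMPLE_LOG = """\
DESCRIPTION: Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
PROTOCOL: ICMP Outgoing
SOURCE: 198.51.100.7
DESTINATION: 203.0.113.40
MESSAGE: PORT UNREACHABLE

DESCRIPTION: Outbound Policy Violation (Access Denied, ICMP = PORT UNREACHABLE)
PROTOCOL: ICMP Outgoing
SOURCE: 192.0.2.129
DESTINATION: 203.0.113.40
MESSAGE: PORT UNREACHABLE
"""

FIELD = re.compile(r"^([A-Z]+):\s*(.*)$")

def parse_records(text):
    """Split the log into blank-line separated records of field -> value."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in block.splitlines():
            m = FIELD.match(line.strip())
            if m:  # wrapped continuation lines carry no field name; skip them
                rec[m.group(1)] = m.group(2).strip()
        if rec:
            records.append(rec)
    return records

def classify(record, local_addrs):
    """Assumption: local_addrs holds every address the host had at log time."""
    if record.get("PROTOCOL", "").upper() != "ICMP OUTGOING":
        return "not-outbound-icmp"
    try:
        src = ipaddress.ip_address(record.get("SOURCE", ""))
    except ValueError:
        return "foreign-source"  # an unparseable source is treated as suspect
    return "own-source" if src in local_addrs else "foreign-source"

def triage(text, local_addrs):
    # One (source, destination, verdict) tuple per record, in log order.
    local = {ipaddress.ip_address(a) for a in local_addrs}
    return [(r.get("SOURCE"), r.get("DESTINATION"), classify(r, local))
            for r in parse_records(text)]
```

Records classified `foreign-source` are the ones worth following up; `own-source` entries match the normal behaviour described in the reply.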