Security concern
I'm getting these logs back from my router, usually out of office hours and from several IP ranges, and although I've checked the security logs on the server with no known breach comparisons, I wonder if someone more security aware than me can alleviate my concerns and suggest if I need to take further steps etc. Many thanks.

Tue, 2009-12-08 14:00:05 - Send E-mail Success!
Tue, 2009-12-08 14:02:01 - TCP Packet - Source:124.93.222.130,1119 Destination:0.0.0.0,1035 - [DOS]
Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1129 Destination:0.0.0.0,1036 - [DOS]
Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1140 Destination:0.0.0.0,1037 - [DOS]
Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1160 Destination:0.0.0.0,1039 - [DOS]
Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1168 Destination:0.0.0.0,1040 - [DOS]
Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1178 Destination:0.0.0.0,1041 - [DOS]
Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1186 Destination:0.0.0.0,1042 - [DOS]
Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130 Destination:0.0.0.0 - [PORT SCAN]

and another day:

Sun, 2009-12-06 15:00:03 - Send E-mail Success!
Sun, 2009-12-06 15:50:51 - TCP Packet - Source:118.99.9.10,6000 Destination:0.0.0.0,3389 - [rdp rule match]
December 8th, 2009 8:33am

Hi Softball,

Couple of questions:
1.) Is this a home connection or work connection? (just curious)
2.) Does this pass through any firewall? If so, what kind?
3.) Is that IP (124.93...) part of your internal subnet? Obviously if it's destined for 0.0.0.0 it's using your default route and trying to get out externally. What computer is it coming from (client or server)? If it's a server, what is the main purpose of that server?

I would download something like Wireshark and install it on that server and monitor exactly what process (if any) is sending data out on the network... it might be a virus/worm on the server, or it might be something innocent such as a scheduled task and your router is detecting it as a DoS attack by mistake (false positive), or it could be a million other things... sorry for stating the obvious... I know this post wasn't much help, but if you can provide as much information as possible that would be great.

Thanks mate,
Luke.

Edit: note the RDP port 3389 trying to get out... is someone RDPing from that machine to an external server? Possibly restrict port 3389 in your firewall from that server (also make sure all auditing is enabled).
December 9th, 2009 3:49am

Hey Luke... thanks for the reply. Please see comments below, and if there's anything you might suggest please feel free mate.

> Hi Softball, Couple of questions:
> 1.) Is this a home connection or work connection? (just curious)
A1) Work connection (Server 2008 R2)

> 2.) Does this pass through any firewall? If so, what kind?
A2) The only firewall at present is the router firewall, which is a Netgear DGN2000 DSL modem/router, and Windows on the server.

> 3.) Is that IP (124.93...) part of your internal subnet?
A3) No it's not... most of these attacks seem to be from China via whois.

> Obviously if it's destined for 0.0.0.0 it's using your default route and trying to get out externally. What computer is it coming from (client or server)? If it's a server, what is the main purpose of that server?
A4) Sorry, I should have placed x.x.x.x but it messed up when I posted, so I placed 0.0.0.0, which replaces our WAN IP. So Source is the outsider and Destination is our WAN IP.

> I would download something like Wireshark and install it on that server and monitor exactly what process (if any) is sending data out on the network... it might be a virus/worm on the server, or it might be something innocent such as a scheduled task and your router is detecting it as a DoS attack by mistake (false positive), or it could be a million other things... sorry for stating the obvious... I know this post wasn't much help, but if you can provide as much information as possible that would be great. Thanks mate, Luke.
> Edit: note the RDP port 3389 trying to get out... is someone RDPing from that machine to an external server? Possibly restrict port 3389 in your firewall from that server (also make sure all auditing is enabled).
No-one on site has access to the server apart from myself and 10 users, due to this being a remote office, so 3389 shouldn't be trying to get out? The server is just DC/DHCP/DNS and file & print server.
December 9th, 2009 9:45am

Hello softball,

From the log of your router, it looks like a DDoS attack from 124.93.222.130. As a suggestion, I suggest you block this IP address via your firewall on your corporation edge server. Beginning to investigate the source, you may check here to trace this IP source:
http://www.ip-adress.com/whois/124.93.222.130

Tue, 2009-12-08 14:02:01 - TCP Packet - Source:124.93.222.130,1119 Destination:0.0.0.0,1035 - [DOS]
Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1129 Destination:0.0.0.0,1036 - [DOS]
Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1140 Destination:0.0.0.0,1037 - [DOS]
Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1160 Destination:0.0.0.0,1039 - [DOS]
Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1168 Destination:0.0.0.0,1040 - [DOS]
Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1178 Destination:0.0.0.0,1041 - [DOS]
Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1186 Destination:0.0.0.0,1042 - [DOS]
Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130 Destination:0.0.0.0 - [PORT SCAN]

Thanks and Regards,
Scorprio
MCTS: Windows Vista | Exchange Server 2007
MCITP: Enterprise Support Technician | Server & Enterprise Admin
December 14th, 2009 9:59am

Hello,

According to ARIN/APNIC this IP address is originating from China. You are getting scanned, as in a port scan. As you can see, it's methodically querying your ports one by one looking for exploits or trying to enumerate your ports and services. If your organization is highly secure (like gov, mil, edu, med, etc.), and by the model of your router I would guess not, then it's worth looking into. Otherwise, I would not worry too much. There are millions of infected zombie computers (botnets) and thousands of script bunnies that do this all day long.

To protect yourself you can do the following:
1. Make sure your servers or workstations are patched up; any open ports (like SMTP, RDP, etc.) should forward only to patched systems.
2. Get a router with a packet filter so that you can block incoming traffic from that address (SonicWall TZ-200, Multitech RF-820, others).
3. Report the port scan to APNIC and to the ISP (abuse@chinaunicom.cn); most ISPs will usually do something about it.
4. Use strong passwords and enable strong password authentication for domain users as well.
5. Make sure your firewall is properly configured. Usually you see "dropped" or "accepted" at the end of each line; call the firewall MFG to make sure that traffic is not traversing your firewall.

Here's the originating network:

inetnum: 124.92.0.0 - 124.95.255.255
netname: UNICOM-LN
country: CN
descr: China Unicom Liaoning province network
descr: China Unicom
admin-c: CH1302-AP
tech-c: GZ84-AP
status: ALLOCATED PORTABLE
mnt-by: APNIC-HM
mnt-lower: MAINT-CNCGROUP-LN
mnt-routes: MAINT-CNCGROUP-RR
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
changed: hm-changed@apnic.net 20060215
changed: hm-changed@apnic.net 20090508
source: APNIC

route: 124.92.0.0/14
descr: CNC Group CHINA169 Liaoning Province Network
country: CN
origin: AS4837
mnt-by: MAINT-CNCGROUP-RR
changed: abuse@cnc-noc.net 20060215
source: APNIC

person: ChinaUnicom Hostmaster
nic-hdl: CH1302-AP
e-mail: abuse@chinaunicom.cn
address: No.21,Jin-Rong Street
address: Beijing,100140
address: P.R.China
phone: +86-10-66259940
fax-no: +86-10-66259764
country: CN
changed: abuse@chinaunicom.cn 20090408
mnt-by: MAINT-CNCGROUP
source: APNIC

person: Guangyu Zhan
nic-hdl: GZ84-AP
e-mail: abuse@online.ln.cn
address: DATA Communication Bureau of Liaoning Province,China
address: 38 Lianhe Road,Dadong District Shenyang 110044,China
phone: +86-24-22800809
fax-no: +86-24-22800077
country: CN
changed: jinjl@lntelecom.com 20090803
mnt-by: MAINT-CNCGROUP-LN
source: APNIC

Sun, 2009-12-06 15:50:51 - TCP Packet - Source:118.99.9.10,6000 Destination:0.0.0.0,3389 - [rdp rule match]

This looks like an incoming RDP request that traversed the firewall (I'm guessing from the [rdp rule match] it must mean accepted), so you probably have RDP port 3389 open and forwarded to somewhere. Make sure you have strong passwords. If you see this line multiple times (like, a lot) then it's likely someone is using a brute force or dictionary attack on your administrator password.

Links:
http://en.wikipedia.org/wiki/Script_kiddie
http://en.wikipedia.org/wiki/Port_scanner
http://en.wikipedia.org/wiki/Zombie_botnet
http://wq.apnic.net/apnic-bin/whois.pl
http://en.wikipedia.org/wiki/Password_cracking

Good luck and don't lose too much sleep over this.

Miguel Fra / Falcon ITS
Computer and Network Service and Support, Miami, Fl
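The two checks Miguel describes above, a source walking through destination ports one by one and a single source repeatedly hitting the forwarded RDP port, can be run mechanically over the router's log export. The script below is an added example, not code from the thread or from Netgear: it parses lines in the format the original poster pasted, groups them by source address, counts how many distinct destination ports each source touched inside a short time window, and counts [rdp rule match] hits per source. The thresholds (5 ports in 120 seconds, 3 RDP hits) are assumptions chosen for illustration; the lines for 203.0.113.7 are constructed to show the RDP check firing, while the other lines are the ones quoted in the thread.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the Netgear-style lines quoted in the thread. The port after each
# address is optional because the "[PORT SCAN]" summary line carries none.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>TCP|UDP) Packet - "
    r"Source:(?P<src>[\d.]+)(?:,(?P<sport>\d+))? "
    r"Destination:(?P<dst>[\d.]+)(?:,(?P<dport>\d+))? - "
    r"\[(?P<tag>[^\]]+)\]$"
)


def parse_line(line):
    """Return a dict for a packet line, or None for status lines such as
    'Send E-mail Success!' that carry no packet fields."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%a, %Y-%m-%d %H:%M:%S"),
        "proto": d["proto"],
        "src": d["src"],
        "sport": int(d["sport"]) if d["sport"] else None,
        "dst": d["dst"],
        "dport": int(d["dport"]) if d["dport"] else None,
        "tag": d["tag"].lower(),
    }


def max_ports_in_window(events, window_seconds):
    """Largest number of distinct destination ports one source touched within
    any span of window_seconds (two-pointer sweep over time-sorted events)."""
    evs = sorted((e for e in events if e["dport"] is not None), key=lambda e: e["ts"])
    best, lo, counts = 0, 0, defaultdict(int)
    for e in evs:
        counts[e["dport"]] += 1
        # Drop events that fell out of the window ending at e["ts"].
        while (e["ts"] - evs[lo]["ts"]).total_seconds() > window_seconds:
            old = evs[lo]["dport"]
            counts[old] -= 1
            if counts[old] == 0:
                del counts[old]
            lo += 1
        best = max(best, len(counts))
    return best


def summarize(lines, scan_ports=5, window_seconds=120, rdp_hits=3):
    """Per-source summary with verdicts. Thresholds are illustrative assumptions."""
    by_src = defaultdict(list)
    for line in lines:
        e = parse_line(line)
        if e:
            by_src[e["src"]].append(e)
    report = {}
    for src, evs in by_src.items():
        distinct = {e["dport"] for e in evs if e["dport"] is not None}
        burst = max_ports_in_window(evs, window_seconds)
        rdp = sum(1 for e in evs if e["tag"] == "rdp rule match" or e["dport"] == 3389)
        verdicts = []
        if burst >= scan_ports or any(e["tag"] == "port scan" for e in evs):
            verdicts.append("port scan")
        if rdp >= rdp_hits:
            verdicts.append("repeated RDP hits: check logon failures on the RDP host")
        report[src] = {"events": len(evs), "distinct_ports": len(distinct),
                       "max_ports_in_window": burst, "rdp_hits": rdp,
                       "verdicts": verdicts}
    return report


# Lines quoted in the thread, plus constructed lines for 203.0.113.7.
SAMPLE_LOG = [
    "Tue, 2009-12-08 14:00:05 - Send E-mail Success!",
    "Tue, 2009-12-08 14:02:01 - TCP Packet - Source:124.93.222.130,1119 Destination:0.0.0.0,1035 - [DOS]",
    "Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1129 Destination:0.0.0.0,1036 - [DOS]",
    "Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1140 Destination:0.0.0.0,1037 - [DOS]",
    "Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1160 Destination:0.0.0.0,1039 - [DOS]",
    "Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1168 Destination:0.0.0.0,1040 - [DOS]",
    "Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1178 Destination:0.0.0.0,1041 - [DOS]",
    "Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130,1186 Destination:0.0.0.0,1042 - [DOS]",
    "Tue, 2009-12-08 14:03:01 - TCP Packet - Source:124.93.222.130 Destination:0.0.0.0 - [PORT SCAN]",
    "Sun, 2009-12-06 15:50:51 - TCP Packet - Source:118.99.9.10,6000 Destination:0.0.0.0,3389 - [rdp rule match]",
    # constructed: one source hitting the forwarded RDP port every few seconds
    "Sun, 2009-12-06 16:10:03 - TCP Packet - Source:203.0.113.7,6000 Destination:0.0.0.0,3389 - [rdp rule match]",
    "Sun, 2009-12-06 16:10:09 - TCP Packet - Source:203.0.113.7,6001 Destination:0.0.0.0,3389 - [rdp rule match]",
    "Sun, 2009-12-06 16:10:15 - TCP Packet - Source:203.0.113.7,6002 Destination:0.0.0.0,3389 - [rdp rule match]",
    "Sun, 2009-12-06 16:10:21 - TCP Packet - Source:203.0.113.7,6003 Destination:0.0.0.0,3389 - [rdp rule match]",
]

if __name__ == "__main__":
    for src, info in summarize(SAMPLE_LOG).items():
        print(src, info)
```

The single 118.99.9.10 line from the thread does not reach the RDP threshold, which matches the advice above: one accepted RDP packet is a reason to confirm the forward and the password policy, while a run of them from one source is the signal to go and read the logon-failure events on the Windows host it forwards to.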
December 14th, 2009 10:26am

Thanks for the info Scorprio
December 16th, 2009 2:06am

Many thanks for the info Falcon. Yeah it's only a substandard dsl gateway. I'll check out those links though and I'm currently setting up an Untangle server to configure packet filtering. Thanks again for the input. K
December 16th, 2009 2:12am
