
Comcast is pretty slick


Kenyon Ralph

Jan 9, 2003, 10:35:46 PM
"aac" <a...@bubsbs.neyt> wrote in message
news:69bs1v4i2f6ro304c...@4ax.com...
> Received a message tonight from Norton Firewall that it had blocked
> an attack from comcast.
>
> This wouldn't be so bad except it came right thru my
> Netgear FVS318 firewall router. firmware 1.2
>
> FWIW, everything is supposedly turned off, no remote management
> enabled, no DMZ server, no added services.
>
> Tested it on GRC.com site, no open ports.
>
> Are there any known exploits of this particular router?
>
> Any ideas?

What kind of "attack" was this?

--
Kenyon Ralph | http://home.san.rr.com/ralphs/ | Semper Fi


Larry W4CSC

Jan 9, 2003, 10:58:25 PM
Do you have Comcast's software installed?

In order for anything to come through the Netgear router's NAT,
something INSIDE your computer, like Comcast's software, or some other
worm/virus/trojan/spyware, MUST tell the router what port to open up
and the router determines which port to route back to that computer so
the computer will receive a REPLY to its call out......

The only other way to get from the net to that router is DMZ you say
is off or some manually entered PORTS entry. The router isn't
clairvoyant, you know...(c;

I think you have spyware, bad guy or commercial.

Have you run AdAware from www.lavasoft.de on the computer?

On Thu, 09 Jan 2003 21:18:43 -0500, aac <a...@bubsbs.neyt> wrote:

>Received a message tonight from Norton Firewall that it had blocked
>an attack from comcast.
>
>This wouldn't be so bad except it came right thru my
>Netgear FVS318 firewall router. firmware 1.2
>
>FWIW, everything is supposedly turned off, no remote management
>enabled, no DMZ server, no added services.
>
>Tested it on GRC.com site, no open ports.
>
>Are there any known exploits of this particular router?
>
>Any ideas?
>
>


Larry W4CSC and other fine old calls since 1957...

Larry W4CSC

Jan 10, 2003, 9:39:46 AM
On Thu, 09 Jan 2003 23:55:55 -0500, aac <a...@bubsbs.neyt> wrote:

>Never loaded their software. Would not let the tech who delivered the
>modem do so either. But that was years ago.
>
>As far as spyware is concerned, the OS is only about 2 weeks old.
>Haven't even had a chance to add the usual crap. I ran Adaware and
>only found Alexa (OS delivered) and the usual 4 ad cookies.
>
>No one was more surprised than me to see norton catch inbound
>problems. I honestly only expected it to control outbound data.
>
>I did upgrade the router firmware (from v1.1 to v1.2). I'm wondering
>if something's changed in the setup?
>
>The router config was the first thing I checked. I assumed I must
>have inadvertently opened something. Found nothing. Like I said, no
>remote management enabled, no DMZ server, no added services.
>Nothing. I have only had the modem online for about 1 week.
>Was dead quiet until today.
>
>Larry I agree with you, logic prevails. I'm just not done scratching
>my head yet.
>
>Here is a copy of the norton log for the Comcast exploit and a more
>recent one from another URL
>
>COMCAST
>-----------------------------------
>Intrusion: Invalid TCP Options
>Intruder: mail.comcast.net(24.153.64.3)
>Risk Level: Medium
>Source IP address: mail.comcast.net(24.153.64.3)
>Destination IP address: Me (192.168.0.2)
>TCP Source Port: pop3(110)
>TCP Destination Port: 2283
>Invalid TCP Option: 0x000000ba
>
>
>MOST RECENT
>-------------------------------------
>Intrusion: Invalid TCP Options
>Intruder: 194.102.180.38
>Risk Level: Medium
>Source IP address: 194.102.180.38
>Destination IP address: Me (192.168.0.2)
>TCP Source Port: http(80)
>TCP Destination Port: 2259
>Invalid TCP Option: 0xb5305e2c
>
This IP belongs to RIPE.

18 193.226.179.10 164ms 168ms 167ms TTL: 0
(r1-PO4-0-0.brv-KQ2.RO.kq-gts.net bogus rDNS: host not found
[authoritative])
19 193.226.179.30 167ms 176ms 171ms TTL: 0
(r1-PO9-0-0.buh-KQ1.RO.kq-gts.net bogus rDNS: host not found
[authoritative])
20 193.226.131.196 171ms 170ms 169ms TTL: 0
(r4-Fe8-0-0.buh-KQ2.RO.kq-gts.net bogus rDNS: host not found
[authoritative])
21 193.226.152.14 206ms 210ms 192ms TTL: 0
(r1-Se4-1.0.101.sib-KQ1.RO.kq-gts.net bogus rDNS: host not found
[authoritative])
22 194.102.180.38 350ms 1385ms 421ms TTL:232
(07.PrimSB.DirectNET.ro ok)

DirectNET.ro is one of the big carriers in Romania. Their webpage is:
http://www.directnet.ro/index.htm
Click up the contact and ask their abuse department to look into what
is going on.

PrimSB redirects on port 80 to:
http://www.sibiu.ro/
whose English webpage is:
http://www.sibiu.ro/index-en.htm
This is a promo page for a town in Transylvania! I don't see a server
of any kind. There's a contact point in English on this page. Might
also be fun to ask them about PrimSB.

The webpage code is simply a redirector to the town's page, here.
That could have happened when it encountered protected Opera 6,
though.

I think your answer is probably back at the ISP, directnet.ro. Send
an email to ab...@directnet.ro and send them this information.

timeOday

Jan 10, 2003, 3:53:21 PM
Kenyon Ralph wrote:

> "aac" <a...@bubsbs.neyt> wrote in message
> news:69bs1v4i2f6ro304c...@4ax.com...
>> Received a message tonight from Norton Firewall that it had blocked
>> an attack from comcast.
>>
>> This wouldn't be so bad except it came right thru my
>> Netgear FVS318 firewall router. firmware 1.2
>>
>> FWIW, everything is supposedly turned off, no remote management
>> enabled, no DMZ server, no added services.
>>
>> Tested it on GRC.com site, no open ports.
>>
>> Are there any known exploits of this particular router?
>>
>> Any ideas?
>
> What kind of "attack" was this?
>


What do you think the DoD is talking about when they claim some ridiculous
number of "attacks" on their systems every day? Portscans, probably.


Larry W4CSC

Jan 10, 2003, 10:39:10 PM
I know it's nasty and they are really SOB's but I do love it so....(c;

I knew something inside had to make that NAT hole. The router is
actually quite stupid and is meant to be that way, which makes it
fairly immune, no matter what the FUDware hawkers say.

What virus scanner was running on the compromised computer??

On Fri, 10 Jan 2003 22:22:55 -0500, aac <a...@bubsbs.neyt> wrote:

>
>Thanks Larry, you were right. Upon further examination another
>computer on the network had a trojan that was broadcasting its
>control. Problem was they used it to get onto the network and then
>worked their way to me thru the network (behind the firewall).
>
>That's why I thought the firewall was breached.
>
>I'm guessing Comcast's port/server scanner(s) picked up on this and
>also came in and took a look around.
>
>aac
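Larry's explanation earlier in the thread (a NAT router only passes inbound packets that answer a connection some inside host opened, unless DMZ or a manual port entry says otherwise) and aac's conclusion here (a host behind the router opened the flow) describe the same connection-tracking mechanism. The Python below is an added toy model of that table, not code from the thread or from any Netgear product; the WAN address 203.0.113.7 and the DMZ host 192.168.0.9 are constructed, the other addresses and ports are the ones in the Norton log, and the model assumes a per-remote-endpoint mapping (real routers differ in how strictly they match the remote side).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Only the five fields a NAT consults (constructed toy model)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulNat:
    """Toy connection-tracking NAT. An inbound packet is delivered only if it
    answers a flow a LAN host opened, matches a manual port entry, or a DMZ
    host is configured; otherwise it is dropped."""

    def __init__(self, wan_ip, lan_prefix="192.168.0.", dmz_host=None,
                 port_forwards=None, first_port=49152):
        self.wan_ip = wan_ip
        self.lan_prefix = lan_prefix
        self.dmz_host = dmz_host                        # None means "no DMZ server"
        self.port_forwards = dict(port_forwards or {})  # (proto, wan_port) -> (lan_ip, lan_port)
        self.table = {}   # (proto, wan_port, remote_ip, remote_port) -> (lan_ip, lan_port)
        self.next_port = first_port

    def outbound(self, pkt):
        """LAN -> WAN: allocate a WAN port and remember which inside host asked."""
        if not pkt.src_ip.startswith(self.lan_prefix):
            raise ValueError("outbound packets must originate on the LAN")
        wan_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, wan_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(pkt.proto, self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """WAN -> LAN: returns (verdict, translated packet or None)."""
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key in self.table:                           # reply to a flow opened from inside
            lan_ip, lan_port = self.table[key]
            return "reply", Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        fwd = self.port_forwards.get((pkt.proto, pkt.dst_port))
        if fwd:                                         # manually entered port entry
            return "port-forward", Packet(pkt.proto, pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        if self.dmz_host:                               # DMZ server takes everything else
            return "dmz", Packet(pkt.proto, pkt.src_ip, pkt.src_port, self.dmz_host, pkt.dst_port)
        return "dropped", None


def demo():
    """Replay the thread's situation against the toy table."""
    nat = StatefulNat(wan_ip="203.0.113.7")  # constructed WAN address
    # Inside host 192.168.0.2 fetches mail from 24.153.64.3:110; this is the
    # only thing that creates a return path through the router.
    out = nat.outbound(Packet("tcp", "192.168.0.2", 2283, "24.153.64.3", 110))
    # The mail server's reply matches the table entry and is delivered inside.
    reply = nat.inbound(Packet("tcp", "24.153.64.3", 110, nat.wan_ip, out.src_port))
    # An unsolicited packet from a host nobody inside talked to is dropped.
    probe = nat.inbound(Packet("tcp", "194.102.180.38", 80, nat.wan_ip, out.src_port))
    # Same mail server, different source port: no matching flow, dropped.
    same_host = nat.inbound(Packet("tcp", "24.153.64.3", 25, nat.wan_ip, out.src_port))
    # With a DMZ host configured, the same unsolicited packet would get in.
    dmz = StatefulNat(wan_ip="203.0.113.7", dmz_host="192.168.0.9")  # constructed DMZ host
    dmz_hit = dmz.inbound(Packet("tcp", "194.102.180.38", 80, "203.0.113.7", 2259))
    return {"reply": reply, "probe": probe, "same_host": same_host, "dmz": dmz_hit}


if __name__ == "__main__":
    for name, (verdict, pkt) in demo().items():
        print(f"{name:10s} {verdict:13s} {pkt}")
```

The point of the model is the `table` lookup in `inbound`: the router has no way to know an unsolicited packet is wanted, so the only way one reaches an inside host with DMZ off and no port entries is that some inside host (a legitimate client or, as in this thread, a trojan on another machine) opened the flow first.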

Tim Smith

Jan 12, 2003, 5:09:18 PM
In article <e3js1vo67dloq63g4...@4ax.com>, aac wrote:
> COMCAST
> -----------------------------------
> Intrusion: Invalid TCP Options
> Intruder: mail.comcast.net(24.153.64.3)
> Risk Level: Medium
> Source IP address: mail.comcast.net(24.153.64.3)
> Destination IP address: Me (192.168.0.2)
> TCP Source Port: pop3(110)
> TCP Destination Port: 2283
> Invalid TCP Option: 0x000000ba

Without more information from Norton, it is not possible to tell exactly what
it is complaining about. The TCP header can include options, and that's
what it sounds like it is complaining about. However, TCP options are not a
fixed length field in the header, but rather are variable length, so it is
not clear what Norton is dumping there for the "Invalid TCP Option" data.

Anyway, what you are seeing there is that during a connection to your ISP's
mail server, Norton did not like one of the packets the mail server sent
back. That packet got past your router because your computer was talking to
the mail server, so of course packets from the mail server back to your
computer are allowed in.

> MOST RECENT
> -------------------------------------
> Intrusion: Invalid TCP Options
> Intruder: 194.102.180.38
> Risk Level: Medium
> Source IP address: 194.102.180.38
> Destination IP address: Me (192.168.0.2)
> TCP Source Port: http(80)
> TCP Destination Port: 2259
> Invalid TCP Option: 0xb5305e2c


Same as above, except this time it is a web server your computer is talking
to.

--Tim Smith
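Tim's point that TCP options are a variable-length list of kind/length/value entries rather than a fixed 32-bit field is easier to see with a parser that walks one. The Python below is an added example, not code from the thread or from Norton; the segment bytes are constructed to mirror the ports in the log (server port 110 to client port 2283), the checks are the length rules from RFC 793, RFC 2018 and RFC 7323, and the page gives no way to know what Norton itself tested or what its hex value represents.

```python
import struct
from dataclasses import dataclass

# Option kinds from RFC 793 (0-2), RFC 7323 (3, 8) and RFC 2018 (4, 5).
OPTION_NAMES = {0: "EOL", 1: "NOP", 2: "MSS", 3: "WSOPT",
                4: "SACK_PERMITTED", 5: "SACK", 8: "TIMESTAMPS"}
# Kinds whose length byte must take exactly one value.
FIXED_LENGTHS = {2: 4, 3: 3, 4: 2, 8: 10}


@dataclass
class TcpOption:
    kind: int
    data: bytes

    def name(self):
        return OPTION_NAMES.get(self.kind, f"UNKNOWN({self.kind})")


def option_area(segment):
    """Slice the option bytes out of a raw TCP segment using the Data Offset field."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    header_len = (segment[12] >> 4) * 4
    if header_len < 20 or header_len > len(segment):
        raise ValueError(f"bad data offset: header length {header_len}")
    return segment[20:header_len]


def parse_tcp_options(blob):
    """Walk the option list. Returns (options, problems); parsing stops at the
    first problem that makes the remaining bytes unparseable."""
    options, problems = [], []
    i = 0
    while i < len(blob):
        kind = blob[i]
        if kind == 0:                       # End of option list; the rest is padding
            break
        if kind == 1:                       # NOP: one byte, no length field
            options.append(TcpOption(1, b""))
            i += 1
            continue
        if i + 1 >= len(blob):
            problems.append(f"offset {i}: kind {kind} has no length byte")
            break
        length = blob[i + 1]                # length counts the kind and length bytes too
        if length < 2:
            problems.append(f"offset {i}: kind {kind} length {length} < 2")
            break
        if i + length > len(blob):
            problems.append(f"offset {i}: kind {kind} length {length} runs past option area")
            break
        expected = FIXED_LENGTHS.get(kind)
        if expected is not None and length != expected:
            problems.append(f"offset {i}: kind {kind} length {length}, expected {expected}")
        options.append(TcpOption(kind, blob[i + 2:i + length]))
        i += length
    return options, problems


# Constructed SYN-ACK from a POP3 server (port 110) to client port 2283;
# sequence numbers are arbitrary. Data Offset is derived from the option length.
_OPTS = (b"\x02\x04\x05\xb4"                          # MSS 1460
         + b"\x04\x02"                                # SACK permitted
         + b"\x08\x0a" + struct.pack("!II", 1234, 0)  # Timestamps (TSval, TSecr)
         + b"\x01"                                    # NOP for alignment
         + b"\x03\x03\x07")                           # Window scale 7
SAMPLE_SYN_ACK = struct.pack("!HHIIBBHHH", 110, 2283, 1000, 2000,
                             ((20 + len(_OPTS)) // 4) << 4, 0x12, 65535, 0, 0) + _OPTS

# Constructed malformed option areas that a strict checker would flag.
BAD_ZERO_LENGTH = b"\x02\x04\x05\xb4\x08\x00"   # Timestamps option with length 0
BAD_OVERRUN = b"\x02\x10\x05\xb4"               # MSS claiming 16 bytes in a 4-byte area


if __name__ == "__main__":
    opts, probs = parse_tcp_options(option_area(SAMPLE_SYN_ACK))
    for o in opts:
        print(o.name(), o.data.hex())
    print("problems:", probs)
    for blob in (BAD_ZERO_LENGTH, BAD_OVERRUN):
        print(blob.hex(), "->", parse_tcp_options(blob)[1])
```

Because every entry after the one-byte NOP and EOL carries its own length, a malformed length byte is the usual way an option list becomes "invalid": it either points past the end of the header or claims fewer than the two bytes the kind and length themselves occupy. That is also why a single 32-bit value, on its own, does not identify which option a checker objected to.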

Larry W4CSC

Jan 12, 2003, 11:26:48 PM
On Sun, 12 Jan 2003 16:09:18 -0600, Tim Smith
<reply_i...@mouse-potato.com> wrote:

>> Invalid TCP Option: 0xb5305e2c
>
Wasn't the 0xb5305e2c the disk drive motor in the Apple 2e or the left
radiator mounting bracket in the 63 Chevy Impala with the 283 V-8 and
no A/C?.....

Dontcha just love crypto messages from software? You'd think they
never wrote an INTERPRETER into BASIC!
