----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, September 12, 2001 3:47 PM
Subject: Firewalls digest, Vol 1 #259 - 5 msgs

> Send Firewalls mailing list submissions to
> [EMAIL PROTECTED]
>
> To subscribe or unsubscribe via the World Wide Web, visit
> http://lists.gnac.net/mailman/listinfo/firewalls
> or, via email, send a message with subject or body 'help' to
> [EMAIL PROTECTED]
>
> You can reach the person managing the list at
> [EMAIL PROTECTED]
>
> When replying, please edit your Subject line so it is more specific
> than "Re: Contents of Firewalls digest..."
>
>
> Today's Topics:
>
> 1. Re: AOL probe - "just" Code Red (Ron DuFresne)
> 2. RE: AOL probe - "just" Code Red (Ron DuFresne)
> 3. Re: (no subject) ([EMAIL PROTECTED])
> 4. Re: WINS with PIX ([EMAIL PROTECTED])
> 5. RE: AOL probe - "just" Code Red (william.wells)
>
> --__--__--
>
> Message: 1
> Date: Wed, 12 Sep 2001 16:21:48 -0500 (CDT)
> From: Ron DuFresne <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc: [EMAIL PROTECTED]
> Subject: Re: AOL probe - "just" Code Red
>
>
>
> Perhaps this is what he was seeing, perhaps not, there is something
> different coming out of the AOL address space. It looks like folks at
> least in that address space might well be scanning for infected machines
> for some other purpose.
> The attack signatures are different in that a
> single attempt to 'infect' another machine, rather there are repeated
> attempts to hit other servers:
>
> Sep-12-2001 01:41:40 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
> Sep-12-2001 01:41:41 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
> Sep-12-2001 01:41:42 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
> Sep-12-2001 01:41:43 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
> Sep-12-2001 01:41:45 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
> Sep-12-2001 01:41:47 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
> Sep-12-2001 01:41:48 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
> Sep-12-2001 01:41:50 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
> Sep-12-2001 01:41:51 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
> Sep-12-2001 01:41:56 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
> Sep-12-2001 01:42:05 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
> Sep-12-2001 01:42:10 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
> Sep-12-2001 01:42:08 [EDT] : CR2 : 172.180.53.153 : Notify to '[EMAIL PROTECTED]'
>
>
> Please be advised that AOL is NOT the only address space such signature
> attacks are coming from:
>
> Sep-09-2001 13:42:31 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
> Sep-09-2001 13:42:39 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
> Sep-09-2001 13:43:37 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
> Sep-09-2001 13:44:14 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
> Sep-09-2001 13:45:54 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
> Sep-09-2001 13:48:46 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
> Sep-09-2001 13:49:36 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
> Sep-09-2001 13:49:47 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
> Sep-09-2001 13:50:42 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
> Sep-09-2001 13:51:43 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
> Sep-09-2001 13:51:51 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
> Sep-09-2001 13:51:54 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
> Sep-09-2001 13:51:55 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
> Sep-09-2001 13:51:57 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
> Sep-09-2001 13:54:21 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
> Sep-09-2001 13:54:29 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
> Sep-09-2001 13:59:51 [EDT] : CR2 : 208.59.71.90 : Notify to '[EMAIL PROTECTED]'
>
>
> One mistake we are seeing admins of infected machines taking is they
> either merely reboot the server, thinking this rids them of the viri and
> cures the problems, or they in fact rebuild the system and go no further,
> also thinking the issue is fixed in total. We are seeing such systems
> either reinfected, or further compromised and striking out at others with
> the same attacks again shortly after being put back online. These
> NT/win2k admins seem to be totally clueless and unable to properly care
> for their systems. Thusly their skills for the jobs that maintain are
> doubtful.
>
> Thanks,
>
> Ron DuFresne
>
> On Wed, 12 Sep 2001 [EMAIL PROTECTED] wrote:
>
> > William--
> >
> > What you've received is a probe by a machine infected with Code Red or
> > similar.
> >
> > The fact that it's from an IP address in AOL's range is just a coincidence.
> >
> > Whilst it could be one of AOL's own servers that has been infected and is
> > trying to spread, it is more likely to be one of its users with an infected
> > machine.
> >
> > All you have to do is make sure that if you're running IIS (server or
> > personal version) that you are properly patched.
> > > > Russell > > > > > > From: "william.wells" <[EMAIL PROTECTED]> > > To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> > > Date: Tue, 11 Sep 2001 17:38:05 -0500 > > Subject: (no subject) > > > > My PC is loaded with intrusion detection and other types of software. > > For > > the first time, AOL has tripped one of those alarms. The message > > indicated > > that a connection from AOL's system 172.165.224.93 > > (ACA5E05D.ipt.aol.com) > > attempted to scan my PC on port 80 with the URL of: > > GET /default.ida?XXXXXXXXX...XXX%u9090%u685...... > > > > I've currently got AOL disabled at my firewall as a result. Normally, > > the > > firewall only lets ports 5190 out and only to AOL's systems. The > > implication > > of this is that, once connected to AOL, they allow both inbound and > > outbound > > connections. The system (172.165.224.93) also isn't one of the > > permitted IP > > addresses for which the firewall will allow connections to. A > > traceroute, > > however, clearly showed that the packet when through AOL's adapter > > running > > on Windows. > > > > Comments? > > > > > > > > _______________________________________________ > > Firewalls mailing list > > [EMAIL PROTECTED] > > http://lists.gnac.net/mailman/listinfo/firewalls > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > "Cutting the space budget really restores my faith in humanity. It > eliminates dreams, goals, and ideals and lets us get straight to the > business of hate, debauchery, and self-annihilation." -- Johnny Hart > ***testing, only testing, and damn good at it too!*** > > OK, so you're a Ph.D. Just don't touch anything. 
> > > --__--__-- > > Message: 2 > Date: Wed, 12 Sep 2001 16:31:00 -0500 (CDT) > From: Ron DuFresne <[EMAIL PROTECTED]> > To: "william.wells" <[EMAIL PROTECTED]> > Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>, > "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> > Subject: RE: AOL probe - "just" Code Red > > > Basically what you are saying is that AOL should be treated no differently > then cable modem users on the @home.com networks, a long known issue. > Yes? > > Thanks, > > Ron DuFresne > > > On Wed, 12 Sep 2001, william.wells wrote: > > > AOL is configured to use a LAN(TCP/IP) connection which means its connecting > > on port 5190 through our firewall and then setting up a virtual network over > > that. When I get hit on port 80, I do a traceroute back to the port reported > > by my intrusion detection software on my PC. That traceroute returned via > > their virtual network to named system (server?) in their DNS space. > > > > Our firewall is configured to block inbound port 80 so, up until yesterday, > > I have literally 0 attempts of connections to port 80 over the past couple > > of years. Our firewall is constantly scanned and blocks things accordingly. > > > > Hence, > > If one of their servers is attempting to access my PC via port 80 and send > > me a CodeRed URL, then there is something wrong with their servers (my > > opinion). > > > > If one of their customers can attempt to connect to port 80 on my PC through > > AOL's virtual network connection which AOL establishes, then any company or > > person which allows AOL's virtual adapter to run is opening up a hole around > > any network security which they might have; only software resident on the PC > > might protect them. The implication, if this is true (and the same mechanism > > is used for dial-up), is that AOL shouldn't be allowed to run on any system > > unless that system has personal firewall software. AOL, by itself, should be > > considered unsecure. 
If that were true and became public, I'd think AOL > > would rapidly be out of business. > > > > I've been approaching this assuming that my connection to them was solely to > > their servers implying that they can control what "touches" my system. If, > > when I connect, I am just another node in a virtual IP space which contains > > all other active AOL connections and all systems can freely access my > > system, then I need to seriously rethink AOL. I wouldn't think that my > > system would have a resolvable name in their address space, but maybe so. > > Next time I come up, I'll have to do a DNS lookup of my PC's IP address. > > > > Incidentally, I enabled the AOL proxy this morning, connected to AOL, and > > had another alarm in probably under 1 minute; different IP address but > > everything else is the same. > > > > > -----Original Message----- > > > From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]] > > > Sent: Wednesday, September 12, 2001 12:41 PM > > > To: william.wells > > > Cc: [EMAIL PROTECTED] > > > Subject: RE: AOL probe - "just" Code Red > > > > > > William--- > > > > > > Are you getting your Internet access from AOL or do you have another > > > Internet provide and connect to AOL through that? > > > > > > I'm no expert on AOL, but my understanding is that it's dial-up access > > > uses > > > it's own proprietary protocol, and it provide winsock-based IP access > > > through it's own virtual network adaptor - at least this is how previous > > > versions in the UK worked. > > > > > > If, however, you have a "proper" Internet connection (ie. broadband or > > > proper PPP dialup), and you access AOL over that, then AOL uses it's own > > > special port over IP to communicate with it's servers, and it's that port > > > you need to allow through your IP firewall. 
> > > > > > However, unless you've set your personal firewall rules up correctly, > > > there > > > is no way you can stop ANY box TRYING to communicate with you on port 80, > > > whether from AOL or not. If you're not running a web server of any kind > > > on > > > your box, then just block port 80, and don't bother configuring your > > > firewall to notify you. There is so much background noise on the Internet > > > that the value of receiving individual alerts is pretty meaningless > > > (although it's obviously useful to look at longer term trends for the > > > connections made to your box, to identify repeated connection attempts). > > > > > > So, although AOL may block communication via it's own protocol from other > > > users, you should not rely on them to block anything else, whether from > > > other AOL users of anyone on the Internet. You're being scanned at an IP > > > level, not a proprietary AOL protocol level.. > > > > > > If you've never been scanned before, that more due to your luck than > > > anything else.... > > > > > > Russell > > > > > > > > > ----- Forwarded by Russell Donoff/GB/ABNAMRO/NL on 12/09/2001 > > > 18:38 > > > ----- > > > > > > > > > "william.wells" > > > > > > <william.wells@pr To: > > > "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> > > > > > > ovell.com> cc: > > > > > > Subject: RE: AOL probe - > > > "just" Code Red > > > 12/09/2001 18:21 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > What you are saying implies that other AOL users could access my > > > system from > > > their systems while I was logged into AOL. I thought AOL blocked > > > that - > > > perhaps not. I'm still talking to AOL. I've never been scanned > > > while on AOL > > > previously. 
> > > > > > > > > > > _______________________________________________ > > Firewalls mailing list > > [EMAIL PROTECTED] > > http://lists.gnac.net/mailman/listinfo/firewalls > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > "Cutting the space budget really restores my faith in humanity. It > eliminates dreams, goals, and ideals and lets us get straight to the > business of hate, debauchery, and self-annihilation." -- Johnny Hart > ***testing, only testing, and damn good at it too!*** > > OK, so you're a Ph.D. Just don't touch anything. > > > --__--__-- > > Message: 3 > From: [EMAIL PROTECTED] > To: [EMAIL PROTECTED] > Date: Wed, 12 Sep 2001 15:23:56 -0700 > Subject: Re: (no subject) > > I see 172.165.x.x addresses spoofed (probably by accident, by > people who meant to type 172.16.x.x) that if this were connectionless > traffic, I wouldn't leap to blame AOL for it. But having an > established TCP connection makes it much more likely that this really > is from them.... > > DG > > > On 11 Sep 2001, at 17:38, william.wells wrote: > > > My PC is loaded with intrusion detection and other types of software. For > > the first time, AOL has tripped one of those alarms. The message indicated > > that a connection from AOL's system 172.165.224.93 (ACA5E05D.ipt.aol.com) > > attempted to scan my PC on port 80 with the URL of: > > GET /default.ida?XXXXXXXXX...XXX%u9090%u685...... > > > > I've currently got AOL disabled at my firewall as a result. Normally, the > > firewall only lets ports 5190 out and only to AOL's systems. The implication > > of this is that, once connected to AOL, they allow both inbound and outbound > > connections. The system (172.165.224.93) also isn't one of the permitted IP > > addresses for which the firewall will allow connections to. A traceroute, > > however, clearly showed that the packet when through AOL's adapter running > > on Windows. > > > > Comments? 
> > _______________________________________________
> > Firewalls mailing list
> > [EMAIL PROTECTED]
> > http://lists.gnac.net/mailman/listinfo/firewalls
>
>
> --__--__--
>
> Message: 4
> From: [EMAIL PROTECTED]
> To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Date: Wed, 12 Sep 2001 15:23:56 -0700
> Subject: Re: WINS with PIX
>
> On 12 Sep 2001, at 16:00, Volker Tanger wrote:
>
> > Greetings!
> >
> > Johnston Mark wrote:
> >
> > > I have set up a PIX firewall with VPN capabilities. Everything seems
> > > to be working except for WINS. I don't want to go through the whole
> > > configuration, but I'm calling on anyone that has run into the same
> > > problem or can give me any pointers.
> >
> > Which WINS? I guess setting up a WINS server and pointing the clients
> > to it should do the work.
> >
> > NETBIOS name resolution (often confused with WINS) is broadcast-based
> > which probably does not work across networks with different IP addresses
> > (e.g. local 10.0.0.0/8, remote 192.168.0.0/16).
>
> NetBIOS clients can be set to do name resolution in four ways:
>
> 1. broadcast
> 2. direct to WINS server
> 3. direct to WINS server, broadcast if no answer
> 4. broadcast, direct to WINS server if no answer (silly...)
>
> In addition, any NT/2000 box can be told, via the registry, to act
> as a WINS proxy: when you see a broadcast name resolution request,
> forward it to the WINS server.
>
> IF the client type is broadcast and there are no proxies in the
> broadcast domain, then the only way to resolve NetBIOS addresses
> outside the BD is via the lmhosts file.
>
> David Gillett
>
>
> --__--__--
>
> Message: 5
> From: "william.wells" <[EMAIL PROTECTED]>
> To: "'Ron DuFresne'" <[EMAIL PROTECTED]>,
> "william.wells" <[EMAIL PROTECTED]>
> Cc: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>,
> "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: RE: AOL probe - "just" Code Red
> Date: Wed, 12 Sep 2001 17:30:54 -0500
>
> AOL hasn't gotten back to me on if this is expected behavior or not. Since
> it just started, I'm inclined to believe that something is amiss at AOL. My
> primary reason for writing to y'all was to confirm that the URL and activity
> I was seeing was consistent with Code Red and to see if y'all could provide
> some ideas for investigating this. If someone else was seeing this, that
> would also eliminate my PC's configuration and our Corporate environment
> from the mix.
>
> Ron wrote:
> Basically what you are saying is that AOL should be treated no differently
> than cable modem users on the @home.com networks, a long known issue. Yes?
>
> I'm still waiting for some response from AOL. However, if this is normal -
> that is, there are no clamps which tie the connections which utilize their
> virtual network to their servers, then you have to assume that any use of
> AOL's virtual network (which they seem to be using for dial-up and/or LAN
> connections - that is everything) could allow any connection attempt to hit
> a PC running AOL regardless of modem or firewall settings. The only
> potential way to protect against AOL is to run firewall software on the
> individual PC. I'm not a PC firewall guru to know if their virtual network
> adapter could get around a firewall or not.
>
> I think this is somewhat different than a cable modem in that you can
> connect a firewall between the modem and your home network. In this case,
> the firewall wouldn't protect your network since AOL would blow right
> through it.
>
> Again, my feeling is that there is either some weird configuration on my
> system which I can't explain nor remember making or that there is something
> amiss at AOL which they will resolve. Thus far, I've only had people take
> information from me at AOL to pass along to others. The general feeling at
> AOL is that their security is so tight that there is no way they could
> possibly be sending me a Code Red URL or that I need to talk to Microsoft
> Windows 95 support; that is, it must be Windows or a network problem (I
> don't understand that idea). Supposedly, the people in Virginia were made
> aware of my experiences this morning.
>
> I'm not ready to agree with Ron's summary yet. However, I'm also not
> comfortable enough with what I'm seeing to re-enable AOL on the Corporate
> firewall except when I'm trying another test. If it turns out that what I'm
> seeing is normal, then AOL won't be enabled on the Corporate firewall.
>
> To provide the latest information from this morning's test (essentially what
> I've sent AOL). Suggestions are very welcome.
>
> ---- Mail snippet follows:
>
> All times are Central. My PC clock is approximately 3 minutes fast.
>
> Yesterday, when I logged into AOL from work, my intrusion detection software
> on my PC reported that one of your servers attempted to connect to port 80
> (http) on my PC using a URL which has been associated with Code Red. Until
> yesterday, I have NEVER had an intrusion alarm when accessing AOL under any
> conditions which makes the following very worrisome.
>
> Yesterday, when I encountered the alarm, I killed outbound AOL access
> through my firewall. I just re-enabled AOL access and tried again. Once
> again, within a minute or two, I have an intrusion alarm.
>
> The alarms are:
>
> Tue Sep 11 13:19:21 HTTP request from 172.165.224.93: GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXX%u9090%u685...
> Wed Sep 12 10:25:10 HTTP request from 172.173.194.54: GET
> /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
> XXXXXXXXX%u9090%u685...
>
> Today's trackback from my PC is (copied by hand):
>
> C:\WINDOWS\tracert 172.173.194.54
>
> Tracing route to ACADC236.ipt.aol.com [172.173.194.54]
> over a maximum of 30 hops:
>
>   1   874 ms   775 ms   888 ms  ipt-mq05.proxy.aol.com [64.12.101.234]
>   2   928 ms   942 ms   879 ms  tot5-mc2-G4-0.proxy.aol.com [64.12.101.251]
>   3   890 ms   846 ms   826 ms  ipt-mp04.proxy.aol.com [64.12.101.223]
>   4  2327 ms  2291 ms  2146 ms  ACADC236.ipt.aol.com [172.173.194.54]
>
> Our firewall is configured, when AOL is enabled, to allow transparently
> outside access on port 5190 to any server on the following networks; 64.12,
> 152.163, and 205.188. The first hops on the traceroutes are to servers on
> the 64.12 networks. The 172.173.194.54 system is only accessible via your
> AOL adapter software (when I drop AOL, that system is no longer accessible).
> "Transparency" means, among other things, that there are no special
> configurations or settings on my PC, Internet Explorer (see below), or AOL.
> This configuration has worked for years.
>
> Other than setting AOL to use a LAN (TCP/IP) in the Setup box, no other
> changes or proxy settings are set. I am not in the web browser when this
> occurs; I am completely within the AOL software. The intrusion alarm only
> occurs when logged into AOL and the IP addresses involved are only AOL's
> systems.
> > > -----Original Message----- > > From: Ron DuFresne [SMTP:[EMAIL PROTECTED]] > > Sent: Wednesday, September 12, 2001 4:31 PM > > To: william.wells > > Cc: '[EMAIL PROTECTED]'; '[EMAIL PROTECTED]' > > Subject: RE: AOL probe - "just" Code Red > > > > > > Basically what you are saying is that AOL should be treated no differently > > then cable modem users on the @home.com networks, a long known issue. > > Yes? > > > > Thanks, > > > > Ron DuFresne > > > > > > On Wed, 12 Sep 2001, william.wells wrote: > > > > > AOL is configured to use a LAN(TCP/IP) connection which means its > > connecting > > > on port 5190 through our firewall and then setting up a virtual network > > over > > > that. When I get hit on port 80, I do a traceroute back to the port > > reported > > > by my intrusion detection software on my PC. That traceroute returned > > via > > > their virtual network to named system (server?) in their DNS space. > > > > > > Our firewall is configured to block inbound port 80 so, up until > > yesterday, > > > I have literally 0 attempts of connections to port 80 over the past > > couple > > > of years. Our firewall is constantly scanned and blocks things > > accordingly. > > > > > > Hence, > > > If one of their servers is attempting to access my PC via port 80 and > > send > > > me a CodeRed URL, then there is something wrong with their servers (my > > > opinion). > > > > > > If one of their customers can attempt to connect to port 80 on my PC > > through > > > AOL's virtual network connection which AOL establishes, then any company > > or > > > person which allows AOL's virtual adapter to run is opening up a hole > > around > > > any network security which they might have; only software resident on > > the PC > > > might protect them. The implication, if this is true (and the same > > mechanism > > > is used for dial-up), is that AOL shouldn't be allowed to run on any > > system > > > unless that system has personal firewall software. 
AOL, by itself, > > should be > > > considered unsecure. If that were true and became public, I'd think AOL > > > would rapidly be out of business. > > > > > > I've been approaching this assuming that my connection to them was > > solely to > > > their servers implying that they can control what "touches" my system. > > If, > > > when I connect, I am just another node in a virtual IP space which > > contains > > > all other active AOL connections and all systems can freely access my > > > system, then I need to seriously rethink AOL. I wouldn't think that my > > > system would have a resolvable name in their address space, but maybe > > so. > > > Next time I come up, I'll have to do a DNS lookup of my PC's IP address. > > > > > > Incidentally, I enabled the AOL proxy this morning, connected to AOL, > > and > > > had another alarm in probably under 1 minute; different IP address but > > > everything else is the same. > > > > > > > -----Original Message----- > > > > From: [EMAIL PROTECTED] > > [SMTP:[EMAIL PROTECTED]] > > > > Sent: Wednesday, September 12, 2001 12:41 PM > > > > To: william.wells > > > > Cc: [EMAIL PROTECTED] > > > > Subject: RE: AOL probe - "just" Code Red > > > > > > > > William--- > > > > > > > > Are you getting your Internet access from AOL or do you have another > > > > Internet provide and connect to AOL through that? > > > > > > > > I'm no expert on AOL, but my understanding is that it's dial-up access > > > > uses > > > > it's own proprietary protocol, and it provide winsock-based IP access > > > > through it's own virtual network adaptor - at least this is how > > previous > > > > versions in the UK worked. > > > > > > > > If, however, you have a "proper" Internet connection (ie. broadband or > > > > proper PPP dialup), and you access AOL over that, then AOL uses it's > > own > > > > special port over IP to communicate with it's servers, and it's that > > port > > > > you need to allow through your IP firewall. 
> > > > > > > > However, unless you've set your personal firewall rules up correctly, > > > > there > > > > is no way you can stop ANY box TRYING to communicate with you on port > > 80, > > > > whether from AOL or not. If you're not running a web server of any > > kind > > > > on > > > > your box, then just block port 80, and don't bother configuring your > > > > firewall to notify you. There is so much background noise on the > > Internet > > > > that the value of receiving individual alerts is pretty meaningless > > > > (although it's obviously useful to look at longer term trends for the > > > > connections made to your box, to identify repeated connection > > attempts). > > > > > > > > So, although AOL may block communication via it's own protocol from > > other > > > > users, you should not rely on them to block anything else, whether > > from > > > > other AOL users of anyone on the Internet. You're being scanned at an > > IP > > > > level, not a proprietary AOL protocol level.. > > > > > > > > If you've never been scanned before, that more due to your luck than > > > > anything else.... > > > > > > > > Russell > > > > > > > > > > > > ----- Forwarded by Russell Donoff/GB/ABNAMRO/NL on 12/09/2001 > > > > 18:38 > > > > ----- > > > > > > > > > > > > "william.wells" > > > > > > > > <william.wells@pr To: > > > > "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]> > > > > > > > > ovell.com> cc: > > > > > > > > Subject: RE: AOL > > probe - > > > > "just" Code Red > > > > 12/09/2001 18:21 > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > > What you are saying implies that other AOL users could access > > my > > > > system from > > > > their systems while I was logged into AOL. I thought AOL > > blocked > > > > that - > > > > perhaps not. I'm still talking to AOL. I've never been scanned > > > > while on AOL > > > > previously. 
> > > > > > > > > > > > > > > _______________________________________________ > > > Firewalls mailing list > > > [EMAIL PROTECTED] > > > http://lists.gnac.net/mailman/listinfo/firewalls > > > > > > > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > "Cutting the space budget really restores my faith in humanity. It > > eliminates dreams, goals, and ideals and lets us get straight to the > > business of hate, debauchery, and self-annihilation." -- Johnny Hart > > ***testing, only testing, and damn good at it too!*** > > > > OK, so you're a Ph.D. Just don't touch anything. > > > --__--__-- > > _______________________________________________ > Firewalls mailing list > [EMAIL PROTECTED] > http://lists.gnac.net/mailman/listinfo/firewalls > > > End of Firewalls Digest _______________________________________________ Firewalls mailing list [EMAIL PROTECTED] http://lists.gnac.net/mailman/listinfo/firewalls
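As an added example that is not part of the digest (it is not Ron's, Russell's or William's code): a small Python parser for the two alert formats quoted in the thread, the "CR2 : <ip> : Notify to" notifier lines and the personal-IDS "HTTP request from <ip>: GET ..." lines. It flags the Code Red request signature the posters quote (GET /default.ida? followed by a long run of X and %u9090) and, following Russell's advice to look at repeated connection attempts rather than react to single alerts, reports which sources hit repeatedly inside a short window. The sample log lines, the notification address and the year supplied for the IDS lines (which carry none) are constructed assumptions.

```python
"""Aggregate Code Red probe alerts per source address (added example).

The two line formats are modelled on the ones quoted in the digest; the
sample lines below are constructed, not taken from a real sensor.
"""
import re
from collections import defaultdict
from datetime import datetime

# Format 1 (constructed, modelled on the notifier lines Ron posted):
#   Sep-12-2001 01:41:40 [EDT] : CR2 : 172.180.53.153 : Notify to 'abuse@example.invalid'
CR2_RE = re.compile(
    r"^(?P<date>\w{3}-\d{2}-\d{4}) (?P<time>\d{2}:\d{2}:\d{2}) \[\w+\] : CR2 : "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) : Notify to"
)
# Format 2 (constructed, modelled on the personal-IDS lines William posted):
#   Tue Sep 11 13:19:21 HTTP request from 172.165.224.93: GET /default.ida?XXX...%u9090%u685...
HTTP_RE = re.compile(
    r"^\w{3} (?P<date>\w{3} \d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) HTTP request from "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}): (?P<req>GET \S+)"
)
# Code Red request signature: /default.ida? padded with a long run of X, then %u9090.
CODE_RED_RE = re.compile(r"^GET /default\.ida\?X{100,}%u9090")

# Constructed sample: one bursting source, one single hit, one IDS Code Red hit,
# one ordinary GET that must not be counted, and one line that is not an alert.
SAMPLE_LOG = """\
Sep-12-2001 01:41:40 [EDT] : CR2 : 172.180.53.153 : Notify to 'abuse@example.invalid'
Sep-12-2001 01:41:41 [EDT] : CR2 : 172.180.53.153 : Notify to 'abuse@example.invalid'
Sep-12-2001 01:41:45 [EDT] : CR2 : 172.180.53.153 : Notify to 'abuse@example.invalid'
Sep-09-2001 13:42:31 [EDT] : CR2 : 208.59.71.90 : Notify to 'abuse@example.invalid'
Tue Sep 11 13:19:21 HTTP request from 172.165.224.93: GET /default.ida?{x}%u9090%u6858%ucbd3
Tue Sep 11 13:19:40 HTTP request from 10.0.0.5: GET /index.html
this line is not an alert at all
""".format(x="X" * 224)


def parse_alerts(text, year=2001):
    """Return (timestamp, source_ip, kind) tuples; kind is 'cr2', 'codered' or 'http'.

    The IDS format has no year, so one is assumed (2001 matches the thread).
    """
    events = []
    for line in text.splitlines():
        m = CR2_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%b-%d-%Y %H:%M:%S")
            events.append((ts, m["ip"], "cr2"))
            continue
        m = HTTP_RE.match(line)
        if m:
            ts = datetime.strptime(f"{m['date']} {year} {m['time']}", "%b %d %Y %H:%M:%S")
            kind = "codered" if CODE_RED_RE.match(m["req"]) else "http"
            events.append((ts, m["ip"], kind))
        # anything else is not an alert line and is skipped
    return events


def hits_per_source(events, kinds=("cr2", "codered")):
    """Count signature events per source address; plain HTTP hits are ignored."""
    counts = defaultdict(int)
    for _, ip, kind in events:
        if kind in kinds:
            counts[ip] += 1
    return dict(counts)


def burst_sources(events, min_hits=3, window_seconds=60, kinds=("cr2", "codered")):
    """Sources with at least min_hits signature events inside any window_seconds span.

    A single probe is Internet background noise; a burst from one address is the
    repeated-attempt pattern worth escalating or reporting to the owner of the range.
    """
    per_ip = defaultdict(list)
    for ts, ip, kind in events:
        if kind in kinds:
            per_ip[ip].append(ts)
    bursts = set()
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= min_hits:
                bursts.add(ip)
                break
    return bursts


if __name__ == "__main__":
    evts = parse_alerts(SAMPLE_LOG)
    print("signature hits per source:", hits_per_source(evts))
    print("bursting sources:", burst_sources(evts))
```

Running it on the constructed sample reports three signature hits from 172.180.53.153, one each from 208.59.71.90 and 172.165.224.93, and only 172.180.53.153 as a bursting source; the /index.html request and the stray non-alert line are ignored.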
