[Wolves] smoothwall advice please
kev adams
kev at magicmoon.co.uk
Tue Jun 7 20:46:19 BST 2005
Hi
Can anyone give me any advice regarding this excerpt from my smoothwall IDS
log please?
I've got a fairly common set-up: ADSL router - smoothwall - switch to LAN
-------------------------------------------
Date: 06/07 16:14:05
Name: ICMP PING NMAP
Priority: 2
Type: Attempted Information Leak
IP Info: 10.0.0.2:n/a -> 10.0.0.5:n/a
Refs: http://www.whitehats.com/info/IDS162,
Date: 06/07 16:18:43
Name: ICMP PING NMAP
Priority: 2
Type: Attempted Information Leak
IP Info: 10.0.0.2:n/a -> 10.0.0.5:n/a
Refs: http://www.whitehats.com/info/IDS162,
Date: 06/07 16:31:22
Name: ICMP PING NMAP
Priority: 2
Type: Attempted Information Leak
IP Info: 10.0.0.2:n/a -> 10.0.0.5:n/a
Refs: http://www.whitehats.com/info/IDS162,
Date: 06/07 16:31:30
Name: ICMP PING NMAP
Priority: 2
Type: Attempted Information Leak
IP Info: 10.0.0.2:n/a -> 10.0.0.5:n/a
Refs: http://www.whitehats.com/info/IDS162,
Date: 06/07 19:53:49
Name: (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
Priority: n/a
Type: n/a
IP Info: 10.0.0.5:33214 -> 67.15.2.10:80
Refs:
Date: 06/07 20:06:14
Name: (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
Priority: n/a
Type: n/a
IP Info: 10.0.0.5:33259 -> 67.15.2.10:80
Refs:
--------------------------------------------------
10.0.0.2 is the address of my router & 10.0.0.5 the address of my smoothwall
box. Have I read it correctly - has my smoothwall box been compromised &
used for an "OVERSIZE REQUEST-URI DIRECTORY" attack on IP 67.15.2.10:80?
Or did I read it wrong?
I've noticed over the last few days that there's been a worryingly regular
flash of activity from the ADSL router RXD light but it wasn't until
yesterday that smoothwall logs showed this sort of activity.
Here are the last three entries from yesterday's IDS log:
-----------------------------------------
Date: 06/06 16:38:28
Name: (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
Priority: n/a
Type: n/a
IP Info: 10.0.0.5:33887 -> 216.113.178.146:80
Refs:
Date: 06/06 16:38:53
Name: (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
Priority: n/a
Type: n/a
IP Info: 10.0.0.5:33889 -> 66.135.214.195:80
Refs:
Date: 06/06 16:38:54
Name: (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
Priority: n/a
Type: n/a
IP Info: 10.0.0.5:33891 -> 66.135.192.41:80
Refs:
-------------------------------------------------
Yesterday's firewall log also showed two attempts at access blocked from
213.232.80.150, which turns out to be image.ebuyer.com - maybe spoofed?
Any advice would be appreciated - all updates are installed on the smoothwall
box. This morning I installed DShield smoothwall mod too -
http://community.smoothwall.org/forum/viewtopic.php?t=6351
It'd be a real pain to have to re-install but what the hell, is that my best
plan of action? I didn't think I had a problem as my switch wasn't showing
activity between the ADSL router & smoothwall but maybe the router was
compromised first & now smoothwall is too?
cheers
kev
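One way to triage a log like this, as an added example that is not part of the original post or of smoothwall itself: it parses the alert format quoted above and tags each alert as inbound, internal, or outbound from the firewall's own address, which is the distinction the question hinges on (the firewall address 10.0.0.5 and the LAN 10.0.0.0/24 are taken from the post; the sample log is constructed from two of the quoted entries).

```python
import ipaddress
import re
from collections import Counter
# Constructed sample in the smoothwall IDS (Snort) alert format quoted in the post.
SAMPLE_LOG = """\
Date: 06/07 16:14:05
Name: ICMP PING NMAP
Priority: 2
Type: Attempted Information Leak
IP Info: 10.0.0.2:n/a -> 10.0.0.5:n/a
Refs: http://www.whitehats.com/info/IDS162,
Date: 06/07 19:53:49
Name: (http_inspect) OVERSIZE REQUEST-URI DIRECTORY
Priority: n/a
Type: n/a
IP Info: 10.0.0.5:33214 -> 67.15.2.10:80
Refs:
"""

IPINFO_RE = re.compile(r"^IP Info:\s*(\S+):(\S+) -> (\S+):(\S+)$")

def parse_alerts(text):
    """One dict per alert; every 'Date:' line starts a new record."""
    alerts, cur = [], None
    for line in text.splitlines():
        if line.startswith("Date:"):
            cur = {"date": line[5:].strip()}
            alerts.append(cur)
        elif cur is None:  # separator lines before the first record
            continue
        elif line.startswith("Name:"):
            cur["name"] = line[5:].strip()
        elif m := IPINFO_RE.match(line):
            cur["src"], cur["sport"], cur["dst"], cur["dport"] = m.groups()
    return alerts

def direction(alert, fw_ip, lan):
    """Classify the flow relative to the firewall's own address and the LAN."""
    src, dst = ipaddress.ip_address(alert["src"]), ipaddress.ip_address(alert["dst"])
    if src in lan and dst not in lan:
        return "outbound-from-firewall" if src == fw_ip else "outbound-from-lan"
    return "internal" if src in lan else "inbound"

def triage(text, fw_ip="10.0.0.5", lan="10.0.0.0/24"):
    fw, net = ipaddress.ip_address(fw_ip), ipaddress.ip_network(lan)
    counts = Counter()  # keyed by (signature, direction)
    for a in parse_alerts(text):
        counts[(a["name"], direction(a, fw, net))] += 1
    return counts
```

Alerts whose source is the firewall's own address and whose destination is outside the LAN are the ones worth investigating first; in the post they are the http_inspect entries, while the ICMP PING NMAP entries come from the router on the internal side.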