[Wolves] smoothwall advice please

Ron Wellsted ron at wellsted.org.uk
Tue Jun 7 22:17:46 BST 2005 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

kev adams wrote:
> On Tuesday 07 Jun 2005 21:08, Ron Wellsted wrote:
> 
>>kev adams wrote:
>>
>>>10.0.0.2 is the address of my router & 10.0.0.5 the address of my
>>>smoothwall box.    Have I read it correctly - has my smoothwall box been
>>>compromised & used for an "OVERSIZE REQUEST-URI DIRECTORY" attack on IP
>>>67.15.2.10:80 Or did I read it wrong?
>>>
>>>I've noticed over the last few days that there's been a worryingly
>>>regular flash of activity from the ADSL router RXD light but it wasn't
>>>until yesterday that smoothwall logs showed this sort of activity.
>>
>>Sorry, no quick answers, just a load of questions.
> 
> 
> I appreciate you taking the time - cheers.
> 
> 
>>Is the smoothie setup as a transparent proxy?
> 
> No
> 
>>What other systems are on the inside of the smoothie? Any Windows boxes?
> 
> 
> Ocassional windows dual boot systems but not for a few days & I put an up to 
> date copy of zonealarm on them as a matter of course.  I'd like to find a way 
> to prevent windows boxes accessing the outside world via smoothwall but 
> haven't come across anything - it's really useful to have them access the LAN 
> but an unecessary risk having them access the outside world.  One mandrake 
> system, kubuntu & a knoppmyth system are on the LAN at different times.
> 
> 
>>Was anyone accessing ebay, ebuyer or Hosting Unlimited at about 16:30?
> 
> 
> Not ebuyer but very likely ebay & hosting unlimited.  It's possible I was 
> linked to ebuyer from another site but didn't finish viewing the site - I 
> certainly didn't visit there in ages & no one else connects to the LAN - not 
> that I know of anyway!
> 
> 
>>Do you use any of those web sites?
> 
> yes
> 
> 
>>Have you opened any ports on the smoothie to allow external access to or
>>through the firewall?
> 
> No.
> 
> I have a fixed IP & am paranoid enough to think I'm being targetted by some 
> arse who thinks my network might be far more interesting than it really 
> is ;~)
> 
> From what you've said already though it could be just me being paranoid again.

I suspect that snort is being overly cautious and giving a false
positive on the very long URLs that these websites are generating
(session ID embedded in the URL)

I doubt that the box has been compromised.  However just to check, next
time you login to ebay, ebuyer or Hosting Unlimited, note the time then
check the smoothie logs (checking the smoothie clock for accuracy first!)

Looking back at your first post, I presume that your router is
performing NAT.  It would appear that somebody may have tried to nmap
your smoothie by using the NAT built into the router.

Of course you're paranoid, but are you paranoid enough? (or, just
because you're paranoid it doesn't mean that they are not out to get you!)

- --
Ron Wellsted
http://www.wellsted.org.uk
ron at wellsted.org.uk
FWD:519961  Gossiptel:9309811
N 52.567623, W 2.137621
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iQEVAwUBQqYOuEtP/KMNOfRbAQIitQf/VrpWxUb+CMMc+QJrPdPsHi7J6MA11MhM
YSffqiaXfrtAilbn9lcJeYeoqlZ4dZSThv0Ys9yEg0EdqMqKmIQdiBYOLEUOOc18
TGtHjGE00djdnFFfLW9Jpqca4agCyu/BjIEKnypAnt67+QPSP/R74osEbM/6V6FP
XaXwrX+s75Gs1VySG8Ju3JGo5eCe4qNzAY8O8O5nxGcJ0mcXbucWbStEVzlbrXGy
idtJh6U0x/STu+FEnpxkZcYpu/w1JN0tj++fjMFetqMa41Wy5WNtoibPS4nPIL4J
OLOM9bXHRrc/j7VFPvq5A9KS0pIaKoFZ1nPob1Wq6TkH4xFR6U4Hpg==
=CgAq
-----END PGP SIGNATURE-----

More information about the Wolves mailing list