[Wolves] what the hell is DCOM-scm

Adam Sweet drinky76 at yahoo.com
Tue Aug 23 21:55:09 BST 2005


--- Ron Wellsted <ron at wellsted.org.uk> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> David Goodwin wrote:
> > David Morley wrote:
> > 
> >> I've set up firestarter as a basic firewall but what the hell are
> >> these inbound service connections
> >>
> >> DCOM-scm from blueyonder <- ??
> >> UDP Samba <- File sharing
> >> Microsoft-ds from blueyonder (might be something to do with aMsn) <-
> >> File sharing
> >> MS-SQL-S <- SQL (Probably sql slammer or whatever it was called)
> >> MS-SQL-M <- SQL (ditto)
> >> HTTP from walsall, dudley, wolverhampton blueyonder <- IIS attacks
> >> Unknown UDP's from about 20 addresses <- Random scanning or looking
> >> for other holes

I got half way through writing you a decent email
about these, but the damned synaptics touchpad browser
back capabilities conspired against me and I lost my
post.

The MS-SQL ones are unsurprisingly Microsoft SQL
server ports, in the same way as Ron said about the
DCOM-scm ones, these are most likely someone, or
compromised MS SQL Servers, scanning IP ranges looking
for new machines to infect.

The fact that these are getting picked up by your
firewall means that they're getting blocked which is
what you want. I admit, the first time I looked at
Smoothwall logs I went pale at the thought that I'd
lived without a proper firewall for so long, if you've
never looked before, reading firewall logs for the
first time will do the same to you, make you realise
how important a firewall is and also make you realise
that it's important to turn off the services that you
don't use.

The UDP Samba Microsoft-ds are Windows networking and
you *really* want those firewalled off from the
internet, that's ports 137, 138 and 139 in all Windows
9x and NT, plus 445 on Win2k and up.

> >> Is there a site where I can look up what's what, that is written for
> >> someone who has no idea about firewalls.

The problem with this is that firewalls aren't a
simple topic and the guide can't be easier than the
topic due to the nature of the subject matter.

The least you need to know is that every machine has
thousands of 'logical' network ports and certain
services connect to these ports, i.e. web servers talk
on port 80, ssh talks on 22 and so on. This is so that
data meant for the SSH server doesn't get sent to the
web server by mistake and vice versa. This is why it's
also possible to telnet port 80 on a machine and talk
http to the web server or 25 and talk smtp to the smtp
server.

Look at the netstat command to see open connections on
your machines. When looking at your firewall logs,
look at either the service or protocol names; or the
port number and search google. For example just
googling for the word 'ports' brought up the following
link:

http://www.iss.net/security_center/advice/Exploits/Ports/default.htm

As good a starting place as any. If you have a particular
program or service that won't work then google to see
which ports it uses and open them up in your firewall.
It's better to start with everything turned off and
open things up than start with everything on and turn
things off.

> >> HTTP from walsall, dudley, wolverhampton blueyonder <- IIS attacks

This is people looking to exploit Microsoft IIS web
server in the same ways as mentioned before.

The last one is self explanatory.

If you want a one stop job with no hairy details then
look at Smoothwall or IP Cop for installation on a
redundant machine, or buy a hardware router/firewall.

Ad

-- 

http://www.drinky.org.uk

http://blog.drinky.org.uk
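As an added illustration of the "look at the port number and work out what service it is" advice above (this is example code written for this archive page, not anything Adam or the Wolves list posted), the script below parses a handful of constructed netfilter-style "Inbound ... PROTO=TCP ... DPT=135" log lines, the key=value format that Firestarter and Smoothwall inherit from iptables, counts blocked hits per destination port, labels each port with the service name the thread discusses, and totals the hits against the Windows networking ports the post says must never be reachable from the internet. The 137/138/139/445 numbers are taken from the post; the mapping of 135 to DCOM-scm, 1433/1434 to MS-SQL-S/MS-SQL-M and 80/22/25 to HTTP/SSH/SMTP is the well-known assignment and is an assumption here, as are the sample log lines and the function names.

```python
import re
from collections import Counter

# Service names for the ports this thread talks about. 137/138/139/445 come
# from the post itself; 135, 1433/1434, 80, 22 and 25 are the well-known
# assignments and are an assumption of this example, not stated in the post.
PORT_SERVICES = {
    ("tcp", 135): "DCOM-scm",
    ("udp", 137): "NetBIOS-ns (Samba)",
    ("udp", 138): "NetBIOS-dgm (Samba)",
    ("tcp", 139): "NetBIOS-ssn (Samba)",
    ("tcp", 445): "Microsoft-ds",
    ("tcp", 1433): "MS-SQL-S",
    ("udp", 1434): "MS-SQL-M",
    ("tcp", 80): "HTTP",
    ("tcp", 22): "SSH",
    ("tcp", 25): "SMTP",
}

# Windows networking ports the post says you *really* want firewalled off.
WINDOWS_NETWORKING_PORTS = {137, 138, 139, 445}

# Constructed sample lines (not real log data) in the key=value style that
# netfilter writes to syslog; addresses are from the documentation ranges.
SAMPLE_LOG = """\
Aug 23 21:40:01 gw kernel: Inbound IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3041 DPT=135
Aug 23 21:40:07 gw kernel: Inbound IN=eth0 OUT= SRC=192.0.2.11 DST=198.51.100.5 PROTO=TCP SPT=1142 DPT=445
Aug 23 21:41:13 gw kernel: Inbound IN=eth0 OUT= SRC=192.0.2.12 DST=198.51.100.5 PROTO=UDP SPT=1434 DPT=1434
Aug 23 21:41:20 gw kernel: Inbound IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3042 DPT=1433
Aug 23 21:42:02 gw kernel: Inbound IN=eth0 OUT= SRC=192.0.2.13 DST=198.51.100.5 PROTO=TCP SPT=2210 DPT=80
Aug 23 21:42:09 gw kernel: Inbound IN=eth0 OUT= SRC=192.0.2.14 DST=198.51.100.5 PROTO=UDP SPT=53 DPT=137
Aug 23 21:42:30 gw kernel: Inbound IN=eth0 OUT= SRC=192.0.2.15 DST=198.51.100.5 PROTO=UDP SPT=40000 DPT=61234
Aug 23 21:43:00 gw kernel: Inbound IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=3043 DPT=445
"""

# Matches each KEY=VALUE token; VALUE may be empty (e.g. "OUT=").
FIELD_RE = re.compile(r"(\w+)=(\S*)")


def parse_line(line):
    """Return {'src', 'proto', 'dport'} for a netfilter log line, or None if it has no port."""
    fields = dict(FIELD_RE.findall(line))
    if "DPT" not in fields or "PROTO" not in fields:
        return None
    return {
        "src": fields.get("SRC", "?"),
        "proto": fields["PROTO"].lower(),
        "dport": int(fields["DPT"]),
    }


def service_name(proto, dport):
    """Label a (proto, port) pair with the name the thread uses, or 'Unknown'."""
    return PORT_SERVICES.get((proto, dport), "Unknown")


def summarize(log_text):
    """Count blocked hits per (proto, dport) and record which sources touched each port."""
    hits = Counter()
    sources = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that carry no port information
        key = (rec["proto"], rec["dport"])
        hits[key] += 1
        sources.setdefault(key, set()).add(rec["src"])
    return hits, sources


def windows_networking_hits(hits):
    """Total hits against the NetBIOS/SMB ports that must stay firewalled."""
    return sum(n for (_proto, port), n in hits.items() if port in WINDOWS_NETWORKING_PORTS)


def report(log_text):
    """Build the per-port summary a first-time log reader would want to see."""
    hits, sources = summarize(log_text)
    lines = []
    for (proto, port), n in hits.most_common():
        name = service_name(proto, port)
        lines.append(f"{proto.upper():3} {port:5d} {name:20} hits={n} sources={len(sources[(proto, port)])}")
    lines.append(f"Windows networking (137-139/445) hits: {windows_networking_hits(hits)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Every line in the summary is a connection the firewall already refused, which is the point the post makes: a port that shows up as "Unknown" is something to look up, and a non-zero Windows networking count on an internet-facing interface confirms the rule is doing its job rather than that anything got in.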

