[Wolves] what the hell is DCOM-scm
David Morley
davmor2 at gmail.com
Wed Aug 24 08:33:51 BST 2005
Thanks for the info, it wasn't hairy, and firestarter seems to be doing
a good job and was really easy to set up, which was what I liked, but
within about 40 seconds I'd had 2 pages of hits. Let's face it, you only
need one to cripple a system, even linux. Next question: what is a SQL?
I keep hearing about them but don't know what they are. Also ran
clamav, it found a Phishing email stored in .evolution (what's Phishing?)
so deleted it.
On 23/08/05, Adam Sweet <drinky76 at yahoo.com> wrote:
> --- Ron Wellsted <ron at wellsted.org.uk> wrote:
>
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > David Goodwin wrote:
> > > David Morley wrote:
> > >
> > >> I've set up firestarter as a basic firewall but what the hell are
> > >> these inbound service connections
> > >>
> > >> DCOM-scm from blueyonder <- ??
> > >> UDP Samba <- File sharing
> > >> Microsoft-ds from blueyonder (might be something to do with aMsn) <- File sharing
> > >> MS-SQL-S <- SQL (Probably sql slammer or what ever it was called)
> > >> MS-SQL-M <- SQL (ditto)
> > >> HTTP from walsall, dudley, wolverhampton blueyonder <- IIS attacks
> > >> Unknown UDP's from about 20 addresses <- Random scanning or looking
> > >> for other holes
>
> I got half way through writing you a decent email
> about these, but the damned synaptics touchpad browser
> back capabilities conspired against me and I lost my
> post.
>
> The MS-SQL ones are unsurprisingly Microsoft SQL
> server ports, in the same way as Ron said about the
> DCOM-scm ones, these are most likely someone, or
> compromised MS SQL Servers, scanning IP ranges looking
> for new machines to infect.
>
> The fact that these are getting picked up by your
> firewall means that they're getting blocked which is
> what you want. I admit, the first time I looked at
> Smoothwall logs I went pale at the thought that I'd
> lived without a proper firewall for so long, if you've
> never looked before, reading firewall logs for the
> first time will do the same to you, make you realise
> how important a firewall is and also make you realise
> that it's important to turn off the services that you
> don't use.
>
> The UDP Samba Microsoft-ds are Windows networking and
> you *really* want those firewalled off from the
> internet, that's ports 137, 138 and 139 in all Windows
> 9x and NT, plus 445 on Win2k and up.
>
> > >> Is there a site where I can look up what's what, that is written for
> > >> someone who has no idea about firewalls.
>
> The problem with this is that firewalls aren't a
> simple topic and the guide can't be easier than the
> topic due to the nature of the subject matter.
>
> The least you need to know is that every machine has
> thousands of 'logical' network ports and certain
> services connect to these ports, ie web servers talk
> on port 80, ssh talks on 22 and so on. This is so that
> data meant for the SSH server doesn't get sent to the
> web server by mistake and vice versa. This is why it's
> also possible to telnet port 80 on a machine and talk
> http to the web server or 25 and talk smtp to the smtp
> server.
>
> Look at the netstat command to see open connections on
> your machines. When looking at your firewall logs,
> look at either the service or protocol names; or the
> port number and search google. For example just
> googling for the word 'ports' brought up the following
> link:
>
> http://www.iss.net/security_center/advice/Exploits/Ports/default.htm
>
> Good a starting place as any. If you have a particular
> program or service that won't work then google to see
> which ports it uses and open them up in your firewall.
> It's better to start with everything turned off and
> open things up than start with everything on and turn
> things off.
>
> > >> HTTP from walsall, dudley, wolverhampton blueyonder <- IIS attacks
>
> This is people looking to exploit Microsoft IIS web
> server in the same ways as mentioned before.
>
> The last one is self explanatory.
>
> If you want a one stop job with no hairy details then
> look at Smoothwall or IP Cop for installation on a
> redundant machine, or buy a hardware router/firewall.
>
> Ad
>
> --
>
> http://www.drinky.org.uk
>
> http://blog.drinky.org.uk
>
--
Seek That Thy Might Know
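
An added example, not part of the original thread: a short Python script that summarises blocked inbound packets by service, the way the firewall log entries discussed above can be read. It assumes the iptables kernel log format (`SRC=`, `PROTO=`, `DPT=` fields); the log lines are constructed samples, and ports 135, 1433 and 1434 are the IANA assignments for the names in the thread rather than values given in it.

```python
import re
from collections import defaultdict

# Service names as they appear in the thread. Ports 137-139 and 445 are given
# in the thread; 135, 1433 and 1434 are the IANA assignments (added here).
SERVICES = {
    ("TCP", 135): "DCOM-scm", ("UDP", 137): "UDP Samba",
    ("UDP", 138): "UDP Samba", ("TCP", 139): "Samba",
    ("TCP", 445): "Microsoft-ds", ("TCP", 1433): "MS-SQL-S",
    ("UDP", 1434): "MS-SQL-M", ("TCP", 80): "HTTP",
}

# Constructed sample lines (iptables LOG format, RFC 5737 documentation addresses).
SAMPLE_LOG = """\
Aug 24 08:31:02 box kernel: Inbound IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=3345 DPT=135
Aug 24 08:31:05 box kernel: Inbound IN=eth0 OUT= SRC=192.0.2.11 DST=203.0.113.5 PROTO=TCP SPT=4120 DPT=135
Aug 24 08:31:09 box kernel: Inbound IN=eth0 OUT= SRC=192.0.2.10 DST=203.0.113.5 PROTO=UDP SPT=137 DPT=137
Aug 24 08:31:14 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=2210 DPT=445
Aug 24 08:31:20 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.5 PROTO=UDP SPT=1051 DPT=1434
Aug 24 08:31:21 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.8 DST=203.0.113.5 PROTO=UDP SPT=1052 DPT=1434
Aug 24 08:31:30 box kernel: Inbound IN=eth0 OUT= SRC=198.51.100.9 DST=203.0.113.5 PROTO=TCP SPT=3901 DPT=80
Aug 24 08:31:38 box kernel: Inbound IN=eth0 OUT= SRC=203.0.113.77 DST=203.0.113.5 PROTO=UDP SPT=5555 DPT=40123
Aug 24 08:31:40 box kernel: eth0: link up
"""

FIELD = re.compile(r"\b(SRC|PROTO|DPT)=(\S+)")

def summarise(log_text):
    """Group blocked packets by service: hit count and distinct source IPs."""
    summary = defaultdict(lambda: {"hits": 0, "sources": set()})
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if not {"SRC", "PROTO", "DPT"} <= f.keys() or not f["DPT"].isdigit():
            continue  # not a packet line, or a protocol without ports (ICMP)
        key = (f["PROTO"], int(f["DPT"]))
        # Anything not in the table is reported the way the thread lists it.
        name = SERVICES.get(key, f"Unknown {f['PROTO']}")
        summary[name]["hits"] += 1
        summary[name]["sources"].add(f["SRC"])
    return dict(summary)

if __name__ == "__main__":
    ranked = sorted(summarise(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["hits"])
    for name, s in ranked:
        print(f"{name:14} hits={s['hits']:<3} sources={len(s['sources'])}")
```

Repeated hits from one source on a single port, such as the two MS-SQL-M lines here, fit the automated scanning the reply describes.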