Hacked by a pro

It seems that my ASL 6.001 box has been hacked from the external interface (the internet).  I have some evidence of a rather well-known hacker [not an oxymoron - just a moron] sniffing my network.  Then today all network functions were running afoul and the source of the trouble was ASL.  Reloading the configuration from backup seemed to do the trick in getting basic network function back, but this does not solve the problem of the integrity of the machine itself.  It appears that there is no feature/function that one can use to determine which files have been altered on the system.  This I find hard to believe so I'd like to be proven wrong.

Can anyone help?  
Basically I'm looking for Astaro forensic tools.
Tripwire might do the trick.

Thanks

  • Was the firewall administerable from the external interface? SSH accessible too?

    What proxies were you using and how were they configured?

    No holes in the rules to accommodate chat and whatnot?

    How often do you access the firewall from the inside, and from where? (e.g., maybe a keystroke logger on the workstation from which you administrate??)

    And of course you will have to look for anomalous activity in all the logs.

    I have an idea for his next visit, if you are somewhat technically proficient. Email me; no sense in telling him what we're going to do...

    P.S. Redman posted at the same time as I did, and he has a point: What makes the loss of function convince you it's a breach?? Given the title of your post, I counted on your not relating some information that indicates it's malicious, but what if it was merely a loss of the machine's config due to hardware failure??
  • Sec APP:

    No administration from external: only two machines on one internal interface can access Web Admin.

    Allowed traffic OUTBOUND from central internal interface:
    DNS
    Streaming apps
    IRC - (after hours only)
    NTP
    HTTPS
    FTP
    WHOIS
    Traceroute

    Also see Proxies in earlier comment

    As to a possible non-malicious cause... I really am unsure.  I do have evidence of specific attempts from a well-known hacker to determine the version of my SMTP server.  This I caught this week.  The chronological proximity of these problems is really the only evidence that I have of malicious activity. Weak, I admit.

    I'll email you regarding your idea.

    Cheers
  • Hi,

    ehm, know what exactly do you think has been cracked? Your SMTP server or the Astaro?

    Chris
  • Hi,
    Could you be more specific?

    Quoting you: "Then today all network functions were running afoul and the source of the trouble was ASL"

    How do you know ASL caused the trouble?
    What was the trouble?

    Sorry, I have a problem understanding your problem. It sounds like:
    A friend of mine is a hacker. He told me I am unsafe. He maybe hacked my network. My network was slow. It must be ASL.
    Now he told me to check SMTP. Still afraid of being hacked.

    Don't want to blame you.
    But I'm really not sure what kind of help you want without you telling us the facts.
  • Hi,

    you are not the only one  [:S]

    Chris
  • Hey folks,

    This is and was a lame thread.  I'm sorry.  I don't have adequate forensic evidence of the hack - IDS logs and sudden and highly unstable systems.  ASL has no functions for identifying its own hacks and I don't have the required skills or time to find a hacker who's covering his/her tracks.  Which should include just about everyone.

    Sorry to trouble you.
  • Interesting point... Perhaps ASL should have something like Tripwire or AIDE to recognize if it's been hijacked.

    Barry
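What Tripwire and AIDE do at their core is small enough to show in full, so here is an added example of a baseline-and-compare integrity checker written for this thread; it is not Astaro's code and not a feature of ASL. It records a SHA-256 plus owner and permission bits for every file under a root, skips paths you know change legitimately (the `exclude` set is this example's own parameter), and later reports what was added, removed or modified. The one rule that makes such a tool worth anything is the same one Tripwire's documentation insists on: the baseline must live where the box cannot rewrite it (read-only media or another host), because an intruder who can change `/bin/ls` can just as easily change a baseline stored beside it.

```python
"""Tripwire/AIDE-style file integrity baseline (added example; not ASL's own code).

Walk a tree, record a SHA-256 plus ownership and permission bits for every
entry, then diff a fresh walk against the stored baseline.  Keep the baseline
off the monitored box: anyone who can alter the files can alter a local copy.
"""
import hashlib
import json
import os
import stat
from pathlib import Path

CHUNK = 64 * 1024


def fingerprint(path):
    """Metadata plus content hash for one entry (symlinks are not followed)."""
    st = path.lstat()
    entry = {
        "mode": stat.S_IMODE(st.st_mode),  # permission bits incl. setuid/setgid
        "uid": st.st_uid,
        "gid": st.st_gid,
        "size": st.st_size,
    }
    if stat.S_ISREG(st.st_mode):
        h = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(CHUNK), b""):
                h.update(chunk)
        entry["sha256"] = h.hexdigest()
    elif stat.S_ISLNK(st.st_mode):
        entry["target"] = os.readlink(path)
    # mtime is deliberately left out: it is trivially reset and only adds noise.
    return entry


def build_baseline(root, exclude=()):
    """Map relative POSIX path -> fingerprint for everything under root.

    `exclude` (this example's own parameter) holds relative paths of files or
    directories to skip, e.g. log spools that change legitimately all the time.
    """
    root = Path(root)
    baseline = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root)
        # Prune excluded directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if (rel_dir / d).as_posix() not in exclude]
        for name in filenames:
            rel = (rel_dir / name).as_posix()
            if rel in exclude:
                continue
            try:
                baseline[rel] = fingerprint(Path(dirpath, name))
            except FileNotFoundError:
                continue  # vanished between listing and stat; report on next run
    return baseline


def compare(old, new):
    """Classify every difference between two baselines."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline, path):
    Path(path).write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(path):
    return json.loads(Path(path).read_text())


if __name__ == "__main__":
    import sys
    # usage: integrity.py init|check <root> <baseline.json>   (baseline.json off-box!)
    cmd, root, store = sys.argv[1:4]
    skip = {"var/log", "proc", "sys", "dev", "tmp"}
    if cmd == "init":
        save_baseline(build_baseline(root, exclude=skip), store)
    else:
        report = compare(load_baseline(store), build_baseline(root, exclude=skip))
        for kind, paths in report.items():
            for p in paths:
                print(f"{kind:8s} {p}")
```

Two caveats a practitioner would add: a checker like this only sees what the kernel shows it, so a kernel-level rootkit can hide files from it (Tripwire has the same limit, which is why booting from known-good media to run the check is the classic advice), and a permission-only change (a binary quietly gaining setuid) is reported as "modified" just like a content change, because `mode` is part of the fingerprint.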
  • Tripwire would be nice.

    We had a case recently where I suspect a malicious person removed all accounts from a server and changed the Admin password.

    Very hard to see what had happened since all the security logs in event viewer were gone.

    Suspect a disgruntled staff member but when you have cases like this it's very hard to pinpoint what happened and why.
  • Hi,

    that is and always was a major problem with Windows.
    Under Linux you mostly find at least some clues as to what was going on (Bash history ....), except if you really had a pro on your system.

    Chris
  • I'm assuming a pro (or at least an expert).

    It appears that I'm going to have to reinstall de novo most of my systems due to this apparent intrusion and I'm not very happy about it.

    I'm wondering if using ASL is worth the risk.  What are your thoughts on competing, more traditional firewalls like Watchguard etc.?
  • Here's some interesting information from my packet filter, post reinstall.  Note the geographical location of each address is included.  It seems that someone rather sophisticated is using a port common to ICQ to get at my machine.  Given my suspicions of a previous hack, I'm thinking this was indeed the means of data transfer.

    Time Stamp  Action  Source Interface  Source IP Address  Location of Source  Destination IP Address  Protocol  Source Port  Destination Port  Length
    2005:08:01-15:15:20 DROP: IN eth2 SRC 61.233.40.169 China DST PROTO UDP SPT 42982 DPT 1027 LEN 292
    2005:08:01-15:20:05 DROP: IN eth2 SRC 222.141.102.11 China DST PROTO UDP SPT 54522 DPT 1027 LEN 292
    2005:08:01-15:22:46 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:01-15:24:08 DROP: IN eth2 SRC 212.21.124.26 "UK, London" DST PROTO UDP SPT 21989 DPT 1027 LEN 888
    2005:08:01-15:28:20 DROP: IN eth2 SRC 221.10.201.190 China DST PROTO UDP SPT 41776 DPT 1027 LEN 327
    2005:08:01-15:39:10 DROP: IN eth2 SRC 222.47.76.232 China DST PROTO UDP SPT 56003 DPT 1027 LEN 479
    2005:08:01-15:41:16 DROP: IN eth2 SRC 222.241.95.3 China DST PROTO UDP SPT 41339 DPT 1027 LEN 292
    2005:08:01-15:45:02 DROP: IN eth2 SRC 61.129.115.99 China DST PROTO UDP SPT 49337 DPT 1027 LEN 406
    2005:08:01-15:51:14 DROP: IN eth2 SRC 221.10.201.181 China DST PROTO UDP SPT 57001 DPT 1027 LEN 325
    2005:08:01-15:51:37 DROP: IN eth2 SRC 220.175.8.134 China DST PROTO UDP SPT 43344 DPT 1027 LEN 325
    2005:08:01-16:09:15 DROP: IN eth2 SRC 222.141.69.129 China DST PROTO UDP SPT 55620 DPT 1027 LEN 280
    2005:08:01-16:12:49 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48328 DPT 1027 LEN 472
    2005:08:01-16:39:45 DROP: IN eth2 SRC 61.233.40.169 China DST PROTO UDP SPT 53223 DPT 1027 LEN 292
    2005:08:01-16:51:50 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:01-16:56:56 DROP: IN eth2 SRC 222.136.188.49 China DST PROTO UDP SPT 49646 DPT 1027 LEN 446
    2005:08:01-17:04:05 DROP: IN eth2 SRC 202.99.172.160 "Beijing, China" DST PROTO UDP SPT 40142 DPT 1027 LEN 326
    2005:08:01-17:15:36 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48339 DPT 1027 LEN 472
    2005:08:01-17:35:10 DROP: IN eth2 SRC 61.53.154.89 "China [City: Shanghai, Shanghai]" DST PROTO UDP SPT 52005 DPT 1027 LEN 356
    2005:08:01-17:36:28 DROP: IN eth2 SRC 212.136.194.59 Netherlands DST PROTO UDP SPT 20027 DPT 1027 LEN 888
    2005:08:01-17:37:42 DROP: IN eth2 SRC 222.241.95.3 China DST PROTO UDP SPT 58551 DPT 1027 LEN 292
    2005:08:01-17:43:38 DROP: IN eth2 SRC 222.136.188.49 China DST PROTO UDP SPT 44620 DPT 1027 LEN 446
    2005:08:01-18:04:04 DROP: IN eth2 SRC 61.233.40.169 China DST PROTO UDP SPT 35118 DPT 1027 LEN 292
    2005:08:01-18:18:53 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48350 DPT 1027 LEN 472
    2005:08:01-18:20:50 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:01-18:29:22 DROP: IN eth2 SRC 219.148.64.95 China DST PROTO UDP SPT 58435 DPT 1027 LEN 476
    2005:08:01-18:35:14 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37015 DPT 1027 LEN 474
    2005:08:01-18:48:21 DROP: IN eth2 SRC 222.136.188.49 China DST PROTO UDP SPT 47661 DPT 1027 LEN 446
    2005:08:01-18:58:10 DROP: IN eth2 SRC 222.141.93.27 China DST PROTO UDP SPT 45995 DPT 1027 LEN 409
    2005:08:01-18:59:20 DROP: IN eth2 SRC 220.175.8.134 China DST PROTO UDP SPT 37261 DPT 1027 LEN 325
    2005:08:01-19:05:03 DROP: IN eth2 SRC 222.141.69.129 China DST PROTO UDP SPT 48797 DPT 1027 LEN 280
    2005:08:01-19:05:16 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:01-19:13:34 DROP: IN eth2 SRC 222.47.76.232 China DST PROTO UDP SPT 54759 DPT 1027 LEN 479
    2005:08:01-19:18:49 DROP: IN eth2 SRC 66.160.191.166 "United States [City: Milpitas, California]" DST PROTO UDP SPT 34267 DPT 1027 LEN 346
    2005:08:01-19:23:30 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48363 DPT 1027 LEN 472
    2005:08:01-19:27:58 DROP: IN eth2 SRC 61.233.40.169 China DST PROTO UDP SPT 44959 DPT 1027 LEN 292
    2005:08:01-19:48:48 DROP: IN eth2 SRC 212.187.74.10 "Netherlands, Amsterdam" DST PROTO UDP SPT 20608 DPT 1027 LEN 888
    2005:08:01-19:49:11 DROP: IN eth2 SRC 61.235.154.92 China DST PROTO UDP SPT 40596 DPT 1027 LEN 499
    2005:08:01-19:49:13 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37015 DPT 1027 LEN 474
    2005:08:01-19:51:28 DROP: IN eth2 SRC 219.148.126.156 China DST PROTO UDP SPT 38203 DPT 1027 LEN 327
    2005:08:01-20:01:34 DROP: IN eth2 SRC 222.241.95.3 China DST PROTO UDP SPT 45721 DPT 1027 LEN 292
    2005:08:01-20:27:46 DROP: IN eth2 SRC 221.10.201.181 China DST PROTO UDP SPT 45022 DPT 1027 LEN 325
    2005:08:01-20:58:44 DROP: IN eth2 SRC 222.141.102.11 China DST PROTO UDP SPT 42467 DPT 1027 LEN 292
    2005:08:01-21:01:54 DROP: IN eth2 SRC 70.85.176.210 US DST PROTO UDP SPT 36061 DPT 1027 LEN 323
    2005:08:01-21:03:14 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37015 DPT 1027 LEN 474
    2005:08:01-21:11:34 DROP: IN eth2 SRC 221.10.201.190 China DST PROTO UDP SPT 33469 DPT 1027 LEN 434
    2005:08:01-21:27:41 DROP: IN eth2 SRC 218.66.104.140 China DST PROTO UDP SPT 52376 DPT 1027 LEN 319
    2005:08:01-22:01:01 DROP: IN eth2 SRC 212.60.95.216 Gambia DST PROTO UDP SPT 25991 DPT 1027 LEN 888
    2005:08:01-22:01:06 DROP: IN eth2 SRC 221.10.201.181 China DST PROTO UDP SPT 51486 DPT 1027 LEN 325
    2005:08:01-22:02:25 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:01-22:08:09 DROP: IN eth2 SRC 220.175.8.134 China DST PROTO UDP SPT 60381 DPT 1027 LEN 325
    2005:08:01-22:17:16 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37016 DPT 1027 LEN 474
    2005:08:01-22:17:50 DROP: IN eth2 SRC 61.53.154.89 "China [City: Shanghai, Shanghai]" DST PROTO UDP SPT 48224 DPT 1027 LEN 356
    2005:08:01-22:18:20 DROP: IN eth2 SRC 222.141.93.27 China DST PROTO UDP SPT 48120 DPT 1027 LEN 446
    2005:08:01-22:32:16 DROP: IN eth2 SRC 61.129.115.99 China DST PROTO UDP SPT 40046 DPT 1027 LEN 406
    2005:08:01-22:37:32 DROP: IN eth2 SRC 61.235.154.92 China DST PROTO UDP SPT 54709 DPT 1027 LEN 499
    2005:08:01-22:57:17 DROP: IN eth2 SRC 222.47.76.232 China DST PROTO UDP SPT 52326 DPT 1027 LEN 479
    2005:08:01-23:02:41 DROP: IN eth2 SRC 219.148.64.95 China DST PROTO UDP SPT 60525 DPT 1027 LEN 476
    2005:08:01-23:26:29 DROP: IN eth2 SRC 221.10.201.181 China DST PROTO UDP SPT 54415 DPT 1027 LEN 325
    2005:08:01-23:35:36 DROP: IN eth2 SRC 221.10.201.190 China DST PROTO UDP SPT 44689 DPT 1027 LEN 434
    2005:08:01-23:38:15 DROP: IN eth2 SRC 61.233.40.169 China DST PROTO UDP SPT 46043 DPT 1027 LEN 292
    2005:08:01-23:43:10 DROP: IN eth2 SRC 222.141.93.27 China DST PROTO UDP SPT 57228 DPT 1027 LEN 446
    2005:08:01-23:47:53 DROP: IN eth2 SRC 222.141.102.11 China DST PROTO UDP SPT 36315 DPT 1027 LEN 292
    2005:08:02-00:13:33 DROP: IN eth2 SRC 212.87.152.146 Germany DST PROTO UDP SPT 27488 DPT 1027 LEN 888
    2005:08:02-00:45:19 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37016 DPT 1027 LEN 474
    2005:08:02-00:52:52 DROP: IN eth2 SRC 222.141.69.129 China DST PROTO UDP SPT 34965 DPT 1027 LEN 280
    2005:08:02-00:58:05 DROP: IN eth2 SRC 221.10.201.181 China DST PROTO UDP SPT 41705 DPT 1027 LEN 325
    2005:08:02-01:08:57 DROP: IN eth2 SRC 70.85.176.218 US DST PROTO UDP SPT 57443 DPT 1027 LEN 319
    2005:08:02-01:12:38 DROP: IN eth2 SRC 220.175.8.134 China DST PROTO UDP SPT 53268 DPT 1027 LEN 325
    2005:08:02-01:24:29 DROP: IN eth2 SRC 222.136.188.49 China DST PROTO UDP SPT 53300 DPT 1027 LEN 446
    2005:08:02-01:30:56 DROP: IN eth2 SRC 61.172.240.137 China DST PROTO UDP SPT 59709 DPT 1027 LEN 323
    2005:08:02-02:12:52 DROP: IN eth2 SRC 210.21.110.100 China DST PROTO UDP SPT 52452 DPT 1027 LEN 479
    2005:08:02-05:01:39 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48479 DPT 1027 LEN 472
    2005:08:02-05:22:45 DROP: IN eth2 SRC 61.172.240.137 China DST PROTO UDP SPT 48915 DPT 1027 LEN 323
    2005:08:02-05:41:47 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37023 DPT 1027 LEN 474
    2005:08:02-05:52:21 DROP: IN eth2 SRC 221.10.201.181 China DST PROTO UDP SPT 56723 DPT 1027 LEN 325
    2005:08:02-06:07:12 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48491 DPT 1027 LEN 472
    2005:08:02-06:12:19 DROP: IN eth2 SRC 202.99.172.160 "Beijing, China" DST PROTO UDP SPT 56472 DPT 1027 LEN 326
    2005:08:02-06:25:03 DROP: IN eth2 SRC 222.241.95.3 China DST PROTO UDP SPT 50413 DPT 1027 LEN 292
    2005:08:02-06:40:19 DROP: IN eth2 SRC 222.141.69.129 China DST PROTO UDP SPT 48877 DPT 1027 LEN 280
    2005:08:02-06:42:00 DROP: IN eth2 SRC 221.10.201.190 China DST PROTO UDP SPT 45682 DPT 1027 LEN 434
    2005:08:02-06:45:46 DROP: IN eth2 SRC 222.141.102.7 China DST PROTO UDP SPT 37503 DPT 1027 LEN 446
    2005:08:02-06:48:37 DROP: IN eth2 SRC 70.85.176.210 US DST PROTO UDP SPT 36111 DPT 1027 LEN 323
    2005:08:02-06:50:36 DROP: IN eth2 SRC 212.51.134.226 Italy DST PROTO UDP SPT 23885 DPT 1027 LEN 888
    2005:08:02-06:55:53 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37024 DPT 1027 LEN 474
    2005:08:02-07:13:13 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48507 DPT 1027 LEN 472
    2005:08:02-07:14:39 DROP: IN eth2 SRC 218.66.104.140 China DST PROTO UDP SPT 55265 DPT 1027 LEN 319
    2005:08:02-07:30:31 DROP: IN eth2 SRC 220.175.8.134 China DST PROTO UDP SPT 44116 DPT 1027 LEN 325
    2005:08:02-07:49:10 DROP: IN eth2 SRC 222.136.188.49 China DST PROTO UDP SPT 48068 DPT 1027 LEN 446
    2005:08:02-08:08:44 DROP: IN eth2 SRC 219.148.64.95 China DST PROTO UDP SPT 64793 DPT 1027 LEN 476
    2005:08:02-08:09:57 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37024 DPT 1027 LEN 474
    2005:08:02-08:13:48 DROP: IN eth2 SRC 222.141.102.11 China DST PROTO UDP SPT 45549 DPT 1027 LEN 292
    2005:08:02-08:17:52 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48520 DPT 1027 LEN 472
    2005:08:02-08:41:45 DROP: IN eth2 SRC 221.10.201.181 China DST PROTO UDP SPT 46367 DPT 1027 LEN 325
    2005:08:02-08:42:06 DROP: IN eth2 SRC 61.233.40.169 China DST PROTO UDP SPT 42908 DPT 1027 LEN 292
    2005:08:02-09:09:24 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:02-09:14:00 DROP: IN eth2 SRC 222.47.76.232 China DST PROTO UDP SPT 51598 DPT 1027 LEN 479
    2005:08:02-09:22:08 DROP: IN eth2 SRC 222.141.102.7 China DST PROTO UDP SPT 44529 DPT 1027 LEN 446
    2005:08:02-09:24:03 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37027 DPT 1027 LEN 474
    2005:08:02-09:24:18 DROP: IN eth2 SRC 222.241.95.3 China DST PROTO UDP SPT 38779 DPT 1027 LEN 292
    2005:08:02-09:34:00 DROP: IN eth2 SRC 222.141.69.129 China DST PROTO UDP SPT 42124 DPT 1027 LEN 280
    2005:08:02-10:06:33 DROP: IN eth2 SRC 61.233.40.169 China DST PROTO UDP SPT 53561 DPT 1027 LEN 292
    2005:08:02-10:14:21 DROP: IN eth2 SRC 61.235.154.103 China DST PROTO UDP SPT 38566 DPT 1027 LEN 463
    2005:08:02-10:24:24 DROP: IN eth2 SRC 61.172.249.200 China DST PROTO UDP SPT 33581 DPT 1027 LEN 471
    2005:08:02-10:27:54 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48544 DPT 1027 LEN 472
    2005:08:02-10:38:11 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37027 DPT 1027 LEN 474
    2005:08:02-10:38:37 DROP: IN eth2 SRC 220.175.8.134 China DST PROTO UDP SPT 37403 DPT 1027 LEN 325
    2005:08:02-10:38:51 DROP: IN eth2 SRC 221.10.201.190 China DST PROTO UDP SPT 42569 DPT 1027 LEN 434
    2005:08:02-11:00:25 DROP: IN eth2 SRC 222.141.102.11 China DST PROTO UDP SPT 38381 DPT 1027 LEN 292
    2005:08:02-11:10:54 DROP: IN eth2 SRC 222.141.93.27 China DST PROTO UDP SPT 45642 DPT 1027 LEN 409
    2005:08:02-11:14:52 DROP: IN eth2 SRC 212.218.151.224 Germany DST PROTO UDP SPT 12044 DPT 1027 LEN 888
    2005:08:02-11:23:38 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:02-11:31:19 DROP: IN eth2 SRC 61.233.40.169 China DST PROTO UDP SPT 36251 DPT 1027 LEN 292
    2005:08:02-11:31:20 DROP: IN eth2 SRC 221.10.201.181 China DST PROTO UDP SPT 38698 DPT 1027 LEN 325
    2005:08:02-11:31:53 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48561 DPT 1027 LEN 472
    2005:08:02-11:51:27 DROP: IN eth2 SRC 222.241.95.3 China DST PROTO UDP SPT 45259 DPT 1027 LEN 292
    2005:08:02-11:52:18 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37029 DPT 1027 LEN 474
    2005:08:02-11:58:21 DROP: IN eth2 SRC 222.136.188.49 China DST PROTO UDP SPT 35489 DPT 1027 LEN 377
    2005:08:02-11:58:21 DROP: IN eth2 SRC 222.136.188.49 China DST PROTO UDP SPT 35490 DPT 1027 LEN 377
    2005:08:02-12:08:15 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:02-12:27:40 DROP: IN eth2 SRC 222.141.69.129 China DST PROTO UDP SPT 35793 DPT 1027 LEN 280
    2005:08:02-12:39:32 DROP: IN eth2 SRC 222.47.76.232 China DST PROTO UDP SPT 63257 DPT 1027 LEN 479
    2005:08:02-12:41:39 DROP: IN eth2 SRC 219.148.64.95 China DST PROTO UDP SPT 55563 DPT 1027 LEN 476
    2005:08:02-12:48:21 DROP: IN eth2 SRC 222.141.93.27 China DST PROTO UDP SPT 59790 DPT 1027 LEN 446
    2005:08:02-12:49:49 DROP: IN eth2 SRC 61.172.249.200 China DST PROTO UDP SPT 33581 DPT 1027 LEN 471
    2005:08:02-12:51:57 DROP: IN eth2 SRC 222.136.188.49 China DST PROTO UDP SPT 34946 DPT 1027 LEN 377
    2005:08:02-12:52:53 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:02-12:56:24 DROP: IN eth2 SRC 61.233.40.169 China DST PROTO UDP SPT 47275 DPT 1027 LEN 292
    2005:08:02-13:06:32 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37029 DPT 1027 LEN 474
    2005:08:02-13:09:52 DROP: IN eth2 SRC 221.10.201.181 China DST PROTO UDP SPT 55526 DPT 1027 LEN 325
    2005:08:02-13:27:17 DROP: IN eth2 SRC 212.28.143.13 "Switzerland, Lausanne" DST PROTO UDP SPT 7126 DPT 1027 LEN 888
    2005:08:02-13:43:50 DROP: IN eth2 SRC 220.175.8.134 China DST PROTO UDP SPT 58166 DPT 1027 LEN 325
    2005:08:02-13:48:50 DROP: IN eth2 SRC 222.136.188.49 China DST PROTO UDP SPT 60138 DPT 1027 LEN 377
    2005:08:02-13:50:35 DROP: IN eth2 SRC 222.141.102.11 China DST PROTO UDP SPT 59778 DPT 1027 LEN 292
    2005:08:02-14:02:39 DROP: IN eth2 SRC 61.53.154.89 "China [City: Shanghai, Shanghai]" DST PROTO UDP SPT 45612 DPT 1027 LEN 356
    2005:08:02-14:19:04 DROP: IN eth2 SRC 222.241.95.3 China DST PROTO UDP SPT 40039 DPT 1027 LEN 292
    2005:08:02-14:21:33 DROP: IN eth2 SRC 61.233.40.169 China DST PROTO UDP SPT 58163 DPT 1027 LEN 292
    2005:08:02-14:22:09 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:02-14:23:15 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37033 DPT 1027 LEN 474
    2005:08:02-14:43:25 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48659 DPT 1027 LEN 472
    2005:08:02-14:49:16 DROP: IN eth2 SRC 61.53.154.89 "China [City: Shanghai, Shanghai]" DST PROTO UDP SPT 39742 DPT 1027 LEN 356
    2005:08:02-15:15:46 DROP: IN eth2 SRC 61.172.249.200 China DST PROTO UDP SPT 33589 DPT 1027 LEN 471
    2005:08:02-15:25:38 DROP: IN eth2 SRC 222.141.102.7 China DST PROTO UDP SPT 58538 DPT 1027 LEN 377
    2005:08:02-15:37:37 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37035 DPT 1027 LEN 474
    2005:08:02-15:39:37 DROP: IN eth2 SRC 212.17.91.236 "Austira, Vienna" DST PROTO UDP SPT 5460 DPT 1027 LEN 888
    2005:08:02-15:46:17 DROP: IN eth2 SRC 61.233.40.169 China DST PROTO UDP SPT 40658 DPT 1027 LEN 292
    2005:08:02-15:51:14 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:02-15:59:10 DROP: IN eth2 SRC 221.10.201.181 China DST PROTO UDP SPT 58338 DPT 1027 LEN 325
    2005:08:02-16:05:14 DROP: IN eth2 SRC 222.47.76.232 China DST PROTO UDP SPT 59338 DPT 1027 LEN 479
    2005:08:02-16:05:49 DROP: IN eth2 SRC 202.99.172.160 "Beijing, China" DST PROTO UDP SPT 55587 DPT 1027 LEN 326
    2005:08:02-16:10:38 DROP: IN eth2 SRC 220.175.8.134 China DST PROTO UDP SPT 35783 DPT 1027 LEN 325
    2005:08:02-16:20:26 DROP: IN eth2 SRC 61.235.154.103 China DST PROTO UDP SPT 43869 DPT 1027 LEN 463
    2005:08:02-16:39:26 DROP: IN eth2 SRC 222.141.102.11 China DST PROTO UDP SPT 53742 DPT 1027 LEN 292
    2005:08:02-16:46:53 DROP: IN eth2 SRC 222.136.188.49 China DST PROTO UDP SPT 50914 DPT 1027 LEN 377
    2005:08:02-16:48:34 DROP: IN eth2 SRC 70.85.176.210 US DST PROTO UDP SPT 36171 DPT 1027 LEN 323
    2005:08:02-16:51:17 DROP: IN eth2 SRC 220.175.8.134 China DST PROTO UDP SPT 52639 DPT 1027 LEN 325
    2005:08:02-16:51:52 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37035 DPT 1027 LEN 474
    2005:08:02-17:01:10 DROP: IN eth2 SRC 61.172.240.137 China DST PROTO UDP SPT 43041 DPT 1027 LEN 323
    2005:08:02-17:10:59 DROP: IN eth2 SRC 61.233.40.169 China DST PROTO UDP SPT 51309 DPT 1027 LEN 292
    2005:08:02-17:15:21 DROP: IN eth2 SRC 219.148.64.95 China DST PROTO UDP SPT 53758 DPT 1027 LEN 476
    2005:08:02-17:20:31 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:02-17:44:33 DROP: IN eth2 SRC 222.141.93.27 China DST PROTO UDP SPT 46781 DPT 1027 LEN 446
    2005:08:02-17:51:58 DROP: IN eth2 SRC 212.201.78.74 Germany DST PROTO UDP SPT 20603 DPT 1027 LEN 888
    2005:08:02-17:55:04 DROP: IN eth2 SRC 222.241.95.3 China DST PROTO UDP SPT 33640 DPT 1027 LEN 292
    2005:08:02-17:55:27 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48711 DPT 1027 LEN 472
    2005:08:02-18:05:26 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:02-18:06:07 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37035 DPT 1027 LEN 474
    2005:08:02-18:14:44 DROP: IN eth2 SRC 222.141.69.129 China DST PROTO UDP SPT 51620 DPT 1027 LEN 280
    2005:08:02-18:15:59 DROP: IN eth2 SRC 222.136.188.49 China DST PROTO UDP SPT 60502 DPT 1027 LEN 377
    2005:08:02-18:22:33 DROP: IN eth2 SRC 61.152.158.125 China DST PROTO UDP SPT 58855 DPT 1027 LEN 499
    2005:08:02-18:50:14 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:02-18:54:55 DROP: IN eth2 SRC 221.10.201.181 China DST PROTO UDP SPT 55326 DPT 1027 LEN 325
    2005:08:02-19:00:09 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48723 DPT 1027 LEN 472
    2005:08:02-19:20:19 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37037 DPT 1027 LEN 474
    2005:08:02-19:21:36 DROP: IN eth2 SRC 222.141.102.7 China DST PROTO UDP SPT 42618 DPT 1027 LEN 377
    2005:08:02-19:23:44 DROP: IN eth2 SRC 61.235.154.103 China DST PROTO UDP SPT 59686 DPT 1027 LEN 463
    2005:08:02-19:27:50 DROP: IN eth2 SRC 222.141.102.11 China DST PROTO UDP SPT 47397 DPT 1027 LEN 292
    2005:08:02-19:30:43 DROP: IN eth2 SRC 61.53.154.89 "China [City: Shanghai, Shanghai]" DST PROTO UDP SPT 59532 DPT 1027 LEN 356
    2005:08:02-19:34:43 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:02-19:46:10 DROP: IN eth2 SRC 222.136.188.49 China DST PROTO UDP SPT 42358 DPT 1027 LEN 377
    2005:08:02-20:04:11 DROP: IN eth2 SRC 212.220.102.118 Russian Federation DST PROTO UDP SPT 5745 DPT 1027 LEN 888
    2005:08:02-20:04:40 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48735 DPT 1027 LEN 472
    2005:08:02-20:06:07 DROP: IN eth2 SRC 220.175.8.134 China DST PROTO UDP SPT 50284 DPT 1027 LEN 325
    2005:08:02-20:06:14 DROP: IN eth2 SRC 61.172.249.200 China DST PROTO UDP SPT 33589 DPT 1027 LEN 471
    2005:08:02-20:19:09 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:02-20:19:50 DROP: IN eth2 SRC 61.53.154.89 "China [City: Shanghai, Shanghai]" DST PROTO UDP SPT 54468 DPT 1027 LEN 356
    2005:08:02-20:20:02 DROP: IN eth2 SRC 221.10.201.181 China DST PROTO UDP SPT 55532 DPT 1027 LEN 325
    2005:08:02-20:29:56 DROP: IN eth2 SRC 222.241.95.3 China DST PROTO UDP SPT 46706 DPT 1027 LEN 292
    2005:08:02-20:34:26 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37037 DPT 1027 LEN 474
    2005:08:02-20:45:10 DROP: IN eth2 SRC 61.235.154.103 China DST PROTO UDP SPT 58073 DPT 1027 LEN 463
    2005:08:02-21:05:32 DROP: IN eth2 SRC 61.235.154.103 China DST PROTO UDP SPT 53864 DPT 1027 LEN 463
    2005:08:02-21:09:30 DROP: IN eth2 SRC 222.141.69.129 China DST PROTO UDP SPT 45182 DPT 1027 LEN 280
    2005:08:02-21:09:39 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48746 DPT 1027 LEN 472
    2005:08:02-21:17:33 DROP: IN eth2 SRC 222.136.188.49 China DST PROTO UDP SPT 53073 DPT 1027 LEN 377
    2005:08:02-21:25:57 DROP: IN eth2 SRC 61.235.154.103 China DST PROTO UDP SPT 42653 DPT 1027 LEN 463
    2005:08:02-21:34:53 DROP: IN eth2 SRC 222.141.102.7 China DST PROTO UDP SPT 40564 DPT 1027 LEN 377
    2005:08:02-21:47:40 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:02-21:48:16 DROP: IN eth2 SRC 219.148.64.95 China DST PROTO UDP SPT 55272 DPT 1027 LEN 476
    2005:08:02-21:48:42 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37081 DPT 1027 LEN 474
    2005:08:02-21:50:53 DROP: IN eth2 SRC 216.67.231.137 "US, New Jersey" DST PROTO UDP SPT 36717 DPT 1027 LEN 305
    2005:08:02-22:14:49 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48761 DPT 1027 LEN 472
    2005:08:02-22:16:28 DROP: IN eth2 SRC 213.18.58.252 "UK, Harlow, England" DST PROTO UDP SPT 9523 DPT 1027 LEN 888
    2005:08:02-22:16:35 DROP: IN eth2 SRC 222.141.102.11 China DST PROTO UDP SPT 40981 DPT 1027 LEN 292
    2005:08:02-22:18:32 DROP: IN eth2 SRC 222.241.95.3 China DST PROTO UDP SPT 51593 DPT 1027 LEN 292
    2005:08:02-22:22:17 DROP: IN eth2 SRC 222.208.168.145 China DST PROTO UDP SPT 39076 DPT 1027 LEN 325
    2005:08:02-22:31:13 DROP: IN eth2 SRC 61.172.249.200 China DST PROTO UDP SPT 33589 DPT 1027 LEN 471
    2005:08:02-22:33:42 DROP: IN eth2 SRC 222.141.93.27 China DST PROTO UDP SPT 60566 DPT 1027 LEN 446
    2005:08:02-22:38:08 DROP: IN eth2 SRC 216.67.231.137 "US, New Jersey" DST PROTO UDP SPT 36738 DPT 1027 LEN 305
    2005:08:02-22:49:14 DROP: IN eth2 SRC 222.136.188.49 China DST PROTO UDP SPT 35991 DPT 1027 LEN 377
    2005:08:02-23:02:59 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37082 DPT 1027 LEN 474
    2005:08:02-23:16:09 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:02-23:16:55 DROP: IN eth2 SRC 220.175.8.134 China DST PROTO UDP SPT 46185 DPT 1027 LEN 325
    2005:08:02-23:23:26 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48775 DPT 1027 LEN 472
    2005:08:02-23:36:34 DROP: IN eth2 SRC 221.10.201.181 China DST PROTO UDP SPT 47639 DPT 1027 LEN 325
    2005:08:02-23:40:45 DROP: IN eth2 SRC 222.141.102.7 China DST PROTO UDP SPT 35621 DPT 1027 LEN 377
    2005:08:02-23:40:52 DROP: IN eth2 SRC 216.67.231.137 "US, New Jersey" DST PROTO UDP SPT 36764 DPT 1027 LEN 305
    2005:08:02-23:46:25 DROP: IN eth2 SRC 210.21.110.100 China DST PROTO UDP SPT 62994 DPT 1027 LEN 479
    2005:08:03-00:04:17 DROP: IN eth2 SRC 222.141.69.129 China DST PROTO UDP SPT 38768 DPT 1027 LEN 280
    2005:08:03-00:17:12 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37082 DPT 1027 LEN 474
    2005:08:03-00:18:31 DROP: IN eth2 SRC 218.66.104.140 China DST PROTO UDP SPT 40363 DPT 1027 LEN 319
    2005:08:03-00:20:02 DROP: IN eth2 SRC 222.136.188.49 China DST PROTO UDP SPT 46357 DPT 1027 LEN 377
    2005:08:03-00:28:49 DROP: IN eth2 SRC 212.99.167.112 Germany DST PROTO UDP SPT 4808 DPT 1027 LEN 888
    2005:08:03-00:32:28 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48790 DPT 1027 LEN 472
    2005:08:03-00:44:12 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:03-00:46:24 DROP: IN eth2 SRC 61.172.240.137 China DST PROTO UDP SPT 48823 DPT 1027 LEN 323
    2005:08:03-01:03:09 DROP: IN eth2 SRC 221.10.201.181 China DST PROTO UDP SPT 38516 DPT 1027 LEN 325
    2005:08:03-01:04:47 DROP: IN eth2 SRC 222.141.102.11 China DST PROTO UDP SPT 34484 DPT 1027 LEN 292
    2005:08:03-01:08:37 DROP: IN eth2 SRC 61.53.154.89 "China [City: Shanghai, Shanghai]" DST PROTO UDP SPT 48991 DPT 1027 LEN 356
    2005:08:03-01:17:28 DROP: IN eth2 SRC 222.241.95.3 China DST PROTO UDP SPT 40299 DPT 1027 LEN 292
    2005:08:03-01:28:18 DROP: IN eth2 SRC 221.211.255.12 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
    2005:08:03-01:31:21 DROP: IN eth2 SRC 221.211.255.8 China DST PROTO UDP SPT 37082 DPT 1027 LEN 474
    2005:08:03-01:41:40 DROP: IN eth2 SRC 218.66.104.139 China DST PROTO UDP SPT 48805 DPT 1027 LEN 472
    2005:08:03-01:52:18 DROP: IN eth2 SRC 222.136.188.49 China DST PROTO UDP SPT 57676 DPT 1027 LEN 377
  • How would an ICQ exploit affect ASL?

    Barry
  • Hi,

    first, this is UDP, so you can't be sure it is from the visible source IP address. Second, it tries to connect to a server port on the Astaro that isn't bound to anything (it wouldn't even affect any machine behind a NAT gateway, unless you NAT the port into your net). I can remember that some of the MyDoom viruses tried to connect/spread via ICQ.
    So from all the info you posted here, it looks more like your internal network is infected with a virus/trojan/worm.

    Chris
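Chris's reasoning above, turned into a small triage script over the packet-filter log format posted in this thread. This is an added example, not code from the thread or from Astaro; the sample lines are constructed with TEST-NET addresses, and `eth2` is assumed to be the external interface.

```python
import re
from collections import Counter

# Regex for the Astaro packet-filter log format quoted in this thread; the geo tag may be
# quoted or carry a parenthesised city, and the DST value is blank in the posted lines.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<action>[A-Z]+): IN (?P<iface>\S+) SRC (?P<src>\S+) '
    r'(?:"(?P<geo_q>[^"]*)"|(?P<geo>\S+(?: \([^)]*\))?)) DST (?:(?P<dst>\S+) )?'
    r'PROTO (?P<proto>\w+) SPT (?P<spt>\d+) DPT (?P<dpt>\d+) LEN (?P<plen>\d+)$')

# Constructed sample in the same format (TEST-NET addresses, not the thread's real sources).
SAMPLE_LOG = """\
2005:08:03-01:53:39 DROP: IN eth2 SRC 203.0.113.7 China DST PROTO UDP SPT 33644 DPT 1027 LEN 377
2005:08:03-01:57:47 DROP: IN eth2 SRC 203.0.113.89 "China [City: Shanghai, Shanghai]" DST PROTO UDP SPT 43957 DPT 1027 LEN 356
2005:08:03-02:40:50 DROP: IN eth2 SRC 198.51.100.115 Germany DST PROTO UDP SPT 15428 DPT 1027 LEN 888
2005:08:03-07:05:25 DROP: IN eth2 SRC 198.51.100.164 "UK, Doncaster, England" DST PROTO UDP SPT 9387 DPT 1027 LEN 888
2005:08:03-18:06:30 DROP: IN eth2 SRC 192.0.2.203 Georgia (Tiblisi) DST PROTO UDP SPT 25059 DPT 1027 LEN 888
2005:08:03-02:57:03 DROP: IN eth2 SRC 203.0.113.7 China DST PROTO UDP SPT 32824 DPT 1027 LEN 474
""".splitlines()

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d['geo'] = d.pop('geo_q') or d['geo']
    for k in ('spt', 'dpt', 'plen'):
        d[k] = int(d[k])
    return d

def summarize(lines):
    recs = [r for r in map(parse_line, lines) if r]
    return {
        'total': len(recs),
        'actions': Counter(r['action'] for r in recs),
        'ifaces': Counter(r['iface'] for r in recs),
        'proto_dpt': Counter((r['proto'], r['dpt']) for r in recs),
        'distinct_src': len({r['src'] for r in recs}),
        'countries': Counter(r['geo'].split(' ')[0].rstrip(',') for r in recs),
    }

def triage(s, external_iface='eth2'):
    """Thread's reasoning: dropped inbound UDP at one unbound port is scan noise, not a breach."""
    if not s['total']:
        return ['no parsable lines']
    (proto, dpt), n = s['proto_dpt'].most_common(1)[0]
    findings = [f"{s['total']} packets, {n} aimed at {proto}/{dpt} from {s['distinct_src']} distinct sources"]
    if proto == 'UDP':
        findings.append('UDP: source addresses may be spoofed; do not treat them as attribution')
    noise = set(s['actions']) == {'DROP'} and set(s['ifaces']) == {external_iface} and n == s['total']
    findings.append('verdict: dropped background scan noise, not evidence of a firewall breach; '
                    'check internal hosts for outbound traffic to the same port'
                    if noise else 'verdict: mixed traffic, review by hand')
    return findings
```

Run `triage(summarize(SAMPLE_LOG))` to get the findings list; feed it the real packet-filter log to triage a day's drops the same way.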
  • Barry,
    I'm just relaying information from my systems.  ASL is my firewall (currently) and if it has been compromised, it's likely that other systems were in fact the target.  The other systems would more than likely show signs of hacks before ASL though ASL would need to be compromised first, yes?  I've shown a temporary storm of UDP traffic on a port commonly used by ICQ.  I think the later post is correct that one of my internal machines has been compromised by a worm (or related code).  I just need to find the machine at this point.  

    This does not bring me closer to determining how they got by ASL.

    Cheers,

    ~D
  •  [ QUOTE ]
    though ASL would need to be compromised first, yes?  

    [/ QUOTE ] 

    NO

    Any services you have open (ICQ), or any vulnerable applications you use internally (Internet Explorer, Outlook), or any users you have that are stupid enough to open a trojan (via email, P2P, sneakernet) MAY expose/infect you no matter what kind of firewall you use!

    Barry
  • [ QUOTE ]
    I'm assuming a pro (or at least an expert).

    It appears that I'm going to have to reinstall de novo most of my systems due to this apparent intrusion and I'm not very happy about it.

    I'm wondering if using ASL is worth the risk.  What are thoughts on competitive more traditional firewalls like Watchguard etc.... 

    [/ QUOTE ]

    I can tell you, I manage 7 different installations of ASL, including my own at home. In using Astaro for the last 4 years, I have NEVER had a compromised firewall. Not at GOV offices, not at clients, not at home, not at my office... did you have anything DNATed from the outside into the internal?
  • Hi,

    there are many ways to get a virus past the Astaro.

    For example, password protected attachments, services that don't go through the virus engine of the proxies (like MSN), users that hook up their home notebook to the corp network, or the ones who use a USB stick to transfer data etc. etc.

    Chris
  • Yes I have DNS NATed through the firewall.
    I'm running a DNS server and thus need external servers to be able to connect to mine.
  • If the DNS server that is accessible from the internet is not on the DMZ, you are just asking to get hacked.
  • Hmmmmm perhaps a reconfiguration is in order.
    I've been playing around with Microsoft's Small Business Server and they incorporate a potpourri of "services" in the one server.  Putting this beast out in the real world would be a disaster: Microsoft can't handle the storm. Perhaps a secondary linux DNS server placed out in the DMZ is indeed the answer.

    Thanks