Ethereal-users: RE: [Ethereal-users] Newbie in a jam

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Jason Hernandez" <jason.hernandez@xxxxxxxxxxxxx>
Date: Tue, 28 Feb 2006 15:53:23 -0800
I have a feeling on what computer it might be and have disconnected it today
and will follow up with my ISP tomorrow to check their logs. This PC is a
Windows 2000 Advanced Server, a straight-install stand-alone server with only
IIS on it. On it I installed and am testing this mail server program from
Ipswitch that does calendar sharing etc. I know that when we do the client
install (within Outlook) on the local PC it asks that we have port 139 (I
think) and 445 open, so the server could well be the problem.
Jason 

-----Original Message-----
From: ethereal-users-bounces@xxxxxxxxxxxx
[mailto:ethereal-users-bounces@xxxxxxxxxxxx] On Behalf Of Andreas Fink
Sent: Tuesday, February 28, 2006 12:43 PM
To: Ethereal user support
Subject: Re: [Ethereal-users] Newbie in a jam

Why would filtering ICMP stop anything?
It wouldn't help him find anything. The "bad" guy inside his
network will still be there. Instead, use of Ethereal should let him
spot the right machine and be able to take corresponding action. ICMP
is an important service and I don't see why users should not be able
to use it. There are far more dangerous services like Windows
Messaging (see http://www.itc.virginia.edu/desktop/docs/messagepopup/)
or simply use of the Windows file service from remote
(most users don't need that, so it's usually not a bad idea to close
those ports).
There was only one reason to filter ICMP and that was during the
known bug of Windows NT and Windows 95 called "ping of death", where a
well-crafted overlength ICMP packet was able to crash any Windows
machine within seconds.

So it would take a brainwashed system administrator to put a totally
outdated 10-year-old machine with Windows 95 or Windows NT without any
security patches onto the internet. If you have that on your
network, then you might want to block ICMP.

On 28.02.2006, at 21:22, FRANCIS PROVENCHER wrote:

> Hi
> To stop the problem, you can deny the ICMP echo request on your
> firewall. It's not a good thing to let users make ICMP echo replies
> (ping) outside of your network. Create a rule on your firewall to
> deny it; you can add some exceptions to this rule to let
> administrators ping outside.
>
> Sorry, I can give you some advice with Ethereal.
> You can also check out Snort (an intrusion detection system).
>
> Francis Provencher
> Ministère de la Sécurité publique
> Réalisations et Systèmes réseaux
> Tel: (418) 646-3258
> E-mail: Francis.provencher@xxxxxxxxxxxxxx
>
> CEH - Certified Ethical Hacker
> SSCP - System Security Certified Practitioner
> Sec+ - Security+
>>>> jason.hernandez@xxxxxxxxxxxxx 02/28/06 2:36 PM >>>
> Hello all,
>
> I am very new to protocol analyzing and packet sniffing. I usually just
> support PCs, but am now supporting our network. I've been contacted by my
> company's ISP and they say some machine behind my router is scanning their
> network. I have made sure all my PCs are patched and have up-to-date
> anti-virus software (McAfee) as well as anti-spyware software (Windows
> Defender), but I am still having this issue.
>
> How can I use this software to find the culprit? What am I supposed to look
> for? Sorry for being such a newbie...
>
> Thanks in advance!
>
> Jason
>


Andreas Fink
Fink Consulting GmbH

---------------------------------------------------------------
Tel: +41-61-6666332 Fax: +41-61-6666331  Mobile: +41-79-2457333
Address: Clarastrasse 3, 4058 Basel, Switzerland
E-Mail:  afink@xxxxxxxxxxxxxxxxxx
Homepage: http://www.finkconsulting.com
---------------------------------------------------------------

ICQ: 101946485 MSN: msn1@xxxxxx AIM: smsrelay Skype: andreasfink
Yahoo: finkconsulting SMS: +41792457333
PGP9: 0714 DF2B A189 A760 6201  5CBD D040 3E71 4DAF 68BB


_______________________________________________
Ethereal-users mailing list
Ethereal-users@xxxxxxxxxxxx
http://www.ethereal.com/mailman/listinfo/ethereal-users
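Jason's question above ("How can I use this software to find the culprit?") comes down to finding the LAN host with the largest outbound connection fan-out: a scanner opens connections to many distinct external addresses or ports in a short time, while a normal workstation talks to a handful. The Python script below is an added example written for this archive page, not code from the original thread or from the Ethereal project. It reads tab-separated summary lines of the shape that `tshark -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack` writes for a saved capture, keeps only pure SYNs (connection attempts), and reports each internal host's peak number of distinct external (address, port) targets within a sliding window. The sample lines are constructed for the example, not a real capture, and the 10.0.0.0/24 LAN range, the 60-second window and the threshold of 20 targets are assumptions to adjust for your network.

```python
"""Rank LAN hosts by outbound TCP SYN fan-out to find a scanner.

Added example for this thread, not code from Ethereal. Input lines have the
shape produced by
  tshark -r capture.pcap -T fields -e frame.time_epoch -e ip.src -e ip.dst \
         -e tcp.dstport -e tcp.flags.syn -e tcp.flags.ack
(tab separated). SAMPLE below is constructed, not a real capture.
"""
import ipaddress
from collections import Counter, defaultdict

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/24")  # assumed LAN range


def _sample_lines():
    """Constructed records: 10.0.0.23 sweeps ports 139/445 across a /24 in
    three seconds, 10.0.0.5 browses three web servers, plus one inbound
    SYN/ACK that must be ignored."""
    t0 = 1141168800.0
    lines = []
    for i in range(60):
        port = 445 if i % 2 else 139
        lines.append(f"{t0 + i * 0.05:.6f}\t10.0.0.23\t203.0.113.{i + 1}\t{port}\t1\t0")
    for i in range(12):
        lines.append(f"{t0 + i * 3:.6f}\t10.0.0.5\t198.51.100.{10 + i % 3}\t80\t1\t0")
    lines.append(f"{t0 + 100:.6f}\t203.0.113.7\t10.0.0.23\t139\t1\t1")
    return lines


SAMPLE = "\n".join(_sample_lines())


def _flag(field):
    # tshark prints boolean fields as 1/0 (older) or True/False (newer).
    return field.strip() in ("1", "True", "true")


def parse_records(text):
    """Return (time, src, dst, dport) for every pure SYN (connection attempt)."""
    records = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != 6 or not parts[3]:
            continue  # non-TCP frames leave the tcp.* fields empty
        t, src, dst, dport, syn, ack = parts
        if _flag(syn) and not _flag(ack):
            records.append((float(t), src, dst, int(dport)))
    return records


def fanout(records, internal_net=INTERNAL_NET, window_s=60.0):
    """Peak number of distinct external (dst, port) targets each internal
    host attempted within any window_s-second sliding window."""
    by_src = defaultdict(list)
    for t, src, dst, dport in records:
        if (ipaddress.ip_address(src) in internal_net
                and ipaddress.ip_address(dst) not in internal_net):
            by_src[src].append((t, (dst, dport)))
    peaks = {}
    for src, events in by_src.items():
        events.sort()
        live = Counter()  # targets inside the current window
        left = 0
        peak = 0
        for t, target in events:
            live[target] += 1
            while events[left][0] < t - window_s:  # expire old events
                old = events[left][1]
                live[old] -= 1
                if live[old] == 0:
                    del live[old]
                left += 1
            peak = max(peak, len(live))
        peaks[src] = peak
    return peaks


def scan_candidates(records, threshold=20, **kwargs):
    """Hosts whose fan-out reaches the threshold, most suspicious first."""
    ranked = [(src, n) for src, n in fanout(records, **kwargs).items() if n >= threshold]
    return sorted(ranked, key=lambda item: -item[1])


if __name__ == "__main__":
    recs = parse_records(SAMPLE)
    for src, n in scan_candidates(recs):
        print(f"{src}: {n} distinct external targets in one 60 s window")
```

Two practical caveats. First, the capture has to see the whole LAN's traffic: on a switched network a sniffer on an ordinary port only sees its own frames and broadcasts, so capture on a mirror/SPAN port or on the router's inside interface. Second, the same fan-out is visible in the Ethereal GUI without any script: apply the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0` and sort the packet list by source, and the host whose destinations march through consecutive addresses or ports stands out.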