On Wed, Aug 10, 2005 at 01:09:15PM +0100, Brett Parker wrote:
Aug 10 12:33:34 zyxel RAS: src="61.55.188.229:3381" dst="84.51.144.229:1433" msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
OK - now this one is a Globally Scoped multicast address [1]... the printer really is trying to make itself known...
OK, so this is alright, just the printer telling the world about itself.
Aug 10 12:34:59 zyxel RAS: src="218.94.232.240:2611" dst="84.51.144.229:1433" msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" devID="D9C103" cat="Access Control"
Another one to port 1433, which turns out to be "#Microsoft-SQL-Server". What on earth does this suggest?
Suggests that there's a bug in SQL Server and people are trying to exploit it. Looking at the messages, I'd expect ACCESS FORWARD to mean that it looks it up to forward it, unless you've got it set up with a DMZ machine that it forwards everything to. The message isn't overly clear on whether it's blocking the packets or accepting them; I'd assume, looking at it, that it was accepting them, but they might get no further than that, depending on whether they were redirected or anything. Probably worth looking at the handbook to see if it outlines how to interpret the logs.
Thanks, I'll have a dig around in the router documentation to see if I can get it to tell me more (or to understand better what it is telling me). It would be good if I can filter out the innocuous traffic and leave only unknown/suspicious items.
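The filter Brett asks for at the end of the thread, as an added example that is not part of the original exchange and not ZyXEL's own tooling: it parses the key="value" fields of the Prestige syslog lines quoted above, drops traffic to multicast groups (the printer announcing itself), and keeps inbound connections from public addresses to ports worth watching, with everything else left as "unknown" for a human to look at. The port watchlist beyond 1433 (the Microsoft-SQL-Server port looked up in the thread), the multicast scope boundaries, and the third, fourth and fifth sample lines are assumptions constructed for this example; the first two sample lines are the ones quoted in the thread. As the reply notes, ACCESS FORWARD does not by itself say whether the packet was dropped or forwarded, so the labels describe what the traffic looks like, not what the router did with it.

```python
"""Triage ZyXEL Prestige firewall syslog lines: drop the innocuous, keep the rest.
Added example for the thread above; the field layout generalises from the two
quoted lines, everything else is an assumption noted inline."""
import ipaddress
import re
from collections import Counter

# Each line is a syslog prefix followed by key="value" fields.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Ports scanners commonly probe from the outside. 1433 comes from the thread's
# services lookup; the other entries are assumptions added for this example.
WATCHED_PORTS = {
    1433: "Microsoft-SQL-Server",
    1434: "ms-sql-monitor",
    445: "microsoft-ds (SMB)",
    135: "epmap (MSRPC)",
    3389: "ms-wbt-server (RDP)",
}

# Globally scoped IPv4 multicast is 224.0.1.0 through 238.255.255.255;
# 224.0.0.0/24 is link-local and 239.0.0.0/8 is administratively scoped.
GLOBAL_MCAST_LO = ipaddress.ip_address("224.0.1.0")
GLOBAL_MCAST_HI = ipaddress.ip_address("238.255.255.255")

# Sample input: lines 1 and 2 are quoted from the thread, 3 to 5 are constructed.
SAMPLE_LINES = [
    'Aug 10 12:33:34 zyxel RAS: src="61.55.188.229:3381" dst="84.51.144.229:1433" '
    'msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" '
    'devID="D9C103" cat="Access Control"',
    'Aug 10 12:34:59 zyxel RAS: src="218.94.232.240:2611" dst="84.51.144.229:1433" '
    'msg="Firewall default policy: TCP (W to W/PRESTIGE)" note="ACCESS FORWARD" '
    'devID="D9C103" cat="Access Control"',
    # constructed: a LAN printer announcing itself to a globally scoped group
    'Aug 10 12:35:02 zyxel RAS: src="192.168.1.33:427" dst="224.0.1.60:427" '
    'msg="Firewall default policy: UDP (L to W/PRESTIGE)" note="ACCESS FORWARD" '
    'devID="D9C103" cat="Access Control"',
    # constructed: LAN host to the WAN address on port 80, not on the watchlist
    'Aug 10 12:35:10 zyxel RAS: src="192.168.1.40:2049" dst="84.51.144.229:80" '
    'msg="Firewall default policy: TCP (L to W/PRESTIGE)" note="ACCESS FORWARD" '
    'devID="D9C103" cat="Access Control"',
    # constructed: a line with no src/dst fields, which the parser skips
    'Aug 10 12:35:12 zyxel RAS: msg="Firewall log full" cat="System"',
]


def parse_line(line):
    """Return the key="value" fields plus parsed src/dst address and port,
    or None when the line carries no src and dst."""
    fields = dict(FIELD_RE.findall(line))
    if "src" not in fields or "dst" not in fields:
        return None
    for key in ("src", "dst"):
        host, _, port = fields[key].rpartition(":")
        fields[key + "_ip"] = ipaddress.ip_address(host)
        fields[key + "_port"] = int(port) if port else None
    return fields


def classify(rec):
    """Label a parsed record by what the traffic looks like. The label does not
    say whether the router forwarded or dropped the packet; the quoted
    ACCESS FORWARD note does not tell us that either."""
    dst = rec["dst_ip"]
    if dst.is_multicast:
        scope = "globally scoped" if GLOBAL_MCAST_LO <= dst <= GLOBAL_MCAST_HI else "local/admin scoped"
        return "innocuous", f"{scope} multicast announcement from {rec['src_ip']}"
    port = rec["dst_port"]
    if port in WATCHED_PORTS and rec["src_ip"].is_global:
        return "suspicious", f"inbound probe from {rec['src_ip']} to {WATCHED_PORTS[port]} ({port})"
    return "unknown", f"{rec['src']} -> {rec['dst']} ({rec.get('msg', '')})"


def triage(lines):
    """Return (kept records as (label, reason) pairs, Counter of (src, dst_port)
    for the suspicious ones). Innocuous and unparseable lines are dropped."""
    kept = []
    probes = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label, why = classify(rec)
        if label == "innocuous":
            continue
        kept.append((label, why))
        if label == "suspicious":
            probes[(str(rec["src_ip"]), rec["dst_port"])] += 1
    return kept, probes


if __name__ == "__main__":
    kept, probes = triage(SAMPLE_LINES)
    for label, why in kept:
        print(f"{label:10s} {why}")
    for (src, port), n in probes.most_common():
        print(f"{n:4d} probe(s) from {src} to port {port}")
```

Pipe the router's syslog into `triage` and the two port-1433 lines come out labelled suspicious with one probe counted per source, the multicast line is dropped, and the LAN-to-port-80 line is kept as unknown so nothing unfamiliar is silently filtered away.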