I am seeing ICMP type 3 error messages in my firewall logs. However, I am unable to find the original request sent to that external IP [closed]

No matching connection for ICMP error message: icmp src inside: X.X.X.98 dst outside: X.X.X.11 (type 3, code 2) on inside interface. Original IP payload: udp src X.X.X.11/53 dst X.X.X.98/52906.

Can somebody please help me understand the cause?

Moving files from VeraCrypt store logs on Windows?

If I move a file from a non-hidden encrypted drive to my main C drive, then move the original file to a hidden container on the encrypted drive, then wipe the original file with CCEnhancer/secure erase, is that doing enough to ensure the original location isn't known? Or does Windows log moved files by default, and could someone tell if the copied file came from the encrypted drive? Additionally, does software like CCEnhancer/secure erase remove "recently viewed" logs from applications, in case they are opened from either the hidden or non-hidden volume?

Router Security Warning in Logs

I'm getting regular attacks:

2020-07-29 14:44:42 Security Warning Intrusion -> SRC=80.227.225.108 DST=156.218.255.222 LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=63607 PROTO=TCP SPT=52363 DPT=1433 WIN

It's every 10 minutes, as far as I can see.

I changed the Wi-Fi password and made it a hidden AP, and the attacks are still coming.

I even disconnected all devices and the logs keep showing this attack.

Should I be worried?

2020-07-29 14:54:05 Security Warning Intrusion -> SRC=45.129.33.22 DST=156.218.255.222 LEN=40 TOS=0x00 PREC=0x00 TTL=247 ID=40337 PROTO=TCP SPT=42068 DPT=3378 WINDO

Hacking Attempt Requests Not Showing Up in Web Server Logs, But Google Analytics Shows Them

Which hacking tool makes a request that does not show up in the web server logs?

/en/latest/ has been requested over 116 times; we don't have this URL on the website at all!

The requests to that URL do not show up in the web server logs, but I set up Google Analytics to track ad blockers by loading the script from a different URL that ad blockers don't know. Ever since I set up this Google Analytics it has trapped lots of hacking requests to non-existent URLs.

How come Google Analytics captures the request (the hackers don't actually know about it) while the request seems not to reach the web server, because no logs are shown?

The thing is, there are deliberate requests to non-existent URLs that don't show up in the web server logs, but my secret Google Analytics script captures the URL.

Identical records in IIS logs

I am not very knowledgeable about IIS 7, so I thought this was the right place to ask.

While inspecting the web server logs, I came across several instances of separate records that look just the same. For example:

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-21 00:00:10 ABC.128.138.15 GET /MY/API/HERE departmentId=&prodLineId=&prodUnitId=&puGroupId=&FLId=null&startTime=2019-09-08T21:00:00.000Z&endTime=2019-09-09T21:00:00.000Z&status=null&itemType=&itemComponent=&howFound=&priority=&foundBy=&fixedBy=&flList= 80 - ABC.128.138.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 1453
2020-04-21 00:00:10 ABC.128.138.15 GET /MY/API/HERE departmentId=&prodLineId=&prodUnitId=&puGroupId=&FLId=null&startTime=2019-09-08T21:00:00.000Z&endTime=2019-09-09T21:00:00.000Z&status=null&itemType=&itemComponent=&howFound=&priority=&foundBy=&fixedBy=&flList= 80 - ABC.128.138.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 1453

The question is: do those records correspond to two actual separate requests, or was it perhaps just one that for some reason got duplicated? This is not an isolated occurrence (there are hundreds more). Just for the record, these are all GET requests coming from the same source (an Apache Tomcat-based application that resides on the same web server and is invoking APIs in different application pools).

Thanks in advance,

Gabriel
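As an added example (not the poster's code), a small Python helper that parses IIS W3C extended log lines by their #Fields header and groups repeats two ways: exact repeats including time-taken, and same-second repeats of the same client/URL/status. The sample log is constructed, modelled on the records in the question with shortened addresses and query strings.

```python
from collections import Counter

# Constructed sample in IIS W3C extended format, modelled on the records quoted in
# the question (addresses and query strings shortened). Rows 1 and 2 are identical;
# row 3 is the same request in the same second but with a different time-taken.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2020-04-21 00:00:10 10.0.0.15 GET /MY/API/HERE departmentId=&startTime=2019-09-08T21:00:00.000Z 80 - 10.0.0.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 1453
2020-04-21 00:00:10 10.0.0.15 GET /MY/API/HERE departmentId=&startTime=2019-09-08T21:00:00.000Z 80 - 10.0.0.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 1453
2020-04-21 00:00:10 10.0.0.15 GET /MY/API/HERE departmentId=&startTime=2019-09-08T21:00:00.000Z 80 - 10.0.0.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 200 0 0 1460
2020-04-21 00:00:12 10.0.0.15 GET /other - 80 - 10.0.0.15 Apache-HttpClient/4.5.6+(Java/1.8.0_92) - 404 0 2 3
"""

def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # a directive line can change the layout mid-file
        elif line.startswith("#") or not line.strip():
            continue                           # other directives / blank lines
        elif fields is None:
            raise ValueError("data line before #Fields header")
        else:
            values = line.split()              # IIS encodes spaces inside a field as '+'
            if len(values) != len(fields):
                raise ValueError(f"expected {len(fields)} fields, got {len(values)}: {line}")
            records.append(dict(zip(fields, values)))
    return records

# Two keys: EXACT_KEY includes time-taken, so a hit means every logged detail repeats;
# SAME_SECOND_KEY ignores it, so a hit is just the same client/URL/status within a second.
EXACT_KEY = ("date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
             "sc-status", "time-taken")
SAME_SECOND_KEY = tuple(f for f in EXACT_KEY if f != "time-taken")

def find_duplicates(records, key_fields=EXACT_KEY):
    """Return {key_tuple: count} for every key that appears more than once."""
    counts = Counter(tuple(r[f] for f in key_fields) for r in records)
    return {k: n for k, n in counts.items() if n > 1}

if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    for key, n in find_duplicates(recs).items():
        print(f"{n}x identical: {key[0]} {key[1]} {key[2]} {key[3]} {key[4]}")
    for key, n in find_duplicates(recs, SAME_SECOND_KEY).items():
        print(f"{n}x same-second repeat of {key[3]} {key[4]} from {key[2]}")
```

Run over a real log, the gap between the two counts shows whether the repeats are byte-for-byte identical entries or merely a client retrying within the same second.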

Microsoft-Windows-SmbClient/Connectivity logs [closed]

When I’m investigating systems, the SMB client logs are a good place to tell me if a baddie tried mapping/navigating network shares and they often outlive the security logs.

Does anyone know a good reference to find out what exactly the codes mean? Such as event IDs? I tried Google and have not had much luck.

30805, 30808, 30800, 30811, etc.

Rsyslog not saving logs from other servers into custom directories [migrated]

I am receiving logs on UDP 514 from another server and I have configured rsyslog.conf to save the logs to a custom directory, but I am unable to do so. I confirmed through tcpdump that logs are arriving on 514, but they are not getting saved. Anything I've missed?

Here's the config I've made in rsyslog.conf:

$umask 0000

# ownership and permissions
$FileOwner punk
$FileGroup punk
$FileCreateMode 0640
$DirCreateMode 0755

# save that when possible
$PreserveFQDN on

# local ruleset (to control local syslogging)
# note: every rule below this line belongs to ruleset "local" until the next $RuleSet line;
# an input (such as imudp on 514) only runs this ruleset if it is explicitly bound to it
$RuleSet local

$template CustomFormat,"%TIMESTAMP:::date-rfc3339% %HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
$ActionFileDefaultTemplate CustomFormat

$template prod1,"/ab/cs/edl/172.x.x.x/%$now%.log"
if $fromhost-ip == '172.x.x.x' then ?prod1

Strange ufw logs

When securing my device (Ubuntu) I noticed strange ufw logs. I am behind a router, which should be blocking these kinds of requests? I realise these are using port 443, but I was under the impression that my outgoing connections to a website shouldn't produce incoming connections to me.

[UFW BLOCK] IN=wlp1s0 OUT= MAC=b0:fc:36:e0:0f:2d:2c:30:33:34:bf:32:08:00 SRC=151.101.64.133 DST=<my ip> LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=0 DF PROTO=TCP SPT=443 DPT=43648 WINDOW=0 RES=0x00 RST URGP=0 

Other info:

  • There was only one other device connected to the network.
  • This router was recently reset. UPnP is disabled.
  • Recently plugged a USB stick into the PC.
  • I have all incoming connections blocked and only allow HTTP, HTTPS and DNS out.
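As an added example (not from either poster), a Python triage helper for the netfilter-style lines in the router post and the ufw post above: it parses the KEY=value tokens and bare TCP flag tokens, copes with lines truncated before the flags, and applies my own classification heuristics. The sample lines are constructed, with addresses replaced by RFC 5737 test ranges.

```python
# Constructed sample lines modelled on the router "Security Warning" entries and the ufw entry
# quoted above. The first is cut off after "WIN", as the router lines are, so it carries no flags.
SAMPLE_LINES = [
    "2020-07-29 14:44:42 Security Warning Intrusion -> SRC=203.0.113.108 DST=198.51.100.222 "
    "LEN=40 TOS=0x00 PREC=0x00 TTL=235 ID=63607 PROTO=TCP SPT=52363 DPT=1433 WIN",
    "[UFW BLOCK] IN=wlp1s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.133 "
    "DST=198.51.100.5 LEN=40 TOS=0x00 PREC=0x00 TTL=123 ID=0 DF PROTO=TCP SPT=443 DPT=43648 "
    "WINDOW=0 RES=0x00 RST URGP=0",
    "[UFW BLOCK] IN=wlp1s0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.9 "
    "DST=198.51.100.5 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=55000 DPT=22 "
    "WINDOW=65535 RES=0x00 SYN URGP=0",
]

TCP_FLAGS = {"SYN", "ACK", "RST", "FIN", "PSH", "URG"}
# Ports this host only ever connects *to* (the ufw question allows just HTTP, HTTPS, DNS out).
OUTBOUND_ONLY_PORTS = {80, 443, 53}

def parse_netfilter(line):
    """Return {KEY: value} for KEY=value tokens plus 'FLAGS': the set of bare TCP flag tokens."""
    fields, flags = {}, set()
    for tok in line.split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
    fields["FLAGS"] = flags
    return fields

def classify(fields):
    """Triage heuristic (mine, not from any vendor doc): returns (kind, human-readable detail)."""
    src, proto, flags = fields.get("SRC", "?"), fields.get("PROTO"), fields["FLAGS"]
    spt, dpt = int(fields.get("SPT", 0)), int(fields.get("DPT", 0))
    if proto != "TCP":
        return "non-tcp", f"{proto} packet from {src}"
    if "SYN" in flags and "ACK" not in flags:
        return "probe", f"unsolicited connection attempt from {src} to TCP/{dpt}"
    if spt in OUTBOUND_ONLY_PORTS and "SYN" not in flags and flags & {"RST", "ACK"}:
        return "stray-reply", f"{src}:{spt} answering a connection this host opened earlier (no new inbound session)"
    if not flags:
        return "unknown-flags", f"inbound packet from {src} to TCP/{dpt}; flags missing from the log line"
    return "other", f"TCP {src}:{spt} -> {dpt} flags={sorted(flags)}"

def triage(lines):
    return [classify(parse_netfilter(line)) for line in lines]

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LINES):
        print(f"{kind:14} {detail}")
```

The truncated router lines end up as "unknown-flags": without the flag tokens you cannot tell a SYN probe from a late reply, which is why the full line (or a packet capture) is worth obtaining before worrying.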