Re: Weird Incoming IP's and port numbers.

From: West P. (god-adminat_private)
Date: Mon Aug 27 2001 - 18:52:10 PDT

    At the time of these connections there are a lot of requests to AIM and
    MSN's messenger services.  Two computers were running one of each.  These
    connections are probably to get the ads and ticker news.
    
    So if the answer lies as a badly configured HTTP server farm wouldn't others
    be getting the same requests?  (I'm sure there are other users that have the
    same setup using AIM and MSN)
    
    Another suggestion was that my NAT wasn't blocking it as it should.  If this
    is the case, how is the person connecting to me with a 192.168.1.x address?
    Wouldn't it be their NAT that wasn't changing their internal IP back to
    their external IP?
    
    Since these last entries I have blocked all 192.168.1.x addresses except the
    ones I am using, and I distanced the IPs so they are not just 2, 3, and 4.
    I also haven't received any more requests.
    
    -West P.
    
    ----- Original Message -----
    From: West P. <god-adminat_private>
    To: <incidentsat_private>
    Sent: Sunday, August 26, 2001 10:21 PM
    Subject: Weird Incoming IP's and port numbers.
    
    
    > I'm using @home internet cable.  I have the linksys cable router + 4 port
    > switch.  This splits the connection to 3 computers in the house.  DHCP is
    > turned off.  The Internal IPs are 192.168.1.x  (2,3,4)... Over the past day
    > I received a couple of weird INCOMING entries in the log.
    >
    > DATE        TIME      SCR           SCR_PORT  DEST             DEST_PORT
    > 08/25/2001  13:24:52  192.168.1.8   80        <my ip address>  3976
    > 08/25/2001  19:04:42  192.168.1.16  80        <my ip address>  4319
    > 08/25/2001  23:25:38  192.168.1.9   80        <my ip address>  4450
    >
    > How is it possible that these are coming into the router from the outside?
    > Is this an error on the router?  Do any of these ports seem familiar?
    >
    > Extra note:  When I tried to make a connection with these ports from within
    > my network it refused the connection and didn't put it in the incoming or
    > outgoing log.
    >
    > Is there an explanation for this?
    >
    >
    > ----------------------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service.
    > For more information on this free incident handling, management
    > and tracking system please see: http://aris.securityfocus.com
    >
    
    
    



    This archive was generated by hypermail 2b30 : Wed Aug 29 2001 - 08:15:39 PDT
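
The check discussed in this thread, as an added example that is not part of the original messages: it parses router log lines in the column layout quoted above and flags inbound entries whose source is an RFC 1918 address, noting whether that address is one of the LAN hosts actually in use (192.168.1.2-4, from the post). The function names, the documentation address 203.0.113.10 standing in for the redacted `<my ip address>`, the fourth sample line, and the "source port 80/443 to a high destination port looks like reply traffic" heuristic are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 1918 private ranges; a packet arriving on the WAN side should never carry one as its source.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hosts actually in use on the LAN, per the original post (192.168.1.2, .3, .4).
KNOWN_INTERNAL = {ipaddress.ip_address(f"192.168.1.{h}") for h in (2, 3, 4)}

# Constructed sample: the three entries from the post with a documentation address
# in place of "<my ip address>", plus one constructed entry from a public source.
SAMPLE_LOG = """\
08/25/2001 13:24:52  192.168.1.8   80  203.0.113.10  3976
08/25/2001 19:04:42  192.168.1.16  80  203.0.113.10  4319
08/25/2001 23:25:38  192.168.1.9   80  203.0.113.10  4450
08/25/2001 23:40:01  198.51.100.7  80  203.0.113.10  4461
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)\s+(\d+)\s*$")

def classify(line):
    """Parse one log line; return a dict with a list of flags, or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    date, time, src, sport, _dst, dport = m.groups()
    try:
        src_ip = ipaddress.ip_address(src)
    except ValueError:
        return None
    sport, dport = int(sport), int(dport)
    flags = []
    if any(src_ip in net for net in PRIVATE_NETS):
        flags.append("private-source-on-wan")
        if src_ip not in KNOWN_INTERNAL:
            flags.append("not-a-known-lan-host")
    # Assumed heuristic: a web-server source port to an ephemeral destination port
    # looks like a reply to an outbound request, not a new inbound connection.
    if sport in (80, 443) and dport >= 1024:
        flags.append("looks-like-http-reply")
    return {"when": f"{date} {time}", "src": src, "sport": sport, "dport": dport, "flags": flags}

def suspicious_entries(log_text):
    """Return parsed entries whose source address is private (should not appear inbound)."""
    parsed = (classify(line.strip()) for line in log_text.splitlines())
    return [e for e in parsed if e and "private-source-on-wan" in e["flags"]]

if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(e["when"], e["src"], e["sport"], "->", e["dport"], ",".join(e["flags"]))
```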