RE: Weird Incoming IP's and port numbers.

From: Vachon, Scott (Scott.Vachonat_private)
Date: Tue Aug 28 2001 - 05:40:46 PDT


    >I'm using @home internet cable.  I have the linksys cable router + 4 port
    >switch.  This splits the connection to 3 computers in the house.  DHCP is
    >turned off.  The Internal IPs are 192.168.1.x  (2,3,4)... Over the past day
    >I received a couple of weird INCOMING entries in the log.
    
    >DATE           TIME        SCR       SCR_PORT      DEST         DEST_PORT
    >08/25/2001 13:24:52  192.168.1.8      80          <my ip address>      3976
    >08/25/2001 19:04:42  192.168.1.16    80         <my ip address>       4319
    >08/25/2001 23:25:38  192.168.1.9      80          <my ip address>      4450
    
    The first two sets of ports are unassigned. The last one is assigned to
    CAMP. As near as I can tell, CAMP is an enhanced DOS-based OS. See:
    http://www.antronics.com/camp/version4.htm  Maybe someone more knowledgeable
    can give more insight on this?
    
    
    >How is it possible that these are coming into the router from the outside?
    >Is this an error on the router?  Do any of these ports seem familiar.
    
    Well, obviously, you are not using public IP addresses on your LAN. Did you
    open any ports to the internal network? Is the router set to drop ICMP? Or
    perhaps you have placed some of the destination addresses in the DMZ?
    
    >Extra note:  When I tried to make a connection with these ports from within
    >my network it refused the connection and didn't put it in the incoming or
    >outgoing log.
    
    If you tried accessing the ports internally, the router (if set as a
    gateway) will not have to pass any traffic externally or accept any in, thus
    no log entries. Also, since you are most likely not running any applications
    that use those ports, there is nothing to accept the connections.
    
    I suspect one of two things:
    
    1) You have a dynamically assigned public IP address. The connection
    attempts may be intended for the system which last had your current address.
    
    or:
    
    2) Someone is flying blind and trying to probe for responses.
    
    I suggest downloading and installing Tiny Personal software (freeware) on
    one of your internal Windows systems. This will help you get a better
    picture of what type of traffic is on your internal network and will let
    you allow or deny the traffic at a more granular level than the Linksys
    will.
    
    
    ~S~
    
    Disclaimer: My own 2 cents.
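The triage the reply walks through (private source address arriving on the WAN side, source port 80 to a high port, whether the destination port has a registered name) can be scripted against the router's log. The following is an added example, not code from the original post or from Linksys: it parses lines in the column layout quoted in the thread and tags each entry. The sample log lines are constructed for the example, with the poster's hidden address replaced by 203.0.113.7 (a documentation address), and the port-name table is a deliberately tiny placeholder, not the IANA registry.

```python
"""Triage of 'incoming' entries from a Linksys-style firewall log.

Added example, not from the original post. The column layout follows the
entries quoted in the thread; the sample lines, the WAN address
203.0.113.7 (RFC 5737 documentation range) and the extra probe line are
constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass

# DATE TIME SRC SRC_PORT DST DST_PORT, whitespace separated (as in the thread).
LOG_RE = re.compile(
    r"^(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s*$"
)

# RFC 1918 space: a packet with one of these source addresses has no
# legitimate way to arrive from the Internet side of the router.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Placeholder subset of registered port names (constructed). A real tool
# would load the IANA registry or /etc/services; 4450 is the port the
# thread identifies as CAMP.
PORT_NAMES = {80: "http", 443: "https", 4450: "camp"}

EPHEMERAL_LOW = 1024  # ports at or above this are client-side/ephemeral


@dataclass
class Entry:
    date: str
    time: str
    src: str
    sport: int
    dst: str
    dport: int


def parse_line(line):
    """Parse one log line; return None for headers or unparseable lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["date"], m["time"], m["src"], int(m["sport"]),
                 m["dst"], int(m["dport"]))


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_NETS)


def classify(e):
    """Return the list of tags explaining why an incoming entry is odd."""
    tags = []
    if is_private(e.src):
        # Spoofed, leaked from the ISP's side, or a router logging artefact;
        # either way it should never be accepted as Internet traffic.
        tags.append("private-source-on-wan")
    if e.sport < EPHEMERAL_LOW and e.dport >= EPHEMERAL_LOW:
        # Source 80 -> high port has the shape of a web server's reply to a
        # client, which also makes it a favourite for probes trying to slip
        # past stateless "allow established" filters.
        tags.append("looks-like-server-reply")
    if e.dport in PORT_NAMES:
        tags.append("dport:" + PORT_NAMES[e.dport])
    if not tags:
        tags.append("unremarkable")
    return tags


def triage(lines):
    """Parse and classify every parseable line; returns [(Entry, tags), ...]."""
    results = []
    for line in lines:
        e = parse_line(line)
        if e is not None:
            results.append((e, classify(e)))
    return results


# Constructed sample: the three entries from the thread (WAN address
# substituted) plus one ordinary inbound probe from a public address.
SAMPLE_LOG = """\
DATE           TIME        SCR       SCR_PORT      DEST         DEST_PORT
08/25/2001 13:24:52  192.168.1.8      80          203.0.113.7      3976
08/25/2001 19:04:42  192.168.1.16    80         203.0.113.7       4319
08/25/2001 23:25:38  192.168.1.9      80          203.0.113.7      4450
08/26/2001 02:10:01  198.51.100.23   41022      203.0.113.7       80
"""

if __name__ == "__main__":
    for entry, tags in triage(SAMPLE_LOG.splitlines()):
        print(f"{entry.date} {entry.time} {entry.src}:{entry.sport} -> "
              f"{entry.dst}:{entry.dport}  {', '.join(tags)}")
```

Run it against the router's exported incoming log; the three thread entries come out tagged both private-source-on-wan and looks-like-server-reply, which is the combination that cannot be a normal Internet host talking to you, while the constructed fourth line is a plain inbound connection attempt to port 80 and gets only the port-name tag.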
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    



    This archive was generated by hypermail 2b30 : Wed Aug 29 2001 - 08:22:11 PDT