Aaron, The packets to port 1900 (first sample) are SSDP, (http://www.kb.cert.org/vuls/id/411059 for a little info) probably from MSN messenger on the W2K machine. Packets to 162 (second sample) are SNMP Traps from your 192.168.1.1 host. Packets to 53 are DNS queries and the packets to 123 are NTP (time) queries/responses All these are 'probably' the services they state they are, further inspection of the packet payload should confirm this for you. Ian. "Klepinger, Aaron" To: "'incidentsat_private'" <incidentsat_private> <Aaron.Klepin cc: ger Subject: DSL Modem or Router Cracked? @CompuCredit. com> 12/06/2002 21:03 I believe my router or DSL modem has been compromised. I'm basically a newbie when it comes to security and setting up a server, but I set one up just to mess around with it. I'm not real worried about someone getting info off of my machine, but they are really slowing down my connection and it's annoying! Here's my setup: Win2K Server running IIS5, Exchange 2000, ZoneAlarm 3.x (with several shady ports open: 113 and 25), Netshield w/latest defs, DNS2Go dns forwarding enabled (advertising...come crack me!!! bad, I know) Mac OS X 10.1.5 with Brickhouse firewall Alcatel Speed Touch Home with 3.2.7 firmware Linksys BEFSR41 with 1.42.7 firmware (port 113 and 25 forwarded to LAN) ->Win2K Server Alcatel->Linksys ->MacOS X Anyone have any idea what happened? Let me know if I missed anything. I found that port 1900 was SSDP, but I'm not sure what that even does. Also, my Win2K box has all the latest patches for Win2K, IIS, IE, Exchange, etc., long & difficult admin password, iislockdown run, etc. ZoneAlarm trusts the network (192.168.1.X...bad idea, I know) and doesn't prompt when a new app hits the network (also bad, I know). That feature was crashing my ZoneAlarm. I tried restarting the router, but the traffic seemed to just continue. I'll try some of the Alcatel updates later: http://security.sdsc.edu/self-help/alcatel http://www.cert.org/advisories/CA-2001-08.html http://online.securityfocus.com/bid/3851 http://online.securityfocus.com/bid/2566 http://online.securityfocus.com/bid/2568 Does anyone have any idea what could be causing this? Thanks in advance, Aaron 06/12-00:45:01.774507 192.168.1.1:1901 -> 239.255.255.250:1900 UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:297 Len: 277 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 06/12-00:45:01.786698 192.168.1.1:1901 -> 239.255.255.250:1900 UDP TTL:150 TOS:0x0 ID:8 IpLen:20 DgmLen:349 Len: 329 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 06/12-00:45:01.788292 192.168.1.1:1901 -> 239.255.255.250:1900 UDP TTL:150 TOS:0x0 ID:9 IpLen:20 DgmLen:341 Len: 321 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 06/12-01:10:09.161243 192.168.1.2:20752 -> 205.152.37.254:53 UDP TTL:128 TOS:0x0 ID:32269 IpLen:20 DgmLen:61 Len: 41 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 06/12-01:10:09.178139 205.152.37.254:53 -> 192.168.1.2:20752 UDP TTL:251 TOS:0x0 ID:8301 IpLen:20 DgmLen:155 DF Len: 135 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 06/12-01:10:09.182068 192.168.1.2:20753 -> 129.6.15.29:123 UDP TTL:128 TOS:0x0 ID:32270 IpLen:20 DgmLen:76 Len: 56 =+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+ 06/12-01:10:09.184166 192.168.1.1:1051 -> 192.168.1.255:162 UDP TTL:150 TOS:0x0 ID:0 IpLen:20 DgmLen:144 Len: 124 ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Thu Jun 13 2002 - 12:38:05 PDT