Security Incidents mailing list archives

Re: Weird Incoming IP's and port numbers.


From: "West P." <god-admin () home com>
Date: Mon, 27 Aug 2001 21:52:10 -0400

At the time of these connections there are a lot of requests to AIM and
MSN's messenger services.  Two computers were running one of each.  These
connections are probably to get the ads and ticker news.

So if the answer lies as a badly configured HTTP server farm wouldn't others
be getting the same requests?  (I'm sure there are other users that have the
same setup using AIM and MSN)

Another suggestion was that my NAT wasn't blocking it as it should.  If this
is the case, how is the person connecting to me with a 192.168.1.x address?
Wouldn't it be their NAT that wasn't changing their internal IP back to
their external IP?

Since these last entries I have blocked all 192.168.1.x addresses except the
ones I am using, and I distanced the IPs so they are not just 2, 3, and 4.
I also haven't received any more requests.

-West P.

----- Original Message -----
From: West P. <god-admin () home com>
To: <incidents () securityfocus com>
Sent: Sunday, August 26, 2001 10:21 PM
Subject: Weird Incoming IP's and port numbers.


I'm using @home internet cable.  I have the Linksys cable router + 4 port
switch.  This splits the connection to 3 computers in the house.  DHCP is
turned off.  The Internal IPs are 192.168.1.x  (2,3,4)... Over the past day
I received a couple of weird INCOMING entries in the log.

DATE        TIME      SCR           SCR_PORT  DEST             DEST_PORT
08/25/2001  13:24:52  192.168.1.8   80        <my ip address>  3976
08/25/2001  19:04:42  192.168.1.16  80        <my ip address>  4319
08/25/2001  23:25:38  192.168.1.9   80        <my ip address>  4450

How is it possible that these are coming into the router from the outside?
Is this an error on the router?  Do any of these ports seem familiar?

Extra note:  When I tried to make a connection with these ports from within
my network it refused the connection and didn't put it in the incoming or
outgoing log.

Is there an explanation for this?


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
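
Added example, not part of the original messages: a short Python check for the kind of entries reported above, inbound log rows whose source is an RFC 1918 address that is not one of your own hosts. The column order follows the log in the post; the sample rows, the 203.0.113.10 placeholder for "<my ip address>", and the function names are assumptions made for illustration.

```python
import ipaddress
import re

# RFC 1918 private ranges; these are not routable on the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
DATE_RE = re.compile(r"\d{2}/\d{2}/\d{4}$")

# Constructed sample in the post's column layout. 203.0.113.10 stands in for
# "<my ip address>"; the 198.51.100.7 row is invented as a non-matching entry.
# Two rows are wrapped the way the mail client wrapped them in the post.
SAMPLE_LOG = """\
DATE           TIME        SCR       SCR_PORT      DEST         DEST_PORT
08/25/2001 13:24:52  192.168.1.8      80          203.0.113.10
3976
08/25/2001 19:04:42  192.168.1.16    80         203.0.113.10       4319
08/25/2001 20:10:05  198.51.100.7    80         203.0.113.10       4400
08/25/2001 23:25:38  192.168.1.9      80          203.0.113.10
4450
"""

def parse_entries(text):
    """Yield one dict per entry, tolerating rows wrapped across lines."""
    tokens = text.split()
    i = 0
    while i < len(tokens):
        chunk = tokens[i:i + 6]
        if len(chunk) == 6 and DATE_RE.match(chunk[0]):
            try:
                entry = {"date": chunk[0], "time": chunk[1],
                         "src": ipaddress.ip_address(chunk[2]), "sport": int(chunk[3]),
                         "dst": chunk[4], "dport": int(chunk[5])}
            except ValueError:
                i += 1  # malformed row: resync on the next token
                continue
            yield entry
            i += 6
        else:
            i += 1  # header word or stray token

def private_source_entries(text, inside_hosts=()):
    """Return entries whose source is RFC 1918 but not one of our own hosts."""
    own = {ipaddress.ip_address(h) for h in inside_hosts}
    return [e for e in parse_entries(text)
            if e["src"] not in own and any(e["src"] in net for net in RFC1918)]

if __name__ == "__main__":
    for e in private_source_entries(SAMPLE_LOG, ("192.168.1.2", "192.168.1.3", "192.168.1.4")):
        print(e["date"], e["time"], e["src"], e["sport"], "->", e["dst"], e["dport"])
```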


