Security Basics mailing list archives
from 127.0.0.1:80 to myIP:1838 on eth0
From: Useru Chior <useru_chior () yahoo com>
Date: 26 Sep 2003 11:54:55 -0000
As I am only a physicist with some computing experience and not a computer professional, I would like to hear as much
as possible about the following issue.
The computer I use at my working place is a personal machine:
- WXP professional with SP1 and all critical updates installed
- Sygate Personal Firewall 5.1 build 1615s with advanced rules (ipchains - like)
I have scanned my system using Sygate's trojan scan service and also I have scanned the system using Sophos
Antivirus. The system seems to be clean.
I am connected to the network of the company via a fibre optic cable (presumably to a switch). The network
configuration looks like:
IP 192.168.1.115
netmask 255.255.255.0
gateway 192.168.1.255
nameservers xx.xx.xx.x1, xx.xx.xx.x2
(In fact I have a routable IP, which is not listed here.)
The firewall is usually showing me something like 10 to 30 connection attempts a day on various services (80,
21, 25, 554, 1433 and some high ports which I can only associate with backdoor-type servers). Also it is showing from time
to time packets which seem to emerge from routable IPs from outside the company and which seem to try to force open a
connection with an external 'web' (80) server. Normal s***.
One week ago packets like the ones decoded here started to pop up in the firewall log.
------------------------------------------------------------------------------------
09/25/2003 22:01:09
Ethernet II (Packet Length: 60)
Destination: ff-ff-ff-ff-ff-ff
Source: ZZ-ZZ-ZZ-ZZ-ZZ-ZZ - hardware address of the gateway
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 1
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0x6951 (Correct)
Source: 127.0.0.1
Destination: 192.168.1.0
Transmission Control Protocol (TCP)
Source port: 80
Destination port: 1823
Sequence number: 0
Acknowledgment number: 1573847041
Header length: 20
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .1.. = Reset: Set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Checksum: 0xd514 (Correct)
Data (0 Bytes)
------------------------------------------------------------------------------------
09/25/2003 21:57:47
Ethernet II (Packet Length: 60)
Destination: YY-YY-YY-YY-YY-YY - hardware address of my machine
Source: ZZ-ZZ-ZZ-ZZ-ZZ-ZZ - hardware address of the gateway
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset:0
Time to live: 124
Protocol: 0x6 (TCP - Transmission Control Protocol)
Header checksum: 0x3b07 (Correct)
Source: 127.0.0.1
Destination: 192.168.1.115
Transmission Control Protocol (TCP)
Source port: 80
Destination port: 1838
Sequence number: 0
Acknowledgment number: 404619265
Header length: 20
Flags:
0... .... = Congestion Window Reduce (CWR): Not set
.0.. .... = ECN-Echo: Not set
..0. .... = Urgent: Not set
...1 .... = Acknowledgment: Set
.... 0... = Push: Not set
.... .1.. = Reset: Set
.... ..0. = Syn: Not set
.... ...0 = Fin: Not set
Checksum: 0x135a (Correct)
Data (0 Bytes)
---------------------------------------------------------------------------
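The decodes above can be triaged mechanically. The following script is an added example, not code from the post or from Sygate: it parses the text decode format shown above (timestamp, IP source/destination, TTL, TCP flag lines, dashed separators) and flags the header facts a defender would check first. The sample log is a constructed, trimmed copy of the two decodes in the post, the 192.168.1.0/24 network comes from the poster's configuration, and the finding labels ("loopback-source" and so on) are this script's own names.

```python
# Triage helper for Sygate-style decoded packet logs (added example).
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample: the two decodes from the post, trimmed to the fields
# this script reads (timestamp, TTL, IP src/dst, TCP flags, separators).
SAMPLE_LOG = """\
09/25/2003 22:01:09
Destination: ff-ff-ff-ff-ff-ff
Time to live: 1
Source: 127.0.0.1
Destination: 192.168.1.0
...1 .... = Acknowledgment: Set
.... .1.. = Reset: Set
.... ..0. = Syn: Not set
------------------------------------------------------------------------------------
09/25/2003 21:57:47
Destination: YY-YY-YY-YY-YY-YY - hardware address of my machine
Time to live: 124
Source: 127.0.0.1
Destination: 192.168.1.115
...1 .... = Acknowledgment: Set
.... .1.. = Reset: Set
.... ..0. = Syn: Not set
------------------------------------------------------------------------------------
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
RE_SEP = re.compile(r"^-{20,}$")
RE_TS = re.compile(r"^\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}$")
RE_SRC = re.compile(r"^Source:\s+" + IPV4 + r"$")      # MAC lines do not match
RE_DST = re.compile(r"^Destination:\s+" + IPV4 + r"$")
RE_TTL = re.compile(r"^Time to live:\s+(\d+)")
RE_FLAG = re.compile(r"=\s+(.+?)(?:\s+\([A-Z]+\))?:\s+(Set|Not set)$")


@dataclass
class Packet:
    timestamp: str = ""
    src: str = ""
    dst: str = ""
    ttl: Optional[int] = None
    flags: Dict[str, bool] = field(default_factory=dict)


def parse_log(text: str) -> List[Packet]:
    """Split the decode text on separator lines and pull out the header fields."""
    packets: List[Packet] = []
    cur = Packet()
    for raw in text.splitlines():
        line = raw.strip()
        if RE_SEP.match(line):
            if cur.src:
                packets.append(cur)
            cur = Packet()
        elif RE_TS.match(line):
            cur.timestamp = line
        elif (m := RE_SRC.match(line)):
            cur.src = m.group(1)
        elif (m := RE_DST.match(line)):
            cur.dst = m.group(1)
        elif (m := RE_TTL.match(line)):
            cur.ttl = int(m.group(1))
        elif (m := RE_FLAG.search(line)):
            cur.flags[m.group(1)] = m.group(2) == "Set"
    if cur.src:
        packets.append(cur)
    return packets


def analyze(pkt: Packet, local_net: str = "192.168.1.0/24") -> List[str]:
    """Return the header anomalies a defender should note for one packet."""
    findings: List[str] = []
    net = ipaddress.ip_network(local_net)
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    # RFC 1122 3.2.1.3: 127/8 must never appear on the wire, so a packet
    # that arrived on eth0 with this source was forged or badly misconfigured.
    if src.is_loopback:
        findings.append("loopback-source")
    # Addressed to the subnet's network or broadcast address, not a host.
    if dst in (net.network_address, net.broadcast_address):
        findings.append("subnet-address-destination")
    # TTL 1 is dropped by the next router: sender is on the local segment
    # or chose the TTL deliberately.
    if pkt.ttl is not None and pkt.ttl <= 1:
        findings.append("ttl-one")
    # RST+ACK without SYN is how a host answers a SYN it did not accept;
    # one arriving for a connection we never opened means our address was
    # used as the source of someone else's SYN, or the packet is crafted.
    if pkt.flags.get("Reset") and pkt.flags.get("Acknowledgment") and not pkt.flags.get("Syn"):
        findings.append("rst-ack-reply")
    return findings


def triage(text: str, local_net: str = "192.168.1.0/24") -> List[Tuple[str, str, str, List[str]]]:
    """Parse a whole log and return (timestamp, src, dst, findings) per packet."""
    return [(p.timestamp, p.src, p.dst, analyze(p, local_net)) for p in parse_log(text)]


if __name__ == "__main__":
    for ts, src, dst, found in triage(SAMPLE_LOG):
        print(f"{ts}  {src} -> {dst}  {', '.join(found) or 'nothing notable'}")
```

Run against the sample, the first decode reports all four findings and the second reports the loopback source and the RST/ACK; the combination of an impossible source address with a reset-reply is the fact to carry into any follow-up with the network team, since the firewall's own "Correct" checksum annotations only say the packets were well-formed, not that they were legitimate.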