Security Basics mailing list archives
from 127.0.0.1:80 to myIP:1838 on eth0
From: Useru Chior <useru_chior () yahoo com>
Date: 26 Sep 2003 11:54:55 -0000
As I am only a physicist with some computing experience and not a computer professional, I would like to hear as much as possible about the following issue.

The computer I use at my working place is a personal machine:
- WXP Professional with SP1 and all critical updates installed
- Sygate Personal Firewall 5.1 build 1615s with advanced rules (ipchains-like)

I have scanned my system using Sygate's trojan scan service and also I have scanned the system using Sophos Antivirus. The system seems to be clean.

I am connected to the network of the company via a fibre optic cable (presumably to a switch). The network configuration looks like:
  IP          192.168.1.115
  netmask     255.255.255.0
  gateway     192.168.1.255
  nameservers xx.xx.xx.x1, xx.xx.xx.x2
(In fact I have a routable IP, which is not listed here.)

The firewall is usually showing me something like 10 to 30 connection attempts a day on various services (80, 21, 25, 554, 1433 and some high ports which I can only associate with backdoor-type servers). Also it is showing from time to time packets which seem to emerge from routable IPs from outside the company and which seem to try to force open a connection with an external 'web' (80) server. Normal s***.

One week ago packets like the ones decoded here started to pop up in the firewall log.

------------------------------------------------------------------------------------
09/25/2003 22:01:09
Ethernet II (Packet Length: 60)
  Destination: ff-ff-ff-ff-ff-ff
  Source: ZZ-ZZ-ZZ-ZZ-ZZ-ZZ - hardware address of the gateway
  Type: IP (0x0800)
Internet Protocol
  Version: 4
  Header Length: 20 bytes
  Flags:
    .0.. = Don't fragment: Not set
    ..0. = More fragments: Not set
  Fragment offset: 0
  Time to live: 1
  Protocol: 0x6 (TCP - Transmission Control Protocol)
  Header checksum: 0x6951 (Correct)
  Source: 127.0.0.1
  Destination: 192.168.1.0
Transmission Control Protocol (TCP)
  Source port: 80
  Destination port: 1823
  Sequence number: 0
  Acknowledgment number: 1573847041
  Header length: 20
  Flags:
    0... .... = Congestion Window Reduce (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...1 .... = Acknowledgment: Set
    .... 0... = Push: Not set
    .... .1.. = Reset: Set
    .... ..0. = Syn: Not set
    .... ...0 = Fin: Not set
  Checksum: 0xd514 (Correct)
  Data (0 Bytes)
------------------------------------------------------------------------------------
09/25/2003 21:57:47
Ethernet II (Packet Length: 60)
  Destination: YY-YY-YY-YY-YY-YY - hardware address of my machine
  Source: ZZ-ZZ-ZZ-ZZ-ZZ-ZZ - hardware address of the gateway
  Type: IP (0x0800)
Internet Protocol
  Version: 4
  Header Length: 20 bytes
  Flags:
    .0.. = Don't fragment: Not set
    ..0. = More fragments: Not set
  Fragment offset: 0
  Time to live: 124
  Protocol: 0x6 (TCP - Transmission Control Protocol)
  Header checksum: 0x3b07 (Correct)
  Source: 127.0.0.1
  Destination: 192.168.1.115
Transmission Control Protocol (TCP)
  Source port: 80
  Destination port: 1838
  Sequence number: 0
  Acknowledgment number: 404619265
  Header length: 20
  Flags:
    0... .... = Congestion Window Reduce (CWR): Not set
    .0.. .... = ECN-Echo: Not set
    ..0. .... = Urgent: Not set
    ...1 .... = Acknowledgment: Set
    .... 0... = Push: Not set
    .... .1.. = Reset: Set
    .... ..0. = Syn: Not set
    .... ...0 = Fin: Not set
  Checksum: 0x135a (Correct)
  Data (0 Bytes)
------------------------------------------------------------------------------------
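The two firewall log entries above, rebuilt and decoded programmatically as an added example (this is not part of the original post and not Sygate's code): a builder for constructed frames with the same IP/TCP field values, a parser for the Ethernet/IPv4/TCP fields the firewall displays (including verification of the IPv4 header checksum), and a checklist of what makes these packets worth a second look. The MAC addresses are constructed placeholders, and the TCP checksum is not computed.

```python
import struct
from ipaddress import ip_address
TCP_RST, TCP_ACK = 0x04, 0x10
GATEWAY_MAC, MY_MAC = "02-00-00-00-00-01", "02-00-00-00-00-02"  # constructed placeholders, not the poster's
def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum; evaluates to 0 over a header whose checksum field is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl, sport, dport, seq, ack, flags) -> bytes:
    """Constructed frame: Ethernet II + 20-byte IPv4 + 20-byte TCP, no payload, padded to 60 bytes."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0,
                         ip_address(src_ip).packed, ip_address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 0, 0, 0)  # TCP checksum left 0
    eth = bytes.fromhex(dst_mac.replace("-", "")) + bytes.fromhex(src_mac.replace("-", "")) + b"\x08\x00"
    return (eth + ip_hdr + tcp_hdr).ljust(60, b"\x00")

def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet/IPv4/TCP fields shown in the firewall's packet view."""
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    ip, tcp = frame[14:14 + ihl], frame[14 + ihl:14 + ihl + 20]
    sport, dport, seq, ack, _, flags = struct.unpack("!HHIIBB", tcp[:14])
    return {"dst_mac": frame[:6], "src_ip": ip_address(ip[12:16]), "dst_ip": ip_address(ip[16:20]),
            "ttl": ip[8], "ip_checksum_ok": ip_checksum(ip) == 0,
            "sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags}

def anomalies(pkt: dict) -> list:
    """Reasons a packet like those in the log deserves a look; none of them alone proves compromise."""
    notes = []
    if pkt["src_ip"].is_loopback:
        notes.append("loopback source 127.0.0.0/8 arrived on the wire: address is forged or misconfigured")
    if pkt["dst_mac"] == b"\xff" * 6:
        notes.append("Ethernet broadcast destination for a unicast TCP segment")
    if (pkt["flags"] & (TCP_RST | TCP_ACK)) == (TCP_RST | TCP_ACK) and pkt["seq"] == 0:
        notes.append("RST/ACK with seq 0 is shaped like a closed-port reply to a SYN: look for a matching outbound SYN")
    if pkt["ttl"] == 1:
        notes.append("TTL 1: would be dropped at the next router hop")
    if not pkt["ip_checksum_ok"]:
        notes.append("bad IPv4 header checksum")
    return notes
# Constructed frames mirroring the two log entries quoted above.
BROADCAST_RST = build_frame("ff-ff-ff-ff-ff-ff", GATEWAY_MAC, "127.0.0.1", "192.168.1.0", 1, 80, 1823, 0, 1573847041, TCP_RST | TCP_ACK)
UNICAST_RST = build_frame(MY_MAC, GATEWAY_MAC, "127.0.0.1", "192.168.1.115", 124, 80, 1838, 0, 404619265, TCP_RST | TCP_ACK)
```

Calling `anomalies(parse_frame(BROADCAST_RST))` returns four notes for the broadcast packet and `anomalies(parse_frame(UNICAST_RST))` two for the unicast one; the same parser can be pointed at raw frames captured with a sniffer on the same interface.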
Current thread:
- from 127.0.0.1:80 to myIP:1838 on eth0 Useru Chior (Sep 26)
- RE: from 127.0.0.1:80 to myIP:1838 on eth0 David Gillett (Sep 26)
- <Possible follow-ups>
- Re: from 127.0.0.1:80 to myIP:1838 on eth0 Useru Chior (Sep 29)