Security Incidents mailing list archives

RE: Weird Incoming IP's and port numbers.


From: "Vachon, Scott" <Scott.Vachon () Paymentech com>
Date: Tue, 28 Aug 2001 07:40:46 -0500

I'm using @home internet cable.  I have the linksys cable router + 4 port
switch.  This splits the connection to 3 computers in the house.  DHCP is
turned off.  The Internal IPs are 192.168.1.x  (2,3,4)... Over the past day
I received a couple of weird INCOMING entries in the log.

DATE        TIME      SRC           SRC_PORT   DEST               DEST_PORT
08/25/2001  13:24:52  192.168.1.8   80         <my ip address>    3976
08/25/2001  19:04:42  192.168.1.16  80         <my ip address>    4319
08/25/2001  23:25:38  192.168.1.9   80         <my ip address>    4450

The first two sets of ports are unassigned. The last one is assigned to
CAMP. As near as I can tell, CAMP is an enhanced DOS based OS. See:
http://www.antronics.com/camp/version4.htm  Maybe someone more knowledgeable
can give more insight on this?


How is it possible that these are coming into the router from the outside?
Is this an error on the router?  Do any of these ports seem familiar?

Well, obviously, you are not using public IP addresses on your LAN. Did you
open any ports to the internal network? Is the router set to drop ICMP? Or
perhaps you have placed some of the destination addresses in the DMZ?

Extra note:  When I tried to make a connection with these ports from within
my network it refused the connection and didn't put it in the incoming or
outgoing log.

If you tried accessing the ports internally, the router (if set as a
gateway) will not have to pass any traffic externally or accept any in, thus
no log entries. Also, since most likely you are not running any applications
that use those ports, there is nothing to accept the connections.

I suspect one of two things:

1) You have a dynamically assigned public IP address. The connection
attempts may be intended for the system which last had your current address.

or:

2) Someone is flying blind and trying to probe for responses.

I suggest downloading and installing Tiny Personal software (freeware) to
one of your internal Windows systems. This will help you to get a better
picture of what type of traffic is on your internal network and will allow
you to allow or deny the traffic at a more granular level than the Linksys
will.


~S~

Disclaimer: My own 2 cents.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
