[X4U] Stealth Mode connection attempts

Stroller macmonster at myrealbox.com
Fri Jul 22 21:53:04 PDT 2005


On Jul 23, 2005, at 12:25 am, Nick Scalise wrote:
> On Jul 22, 2005, at 6:18 PM, John Kiss wrote:
>
>> I just recently decided to turn on my firewall logging. I'm finding a 
>> lot of Stealth Mode connection attempts in the list. Shown below is 
>> an example. The 192.168.0.100 is my IP address.
>
>> Who is 38.113.192.83?
>
> Not really. It's probably just a compromised Windows box looking for 
> other Windows boxes to compromise.

A port-scan (`nmap -O`) seems to suggest that 38.113.192.83 is 
actually a Linux box, which would make sense if the IP belongs to a 
web-hosting company.

>> .... ipfw: Stealth Mode connection attempt to TCP 192.168.0.100:49425 
>> from 38.113.192.83:80
>
> Ain't logging great? Tells you all sorts of stuff you wish you never 
> knew.
>
> If you really want, you could email the folks at svwh.net and ask them 
> why a machine in their control is attempting to gain access to your 
> machine.

"Attempting to gain access" seems an unhelpful synonym for "a 
connection attempt" to me. Am I "attempting to gain access" when I open 
a webpage?

The original log entry looks bogus to me. 192.168.0.100 is an internal 
address, so unless ports are forwarded to it at the router it shouldn't 
see any attempts to initiate connections - only responses from already 
existing connections. 49425 is an unprivileged port and not listed in 
/etc/services, so I doubt it's one someone would try & run any sort of 
exploits against. It looks to me like the router & `ipfw` have 
different criteria for connection tracking.

Since port 80 is that of a webserver, is it possible that this is 
something coming back from a webpage Mr Kiss looked at?

... Googling for "ipfw Stealth Mode connection attempts" brings up a 
bunch of relevant-looking hits. I'm inclined to believe Kampl at 
http://forums.macnn.com/showthread.php?t=259581 when he says:

    This is not an attack. It is return traffic from a web server for
    which the firewall connection table timeouts have been exceeded.
    It can be ignored. Latency or misconfiguration on the remote end
    is what I would blame for the delayed response from the server that
    got dropped by the firewall.

and:

    Scans of all kinds from the Internet are a given. It was blocked,
    so nothing to really react to. If you really are paranoid I would
    recommend running an IDS to parse the incoming traffic for further
    insight to the nature of the intrusion attempt.

Stroller.
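As an added illustration of the triage Stroller and the quoted MacNN post describe (this is example code written for this archive page, not anything from the thread or from Apple's ipfw): a small parser that reads `ipfw: Stealth Mode connection attempt` lines and sorts them into "late reply to a connection I opened" versus "unsolicited probe at a service port". The log format is copied from the entry Mr Kiss posted; every other sample line is constructed. The ephemeral-port floor of 49152 and the list of service ports are assumptions chosen for the example, and the source port is attacker-controlled, so the result is a triage hint, not proof of either case.

```python
import re
from collections import Counter

# Constructed sample log. The first line reproduces the entry from the
# thread; the remaining lines are made up to show the other cases.
SAMPLE_LOG = """\
Jul 22 18:01:12 ipfw: Stealth Mode connection attempt to TCP 192.168.0.100:49425 from 38.113.192.83:80
Jul 22 18:01:15 ipfw: Stealth Mode connection attempt to TCP 192.168.0.100:49426 from 38.113.192.83:80
Jul 22 18:03:40 ipfw: Stealth Mode connection attempt to TCP 192.168.0.100:445 from 203.0.113.7:3312
Jul 22 18:03:41 ipfw: Stealth Mode connection attempt to TCP 192.168.0.100:135 from 203.0.113.7:3313
Jul 22 18:05:02 ipfw: Stealth Mode connection attempt to UDP 192.168.0.100:1026 from 198.51.100.9:1026
"""

LINE_RE = re.compile(
    r"ipfw: Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<lhost>[\d.]+):(?P<lport>\d+) from (?P<rhost>[\d.]+):(?P<rport>\d+)"
)

# Assumption for this example: the client side of outbound connections
# picks local ports from 49152 upwards, which is where 49425 falls.
EPHEMERAL_MIN = 49152

# Assumption: services a desktop client routinely connects *to*. A packet
# *from* one of these *to* an ephemeral local port has the shape of a
# delayed reply whose connection-table entry has already expired.
COMMON_SERVICE_PORTS = {80, 443, 25, 110, 143, 993, 995, 53, 22, 21}

# Assumption: high ports that are commonly probed from the Internet.
OFTEN_SCANNED_HIGH_PORTS = {1433, 3389, 5900, 8080}


def parse_line(line):
    """Return a dict of the addressing fields, or None if the line is not
    a Stealth Mode entry."""
    m = LINE_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["lport"] = int(entry["lport"])
    entry["rport"] = int(entry["rport"])
    return entry


def classify(entry):
    """Heuristic triage of one entry.

    'late-reply': source is a service port, destination is one of our
                  ephemeral ports: the pattern of return traffic arriving
                  after the firewall forgot the connection.
    'probe':      destination is a well-known or commonly scanned service
                  port, i.e. traffic nobody on this host asked for.
    'unknown':    neither pattern fits; worth a second look.
    Note the source port is chosen by the sender, so a scanner can set it
    to 80 deliberately; treat 'late-reply' as likely, not certain.
    """
    if entry["rport"] in COMMON_SERVICE_PORTS and entry["lport"] >= EPHEMERAL_MIN:
        return "late-reply"
    if entry["lport"] < 1024 or entry["lport"] in OFTEN_SCANNED_HIGH_PORTS:
        return "probe"
    return "unknown"


def summarize(log_text):
    """Count entries per (remote host, classification)."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # not a Stealth Mode line; ignore other ipfw noise
        counts[(entry["rhost"], classify(entry))] += 1
    return counts


if __name__ == "__main__":
    for (rhost, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{rhost:16} {kind:10} {n}")
```

Run against a real `/var/log/ipfw.log`, the interesting rows are the `probe` and `unknown` ones; a private 192.168.x address behind a NAT router should only see those on ports the router forwards, which is the point Stroller makes above.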