On Jul 23, 2005, at 12:25 am, Nick Scalise wrote:

> On Jul 22, 2005, at 6:18 PM, John Kiss wrote:
>
>> I just recently decided to turn on my firewall logging. I'm finding a
>> lot of Stealth Mode connection attempts in the list. Shown below is
>> an example. The 192.168.0.100 is my IP address.
>
>> Who is 18.104.22.168?
>
> Not really. It's probably just a compromised Windows box looking for
> other Windows boxes to compromise.

A port-scan (`nmap -O`) seems to suggest that 22.214.171.124 is actually a
Linux box, which would make sense if the IP belongs to a web-hosting company.

>> .... ipfw: Stealth Mode connection attempt to TCP 192.168.0.100:49425
>> from 126.96.36.199:80
>
> Ain't logging great? Tells you all sorts of stuff you wish you never
> knew.
>
> If you really want, you could email the folks at svwh.net and ask them
> why a machine in their control is attempting to gain access to your
> machine.

"Attempting to gain access" seems an unhelpful synonym for "a connection
attempt" to me. Am I "attempting to gain access" when I open a webpage?

The original log entry looks bogus to me. 192.168.0.100 is an internal
address, so unless ports are forwarded to it at the router it shouldn't see
any attempts to initiate connections - only responses from already existing
connections. 49425 is an unprivileged port and not listed in /etc/services,
so I doubt it's one someone would try & run any sort of exploits against.

It looks to me like the router & `ipfw` have different criteria for
connection tracking. Since port 80 is that of a webserver, is it possible
that this is something coming back from a webpage Mr Kiss looked at?

... Googling for "ipfw Stealth Mode connection attempts" brings up a bunch
of relevant-looking hits. I'm inclined to believe Kampl at
http://forums.macnn.com/showthread.php?t=259581 when he says:

    This is not an attack. It is return traffic from a web server for
    which the firewall connection table timeouts have been exceeded. It
    can be ignored.

    Latency or misconfiguration on the remote end is what I would blame
    for the delayed response from the server that got dropped by the
    firewall.

and:

    Scans of all kinds from the Internet are a given. It was blocked, so
    nothing to really react to. If you really are paranoid I would
    recommend running an IDS to parse the incoming traffic for further
    insight to the nature of the intrusion attempt.

Stroller.
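The triage rule the thread arrives at (a packet from a service port such as 80 aimed at an unprivileged local port is most likely a late reply the firewall's state table has forgotten, whereas one aimed at a privileged local port is a probe) can be applied to a whole log file rather than by eye. The script below is an added example, not code from the thread; the service-port set, the line-prefix format and all lines except the one quoted above are constructed for illustration.

```python
import re
from collections import namedtuple

# Field layout of the ipfw "Stealth Mode" line quoted in the thread.
STEALTH_RE = re.compile(
    r"ipfw: Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) from (?P<src_ip>[\d.]+):(?P<src_port>\d+)"
)
Entry = namedtuple("Entry", "proto dst_ip dst_port src_ip src_port")

# Remote ports a desktop client normally connects out to (web, mail).
# Assumed set for this example; extend it to what the machine really uses.
CLIENT_SERVICE_PORTS = {80, 443, 25, 110, 143, 993, 995}

def parse_line(line):
    """Return an Entry for a stealth-mode line, or None for anything else."""
    m = STEALTH_RE.search(line)
    if m is None:
        return None
    return Entry(m["proto"], m["dst_ip"], int(m["dst_port"]),
                 m["src_ip"], int(m["src_port"]))

def classify(e):
    # Source is a service port and the local port is unprivileged: the shape of
    # a late reply to a connection whose firewall state already timed out.
    if e.src_port in CLIENT_SERVICE_PORTS and e.dst_port >= 1024:
        return "late-reply"
    # Aimed at a privileged local port: someone checking for a listener.
    if e.dst_port < 1024:
        return "probe"
    return "other"

def triage(lines):
    counts = {}
    for line in lines:
        e = parse_line(line)
        if e is not None:
            label = classify(e)
            counts[label] = counts.get(label, 0) + 1
    return counts

# Constructed sample: the line from the thread, two invented entries using
# the 203.0.113.0/24 documentation block, and one unrelated syslog line.
SAMPLE_LOG = [
    "Jul 22 18:01:02 mac ipfw: Stealth Mode connection attempt to TCP 192.168.0.100:49425 from 126.96.36.199:80",
    "Jul 22 18:03:10 mac ipfw: Stealth Mode connection attempt to TCP 192.168.0.100:22 from 203.0.113.5:40123",
    "Jul 22 18:04:44 mac ipfw: Stealth Mode connection attempt to UDP 192.168.0.100:1900 from 203.0.113.9:1900",
    "Jul 22 18:05:00 mac kernel: unrelated message",
]
```

Run `triage(open("/var/log/ipfw.log").readlines())` against a real log to see how much of the "Stealth Mode" noise is late replies versus probes worth a second look.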