[X4U] Stealth Mode connection attempts

Stroller macmonster at myrealbox.com
Fri Jul 22 21:53:04 PDT 2005

On Jul 23, 2005, at 12:25 am, Nick Scalise wrote:
> On Jul 22, 2005, at 6:18 PM, John Kiss wrote:
>> I just recently decided to turn on my firewall logging. I'm finding a 
>> lot of Stealth Mode connection attempts in the list. Shown below is 
>> an example. The is my IP address.
>> Who is
> Not really. It's probably just a compromised Windows box looking for 
> other Windows boxes to compromise.

A port-scan (`nmap -O`) seems to suggest that  is 
actually a Linux box, which would make sense if the IP belongs to a 
web-hosting company.

>> .... ipfw: Stealth Mode connection attempt to TCP 
>> from
> Ain't logging great? Tells you all sorts of stuff you wish you never 
> knew.
> If you really want, you could email the folks at svwh.net and ask them 
> why a machine in their control is attempting to gain access to your 
> machine.

"Attempting to gain access" seems an unhelpful synonym for "a 
connection attempt" to me. Am I "attempting to gain access" when I open 
a webpage?

The original log entry looks bogus to me. is an internal 
address, so unless ports are forwarded to it at the router it shouldn't 
see any attempts to initiate connections - only responses from already 
existing connections. 49425 is an unprivileged port and not listed in 
/etc/services, so I doubt it's one someone would try & run any sort of 
exploits against. It looks to me like the router & `ipfw` have 
different criteria for connection tracking.

Since port is 80 is that of a webserver, is it possible that this is 
something coming back from a webopage Mr Kiss looked at?

... Googling for "ipfw Stealth Mode connection attempts" brings up a 
bunch of relevant-looking hits. I'm inclined to believe Kampl at 
http://forums.macnn.com/showthread.php?t=259581 when he says:

    This is not an attack. It is return traffic from a web server for
    which the firewall connection table timeouts have been exceeded.
    It can be ignored. Latency or misconfiguration on the remote end
    is what I would blame for the delayed response from the server that
    got dropped by the firewall.
    Scans of all kinds from the Internet are a given. It was blocked,
    so nothing to really react to. If you really are paranoid I would
    recommend running an IDS to parse the incoming traffic for further
    insight to the nature of the intrusion attempt.


More information about the X4U mailing list