[X4U] Stealth Mode connection attempts
Stroller
macmonster at myrealbox.com
Fri Jul 22 21:53:04 PDT 2005
On Jul 23, 2005, at 12:25 am, Nick Scalise wrote:
> On Jul 22, 2005, at 6:18 PM, John Kiss wrote:
>
>> I just recently decided to turn on my firewall logging. I'm finding a
>> lot of Stealth Mode connection attempts in the list. Shown below is
>> an example. The 192.168.0.100 is my IP address.
>
>> Who is 38.113.192.83?
>
> Not really. It's probably just a compromised Windows box looking for
> other Windows boxes to compromise.
A port-scan (`nmap -O`) seems to suggest that 38.113.192.83 is
actually a Linux box, which would make sense if the IP belongs to a
web-hosting company.
>> .... ipfw: Stealth Mode connection attempt to TCP 192.168.0.100:49425
>> from 38.113.192.83:80
>
> Ain't logging great? Tells you all sorts of stuff you wish you never
> knew.
>
> If you really want, you could email the folks at svwh.net and ask them
> why a machine in their control is attempting to gain access to your
> machine.
"Attempting to gain access" seems an unhelpful synonym for "a
connection attempt" to me. Am I "attempting to gain access" when I open
a webpage?
The original log entry looks bogus to me. 192.168.0.100 is an internal
address, so unless ports are forwarded to it at the router it shouldn't
see any attempts to initiate connections - only responses from already
existing connections. 49425 is an unprivileged port and not listed in
/etc/services, so I doubt it's one someone would try & run any sort of
exploits against. It looks to me like the router & `ipfw` have
different criteria for connection tracking.
Since port is 80 is that of a webserver, is it possible that this is
something coming back from a webopage Mr Kiss looked at?
... Googling for "ipfw Stealth Mode connection attempts" brings up a
bunch of relevant-looking hits. I'm inclined to believe Kampl at
http://forums.macnn.com/showthread.php?t=259581 when he says:
This is not an attack. It is return traffic from a web server for
which the firewall connection table timeouts have been exceeded.
It can be ignored. Latency or misconfiguration on the remote end
is what I would blame for the delayed response from the server that
got dropped by the firewall.
and:
Scans of all kinds from the Internet are a given. It was blocked,
so nothing to really react to. If you really are paranoid I would
recommend running an IDS to parse the incoming traffic for further
insight to the nature of the intrusion attempt.
Stroller.
More information about the X4U
mailing list