  1. #1 (Brisbane, Qld; joined Aug 2005; 704 posts)


    I just happened to have a look in the system.log this evening and found a whole bunch of funny messages suggesting that someone has been trying to connect to my iMac. They started just after midday and continue even now. The messages are:

    Aug 1 19:53:18 *****-iMac-G5 kernel[0]: Stealth Mode connection attempt to UDP 192.***.*.*:137 from 192.168.2.1:2123
    (Obviously I have *'ed out my IP address details.)

    As well as port 137 they have also tried to access the port I use for torrents (which is not the default port - 6881 or whatever it is). There have been a few different IP addresses and I have run a "whois" in the terminal with the following results:

    whois 24.92.25.222:1576

    OrgName: Road Runner HoldCo LLC
    OrgID: RRMA
    Address: 13241 Woodland Park Road
    City: Herndon
    StateProv: VA
    PostalCode: 20171
    Country: US

    ReferralServer: rwhois://ipmt.rr.com:4321

    NetRange: 24.92.0.0 - 24.92.143.255
    CIDR: 24.92.0.0/17, 24.92.128.0/20
    NetName: ROAD-RUNNER-3
    NetHandle: NET-24-92-0-0-1
    Parent: NET-24-0-0-0-0
    NetType: Direct Allocation
    NameServer: DNS1.RR.COM
    NameServer: DNS2.RR.COM
    NameServer: DNS3.RR.COM
    NameServer: DNS4.RR.COM
    Comment:
    RegDate: 2000-06-09
    Updated: 2002-08-22

    RTechHandle: ZS30-ARIN
    RTechName: ServiceCo LLC
    RTechPhone: +1-703-345-3416
    RTechEmail: abuse@rr.com

    OrgAbuseHandle: ABUSE10-ARIN
    OrgAbuseName: Abuse
    OrgAbusePhone: +1-703-345-3416
    OrgAbuseEmail: abuse@rr.com

    OrgTechHandle: IPTEC-ARIN
    OrgTechName: IP Tech
    OrgTechPhone: +1-703-345-3416
    OrgTechEmail: abuse@rr.com

    # ARIN WHOIS database, last updated 2006-07-31 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    ******$ whois 85.226.62.8:54101

    OrgName: RIPE Network Coordination Centre
    OrgID: RIPE
    Address: P.O. Box 10096
    City: Amsterdam
    StateProv:
    PostalCode: 1001EB
    Country: NL

    ReferralServer: whois://whois.ripe.net:43

    NetRange: 85.0.0.0 - 85.255.255.255
    CIDR: 85.0.0.0/8
    NetName: 85-RIPE
    NetHandle: NET-85-0-0-0-1
    Parent:
    NetType: Allocated to RIPE NCC
    NameServer: NS-PRI.RIPE.NET
    NameServer: NS3.NIC.FR
    NameServer: SEC1.APNIC.NET
    NameServer: SEC3.APNIC.NET
    NameServer: SUNIC.SUNET.SE
    NameServer: TINNIE.ARIN.NET
    NameServer: NS.LACNIC.NET
    Comment: These addresses have been further assigned to users in
    Comment: the RIPE NCC region. Contact information can be found in
    Comment: the RIPE database at http://www.ripe.net/whois
    RegDate: 2004-04-01
    Updated: 2004-04-06

    # ARIN WHOIS database, last updated 2006-07-31 19:10
    # Enter ? for additional hints on searching ARIN's WHOIS database.
    % This is the RIPE Whois query server #1.
    % The objects are in RPSL format.
    %
    % Note: the default output of the RIPE Whois server
    % is changed. Your tools may need to be adjusted. See
    % http://www.ripe.net/db/news/abuse-pr...-20050331.html
    % for more details.
    %
    % Rights restricted by copyright.
    % See http://www.ripe.net/db/copyright.html

    %ERROR:101: no entries found
    %
    % No entries found in the selected source(s).


    *******$ whois 192.168.2.1:2091

    OrgName: Internet Assigned Numbers Authority
    OrgID: IANA
    Address: 4676 Admiralty Way, Suite 330
    City: Marina del Rey
    StateProv: CA
    PostalCode: 90292-6695
    Country: US

    NetRange: 192.168.0.0 - 192.168.255.255
    CIDR: 192.168.0.0/16
    NetName: IANA-CBLK1
    NetHandle: NET-192-168-0-0-1
    Parent: NET-192-0-0-0-0
    NetType: IANA Special Use
    NameServer: BLACKHOLE-1.IANA.ORG
    NameServer: BLACKHOLE-2.IANA.ORG
    Comment: This block is reserved for special purposes.
    Comment: Please see RFC 1918 for additional information.
    Comment:
    RegDate: 1994-03-15
    Updated: 2002-09-16

    OrgAbuseHandle: IANA-IP-ARIN
    OrgAbuseName: Internet Corporation for Assigned Names and Number
    OrgAbusePhone: +1-310-301-5820
    OrgAbuseEmail: abuse@iana.org

    OrgTechHandle: IANA-IP-ARIN
    OrgTechName: Internet Corporation for Assigned Names and Number
    OrgTechPhone: +1-310-301-5820
    OrgTechEmail: abuse@iana.org
    A quick Google search suggests that this is probably an infected PC somewhere randomly trying to connect; the fact that it is mostly trying port 137 seems to support this. But I am concerned that they have also tried the port I use for torrents, though I imagine it would not be very hard for someone out there to get this info while I was sharing *cough* Linux distros *cough*.

    iStat Nano says that there is no extra network traffic and there is no other indication that anyone has gained access. As well, the Shields Up site says I have "true stealth" mode - i.e. no responses at all from all the common ports. As such I am not hugely concerned about it but I would like to know if anyone else has experienced this and could/should I do something about it.

    Further info: I am running OS X 10.4.7 on Optus cable behind a Belkin wireless G router which has WAN ping blocking activated and MAC address filtering turned on. I did have port forwarding for BitTorrent but I have turned that off on the router as well as closed that port in the OS X firewall.

    Any thoughts? Or am I just being paranoid?

  2. #2 (Melbourne; joined May 2005; 1,664 posts)


    How does one check the system log for any such activity?
    A

  3. #3 (Brisbane, Qld; joined Aug 2005; 704 posts)


    Applications/Utilities/Console.app will open the console. Then click on "logs" in the top left corner and choose "system.log". You can check all of the logs from here.

    cheers.

  4. #4


    You have to have firewall logging enabled in system preferences -> sharing -> firewall.


  5. #5 (NE Vic; joined Apr 2004; 2,395 posts)


    I have firewall logging switched off & I get the same sort of entries as the OP. If you turn on logging it writes to a different log anyway - /var/log/ipfw.log.

    I don't know what the stealth connection attempts are about either. I checked one the other day & the IP address belonged to Fairfax. I emailed the person whose address was in the whois entry & have had no response as yet.

    Edit: typo

  6. #6 (Sydney; joined Apr 2005; 808 posts)


    Port 6881 is a BitTorrent port number.

    It looks, for all money, like a zombie PC torrent user.


  7. #7 (joined Feb 2004; 9,050 posts)


    Before I had a router on cable, I got all sorts of shit hitting my computer, filling up the firewall logs. It's normal. There are zillions of zombied, infected PCs out there testing everything on the internet for insecurity. As long as you don't have a vulnerability, then it's not an issue. By the way, 192.168.*.* is for intranets.

    I might add, a lot more than just Bittorrent ends up hitting my BT ports, that's normal too.
    The discussion has continued at AppleTalk Australia.

  8. #8 (Brisbane, Qld; joined Aug 2005; 704 posts)


    Thanks for that, Currawong. I am way out of my depth when it comes to this sort of stuff so any info is appreciated. I assume that the connection attempts appearing to come from 192.168.2.1:2091 are from a "spoofed" IP address.

    Quote (Currawong @ Aug 2 2006, 11:44 AM):
    > Before I had a router on cable, I got all sorts of shit hitting my computer, filling up the firewall logs. It's normal.
    Does this mean that your router stops it before it gets to the OSX firewall and you no longer get this stuff in your firewall logs? It would be nice if my router did the same thing.

    cheers.

  9. #9 (Melbourne; joined Jun 2005; 2,807 posts)


    I have my default OS X firewall up but I can still be pinged. Is there any way to stop a response to somebody pinging you?

  10. #10 (joined Feb 2004; 9,050 posts)


    Any router that translates a single internet address into your internal LAN's network address (usually 192.168.something or 10.something) will only redirect requested services or forwarded ports, so yeah, I get essentially nothing hitting my machine.

    Fluffy, you could stop pings, but it can stuff up a few services. Is there any particular reason you don't want pings to be replied to? Most modem/routers have an option to ignore pings on the WAN port I think.

  11. #11 (NE Vic; joined Apr 2004; 2,395 posts)


    I kept looking into this & finally got a response from an organisation I consider trustworthy. I asked if I could post their response here & they said "only if all references to [us] are removed." So, here it is:
    > I am sure you will find that the packets are in fact valid HTTP TCP port
    > 80 reply packets sent in response to requests made from your site.
    >
    > If you decode the packet detected you will find that the ACK bit is set
    > identifying it as a reply packet to a HTTP request from the address
    > x.x.x.x
    >
    > You will find with sites that are located behind load balanced devices
    > that the address of all the web sites are behind a single IP address.
    >
    > The source port (80) and source IP address (xxx.xx.xx.xx) will always be
    > the same for reply packets from our web sites but the destination high
    > port will vary - which can, in some cases, give the false impression
    > that there is a port scan taking place. Some of the destination high
    > ports used may also randomly coincide with those used by some viruses
    > etc which can be picked up as a false positive by Firewalls and
    > Intrusion Detection Systems.

    I'm prepared to trust this response as it fits with my experience - when I am browsing their site I get stealth mode connection attempts from them but they stop when I stop - but I don't think this covers all the situations referred to here. Seems like it's a combination of legitimate responses that OS X is falsely flagging and other stuff.
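A small triage script for the "Stealth Mode connection attempt" lines discussed in post #1 and the explanation quoted in post #11, added here as an example; it is not code from the thread or from Apple. It parses lines in the format shown in post #1, strips the port from the "addr:port" string before any whois lookup (the lookups in post #1 were run with the port still attached), and sorts each dropped packet into a rough bucket: sources in the RFC 1918 ranges cannot have arrived from the internet unspoofed (the router would not forward them either), so they came from a device on the LAN side; TCP packets from source port 80 or 443 to an ephemeral destination port match the stray HTTP-reply pattern the quoted response describes; packets to the Windows file-sharing ports are the background scanning the thread calls zombie PCs; anything else from a public address is worth a closer look. The hostname, the LAN addresses and the web-server address 203.0.113.7 (a documentation range) are constructed; the two public source addresses are the ones the thread's whois lookups were run against. The system.log line carries no TCP flags, so the ACK check in the quoted response cannot be done from this log alone and needs a packet capture.

```python
import re
import ipaddress
from collections import Counter

# Pattern for the OS X 10.4 ipfw "Stealth Mode" kernel message quoted in post #1.
# syslog pads the day of month with one or two spaces, hence \s+.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) kernel\[0\]: "
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)$"
)

# RFC 1918 ranges: a source in one of these was emitted on the LAN side of the
# router (often the router itself), not by some host out on the internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log. Hostname and 192.168.2.x addresses are made up;
# 24.92.25.222 and 85.226.62.8 are the addresses looked up in post #1;
# 203.0.113.7 is a documentation address standing in for a web server.
SAMPLE_LOG = """\
Aug  1 19:53:18 my-iMac-G5 kernel[0]: Stealth Mode connection attempt to UDP 192.168.2.10:137 from 192.168.2.1:2123
Aug  1 19:55:40 my-iMac-G5 kernel[0]: Stealth Mode connection attempt to TCP 192.168.2.10:6881 from 24.92.25.222:1576
Aug  1 20:01:02 my-iMac-G5 kernel[0]: Stealth Mode connection attempt to TCP 192.168.2.10:51204 from 203.0.113.7:80
Aug  1 20:01:03 my-iMac-G5 kernel[0]: Stealth Mode connection attempt to TCP 192.168.2.10:51205 from 203.0.113.7:80
Aug  1 20:03:17 my-iMac-G5 kernel[0]: Stealth Mode connection attempt to UDP 192.168.2.10:137 from 85.226.62.8:54101
Aug  1 20:04:00 my-iMac-G5 kernel[0]: some unrelated kernel message
"""


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port). whois wants the bare address,
    not the 'addr:port' string copied straight out of the log line."""
    addr, _, port = endpoint.rpartition(":")
    return addr, int(port)


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_stealth_lines(text):
    """Return one dict per matching line; lines in any other format are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["dport"] = int(e["dport"])
            e["sport"] = int(e["sport"])
            entries.append(e)
    return entries


def classify(e):
    """Rough triage of one dropped packet, checked in priority order."""
    if is_rfc1918(e["src"]):
        return "local-network"        # came from the LAN side, not across the internet
    if e["proto"] == "TCP" and e["sport"] in (80, 443) and e["dport"] >= 1024:
        return "likely-http-reply"    # web server answering to an ephemeral port (post #11)
    if e["dport"] in (137, 138, 139, 445):
        return "netbios-smb-probe"    # background scanning for Windows file-sharing ports
    return "unsolicited-public"       # anything else from a public address: look closer


def summarize(text):
    """Count (source address, classification) pairs over the whole log."""
    return Counter((e["src"], classify(e)) for e in parse_stealth_lines(text))


if __name__ == "__main__":
    for (src, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{n:4d}  {kind:20s} {src}")
```

Run against a real system.log by replacing SAMPLE_LOG with the file's contents; the "unsolicited-public" bucket is the one to feed into whois (using the address half of split_endpoint), while repeated "likely-http-reply" entries that start and stop with your own browsing are the false positives post #11 describes.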
