Routers

Discussion in 'other firewalls' started by maze152, May 29, 2005.

Thread Status:
Not open for further replies.
  1. Maze

    Maze Guest


    oh by the way, when a friend pinged the ip address back, they did it to me?
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Well, it's very hard to say. It could be many things. You haven't given us enough information yet. For example, what is this exactly?

    What software firewall are you using, and exactly which page, tab or log from within that firewall are you reading that information from? You see, that quoted section there tells us nothing. It doesn't say if it blocked that traffic, or how much there was, or anything else. There must be a more detailed log somewhere in there than that.

    If you are now in a situation where you can't get to Google, I suspect somewhere in the midst of all this "attack activity" you may have told your software firewall to block this traffic. Now, every time you go to Google, your own firewall is probably blocking you. But, even this is speculation on my part because we just don't have enough details.

    I think you need to undo whatever you've been doing in response to this attack. So far the data you have shown us is all Google related... Both the IP addresses (router and firewall) are Google owned, but were called "an attack" at some point even though it is highly doubtful it was anything like that.

    Now, you can't browse to Google. Well that makes sense. Something called an attack was reacted to - since it was Google and not an attack, blocking it means you can't get to Google.

    You're going to need to undo whatever it is in your firewall that responded to those Google packets as an attack, and tell it to allow Google again.
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    I don't understand what you are saying there. Can you explain this more?
     
  4. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    Are you using a Linksys router with SPI?
    If so, those will just be late packets from a current connection that the SPI no longer considers valid (normal and nothing to worry about). Blocked unsolicited inbound traffic is recorded differently.

    Regards,

    CrazyM
     
  5. Maze

    Maze Guest

    Linksys NAT - someone is really trying to hack me. All attempts are being made on port 80, and he/she tried to download an ActiveX control to use the Microsoft SSDP protocol.


    Maze - stressed
     
  6. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    How do you know they are trying to download an ActiveX control? What log is that from?

    More logs... We need detailed logs with all the relevant information or we can not advise you further.
     
  7. Maze

    Maze Guest

    Microsoft AntiSpyware stopped a downloaded ActiveX from working.
     
  8. Maze

    Maze Guest


    I have Norton and it shows all inbound events - it shows incoming IP address, s-port, d-port, host and event information. That's how I know someone is trying so hard to gain access to my computer.
     
  9. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,280
    Location:
    New England
    Well, you are mixing things together here, looking for a pattern. MS AS does not do firewall level blocking, so that is something else.

    Post the logs here for us to review.
     
  10. Maze

    Maze Guest

    LowWaterMark,

    Sorry to sound like an idiot, but I am worried - thanks for helping me out. Here is a log of some of the inbound events (hope it helps, I've removed my IP address):

    2005/05/30 01:31:36 66.249.87.99:80 :1879 Port 1879 (TCP)

    2005/05/30 01:43:32 66.249.87.99:80 192.168.1.100:1899 MC2Studios

    2005/05/30 01:43:53 66.249.87.104:80 :1900 SSDP

    2005/05/30 02:38:06 66.249.87.104:80 :1352 Lotus Notes

    2005/05/30 01:30:03 66.249.87.99:80 :1870 SunSCALAR DNS Service

    2005/05/30 01:29:51 66.249.87.99:80 :1869 Port 1869 (TCP)

    2005/05/30 01:26:56 66.249.87.99:80 :1856 Port 1856 (TCP)

    2005/05/30 01:26:50 66.249.87.99:80 :1855 Port 1855 (TCP)

    2005/05/30 01:18:54 66.249.87.104:80 :1832 ThoughtTreasure

    2005/05/30 01:18:33 66.249.87.99:80 :1831 Myrtle

    2005/05/30 01:18:20 66.249.87.99:80 :1830 Oracle Net8 CMan Admin

    2005/05/30 00:56:36 216.239.59.147:80 :1689 firefox

    2005/05/30 02:44:39 66.249.87.104:80 :1363 Network DataMover Requester

    2005/05/30 02:45:02 66.249.87.99:80 :1364 Network DataMover Server

    2005/05/30 02:45:19 66.249.87.99:80 :1365 Network Software Associates
     
  11. Maze

    Maze Guest

    LowWaterMark, all the events show port 80, but that can't be. Port 80 is closed on my router.
     
  12. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    I just did a whois on all of the IP#s and they are all Google.
     
  13. Maze

    Maze Guest

    Maze,

    Bigc, what does that mean? This is very strange.
     
  14. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    Do you have the google toolbar or do you use google mail?
     
  15. Maze

    Maze Guest

    Bigc,

    I have none of the above. I use Firefox with the Google default homepage. What do you think is going on?

    Maze
     
  16. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    It is just the Google home page trying to update the info on the page. It is not a hack attack. Having the home page as Google allows the Google server to know where you are on the web and it is just doing its thing. I really wouldn't worry about it very much. I bet if you changed default home page the connections from Google would probably stop or else really slow down.

    bigc
     
  17. Maze

    Maze Guest

    But Big C,

    These events shouldn't be coming through on my software firewall, should they? Also the SSDP event is when anti-spyware reported a stopped download of ActiveX. So you think no one is trying to hack me?

    maze
     
  18. Maze

    Maze Guest

    I've just checked, they are all Google. Why do they show up on my software firewall, and what are the names for at the end?
     
  19. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    I am really not sure what the ActiveX was or where it was going, but the info getting to your software firewall is coming through your router on the port that your browser has permission to use. I also use a Linksys with the LAN firewall and the only thing that ever gets through is info that is requested. Some of it is still stopped by the software firewall. As far as ActiveX goes, unless one of my security apps' settings specifically blocks that one, like the kill bits set by SpywareBlaster, they will reach my comp. Without knowing specifically what the ActiveX was, I am not sure I can suggest anything more for you to do. It may have been a legitimate app. I wish I knew more of what was going on.
     
  20. Maze

    Maze Guest

    Big C,

    I will try and change my homepage and see what happens. If it keeps happening, can I come back for some more advice? Off to bed - take care and keep up the good work helping silly people like me.

    all the best,

    Mazy
     
  21. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma

    You might have to contact Google and inquire as to what the labeling they use is.
     
  22. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma

    You are always welcome to come here and try to correct a computer problem. Good luck.

    bigc
     
  23. Maze

    Maze Guest

    Thank you for taking the time out to help me, I really appreciate it so much. I have a quote to share: 'Thomas Burke: Evil will only flourish if the good do nothing'.
     
  24. bigc73542

    bigc73542 Retired Moderator

    Joined:
    Sep 21, 2003
    Posts:
    23,934
    Location:
    SW. Oklahoma
    Evil will only flourish if the good do nothing, (I believe every word. ;) )
     
  25. CrazyM

    CrazyM Firewall Expert

    Joined:
    Feb 9, 2002
    Posts:
    2,428
    Location:
    BC, Canada
    As mentioned earlier, these all appear to be related to connections you have made. If these are logged dropped packets, they are likely just packets your software firewall considers no longer valid (shorter time-out). The router likely has a longer time-out before dropping late packets and that is why they are showing up in the software firewall logs.

    The log entry that references SSDP will not be directly related to the download of ActiveX.
    This is related to another connection to google from your system. What indicates this is the source port 80. The 1900 was just the port being used by your system for the connection and also happens to be associated with SSDP. Some security software has the bad habit of associating common service names associated with ports in the logs which can be confusing as it may have nothing to do with it.

    These would only appear to be packets the firewall/router no longer considers a valid part of a connection you have made. They do not indicate anyone is trying to hack you.

    Edit: a sample from my router logs
    159572: May 29 2005 20:28:31.292 PDT:
    %FW-6-DROP_PKT: Dropping tcp pkt 64.91.226.241:80 => xx.xx.xx.xx:4198

    In this case the remote IP is the one for this forum, just a packet that is no longer considered part of a current session (late), not that Wilders is trying to hack me ;)

    Regards,

    CrazyM
     
    Last edited: May 29, 2005
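
    Added example, not part of any post in this thread: a small triage script for the log format posted above, applying the reading CrazyM describes (source port 80 means the packet is a reply from a web server, and the trailing name is only the firewall's label for the local port number). The port sets, the category names and the last sample line are assumptions made for the example; the classification is a triage heuristic on port numbers, not proof of a packet's origin.

```python
import re

# The first three lines are copied from the log posted in this thread;
# the last line is constructed here to show the contrasting case.
SAMPLE_LOG = """\
2005/05/30 01:43:53 66.249.87.104:80 :1900 SSDP
2005/05/30 02:38:06 66.249.87.104:80 :1352 Lotus Notes
2005/05/30 01:43:32 66.249.87.99:80 192.168.1.100:1899 MC2Studios
2005/05/30 03:00:00 203.0.113.5:40000 :445 constructed-example
"""

# timestamp, source ip:port, optional destination ip, :port, free-text label
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+)\s+"
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3})?:(?P<dst_port>\d+)\s*"
    r"(?P<label>.*)$"
)

WEB_SERVER_PORTS = {80, 443}  # assumption: ports a browser connects out to
EPHEMERAL_MIN = 1024          # assumption: client-side ports are >= 1024


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src_port"] = int(rec["src_port"])
    rec["dst_port"] = int(rec["dst_port"])
    rec["label"] = rec["label"].strip()
    return rec


def classify(rec):
    """Classify on port numbers only; the firewall's label is ignored."""
    if rec["src_port"] in WEB_SERVER_PORTS and rec["dst_port"] >= EPHEMERAL_MIN:
        return "reply-from-web-server"   # late packet of a session we opened
    return "needs-review"                # not explained by outbound browsing


def summarize(log_text):
    """Return (src_ip, dst_port, label, verdict) for every parsable line."""
    recs = filter(None, map(parse_line, log_text.splitlines()))
    return [(r["src_ip"], r["dst_port"], r["label"], classify(r)) for r in recs]


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```

    The entries labelled "SSDP" and "Lotus Notes" come out as web-server replies to local ports 1900 and 1352; only the constructed line aimed at port 445 is left for review.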