
Thread: Router/firewall help

  1. #11
    Actually, to clarify, the 192.168.1.1 source IP has all the different ports showing up and is directed to my network 192.168.1.XXX on port 162 every time. I tried to post a SS and it won't work as a bitmap or tif for me ..... I can't save anything as a jpeg.

    Thanks again, I hope this makes more sense.

  2. #12
    Senior Member | Join Date: Aug 2001 | Posts: 267
    I have installed quite a few Linksys routers (and none scan the local networks). If you enabled 'logging' it uses port 162 to capture in/out traffic. Did you set your local computer to 'DMZ'? (basically disabling firewall protection).

    Why not try resetting the router to factory defaults and see what happens?

  3. #13
    AO Ancient: Team Leader | Join Date: Oct 2002 | Posts: 5,197
    I'm with dcongram..... Have you made any changes to the router config by going to http://192.168.1.1 in your browser?

    The traffic you are seeing is typical of forwarded traffic on a Linksys as far as some logging systems are concerned. They will show the source as the router itself.... Others, (some use SNMP trap), are the router itself reporting and will show the true source address. If you are being scanned by, apparently, the router it seems like your reporting program is seeing the router as the source.

    The problem with the Linksys routers, (and don't get me wrong - I use one at home), is that they really need to be applied to a _known_ clean machine. They only block inbound _unestablished_ connections..... Thus if you click on IE and your home page is yahoo it will allow the inbound connection from yahoo 'cos you, (on the inside), requested the connection. OTOH, if yahoo tried to connect to you at some time the packets would be dropped because the initial request from you, (on the inside), did not exist....... There are numerous pieces of malware out there that "call home" and establish a connection and then act as the server and relinquish some level of control over the "infected" machine. Thus a hacker could have placed such software on your machine prior to the install of the router. The software would make a call to "home" and the hacker could regain control of your system despite your firewall.... As I said.... Linksys are useless if the internal machine was pre-infected.

    If this were the case it would be trivial for the hacker to reconfigure your machine into the DMZ, (though I doubt that because it shouldn't work without an additional IP address which your cable company isn't going to give you without the application of cold hard cash). More likely he set up port forwarding to the address range 1-1024 which kind of opens up your machine to the world and is both quick and easy to do.

    In your situation I would suggest backing up your data, setting the firewall back to factory defaults and format and reinstall your apps. That will _ensure_ that you are clean and protected..... I don't mean to be rude but all this talk of ethereal and other sniffers only serves to tell you where the stuff is coming from and that probably isn't even the location of the hacker...... The issue is being able to recognize _exactly_ what has been done and reverse the damage..... You don't seem to be at a level that you could do that and frankly - I would do the same myself just to be sure......

    Hope this helps
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
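
Added example (not part of any post in this thread): a Python triage of firewall log entries that separates the pattern discussed in #11 to #13, the router sending to one fixed destination port 162 from changing source ports, from a port scan, where one source touches many destination ports. The log line format, the UDP assumption, the scan threshold and all sample lines are constructed for illustration.

```python
from collections import defaultdict

SNMP_TRAP_PORT = 162  # well-known UDP port for SNMP trap messages

# Constructed sample entries in a hypothetical "PROTO src:sport -> dst:dport" format.
SAMPLE_LOG = """\
UDP 192.168.1.1:2051 -> 192.168.1.100:162
UDP 192.168.1.1:2052 -> 192.168.1.100:162
UDP 192.168.1.1:2057 -> 192.168.1.100:162
TCP 203.0.113.7:40000 -> 192.168.1.100:21
TCP 203.0.113.7:40000 -> 192.168.1.100:22
TCP 203.0.113.7:40000 -> 192.168.1.100:23
TCP 203.0.113.7:40000 -> 192.168.1.100:25
TCP 203.0.113.7:40000 -> 192.168.1.100:80
"""

def parse_entry(line):
    """Return (proto, source IP, destination port) for one log line."""
    proto, src, _arrow, dst = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    _dst_ip, dst_port = dst.rsplit(":", 1)
    return proto, src_ip, int(dst_port)

def classify_sources(log_text, router_ip="192.168.1.1", scan_threshold=5):
    """Label each source IP by the set of destination ports it touched."""
    dst_ports = defaultdict(set)
    protos = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        proto, src_ip, dst_port = parse_entry(line)
        dst_ports[src_ip].add(dst_port)
        protos[src_ip].add(proto)
    verdicts = {}
    for src_ip, ports in dst_ports.items():
        # Changing source ports with one fixed destination port is a sender
        # opening new sockets, not a probe of the receiver's ports.
        if src_ip == router_ip and ports == {SNMP_TRAP_PORT} and protos[src_ip] == {"UDP"}:
            verdicts[src_ip] = "router log/trap messages"
        elif len(ports) >= scan_threshold:
            verdicts[src_ip] = "possible port scan"
        else:
            verdicts[src_ip] = "unclassified"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```
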

  4. #14
    Yeah I think you're right Tiger and ty, I think it's time for the old format c:
