Should I be worried?
Results 1 to 6 of 6

Thread: Should I be worried?

  1. #1
    Junior Member
    Join Date
    Aug 2003
    Posts
    28

    Should I be worried?

    Today i was looking through logs on my small home network and notice this:

    8/20/2003 00:52:13:721 Outbound TCP 60104 145.40.55.234 11.242.122.141 23168

    Doesn't look out of the ordinary, execpt all ips on my network are static and all are in the 192.168.*.* ip range!
    So I do a whois on 11.242.122.141 and guess who it is, Department of Defense - Network Information Center - Science Applications Center!

    Should i be worried about this?

  2. #2
    Senior Member
    Join Date
    May 2002
    Posts
    101
    DOD yeah you should be worried... They want to nuke you. LMAO. It depends on what you are doing if anything you should ask yourlsef if you should be worried. What are you doing? If I know I am doing nothing wrong then I know I have nothing to worry about. In other words let your counscience be your guide. If you are doing nothing wrong then do a av check and make sure you have firewall should be nothing wrong after you check for little things.

  3. #3
    Junior Member
    Join Date
    Aug 2003
    Posts
    28
    I wasn't do anything except looking another forum when this was logged, and i do have a firewall but not for outbound. I have outbound firewalls on all pcs on my network, but they could have been compromised.
    Basically what I want to know is how to find out how they got in, and how to stop it from happening again.

  4. #4
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    First of all, is this packet picked up outside your router or inside and if it is outside does the 145.40.55 address match that of your router?

    Assuming it was captured on the inside I have to guess that your router would blindly try to route it but on the return packet's arrival it would probably fail to correctly NAT the address backwards and you would not receive any reply. (The reply should come back to the router due to the NAT performed by it originally). The problem with this scenario is that your packet will turn up at DoD with your router's address splattered all over it. Herein lies your problem - the payload of this packet is directly proportional to the likelihood of visitors.....

    Assuming that it was captured on the outside and that the 145.40.55 address is not that of your router the DoD will receive the packet and not know where to send the visitors if the payload in malicious. If it is the address of your router then see above.......

    What we need to determine is which machine is generating those packets and then try to determine what is generating it. I would grab a copy of Ethereal and put it on a hub that can see all inbound and outbound traffic and leave it to log everything for a few days. Create a filter for packets whose destination net is _not_ 192.168.*, (I believe it would be dest net !192.168*, but that's off the top of my head and my manual is at work), I would then precisely log every time anyone uses a computer and what for. Then go back and compare packet times to usage times. Where they don't match investigate the destination. You will eliminate all your windows updates and AV updates and what is left, (if anything), is suspicious...... If there is nothing left you need to begin the tedious task of matching packets to your own activity so keeping your usage to a minimum is a good idea.
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  5. #5
    Junior Member
    Join Date
    Aug 2003
    Posts
    28

    another one

    It is not my ip address for the internet or any ip i have ever been to.

    Here is another one:
    8/20/2003 03:04:45:956 Outbound TCP 27695 44.103.109.203 114.110.48.233 11566

    These are coming from inside my router and i have ethereal on my pc, my router is a linksys piece of crap and i can only block internal ips that start with 192.168
    So how would i block these from getting out?
    How would i setup ethereal on a hub?

    Someone must be in my network, my firewall on my pc (the only one one the network on when these happened) is set up only to allow traffic from 192.168.1.102 to go out. any spoofed packets would be blocked, so where are these stupid things coming from?
    Unless they managed to get around my firewall, it's zonealarm pro if it helps any.

  6. #6
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    When I said "set up ethereal on a hub" I meant put all the computers on a hub and connect the hub to the linksys, (it's a switch). Then all the computers can see all the other computer's traffic. Then fire up ethereal on one of them. The packet capture should ID the iffy machine by the mac address of the source machine. Then it's time to turn off the other machines and ethereal all packets on the network, (you can't filter on a mac address in ethereal as far as I know). Then you can work from there......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  

 Security News

     Patches

       Security Trends

         How-To

           Buying Guides