Thread: LAN port scanning...i think

  1. #1
    Junior Member
    Join Date
    Nov 2004
    Posts
    5

    LAN port scanning...i think

    Hello all

    Examine exhibit A, an excerpt from my Linxus router's outgoing Log Viewer

    Date Time Src_IP Src_Port Dest_IP Dest_Port
    11/24/2004 11:54:43 127.0.0.1 80 192.168.235.125 1038
    11/24/2004 11:54:43 127.0.0.1 80 192.168.45.252 1641
    11/24/2004 11:54:43 127.0.0.1 80 192.168.111.252 1477
    11/24/2004 11:54:43 127.0.0.1 80 192.168.176.124 1312

    It will keep doing this forever as long as my computer is allowed access to the network. It stops whenever my computer is removed from the network. There are only 3 computers on the network.

    I know 127.0.0.1 is a local host, but is it my computer or the router? And I know the dest_ports are potential LAN IP's. (This is "advice" that I have received from other boards). Can anyone suggest what might be causing this, and what I can do to stop it? McAfee came up empty.

    Please ask for any clarification you might find helpful

    Thank you thank you
    Stewie

  2. #2
    Possibly a worm?

    Run a second opinion AV-
    http://housecall.trendmicro.com

  3. #3
    Junior Member
    Join Date
    Nov 2004
    Posts
    5
    Nope, I am worm-free

    Thank you

  4. #4
    Those are all non-routable IPs, so they are on your side of the router. However, the ports indicate that you may have a Blaster variant running. Check that you don't have an unsecured copy of MSSQL or MSDE running.

  5. #5
    Junior Member
    Join Date
    Nov 2004
    Posts
    5
    I'm not sure what those programs are, but the task manager did not show either of those processes, and nothing came up when I searched my hard drive for them. Is there some other way I could find out?

  6. #6
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Uh.. this stuff is coming from the router.

    an excerpt from my Linxus router's outgoing Log Viewer
    Code:
    Date       Time       Src_IP         Src_Port         Dest_IP            Dest_Port
    11/24/2004 11:54:43 127.0.0.1         80             192.168.235.125     1038
    So wouldn't it be possible it's a spoofed packet from the router? And you do mean Linksys right? not Linux? Which router specifically, version and what firmware update? You may want to fire up a packet sniffer and verify that those packets are indeed happening.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  7. #7
    Junior Member
    Join Date
    Nov 2004
    Posts
    5
    So the packet sniffer sniffed the following

    11:02:57.533 127.0.0.1:80 192.168.43.181.1910 TCP:http
    11:02:57.533 192.168.1.1:65094 192.168.1.100:162 UDP:snmp-trap
    11:02:57.543 127.0.0.1:90 192.168.108.181:1514 TCP:http
    11:02:57.543 192.168.1.1:65095 192.168.1.100:162 UDP:snmp-trap

    etc.

    always 1 or 2 packets,

    and then...?

  8. #8
    Junior Member
    Join Date
    Nov 2004
    Posts
    5
    Oh yea, Linksys, BEFW11S4, and I haven't added anything to it

  9. #9
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Check out this AO Thread. It sounds like the same issue.

    Go to this Linksys Support Section and choose the appropriate model/version number (the version number will appear near the serial/UPC number). Check to see if there are any new firmware updates and update accordingly. Then check if the problem persists. If it does, it might be similar to the activity above. If not, then problem solved (means Linksys discovered it and patched it).
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage
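
A way to triage a log like the one in this thread, added here as an example and not posted by anyone in the thread: it parses rows in the router log viewer's column layout and flags entries with a loopback source or a private destination outside the LAN. The 192.168.1.0/24 LAN range is an assumption taken from the sniffer output in post #7, the sample rows are constructed, and `classify` and `scan` are names chosen for this example.

```python
import ipaddress
import re

# Assumption: the LAN is 192.168.1.0/24, inferred from the 192.168.1.1 and
# 192.168.1.100 addresses in the sniffer output posted in the thread.
LAN = ipaddress.ip_network("192.168.1.0/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the column layout of the router's log viewer.
SAMPLE_LOG = """\
Date Time Src_IP Src_Port Dest_IP Dest_Port
11/24/2004 11:54:43 127.0.0.1 80 192.168.235.125 1038
11/24/2004 11:54:43 127.0.0.1 80 192.168.45.252 1641
11/24/2004 11:54:44 192.168.1.100 1050 192.168.1.1 80
11/24/2004 11:54:44 192.168.1.100 1051 203.0.113.7 80
not a log line
"""

ROW = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\S+) (\d+)$")

def classify(src, dst, lan=LAN):
    """Reasons this source/destination pair should not appear on the LAN."""
    reasons = []
    if src.is_loopback:  # 127.0.0.0/8 must never be a source on the wire
        reasons.append("loopback-source")
    if dst not in lan and any(dst in net for net in RFC1918):
        reasons.append("off-lan-private-destination")
    return reasons

def scan(log_text, lan=LAN):
    """Return (findings, skipped): flagged rows and the count of unparsed lines."""
    findings, skipped = [], 0
    for line in log_text.splitlines():
        m = ROW.match(" ".join(line.split()))  # collapse column padding
        if not m:  # header or junk line
            skipped += 1
            continue
        try:
            src = ipaddress.ip_address(m.group(3))
            dst = ipaddress.ip_address(m.group(5))
        except ValueError:  # field is not a valid IP address
            skipped += 1
            continue
        reasons = classify(src, dst, lan)
        if reasons:
            findings.append((f"{m.group(1)} {m.group(2)}", str(src), str(dst), reasons))
    return findings, skipped

if __name__ == "__main__":
    for row in scan(SAMPLE_LOG)[0]:
        print(*row)
```

Running the same scan on a log saved before and after a firmware update shows whether the flagged rows stop appearing.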
