-
November 28th, 2004, 05:19 AM
#1
Junior Member
LAN port scanning...i think
Hello all
Examine exhibit A, an excerpt from my Linxus router's outgoing Log Viewer
Date Time Src_IP Src_Port Dest_IP Dest_Port
11/24/2004 11:54:43 127.0.0.1 80 192.168.235.125 1038
11/24/2004 11:54:43 127.0.0.1 80 192.168.45.252 1641
11/24/2004 11:54:43 127.0.0.1 80 192.168.111.252 1477
11/24/2004 11:54:43 127.0.0.1 80 192.168.176.124 1312
It will keep doing this forever as long as my computer is allowed access to the network. It stops whenever my computer is removed from the network. There are only 3 computers on the network.
I know 127.0.0.1 is a local host, but is it my computer or the router? And I know the dest_ports are potential LAN IPs. (This is "advice" that I have received from other boards). Can anyone suggest what might be causing this, and what I can do to stop it? McAfee came up empty.
Please ask for any clarification you might find helpful.
Thank you thank you
Stewie
-
November 28th, 2004, 05:25 AM
#2
Possibly a worm?
Run a second opinion AV-
http://housecall.trendmicro.com
-
November 28th, 2004, 05:57 AM
#3
Junior Member
Nope, I am worm-free
Thank you
-
November 28th, 2004, 07:06 AM
#4
Those are all non-routable IPs, so they are on your side of the router. However, the ports indicate that you may have a Blaster variant running. Check that you don't have an unsecured copy of MSSQL or MSDE running.
-
November 28th, 2004, 04:34 PM
#5
Junior Member
I'm not sure what those programs are, but the task manager did not show either of those processes, and nothing came up when I searched my hard drive for them. Is there some other way I could find out?
-
November 28th, 2004, 04:42 PM
#6
Uh.. this stuff is coming from the router.
an excerpt from my Linxus router's outgoing Log Viewer
Code:
Date Time Src_IP Src_Port Dest_IP Dest_Port
11/24/2004 11:54:43 127.0.0.1 80 192.168.235.125 1038
So wouldn't it be possible it's a spoofed packet from the router? And you do mean Linksys right? not Linux? Which router specifically, version and what firmware update? You may want to fire up a packet sniffer and verify that those packets are indeed happening.
-
November 28th, 2004, 05:18 PM
#7
Junior Member
So the packet sniffer sniffed the following
11:02:57.533 127.0.0.1:80 192.168.43.181.1910 TCP:http
11:02:57.533 192.168.1.1:65094 192.168.1.100:162 UDP:snmp-trap
11:02:57.543 127.0.0.1:90 192.168.108.181:1514 TCP:http
11:02:57.543 192.168.1.1:65095 192.168.1.100:162 UDP:snmp-trap
etc.
always 1 or 2 packets,
and then...?
-
November 28th, 2004, 05:20 PM
#8
Junior Member
Oh yeah, Linksys, BEFW11S4, and I haven't added anything to it
-
November 28th, 2004, 05:27 PM
#9
Check out this AO Thread. It sounds like the same issue.
Go to this Linksys Support Section and choose the appropriate model/version number (the version number will appear near the serial/UPC number). Check to see if there are any new firmware updates and update accordingly. Then check if the problem persists. If it does, it might be similar to the activity above. If not, then problem solved (means Linksys discovered it and patched it).
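Added example, not posted by anyone in this thread: a small Python triage script for a Log Viewer export in the column layout quoted above. It flags rows whose source is a loopback address (which should never appear in forwarded traffic) or whose private destination lies outside the LAN. The 192.168.1.0/24 subnet is an assumption inferred from the sniffer output, and the last sample row is constructed.

```python
import ipaddress

# Constructed sample in the thread's layout:
# Date Time Src_IP Src_Port Dest_IP Dest_Port (last row is made up).
SAMPLE_LOG = """\
Date Time Src_IP Src_Port Dest_IP Dest_Port
11/24/2004 11:54:43 127.0.0.1 80 192.168.235.125 1038
11/24/2004 11:54:43 127.0.0.1 80 192.168.45.252 1641
11/24/2004 11:54:44 192.168.1.100 1050 192.168.1.1 80
"""

# Assumption: LAN subnet inferred from 192.168.1.1 / 192.168.1.100 above.
LAN = ipaddress.ip_network("192.168.1.0/24")


def parse_rows(text):
    """Yield (src_ip, src_port, dst_ip, dst_port) for each well-formed row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        try:
            src = ipaddress.ip_address(fields[2])
            dst = ipaddress.ip_address(fields[4])
            sport, dport = int(fields[3]), int(fields[5])
        except ValueError:
            continue  # header row or damaged line
        yield src, sport, dst, dport


def flag_anomalies(text, lan=LAN):
    """Return (row, reasons) pairs for rows that should not occur on this LAN."""
    findings = []
    for row in parse_rows(text):
        src, dst = row[0], row[2]
        reasons = []
        if src.is_loopback:
            reasons.append("loopback source seen in forwarded traffic")
        if dst.is_private and dst not in lan:
            reasons.append("private destination outside the LAN subnet")
        if reasons:
            findings.append((row, reasons))
    return findings


if __name__ == "__main__":
    for (src, sport, dst, dport), reasons in flag_anomalies(SAMPLE_LOG):
        print(f"{src}:{sport} -> {dst}:{dport}: " + "; ".join(reasons))
```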