
Thread: Repeated requests at port 10169

  1. #1
    Senior Member hesperus's Avatar
    Join Date
    Jan 2005
    Posts
    416

    Repeated requests at port 10169

    I have been hanging around antionline for a while trying to learn a little about computer security and how to apply it to my own box, but I am new to this, so please bear with me.

    My ISP uses rotating IPs and I have been monitoring the requests I receive in my ZoneAlarm log. Usually they appear to be more or less random background noise or requests associated with P2P programs, but occasionally I will receive repeated access attempts from the same source or from a few different sources on the same port, even though the port doesn't seem to be associated with anything in particular. Here is the latest:

    Source: 67.163.93.18:xxxx hsd1.il.comcast.net (Australia)
    TCP protocol
    Destination: port 10169 (shows up as unassociated in Shields Up)

    I receive upwards of one attempt every minute.

    I have been playing with Ethereal but am led to believe that it can't sniff packets outside a firewall, and I am reluctant to disable it to see what this might be.

    My question is: what is this intruder up to? What was the last person with this IP up to? How can I find these things out?

    DSL line, Win Xp, Zone Alarm

    Thanks
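    The pattern hesperus describes (one source hitting one unassociated port over and over, or a few sources converging on the same port) is easy to pull out of the ZoneAlarm log mechanically instead of by eye. The script below is an added example, not from the thread or from ZoneAlarm; the sample lines are constructed in the comma-separated ZAlog.txt layout (record type, date, time with offset, source ip:port, destination ip:port, protocol), which is an assumption about the log format, and the addresses and times are made up apart from the two source IPs already mentioned in this thread. It groups blocked inbound (FWIN) records by source and destination port, reports pairs that repeat, and lists ports that several different sources are probing.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (the FWIN/FWOUT comma layout is an assumption
# about ZoneAlarm's ZAlog.txt; adjust LINE_RE if your file looks different).
SAMPLE_LOG = """\
FWIN,2005/03/12,10:00:05 -6:00 GMT,67.163.93.18:3301,192.168.1.5:10169,TCP (flags:S)
FWIN,2005/03/12,10:01:02 -6:00 GMT,67.163.93.18:3305,192.168.1.5:10169,TCP (flags:S)
FWIN,2005/03/12,10:02:11 -6:00 GMT,67.163.93.18:3312,192.168.1.5:10169,TCP (flags:S)
FWIN,2005/03/12,10:02:40 -6:00 GMT,10.20.30.40:6881,192.168.1.5:6881,TCP (flags:S)
FWIN,2005/03/12,10:03:07 -6:00 GMT,67.163.93.18:3320,192.168.1.5:10169,TCP (flags:S)
FWIN,2005/03/12,10:05:30 -6:00 GMT,141.158.167.37:1044,192.168.1.5:10169,TCP (flags:S)
FWOUT,2005/03/12,10:05:31 -6:00 GMT,192.168.1.5:1100,10.9.8.7:80,TCP (flags:S)
FWIN,2005/03/12,10:09:15 -6:00 GMT,141.158.167.37:1051,192.168.1.5:10169,TCP (flags:S)
"""

LINE_RE = re.compile(
    r"^(?P<kind>FWIN|FWOUT),(?P<date>\d{4}/\d{2}/\d{2}),(?P<time>\d{2}:\d{2}:\d{2}) [^,]*,"
    r"(?P<src>[\d.]+):(?P<sport>\d+),(?P<dst>[\d.]+):(?P<dport>\d+),(?P<proto>\w+)"
)


def parse_events(text):
    """Yield (timestamp, source ip, destination port, protocol) for each blocked inbound record."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("kind") != "FWIN":
            continue  # outbound records and lines we cannot parse are ignored
        ts = datetime.strptime(f"{m.group('date')} {m.group('time')}", "%Y/%m/%d %H:%M:%S")
        yield ts, m.group("src"), int(m.group("dport")), m.group("proto")


def summarize(text, min_hits=3):
    """Group inbound blocks by (source ip, destination port) and keep pairs seen min_hits or more times.

    Returns {(src, dport): {"hits": n, "per_minute": rate, "first": ts, "last": ts}}.
    """
    buckets = defaultdict(list)
    for ts, src, dport, _proto in parse_events(text):
        buckets[(src, dport)].append(ts)
    report = {}
    for key, stamps in buckets.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        span_minutes = (stamps[-1] - stamps[0]).total_seconds() / 60.0
        minutes = max(span_minutes, 1.0)  # a burst inside one minute counts as one minute
        report[key] = {
            "hits": len(stamps),
            "per_minute": round(len(stamps) / minutes, 2),
            "first": stamps[0],
            "last": stamps[-1],
        }
    return report


def ports_by_source_count(text):
    """Destination ports hit by more than one distinct source, i.e. several senders aiming at one port."""
    sources = defaultdict(set)
    for _ts, src, dport, _proto in parse_events(text):
        sources[dport].add(src)
    return {port: sorted(srcs) for port, srcs in sources.items() if len(srcs) > 1}


if __name__ == "__main__":
    for (src, port), info in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{src:>16} -> tcp/{port}: {info['hits']} hits, about {info['per_minute']}/min "
              f"between {info['first']:%H:%M:%S} and {info['last']:%H:%M:%S}")
    print("ports probed by more than one source:", ports_by_source_count(SAMPLE_LOG))
```

    Run against a real ZAlog.txt, the two reports answer the two questions in the post separately: `summarize` shows which single source is hammering a port and how fast, and `ports_by_source_count` shows whether different addresses are all aiming at the same port, which is the sign that it is a broad sweep rather than one box talking to you.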

  2. #2
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Some basic googling shows that no-one else (at least with a high google page ranking) has much clue what that port is commonly used for either...so it's probably NOT commonly used for much. (P.S. good basic reference for TCP/UDP port numbers/application reference http://www.iana.org/assignments/port-numbers )

    I know that there was a version of Ethereal released by Check Point that was supposed to work through their Secure Client host-firewall; of course it didn't work for me, YMMV.

    I would suggest using a Live CD to boot the computer and run Ethereal from there, if you're concerned about connecting your PC without a local firewall.

    You could also go do some research on different host firewalls and Ethereal, and see if one of them will work but allow ethereal to catch all traffic; I doubt it, but it's entirely possible. I think a Live CD (google for Knoppix or Live CD) is your best bet.
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Not sure what that port was used for. Not sure why someone would even scan for that.
    Is that the only port they were probing?

    A quick look over at incidents.org doesn't show much activity...
    Well... that's compared to something like bittorrent or 139

    Port 10169
    http://isc.sans.org/port_details.php...ays=70&Redraw=
    Port 6881
    http://isc.sans.org/port_details.php...ays=70&Redraw=
    Port 139
    http://isc.sans.org/port_details.php...ays=70&Redraw=

    However, you will notice that the source and destination reports for 10169 are pretty equal.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    Senior Member hesperus's Avatar
    Join Date
    Jan 2005
    Posts
    416
    In the process of downloading Knoppix.

    Yes, that is the only port. Also receiving hits at the same port from 141.158.167.37 cap.east.verizon.net (Virginia), less frequently though.

    IPs seem to hang around for a few days on my ISP so hopefully I can work my way through Knoppix tomorrow [frown].

    Any suggestions for getting a quick connection to the internet for a first time user of Knoppix appreciated.

  5. #5
    Senior Member IKnowNot's Avatar
    Join Date
    Jan 2003
    Posts
    792
    I'm curious about a few things here.

    1) where did you get the IP info from ( Australia and Virginia )
    What about N.J. and Pa. ??

    2) What programs are running when this happens?

    3) More important, what ports are open? ( you know you could try something like FPort to see what ports are being used )

    Just because the firewall is blocking the incoming port doesn't mean it is closed. It only appears closed from the outside looking in.
    " And maddest of all, to see life as it is and not as it should be" --Miguel Cervantes

  6. #6
    Senior Member hesperus's Avatar
    Join Date
    Jan 2005
    Posts
    416
    1. The IP info came from AntiOnline IP finder.

    2. Nothing out of the ordinary running (as per Hijack This). The only thing changed is my IP.

    3. Fport shows nothing running on that port.
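    IKnowNot's point is that a host firewall only hides the port from the outside; the question that matters is whether some local process actually holds it. FPort answers that on Windows, and the snippet below is an added example (not from the thread, not FPort's code) of the same check done from the inside with nothing but the standard library: it tries to bind the port and treats an address-in-use error as "a listener is already there". It assumes the OS reports a conflicting listener as EADDRINUSE, which Linux, macOS and Windows do for a plain bind without address reuse; ports below 1024 need administrator rights to test and the function raises rather than guessing.

```python
import errno
import socket


def port_has_local_listener(port, host="0.0.0.0"):
    """Return True if a local process already owns TCP `port`, False if the port is free.

    Binding 0.0.0.0 conflicts with a listener on any local address for that port,
    so one probe covers services bound to 127.0.0.1 as well as to all interfaces.
    """
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        probe.bind((host, port))
        return False  # bind succeeded: nothing is listening here, whatever the firewall shows outside
    except OSError as exc:
        if exc.errno == errno.EADDRINUSE:
            return True  # another socket holds the port (assumption: OS signals this as EADDRINUSE)
        raise  # permission denied or another failure: surface it instead of reporting "free"
    finally:
        probe.close()


def local_port_report(ports):
    """Map each port to a label so the result can be read beside the firewall log."""
    return {p: ("listener present" if port_has_local_listener(p) else "free") for p in ports}


def demo():
    """Self-check: open a throwaway loopback listener, probe it, close it, probe again."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0 lets the OS choose a free ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = port_has_local_listener(port)
    srv.close()
    after_close = port_has_local_listener(port)
    return while_open, after_close


if __name__ == "__main__":
    print("self-check (expected (True, False)):", demo())
    print(local_port_report([10169]))
```

    If the report says "free" for 10169 while the log keeps filling up, the traffic is hitting nothing on your side, which is the situation the later replies assume when they talk about opening the port just long enough to capture it.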

  7. #7
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    If nothing is running on that port then set the router to forward it to your internal address, fire up Ethereal and make yourself a capture. No harm can come because the port is closed.
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  8. #8
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Tiger, (s)he doesn't seem to have a router, it's a ZoneAlarm FW. And I think their concern with bringing down ZA is not specifically with this probe, but the general nastiness one is exposed to when surfing 'naked'.

    Haha, a new phrase! "Surf Naked", I like it!

  9. #9
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    That's what happens when you post at 5:37am.....

    ZoneAlarm still lets you open the port though doesn't it?

  10. #10
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Not a clue. Personally (and no offense hesperus), I think it's pretty delinquent to use only a host based firewall, and I've not been a user of Zone Alarm for over 3-4 years, so I don't know what it is capable of. I would *THINK* it is pretty robust, seeing as how Check Point recently bought them and are integrating a lot of their solutions with ZA.

    But you know what happens when we start thinking...similar to what happens when we ASSUME something.
