
Thread: port 1512

  1. #1
    BANNED
    Join Date
    Nov 2003
    Location
    San Diego
    Posts
    724

    port 1512

    My firewall log has been looking like this since this morning, and it's like that every 2-3 secs. Anyone have any idea what might be going on?


    2004-02-02 11:09:39 DROP TCP 80.61.3.154 68.11.255.80 47638 1512 48 S 3123468245 0 16384 - - -
    2004-02-02 11:09:41 DROP TCP 200.50.120.29 68.11.255.80 4327 1512 48 S 1242557604 0 64800 - - -
    2004-02-02 11:09:41 DROP TCP 68.39.39.115 68.11.255.80 4604 1512 48 S 1984756111 0 64240 - - -
    2004-02-02 11:09:44 DROP TCP 24.84.113.203 68.11.255.80 4431 1512 48 S 145587155 0 8192 - - -
    2004-02-02 11:09:44 DROP TCP 68.39.39.115 68.11.255.80 4604 1512 48 S 1984756111 0 64240 - - -
    2004-02-02 11:09:45 DROP TCP 80.61.3.154 68.11.255.80 47638 1512 48 S 3123468245 0 16384 - - -

  2. #2
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    WINS - Windows Internet Name Service

    That's the legitimate service that uses that port. Could also be a trojan, but I don't know of one that uses that port by default. Do you have any UDP traffic to the same port?

    Run "netstat -ano" or Fport from www.foundstone.com and see what process is using it.
    Windows 9x: n. A collection of 32 bit extensions and a graphical shell for a 16 bit patch to an 8 bit operating system originally coded for a 4 bit microprocessor. Written by a 2 bit company that can't stand 1 bit of competition.


  3. #3
    HeadShot Master N1nja Cybr1d's Avatar
    Join Date
    Jul 2003
    Location
    Boston, MA
    Posts
    1,840
    Check for spyware that is trying to dial home also.

  4. #4
    BANNED
    Join Date
    Nov 2003
    Location
    San Diego
    Posts
    724
    Thanks for the help, but I didn't really figure anything out.
    Ran netstat and fport; neither even shows 1512 as in use, but it's still showing up every 3-4 secs on my log.
    Also ran Spybot before I went to work.
    When death sleeps it dreams of you...

  5. #5
    Senior Member
    Join Date
    Aug 2003
    Posts
    1,018
    Just for my clarification....netstat and fport run inside the firewall right? So if his firewall is dropping the attempt...nothing would show up?

    If the attempt was coming from inside...the ip would be the same?

    Still having my morning coffee, so muh brain cells are not firing in unison yet...

  6. #6
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    Well, no, netstat and fport will still run, because they're looking at connections that have already been made and listening ports on the local machine. Port 1512 shouldn't have been running on the computer (unless it was a WINS server) and that's what I wanted to see.

    I'm not worried about the firewall right now...it appears to be doing its job because the packets aren't making it through the firewall (see firewall logs).

    What I wanted to know was: Is there a connection being made on any other port by a destination IP that matches the IPs in the firewall logs? If so, we need to find out who that IP is.


  7. #7
    Senior Member
    Join Date
    Jan 2004
    Posts
    124
    MuertO
    How about more details about your box... OS, firewall, type of internet connection???

    Interesting is that you have more than one IP address inbound on the same port. 576869746568617, what do you think? What could have made all those IP addresses try to connect to his computer?

    [edit]
    Ha, how couldn't I think of that
    576869746568617 is probably right. But there are other options too...
    Here at work I have a small LAN connected to the internet with NAT. NAT is then connected to the ISP with Cisco wireless. My firewall picks up broadcasts from other users on the same network segment. All customers that use wireless access have fixed IPs.
    Ikalo
    ------
    Make your knowledge your deadliest weapon.

  8. #8
    Yes, that's my CC number! 576869746568617's Avatar
    Join Date
    Dec 2003
    Location
    Earth
    Posts
    397
    The only obvious thing I can think of is a trojan that may have been broadcasting on that IP from that port.............

    [LIGHTBULB]Hey, wait....maybe the problem is not your network......it might be the IP![/LIGHTBULB]

    Your firewall uses NAT, right.....so the only public IP you have is the firewall, right......

    Is the public IP your firewall uses dynamic? Could be currently using an IP that was previously used by another system with a vulnerability on that port. Try renewing the IP and see if the packets stop.


  9. #9
    Junior Member
    Join Date
    Feb 2004
    Posts
    2
    This log looks like SRC DST SPRT DPRT LEN FLAGS SEQ and RSS MSS maybe?

    source ip/dest ip/source port/dest port/length/flags/sequence

    It looks suspicious because there are two identical packets (eg: same socket non-unique sequence numbers). This seems to indicate manual packet fabrication as in a spoofed synflood, note the S in what I assume is the flags section.

    It would be useful to see the rest of the log and note the repetition of specific IPs and ports.

    Actually, on second thought it may simply be the TCP stack on the clientside assuming a dropped packet due to nonresponse, but this does not explain why your machine is now receiving this traffic.
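
An added example, not part of any post in the thread: one way to check post #9's observation about repeated packets against the log from post #1. It assumes the field order the Windows XP built-in firewall writes in the `#Fields:` header of its log (date, time, action, protocol, src-ip, dst-ip, src-port, dst-port, size, tcpflags, tcpsyn, tcpack, tcpwin, icmptype, icmpcode, info); the function names are this example's own.

```python
from collections import defaultdict
from datetime import datetime

# Assumed field order: the "#Fields:" header of the XP firewall log.
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info").split()

# The six entries quoted in post #1.
SAMPLE = """\
2004-02-02 11:09:39 DROP TCP 80.61.3.154 68.11.255.80 47638 1512 48 S 3123468245 0 16384 - - -
2004-02-02 11:09:41 DROP TCP 200.50.120.29 68.11.255.80 4327 1512 48 S 1242557604 0 64800 - - -
2004-02-02 11:09:41 DROP TCP 68.39.39.115 68.11.255.80 4604 1512 48 S 1984756111 0 64240 - - -
2004-02-02 11:09:44 DROP TCP 24.84.113.203 68.11.255.80 4431 1512 48 S 145587155 0 8192 - - -
2004-02-02 11:09:44 DROP TCP 68.39.39.115 68.11.255.80 4604 1512 48 S 1984756111 0 64240 - - -
2004-02-02 11:09:45 DROP TCP 80.61.3.154 68.11.255.80 47638 1512 48 S 3123468245 0 16384 - - -
"""

def parse(text):
    """Yield one dict per well-formed entry; skip '#' headers and short lines."""
    for line in text.splitlines():
        parts = line.split()
        if line.startswith("#") or len(parts) != len(FIELDS):
            continue
        rec = dict(zip(FIELDS, parts))
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                        "%Y-%m-%d %H:%M:%S")
        yield rec

def summarize(text):
    """Group dropped SYNs by socket and sequence number.

    The same source ip/port with the same sequence number is one connection
    attempt seen again, not a new attempt.
    """
    seen = defaultdict(list)
    for r in parse(text):
        if r["action"] == "DROP" and r["protocol"] == "TCP" and r["tcpflags"] == "S":
            key = (r["src_ip"], r["src_port"], r["dst_port"], r["tcpsyn"])
            seen[key].append(r["when"])
    repeats = {k: [int((b - a).total_seconds()) for a, b in zip(t, t[1:])]
               for k, t in seen.items() if len(t) > 1}
    return {"attempts": len(seen),
            "sources": sorted({k[0] for k in seen}),
            "repeats": repeats}

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(result["attempts"], "distinct attempts from", len(result["sources"]), "sources")
    for key, gaps in result["repeats"].items():
        print("repeated SYN", key, "gaps (s):", gaps)
```

On the six quoted lines this reports four distinct attempts from four sources, two of them seen twice with gaps of 3 and 6 seconds between the repeats.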

  10. #10
    BANNED
    Join Date
    Nov 2003
    Location
    San Diego
    Posts
    724
    Windows XP Professional. I'm using the built-in firewall right now because I reformatted a week ago and haven't installed McAfee.
    I have a cable modem through Cox. I'm usually using a Linksys wireless router that my computer connects to with a cable, but my roommate moved out and took my router so I gotta go get it back from him. I have a tablet PC, a laptop, and 2 PDAs that usually connect through the router wirelessly, but none of them are online right now or have been in the last week.

    I'm gonna go run a remote AV scan right now.
