Are you guys willing to help me with this possible security issue?

Discussion in 'Software' started by Adrynalyne, Feb 25, 2004.

  1. Adrynalyne

    Adrynalyne Guest

    I'll be the first to admit I am no security guru.


    My connection is currently fully active sending and receiving. I haven't figured out what is happening.

    Check it out. This is my netstat -n results:

    Active Connections

    Proto Local Address Foreign Address State
    TCP 192.168.0.102:1032 207.46.106.177:1863 ESTABLISHED
    TCP 192.168.0.102:1050 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1053 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1055 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1056 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1058 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1059 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1061 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1063 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1066 192.168.0.100:139 TIME_WAIT
    TCP 192.168.0.102:1069 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1071 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1073 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1075 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1077 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1081 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1082 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1085 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1086 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1087 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1090 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1091 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1092 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1096 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1097 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1098 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1100 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1101 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1102 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1106 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1109 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1110 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1112 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1114 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1116 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1118 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1120 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1122 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1124 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1126 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1128 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1130 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1132 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1134 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1136 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1138 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1142 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1144 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1146 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1148 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1150 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1152 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1154 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1156 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1158 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1161 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1163 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1165 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1167 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1170 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1190 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1196 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1211 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1225 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1232 192.168.0.1:80 TIME_WAIT
    TCP 192.168.0.102:1238 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1249 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1251 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1262 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1275 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1277 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1279 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1281 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1283 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1285 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1287 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1289 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1291 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1293 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1295 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1297 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1299 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1301 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1303 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1305 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1307 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1309 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1311 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1313 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1315 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1317 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1319 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1321 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1323 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1325 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1327 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1329 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1331 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1333 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1335 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1337 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1339 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1341 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1343 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1345 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1347 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1349 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1351 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1353 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1355 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1357 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1359 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1362 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1364 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1366 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1368 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1370 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1372 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1374 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1376 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1378 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:1379 192.168.0.1:5678 ESTABLISHED
    TCP 192.168.0.102:2690 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:10021 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:19928 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:34885 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:46249 192.168.0.1:5678 TIME_WAIT


    This is my router log:


    Feb/25/2004 00:42:14
    Sending one E-mail Subject: Manual
    Feb/25/2004 00:32:42
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:41
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:40
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:39
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:38
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:37
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:36
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:34
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:33
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:32
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:31
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:30
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:29
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:28
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:27
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:26
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:25
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:23
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:22
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:21
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:20
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:19
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:18
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:17
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:16
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:15
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:14
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:12
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:11
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:10
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:09
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:08
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:07
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:06
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:05
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:04
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:03
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:01
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:32:00
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:59
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:58
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:57
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:56
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:55
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:54
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:53
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:52
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:50
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:49
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:48
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:47
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:46
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:45
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:44
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:43
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:42
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:41
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:39
    SYN Flood Attack Detect Packet Dropped
    Feb/25/2004 00:31:38
    SYN Flood Attack Detect Packet Dropped
    Feb/24/2004 23:07:02
    SMTP: send mail succeed
    Feb/24/2004 23:07:00
    Sending one E-mail Subject: Manual

    I don't get it?
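The listing and router log above are easier to reason about once they are summarised rather than read line by line. The following Python is added here as an example; it is not code from the poster or from MajorGeeks. It parses `netstat -n` lines (TCP only, since UDP endpoints carry no state and are skipped), groups them by foreign endpoint with a per-state count and the spread of local ports used, and pairs the router's two-line events (timestamp, then message) to measure how dense the "SYN Flood" burst was. The sample data is constructed from a handful of lines in the posts above; the labels in `KNOWN_PORTS` are assumed common-usage service names, and the grouping and burst heuristics are mine.

```python
"""Summarise `netstat -n` output and a two-line-per-event router log.

Example code added to the thread; sample inputs are constructed from the
poster's listing and are not the full original data.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample in the shape of `netstat -n` on Windows XP (a few rows only).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    192.168.0.102:1032     207.46.106.177:1863    ESTABLISHED
  TCP    192.168.0.102:1050     192.168.0.1:5678       TIME_WAIT
  TCP    192.168.0.102:1053     192.168.0.1:5678       TIME_WAIT
  TCP    192.168.0.102:1066     192.168.0.100:139      TIME_WAIT
  TCP    192.168.0.102:1232     192.168.0.1:80         TIME_WAIT
  TCP    192.168.0.102:1379     192.168.0.1:5678       ESTABLISHED
"""

# Constructed sample of the router's log format: a timestamp line, then a message line.
SAMPLE_ROUTER_LOG = """\
Feb/25/2004 00:32:42
SYN Flood Attack Detect Packet Dropped
Feb/25/2004 00:32:41
SYN Flood Attack Detect Packet Dropped
Feb/25/2004 00:32:40
SYN Flood Attack Detect Packet Dropped
Feb/25/2004 00:32:39
SYN Flood Attack Detect Packet Dropped
Feb/25/2004 00:32:38
SYN Flood Attack Detect Packet Dropped
Feb/24/2004 23:07:02
SMTP: send mail succeed
"""

# Assumed common-usage names for the foreign ports seen in the listing.
KNOWN_PORTS = {80: "http", 139: "netbios-ssn", 1863: "msnp (MSN Messenger)"}

# Matches TCP rows; UDP rows have "*:*" as foreign address and no state, so they do not match.
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def parse_netstat(text):
    """Return one dict per TCP connection row; header and blank lines are ignored."""
    conns = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if not m:
            continue
        proto, laddr, lport, faddr, fport, state = m.groups()
        conns.append({"proto": proto, "laddr": laddr, "lport": int(lport),
                      "faddr": faddr, "fport": int(fport), "state": state})
    return conns


def summarize(conns):
    """Group by foreign endpoint: state counts, LAN vs Internet, and local-port spread."""
    groups = defaultdict(lambda: {"states": Counter(), "lports": []})
    for c in conns:
        g = groups[(c["faddr"], c["fport"])]
        g["states"][c["state"]] += 1
        g["lports"].append(c["lport"])
    rows = []
    # Busiest endpoints first; ties keep first-seen order.
    for (faddr, fport), g in sorted(groups.items(), key=lambda kv: -sum(kv[1]["states"].values())):
        rows.append({
            "foreign": f"{faddr}:{fport}",
            "service": KNOWN_PORTS.get(fport, "unknown"),
            "scope": "lan" if ipaddress.ip_address(faddr).is_private else "internet",
            "total": sum(g["states"].values()),
            "states": dict(g["states"]),
            # A climbing run of distinct local ports to one endpoint means a local
            # process is repeatedly opening short connections to it.
            "local_port_range": (min(g["lports"]), max(g["lports"])),
        })
    return rows


def parse_router_log(text):
    """Pair each timestamp line with the message line that follows it."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    return [(datetime.strptime(ts, "%b/%d/%Y %H:%M:%S"), msg)
            for ts, msg in zip(lines[0::2], lines[1::2])]


def burst_stats(events, message="SYN Flood Attack Detect Packet Dropped"):
    """Count hits of `message`, the window they span, and the longest pause between hits."""
    times = sorted(t for t, m in events if m == message)
    if not times:
        return {"count": 0}
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    return {
        "count": len(times),
        "first": times[0].isoformat(sep=" "),
        "last": times[-1].isoformat(sep=" "),
        "span_s": (times[-1] - times[0]).total_seconds(),
        "max_gap_s": max(gaps) if gaps else 0.0,
    }


if __name__ == "__main__":
    for row in summarize(parse_netstat(SAMPLE_NETSTAT)):
        print(row)
    print(burst_stats(parse_router_log(SAMPLE_ROUTER_LOG)))
```

Run as-is to print both summaries. One LAN endpoint holding many TIME_WAIT entries across a climbing range of local ports is the signature of a local program opening short connections in a loop, which is consistent with what the thread later attributes to VMware and UPnP; a public address on a known service port (MSN Messenger on 1863 here) is ordinary outbound traffic. For the router log, the count together with the maximum gap tells you whether the hits were one continuous burst (gaps of about a second) or scattered over time.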
     
  2. Adrynalyne

    Adrynalyne Guest

    Now my connection is idle again.


    New netstat:


    Active Connections

    Proto Local Address Foreign Address State
    TCP 192.168.0.102:2272 207.46.107.21:1863 ESTABLISHED
    TCP 192.168.0.102:3073 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:11056 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:11312 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:36075 192.168.0.1:5678 TIME_WAIT
    TCP 192.168.0.102:45818 192.168.0.1:5678 TIME_WAIT

    My router log is empty.


    I don't understand what is happening.
     
    Last edited by a moderator: Feb 25, 2004
  3. Adrynalyne

    Adrynalyne Guest

    Ok, I figured out part of it.


    VMware was opening port 5678 and was going crazy for some reason.

    I'm guessing it's for the virtual NAT stuff.

    Not sure what was up with the router log though.
     
  4. Adrynalyne

    Adrynalyne Guest

    I lied. Netstat is going crazy again after reboot, when I turned off the VMware services.


    Ugh, what a headache.
     
  5. G.T.

    G.T. R.I.P February 4, 2007. You will be missed.

    I'm no net/security guru, but SYN Flood Attack and hits every second sound like somebody is knocking at your door... HARD. Keep all the doors bolted.
     
  6. Adrynalyne

    Adrynalyne Guest

    Ok, Universal Plug and Play HAS to be responsible for the rest.

    This seems to happen mostly on boot, then it dies down and stops after a bit.

    The connection goes quiet, and all of the connections close. I used packetmon to sniff the packets and they have upnp and ssdp written all over them.

    As for the Syn attacks, I can't think of anything I did to set off the router log like that.

    Maybe someone trying to access my UT 2k4 server that isn't up right now, *cough* ;) :eek: :D
     
  7. G.T.

    G.T. R.I.P February 4, 2007. You will be missed.

    In which case at least it's not a malicious attack. :D
     
  8. mr_flea

    mr_flea First Sergeant

    uh... that.... uh... would be me, but I swear, it was an accident... and I only did it twice! ;)

    and... uh... I might have pinged it a couple times too.... ya.........

    btw, all the 192.168.0.XXX IPs are local IPs so it might be something on your network.
     
  9. Kodo

    Kodo SNATCHSQUATCH

    the thing that gets me is that it's coming from your internal 102 addy to your gateway and it connected successfully twice.

    I would start watching netstat using the ActivePorts application on whatever machine has the last octet of 102.

    Activeports can be found on MG.
     
  10. Freddy

    Freddy Sergeant

    UPNP was part of a security alert some time ago. There are some components of UPnP you can disable if you don't do remote printing or share drives across the net. Don't have the specifics, but will check.
     
  11. Adrynalyne

    Adrynalyne Guest

    Yeah I was only worried about the syn packets being a security issue. *Points finger* :D :D

    Couldn't figure out what all the internal connections were until I used packetmon.
     
  12. Adrynalyne

    Adrynalyne Guest

    102 is my machine. Yeah I'll look at it some more, and let you guys know if I find out anything different from what I suspect.
     
  13. Adrynalyne

    Adrynalyne Guest

    Still?

    I know Steve Gibson made a stink about it (like he does most things, raw sockets anyone? :D)

    I thought it was fixed in SP1...
     