Computer Security Gurus: Quick ?

sh4dowf4lcon

New member
From time to time I run "netstat commands": netstat -a (active connections), netstat -n (numerical port order or something), and a few others, but anyway I keep finding strange IPs and such. Usually just a standard xx.xxx.xx.xxx IP, but not today.

I have been getting a few funny ones today:

gso56-152-203.triad.rr.com port 3531
lwby-199-224-85-64.ppp.lwby.epix.net port 4163
lwby-199-224-85-64.ppp.lwby.epix.net port 4164
ip-64-202-167-124.secureserver.net http established

I usually find IP numbers here, not all this other stuff. I went ahead and configured my firewall to block those computers since I have no clue who they are.

Any feedback?
 
Use ZoneAlarm to block out any port numbers besides the usual norm.

In my router I have pretty much EVERYTHING blocked out. No reason to have all those ports just "lyin' around...".
 
Port 3531 is P2P, like Shareaza, Gnutella, etc.
 
Is this supposed to be a server? What services are you supposed to be providing? What steps have you taken so that you expose only those services?

netstat -n says "Don't try to resolve the names, just show the numeric address." By default you're going to look up their "reverse DNS" names. You feeling bored or are you having a problem?
 
digger said:
Is this supposed to be a server? What services are you supposed to be providing? What steps have you taken so that you expose only those services?

netstat -n says "Don't try to resolve the names, just show the numeric address." By default you're going to look up their "reverse DNS" names. You feeling bored or are you having a problem?

Sorry for the delay, I was eating lunch. I just noticed my ISDN was running slow. Usually 128K of course, but today it was acting like a 28k dial up. So I checked the netstat stuff and found those weird computers I was not used to seeing.

Anyway, I did turn Kazaa on earlier looking for something, so that explains the use of 3531. I have already turned it off, but what about those computers using 4163 & 4164?

Digger, this is not a server. I have noticed internet working faster since I blocked those other computers with my firewall. I just thought it was weird how they displayed, I see what you mean about "reverse dns names". I was expecting an ip and got that other stuff, so I was confused.

Thanks
 
netstat is a rather simple tool that will not provide a complete picture.

What you wanna run is something like tcpdump. Or better yet, just figure out the services you need and must provide and use iptables to block the rest.
 
tcpdump? For God's sakes don't scare the poor lad.
 
DT, I know what tcpdump is. Just 'cause you are a respectable Aggie doesn't mean you are not still an Aggie. Stop pretending to be proud about it. lol
 
4163 and 4164 don't have "well known" services assigned to them. The question is what port on YOUR machine they were talking to. Takes two to tango. Your tool should tell you what port number on the local machine answered.

A little knowledge is a dangerous thing, though. We often get complaints from a Goober With a Firewall (GWF) who parrots back whatever his dime-store software tells him. "I'm being attacked by your nameserver!" (He queried a domain name), or "I'm being attacked by your web server!" (He requested a web page).
 
If you don't like the output from tcpdump, go get ethereal or something.
 
Digger, I already closed the command prompt and the computers aren't talking anymore. I think it was 1918 & 1929 on my side, but not 100% sure. I think I have ethereal around somewhere, I'll play with it and make better notes on the port numbers next time I suspect "funny stuff". Thanks guys.
 
They were probably random ports that the p2p software used. I think bittorrent uses 6881-6889 or so but some of them can use whatever is unassigned and open.
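The two points made above, that a connection line only makes sense once you know which port on YOUR machine was involved, and that P2P clients use ports such as 3531 and 6881-6889 plus whatever ephemeral ports happen to be free, can be checked mechanically. The script below is an added example for this thread, not code from any poster. It parses netstat output in the numeric (netstat -an) layout, so no reverse DNS names appear, and for each ESTABLISHED connection decides whether the local side was a listening service (inbound, the remote host contacted a service you expose) or an ephemeral client port (outbound, your own software opened the connection). The sample netstat text and the addresses in it are constructed for the example; the port hints are limited to what the thread names (HTTP/80, 3531 for Kazaa/Gnutella-style P2P, 6881-6889 for BitTorrent), and everything else is reported as unassigned.

```python
"""Tell inbound from outbound in netstat output (added example, not from the thread).

Reads text in the Windows `netstat -an` layout. A local port that also shows up
in a LISTENING entry is a service on this machine that answered; any other local
port is an ephemeral port, meaning software on this machine started the connection.
"""
import re

# Constructed sample of `netstat -an` output. Addresses are made up for the example;
# 1918/1929 are the local ports the original poster thought he saw.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.5:1918       199.224.85.64:4163     ESTABLISHED
  TCP    192.168.1.5:1929       199.224.85.64:4164     ESTABLISHED
  TCP    192.168.1.5:1930       64.202.167.124:80      ESTABLISHED
  TCP    192.168.1.5:1931       56.152.203.1:3531      ESTABLISHED
  TCP    192.168.1.5:6881       0.0.0.0:0              LISTENING
  TCP    192.168.1.5:6881       24.1.2.3:51234         ESTABLISHED
"""

# Service-port hints, restricted to ports the thread itself mentions.
PORT_HINTS = {80: "http", 3531: "p2p (Kazaa/Gnutella-style)"}
PORT_HINTS.update({p: "bittorrent" for p in range(6881, 6890)})

# One netstat line: proto, local addr:port, foreign addr:port, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\d+)\s*(\S*)\s*$")


def parse_netstat(text):
    """Return a list of dicts, one per socket line; header lines are skipped."""
    conns = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, laddr, lport, raddr, rport, state = m.groups()
        conns.append({
            "proto": proto, "laddr": laddr, "lport": int(lport),
            "raddr": raddr, "rport": int(rport), "state": state,
        })
    return conns


def classify(conns):
    """For each ESTABLISHED connection, say which side's port is the service port."""
    listening = {c["lport"] for c in conns if c["state"] == "LISTENING"}
    results = []
    for c in conns:
        if c["state"] != "ESTABLISHED":
            continue
        if c["lport"] in listening:
            # A service on this machine accepted the connection.
            direction, service_port = "inbound", c["lport"]
        else:
            # Local port is ephemeral: this machine opened the connection.
            direction, service_port = "outbound", c["rport"]
        results.append({
            "remote": f'{c["raddr"]}:{c["rport"]}',
            "local_port": c["lport"],
            "direction": direction,
            "service_port": service_port,
            "hint": PORT_HINTS.get(service_port, "unassigned/ephemeral"),
        })
    return results


if __name__ == "__main__":
    for r in classify(parse_netstat(SAMPLE_NETSTAT)):
        print(f'{r["remote"]:<24} local {r["local_port"]:<6} {r["direction"]:<9} '
              f'service port {r["service_port"]} ({r["hint"]})')
```

Run against the sample, the web connection to port 80 and the 3531 connection both come out as outbound, which is the "you requested a web page" case from the post above rather than an attack; the 4163/4164 connections are outbound to unassigned ports, consistent with a P2P client picking random ports; only the 6881 entry is inbound, because that port also appears as LISTENING. To use it on a live machine, feed it the output of netstat -an rather than the constructed sample.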
 