Re: Am I being hacked?

From: Copelandia Cyanescens (synesthesia_at_ix02x67invalid.net)
Date: 08/26/04


Date: Thu, 26 Aug 2004 10:57:48 +0000

Brian wrote...

>> So, if there's nothing listening on a port, and there's nothing making
>> outbound requests, then there's really not too much to worry about.
>>
> If there is nothing listening on port 1103, what service is it that sent the
> ICMP responses?

If your firewall is letting the incoming packets through, probably the
OS itself. Which might explain why ipnat.sys is involved. That's the
"standard and polite" way to respond when nothing is listening...
typically an ICMP Destination Unreachable Port Unreachable packet.

> Why six responses (3 blocked) and all on different outgoing ports?

You may be getting incoming pings on other ports and not know it.
There's all manner, shape and form of pings. The standard is an ICMP Echo
Request, but it's not at all unusual to see ACK or SYN requests used to
establish the state of a specific IP:PORT. There's also timestamp and
netmask requests. Sometimes you'll even see combinations of several
types of pings. I'd almost bet my last dollar that your firewall doesn't
catch everything, and especially things like ACK packets to port 80. To
which any typical system not running a web server would reply "not
listening". ;)

Some of the things you've related seem a little odd, but not so strange
they'd cause too much concern. The thing you should realize is that
these are not "connections". They're requests for connections, and your
machine is probably telling the world no. There's really no harm in that,
although the ultra paranoid tend to want "stealth", or absolutely no
reply at all.

-- 
Scrubbing floors and emptying bedpans has as much dignity as the
Presidency.
                                                -- Richard Nixon
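
Added example, not part of the original post: an ICMP Destination Unreachable / Port Unreachable reply quotes the IP header and first 8 bytes of the packet that triggered it (RFC 792), so decoding a logged outbound reply shows which inbound probe the OS was answering. The function names, the documentation-range addresses and the source port are assumptions made for this sketch; only port 1103 comes from the thread.

```python
import socket
import struct

ICMP_DEST_UNREACH, CODE_PORT_UNREACH = 3, 3

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left 0; sample data only)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def parse_ipv4(buf):
    """Return (header_length, protocol, src, dst) for the IPv4 header in buf."""
    ihl = (buf[0] & 0x0F) * 4
    return ihl, buf[9], socket.inet_ntoa(buf[12:16]), socket.inet_ntoa(buf[16:20])

def explain_port_unreachable(packet):
    """Decode an ICMP port-unreachable reply and name the probe that caused it.

    Returns None when the packet is not ICMP type 3 / code 3 or is truncated.
    """
    if len(packet) < 20:
        return None
    ihl, proto, replier, prober = parse_ipv4(packet)
    if proto != socket.IPPROTO_ICMP or len(packet) < ihl + 8:
        return None
    if (packet[ihl], packet[ihl + 1]) != (ICMP_DEST_UNREACH, CODE_PORT_UNREACH):
        return None
    quoted = packet[ihl + 8:]  # original IP header + first 8 bytes of its payload
    if len(quoted) < 20:
        return None
    q_ihl, q_proto, _q_src, _q_dst = parse_ipv4(quoted)
    if len(quoted) < q_ihl + 4:
        return None
    sport, dport = struct.unpack("!HH", quoted[q_ihl:q_ihl + 4])
    return {"replier": replier, "prober": prober, "probe_proto": q_proto,
            "probe_src_port": sport, "probed_port": dport}

# Constructed sample: 203.0.113.7 sends UDP to port 1103 on 192.0.2.10; nothing
# listens there, so the host's IP stack answers with ICMP type 3 code 3.
SAMPLE_PROBE = (ipv4_header("203.0.113.7", "192.0.2.10", socket.IPPROTO_UDP, 8)
                + struct.pack("!HHHH", 40000, 1103, 8, 0))
SAMPLE_REPLY = (ipv4_header("192.0.2.10", "203.0.113.7", socket.IPPROTO_ICMP,
                            8 + len(SAMPLE_PROBE))
                + struct.pack("!BBHI", 3, 3, 0, 0) + SAMPLE_PROBE)

if __name__ == "__main__":
    print(explain_port_unreachable(SAMPLE_REPLY))
```
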

