  koma3504 Advocate Premium join:2004-06-22 North Richland Hills, TX
2 edits | Sbc-Port-Scan-By-DNS-Server
 Udp-Scan |
I'm cruising along setting up Mom's computer. Computer froze, so I go look at the modem/router and, lo and behold, SBC scanned me.
What could cause this?
Note the time is off, as I just flashed it with the newest firmware for the unit. Edit: I have SPI (stateful packet inspection) enabled, with dead reckoning enabled also. -- Koma If YOu Don't Think It's Possable!! It's Acually A Reality!! The best way to predict the future is to invent it. Alan Kay ku^uipo_keleneka ® |
|
  koma3504 Advocate Premium join:2004-06-22 North Richland Hills, TX
1 edit | Re: Sbc-Port-Scan
 Udp-Scan2 |
Same deal as above. Edit:
System Log Message counts: Low 0, Medium 0, High 54, Alerts 18, Lost 0, Total 72 |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| reply to koma3504 Re: Sbc-Port-Scan-By-DNS-Server
If you do a DNS lookup, then your system makes a query with a random source port (say port 2910). If you repeat the lookup, it is likely to use the next port (2911).
Your logs just look to me as if they are from replies to 10 successive DNS queries from your system.
Maybe it is something else, but this looks like the simplest possible explanation. |
|
  koma3504 Advocate Premium join:2004-06-22 North Richland Hills, TX
1 edit | 77 times??? The second pic is that after I rebooted the router, and all I did was go to the router page.
The first time it happened it locked up Mom's computer. Fresh install of Windows XP SP2. This is a new system, and for some reason the Windows firewall was disabled after.
Thanks for the reply |
|
  DaSneaky1D one wall to block them all Premium,MVM join:2001-03-29 The Lou
·Charter Pipeline
| reply to koma3504 SBC isn't doing anything malicious. Those are their DNS and DNS caching servers:
Non-authoritative answer: 8.1.164.151.in-addr.arpa name = dns1.rcsntx.sbcglobal.net.
Non-authoritative answer: 105.30.164.151.in-addr.arpa name = dnscache2.rcsntx.sbcglobal.net. -- :: my trivial ramblings :: |
|
  koma3504 Advocate Premium join:2004-06-22 North Richland Hills, TX | OK, explain how come this isn't an everyday thing, as you can see from the screenshots. So are you saying that my router is logging an incorrect IP????? |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL | You might want to look at this thread »DNS port scan which reports something a little similar. |
|
  DaSneaky1D one wall to block them all Premium,MVM join:2001-03-29 The Lou
·Charter Pipeline
| reply to koma3504 No, I would be more apt to think something on that pc is doing a lot of look ups when it's turned on.
DNS queries are UDP based. Do you have a way to see what the source port is? When a DNS look up takes place, your pc will pick whatever available port outgoing, but heads towards UDP port 53. When the server returns the query result, it will return it through the same port the pc originally used...hence your pc seeing it as an incoming "probe". -- :: my trivial ramblings :: |
|
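The explanation given in the replies above, worked as an added example that is not part of any poster's message: it separates blocked UDP packets that fit the DNS-reply pattern (known resolver, source port 53, client-side destination port) from ones that do not. The log format, the client address 192.0.2.10 and the third source address are constructed for illustration; the two resolver addresses are the ones in the reverse lookups quoted in the thread.

```python
import re
from collections import defaultdict

# Resolver addresses taken from the reverse lookups quoted in the thread.
RESOLVERS = {"151.164.1.8", "151.164.30.105"}

# Constructed log lines in a hypothetical format (not the router's real output).
SAMPLE_LOG = """\
15:24:01 UDP 151.164.1.8:53 -> 192.0.2.10:2910 blocked
15:24:01 UDP 151.164.1.8:53 -> 192.0.2.10:2911 blocked
15:24:02 UDP 151.164.1.8:53 -> 192.0.2.10:2912 blocked
15:24:02 UDP 151.164.30.105:53 -> 192.0.2.10:2913 blocked
15:24:03 UDP 151.164.30.105:53 -> 192.0.2.10:2914 blocked
15:24:05 UDP 198.51.100.7:40112 -> 192.0.2.10:135 blocked
15:24:05 UDP 198.51.100.7:40112 -> 192.0.2.10:1434 blocked
"""
LINE = re.compile(r"^\S+ UDP ([\d.]+):(\d+) -> [\d.]+:(\d+) blocked$")

def parse(log):
    """Return {source_ip: [(src_port, dst_port), ...]} for blocked UDP packets."""
    hits = defaultdict(list)
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            hits[m.group(1)].append((int(m.group(2)), int(m.group(3))))
    return dict(hits)

def classify(ip, packets):
    """DNS replies come from a known resolver, source port 53, to a client port."""
    if ip in RESOLVERS and all(sp == 53 and dp >= 1024 for sp, dp in packets):
        return "DNS replies"
    return "unexplained"

def longest_port_run(log):
    """Longest run of consecutive destination ports among port-53 packets."""
    ports = sorted({dp for pk in parse(log).values() for sp, dp in pk if sp == 53})
    best = run = 1 if ports else 0
    for a, b in zip(ports, ports[1:]):
        run = run + 1 if b - a == 1 else 1
        best = max(best, run)
    return best

def triage(log):
    """Map each source address in the log to a verdict."""
    return {ip: classify(ip, pk) for ip, pk in parse(log).items()}

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG).items():
        print(f"{ip:16} {verdict}")
    print("consecutive client ports:", longest_port_run(SAMPLE_LOG))
```

A source port of 53 is chosen by the sender, so the check also requires the address to be one of the resolvers the line actually uses; the run of consecutive destination ports is the pattern the first reply describes for successive lookups.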
  koma3504 Advocate Premium join:2004-06-22 North Richland Hills, TX | reply to nwrickert Thanks, but neither one of those situations existed. |
|
  koma3504 Advocate Premium join:2004-06-22 North Richland Hills, TX
1 edit | reply to DaSneaky1D said by DaSneaky1D: No, I would be more apt to think something on that pc is doing a lot of look ups when it's turned on. DNS queries are UDP based. Do you have a way to see what the source port is? When a DNS look up takes place, your pc will pick whatever available port outgoing, but heads towards UDP port 53. When the server returns the query result, it will return it through the same port the pc originally used...hence your pc seeing it as an incoming "probe".
Actually, I had just rebooted the computer and I was the one behind the computer, and that is not what I was doing; I was transferring files from one hard drive to another one.
The only place I went after the reboot of the computer and the Cayman router was the Cayman GUI. Thanks again -- Koma If YOu Don't Think It's Possable!! It's Acually A Reality!! The best way to predict the future is to invent it. Alan Kay ku^uipo_keleneka ® |
|
  DaSneaky1D one wall to block them all Premium,MVM join:2001-03-29 The Lou
·Charter Pipeline
| You could have something else doing DNS look ups without your knowing.
What programs start up when the PC boots? Is it a manufacturer PC that has "help" software that checks home on boot? MSN messenger? -- :: my trivial ramblings :: |
|
  koma3504 Advocate Premium join:2004-06-22 North Richland Hills, TX
1 edit | Umm, this is a fresh install of Windows XP Home SP2. Custom-built AMD 3000+ with a gig of dual-channel memory, with an Abit motherboard and a demon 580 watt power supply.
Startup programs include Zone Alarm the stable one, Trend Micro Internet Security, Spybot Search and Destroy, SpywareBlaster, WinPatrol.
And as I stated above, I have dead reckoning enabled as well as stateful packet inspection.
Thanks again
Edit: just got done doing about 30 nslookups; that won't replicate it. Any other suggestions will be most welcome.
I've also had HijackThis run on startup; it doesn't find anything either. -- Koma If YOu Don't Think It's Possable!! It's Acually A Reality!! The best way to predict the future is to invent it. Alan Kay ku^uipo_keleneka ® |
|
  removed Crisis Management Squad Premium,VIP join:2002-02-08 Houston, TX clubs: | reply to koma3504 Highly recommended reading.
»You pinged me you dog |
|
  koma3504 Advocate Premium join:2004-06-22 North Richland Hills, TX
| Umm, I reread that; I had read that some time back. The IP there is for net access.
The ones I'm showing are for DNS, and wow, I can't get it to replicate and it hasn't happened since the last screenshot above at 3:24:06 pm CST -- Koma If YOu Don't Think It's Possable!! It's Acually A Reality!! The best way to predict the future is to invent it. Alan Kay ku^uipo_keleneka ® |
|
  removed Crisis Management Squad Premium,VIP join:2002-02-08 Houston, TX clubs:
| You may have read it, but I don't think you understood the point. This is common Internet "background noise". Ignore it.
People reading their router/firewall logs are wasting their time. Usually it leads to stupid emails like the ones in the link above, but sometimes it gets to be downright nuts: »http://69.50.169.23/
Like I said - just ignore it! -- AIM | B | irc.removed.us - #dslr | Give me a ring: 718-606-4100 |
|
  koma3504 Advocate Premium join:2004-06-22 North Richland Hills, TX 1 edit | OK, then why did it lock up my mom's computer??? And from the DNS servers, on 77 ports??? |
|
  removed Crisis Management Squad Premium,VIP join:2002-02-08 Houston, TX clubs: | What proof do you have that this locked it up? Check Event Viewer and do standard troubleshooting. A few pings that hit the modem aren't going to do anything to computers on the network... |
|
  koma3504 Advocate Premium join:2004-06-22 North Richland Hills, TX
1 edit | Why else would a new computer with a fresh install lock up? Umm, I unhooked the Ethernet cable and the computer unfroze, so I go OK, plug it back in. Well, I ended up having to kill it at the power switch. I immediately logged on to the recovery console and ran chkdsk /r |
|
  removed Crisis Management Squad Premium,VIP join:2002-02-08 Houston, TX clubs: | Because even fresh installs can fail from time to time. You're way too quick to blame this on the DSL.
Seriously ... not everything here is a conspiracy.  |
|
  koma3504 Advocate Premium join:2004-06-22 North Richland Hills, TX
| said by removed: Because even fresh installs can fail from time to time. You're way too quick to blame this on the DSL. Seriously ... not everything here is a conspiracy.
I didn't say it was. It works flawlessly otherwise, and why hasn't it happened since the port scans???
You know, with stateful packet inspection enabled.
What are the chances of this being a scan from SBC, scanning a dynamic account to make sure they're not running a web server?
Yes, I have been told that SBC does this by someone that called me back from the NOC at SBC -- Koma If YOu Don't Think It's Possable!! It's Acually A Reality!! The best way to predict the future is to invent it. Alan Kay ku^uipo_keleneka ® |
|