Re: [SLUG] Hmmmmm

From: Ken Billings (ken@coffeehouseltd.com)
Date: Sat Apr 20 2002 - 12:30:27 EDT


Let me see if I have this right... Someone was connecting from
209.61.157.131 source ports 3132 and 3133 through your router to your
wife's 98 box on destination port 80. I'm assuming you got the ports
information from zonealarm, right? ZA didn't complain, and just let
that traffic in on a supposedly unused port? That doesn't sound like a
very good situation to me...
I have a few questions:
You didn't happen to capture any of the packets with tcpdump or ethereal
or anything, did you?
What kind of hardware/software is your router?
Are you running any sort of real firewall?
Have you checked ZA's application database to see if anything is
registered with it to use port 80? Also, what level of protection is it
set for?

I would seriously suggest changing your setup to block this sort of
traffic. Before you do that though, I'd set up tcpdump to capture all
incoming port 80 packets (maybe _all_ non-normal traffic if you have the
space), so you can see what this person is doing with your machine. In
any case, one of the basic rules of security is if you even _suspect_
the box has been compromised, reinstall the OS and firewall it before
you connect it to the network.

-Ken

On Sat, 2002-04-20 at 00:49, Bill wrote:
> My router lights looked like a science fiction computer just before I left
> for work yesterday afternoon, but a quick check of the logs didn't turn up
> anything scary. I bounced every one of the servers I am running and nothing
> changed so I went off to work. When I got home a half hour ago, the same
> situation was still occurring.
>
> This time I saw the ip address 209.61.157.231 coming in on port 3132 / 3133
> and being responded to via http off my wife's Win 98 machine (running Zone
> Alarm). So I checked that address out with nmap and almost instantly the wild
> lights on the router immediately went silent. Whois says the IP address is
> owned by a bloke in Sault Ste. Marie, ON.
>
> To the best of my knowledge, my wife's machine does not have any form of HTTP
> installed.
>
>
> Any thoughts on this would be welcomed.
>
> Bill
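Ken's advice above is to capture the inbound port 80 packets before changing anything, then look at what the outside host is actually sending. The following shell script is an added example, not code posted by Ken, Bill or the list: it prints the tcpdump invocation for that capture and then summarizes a tcpdump text dump by source address so that an unexpected outside host hitting port 80 stands out. The interface name eth1 and the address 192.168.1.10 for the Win 98 box are assumed placeholders, and the tcpdump output lines are constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the thread): capture inbound port-80 traffic on a
# Linux router with tcpdump, then summarize a text dump by source host.
# Assumptions (hypothetical): the LAN-facing interface is eth1 and the
# Windows 98 box sits at 192.168.1.10.

LAN_IF="eth1"
WIN98_HOST="192.168.1.10"

# Build the tcpdump command that writes a full-packet capture (-s 0) of
# everything arriving at the Win 98 box on TCP port 80 to a pcap file.
# The command is printed rather than run so this script works without
# root or tcpdump installed; paste it into a root shell on the router.
capture_cmd() {
    printf 'tcpdump -n -i %s -s 0 -w port80-inbound.pcap "tcp and dst host %s and dst port 80"\n' \
        "$LAN_IF" "$WIN98_HOST"
}

# Summarize tcpdump text output (as produced by: tcpdump -n -r file.pcap):
# count connection attempts (SYN only, not SYN/ACK) per source address
# aimed at port 80. Reads stdin; prints "<count> <src-ip>", busiest first.
summarize_syns() {
    awk '
        # Field 3 is "src.port" (e.g. 209.61.157.231.3132), field 5 is
        # "dst.port:"; keep only SYNs whose destination port is 80.
        $2 == "IP" && $5 ~ /\.80:$/ && /Flags \[S\]/ {
            src = $3
            sub(/\.[0-9]+$/, "", src)   # strip the source port
            n[src]++
        }
        END { for (s in n) printf "%d %s\n", n[s], s }
    ' | sort -rn
}

# Constructed sample lines in the shape tcpdump -n prints (not real traffic):
# two SYNs from an outside host on source ports 3132/3133, the box's SYN/ACK
# reply, and one SYN from another LAN machine.
SAMPLE_LINES='12:30:27.000001 IP 209.61.157.231.3132 > 192.168.1.10.80: Flags [S], seq 1, win 8192, length 0
12:30:27.000002 IP 192.168.1.10.80 > 209.61.157.231.3132: Flags [S.], seq 2, ack 2, win 8192, length 0
12:30:27.000003 IP 209.61.157.231.3133 > 192.168.1.10.80: Flags [S], seq 3, win 8192, length 0
12:30:28.000001 IP 192.168.1.20.1025 > 192.168.1.10.80: Flags [S], seq 4, win 8192, length 0'

# Busiest source in the sample: returns "2 209.61.157.231".
top_source() {
    printf '%s\n' "$SAMPLE_LINES" | summarize_syns | head -n 1
}

capture_cmd
printf '%s\n' "$SAMPLE_LINES" | summarize_syns
```

The summary only counts SYN packets that the Win 98 box receives, so the box's own SYN/ACK replies do not inflate the count; once the real pcap exists, the same filter run over `tcpdump -n -r port80-inbound.pcap` shows which hosts are initiating the sessions, and `tcpdump -n -A -r port80-inbound.pcap` shows what they are asking the supposed HTTP listener for.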



This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 20:19:53 EDT