i think i've got a serious problem...
windows xp pro
1 ghz p3
256 megs ram
the pc i'm attempting to turn into a web server has been receiving all sorts of communications that i dub "suspicious" for lack of a better term. sygate personal firewall pro isn't logging any suspicious activity, and the communications aren't going through, but when i checked my router log for unsolicited inbound communications, this is what i found
Date Time Src Src_Port Dest Dest_Port
06/20/2004 16:36:33 24.176.185.60 2276 192.168.2.101 3127
06/20/2004 16:42:17 81.225.170.214 2560 192.168.2.101 1025
06/20/2004 16:53:45 216.208.81.148 4745 192.168.2.101 1025
06/20/2004 16:53:45 216.208.81.148 4746 192.168.2.101 5000
06/20/2004 16:54:29 61.138.203.37 3059 0.0.0.0 21
06/20/2004 17:10:05 218.187.184.147 3464 192.168.2.101 9898
06/20/2004 17:15:54 211.161.56.62 3841 192.168.2.101 9898
06/20/2004 17:21:55 65.34.158.245 4090 192.168.2.101 2745
06/20/2004 17:24:17 64.231.91.150 3411 192.168.2.101 5554
06/20/2004 17:24:17 64.231.91.150 3673 192.168.2.101 9898
06/20/2004 17:24:48 81.40.210.131 3530 192.168.2.101 9898
06/20/2004 17:40:41 82.48.151.31 1353 0.0.0.0 21
06/20/2004 17:44:08 81.65.249.143 3398 192.168.2.101 5554
06/20/2004 17:44:08 81.65.249.143 3656 192.168.2.101 9898
06/20/2004 17:46:22 64.7.245.230 666 192.168.2.101 1026
06/20/2004 17:46:22 64.7.245.230 666 192.168.2.101 1027
06/20/2004 18:03:53 65.204.145.20 4860 192.168.2.101 5554
06/20/2004 18:03:54 65.204.145.20 1133 192.168.2.101 9898
i looked up most of the destination ports on the list, and almost all of them are used in various trojans. i'm not too clear on what all these communications mean, but i'm wondering why so many different ip's are attempting to access trojan-related ports on my pc. could it be some sort of automated drone attack initiated by a single malicious user? my other suspicion was that maybe the pc has already been "acquired" as a drone by a malicious user, and this person is sharing the information with others? i really appreciate any advice
EDIT sorry about the readability of the log, i spaced everything into columns, but when i posted the site automatically changed it
Last edited by bacon_masta; 06-20-2004 at 02:21 PM..
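One way to triage a router log like the one in the post above (an added example, not part of the original post): group the blocked inbound attempts by destination port and by source, so it is clear which ports are being probed by several unrelated addresses and which sources try more than one port within a few seconds. The sample lines are copied from the post; the function names and the 5-second window are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

# Subset of the router log lines from the post (whitespace-separated columns).
SAMPLE_LOG = """\
Date Time Src Src_Port Dest Dest_Port
06/20/2004 17:10:05 218.187.184.147 3464 192.168.2.101 9898
06/20/2004 17:24:17 64.231.91.150 3411 192.168.2.101 5554
06/20/2004 17:24:17 64.231.91.150 3673 192.168.2.101 9898
06/20/2004 17:44:08 81.65.249.143 3398 192.168.2.101 5554
06/20/2004 17:44:08 81.65.249.143 3656 192.168.2.101 9898
06/20/2004 17:46:22 64.7.245.230 666 192.168.2.101 1026
06/20/2004 17:46:22 64.7.245.230 666 192.168.2.101 1027
"""

def parse_log(text):
    """Yield (timestamp, src_ip, dest_port) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        try:
            ts = datetime.strptime(parts[0] + " " + parts[1], "%m/%d/%Y %H:%M:%S")
            yield ts, parts[2], int(parts[5])
        except (ValueError, IndexError):
            continue  # header row, blank line or damaged entry

def sources_per_port(events):
    """Map each destination port to the set of distinct source IPs."""
    ports = defaultdict(set)
    for _, src, dport in events:
        ports[dport].add(src)
    return dict(ports)

def multi_port_sources(events, window_seconds=5):
    """Sources that tried two or more different ports within the window."""
    by_src = defaultdict(list)
    for ts, src, dport in events:
        by_src[src].append((ts, dport))
    result = {}
    for src, hits in by_src.items():
        hits.sort()
        ports = {p for (t1, p1), (t2, p2) in zip(hits, hits[1:])
                 if p1 != p2 and (t2 - t1).total_seconds() <= window_seconds
                 for p in (p1, p2)}
        if ports:
            result[src] = sorted(ports)
    return result

if __name__ == "__main__":
    ev = list(parse_log(SAMPLE_LOG))
    print(sources_per_port(ev), multi_port_sources(ev))
```
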