bacon_masta

windows xp pro
1 ghz p3
256 megs ram

the pc i'm attempting to turn into a web server has been recieving all sorts of communications that i dub "suspicious" for lack of a better term. sygate personal firewall pro isn't logging any suspicious activity, and the communications aren't going through, but when i checked my router log for unsolicited inbound communications, this is what i found

Date Time Src Src_Port Dest Dest_Port
06/20/2004 16:36:33 24.176.185.60 2276 192.168.2.101 3127
06/20/2004 16:42:17 81.225.170.214 2560 192.168.2.101 1025
06/20/2004 16:53:45 216.208.81.148 4745 192.168.2.101 1025
06/20/2004 16:53:45 216.208.81.148 4746 192.168.2.101 5000
06/20/2004 16:54:29 61.138.203.37 3059 0.0.0.0 21
06/20/2004 17:10:05 218.187.184.147 3464 192.168.2.101 9898
06/20/2004 17:15:54 211.161.56.62 3841 192.168.2.101 9898
06/20/2004 17:21:55 65.34.158.245 4090 192.168.2.101 2745
06/20/2004 17:24:17 64.231.91.150 3411 192.168.2.101 5554
06/20/2004 17:24:17 64.231.91.150 3673 192.168.2.101 9898
06/20/2004 17:24:48 81.40.210.131 3530 192.168.2.101 9898
06/20/2004 17:40:41 82.48.151.31 1353 0.0.0.0 21
06/20/2004 17:44:08 81.65.249.143 3398 192.168.2.101 5554
06/20/2004 17:44:08 81.65.249.143 3656 192.168.2.101 9898
06/20/2004 17:46:22 64.7.245.230 666 192.168.2.101 1026
06/20/2004 17:46:22 64.7.245.230 666 192.168.2.101 1027
06/20/2004 18:03:53 65.204.145.20 4860 192.168.2.101 5554
06/20/2004 18:03:54 65.204.145.20 1133 192.168.2.101 9898

i looked up most of the destination ports on the list, and almost all of them are used in various trojans. i'm not too clear on what all these communications mean, but i'm wondering why so many different ip's are attempting to access trojan-related ports on my pc. could it be some sort of automated drone attack initiated by a single malicious user? my other suspicion was that maybe the pc has already been "acquired" as a drone by a malicious user, and this person is sharing the information with others? i really appreciate any advice

EDIT sorry about the readability of the log, i spaced everything into columns, but when i posted the site automatically changed it

cliche

How's the port forwarding on your router set up? You should make sure it only forwards the necessary incoming ports (traditionally only 80 unless you want games, FTP etc). Sometimes you find people using the 'DMZ' option which can be a worry as it exposes your computer to the full brunt of the internet (so need a good firewall!). It looks from your log that it might be trying to forward these random packets to your computer (if it's 192.168.2.101) - these should ideally be dropped at the router level and not allowed anywhere near your server.

Similarly, check your firewall and make sure it's only allowing incoming connections on the ports you want. I don't know anything about sygate but there should be details in there somewhere.

Lastly, look at the ports you do have open and make sure the servers on those ports are as up to date as possible. I assume, again, you have at least port 80 open through both the router and your firewall - make sure that the apache/IIS/whatever behind it is fully patched.

If all the above is OK, you should be fine. There are plenty of script kiddies out there who'll have a play with a server when it appears - mostly they seem to be looking for vulnerabilities to mess with your computer - either taking advantage of a trojan you happen to have on your computer, or weaknesses in the servers running on the ports you have open (you'll probably see some funny http log entries too)... don't worry, but keep up to date!

__________________
I can't understand why people are frightened of new ideas. I'm frightened of the old ones. -- John Cage (1912 - 1992)

bacon_masta

thanks for the reassurance...guess i should drop the dmz hosting and go with packet forwarding. got ports 21 and 80 forwarded right now. everything's up to date, and avg and mcafree both said there's no infection. really appreciate the help cliche.