#1
.... but I've just been looking at my firewall log file (Windows XP Home Edition V5.1 + Service Pack 1) and noticed that I have several groups of 'dropped packets' from 217.39.173.231. 'Whois' tells me this is a BT Public Internet Service address - my ISP is NTL and I'm connected via NTL cable. So why would a BT server somewhere be wanting to talk to my PC in such a manner that the Firewall disallows it? (You can probably tell I have just slightly less knowledge than is required to be dangerous ... !)
#2
Mike Faithfull said this...
> ... but I've just been looking at my firewall log file (Windows XP Home
> Edition V5.1 + Service Pack 1) and noticed that I have several groups of
> 'dropped packets' from 217.39.173.231. 'Whois' tells me this is a BT
> Public Internet Service address - my ISP is NTL and I'm connected via
> NTL cable. So why would a BT server somewhere be wanting to talk to my
> PC in such a manner that the Firewall disallows it? (You can probably
> tell I have just slightly less knowledge than is required to be
> dangerous ... !)

Hi Mike. What sort of firewall are you running? Is it possible to give any further information from the log such as local and remote port numbers? It could be malicious or it may just be background noise, it's impossible to tell without more detailed info.

--
º~ dªv¡d ~º
#3
"Groove" <(E-Mail Removed)> wrote in message news:Xns93BB83CDBDB22d4v1d@62.253.162.114...
> Mike Faithfull said this...
> > ... but I've just been looking at my firewall log file (Windows XP Home
> > Edition V5.1 + Service Pack 1) and noticed that I have several groups of
> > 'dropped packets' from 217.39.173.231.
>
> Hi Mike. What sort of firewall are you running? Is it possible to give any
> further information from the log such as local and remote port numbers?
> It could be malicious or it may just be background noise, it's impossible
> to tell without more detailed info.

It's the one built in to XP. It produces a log file called pfirewall.log that captures certain events. Here's an entry ...

DROP TCP 217.39.173.231 213.104.104.35 4619 1433 48 S 1858592789 0 16384

According to the headings, the data represents: action, protocol, source IP, destination IP, source port, destination port, size, tcpflags, tcpsyn, tcpack, tcpwin

I have had similar entries (dropped packets, I mean, I don't know about the other numbers) from strange places like Poland, Slovenia and Japan.
#4
Mike Faithfull said this...
> DROP TCP 217.39.173.231 213.104.104.35 4619 1433 48 S 1858592789 0 16384
> action, protocol, source IP, destination IP, source port, destination
> port, size, tcpflags, tcpsyn, tcpack, tcpwin
>
> I have had similar entries (dropped packets, I mean, I don't know about
> the other numbers) from strange places like Poland, Slovenia and Japan.

If I read this correctly, this is something tapping at your port 1433. IIRC there was a worm a while back that used this port. However, the dropped packet is good, your firewall is not allowing access.

Hopefully there are wiser heads than mine that can add to this thread, but in the meantime I would recommend you look at a "proper" firewall for your system. The XP built-in firewall is very limited in function.

--
º~ dªv¡d ~º
#5
In article <v1yRa.13391$(E-Mail Removed)>, (E-Mail Removed) says...
> "Groove" <(E-Mail Removed)> wrote in message
> news:Xns93BB83CDBDB22d4v1d@62.253.162.114...
> > Mike Faithfull said this...
> > > ... but I've just been looking at my firewall log file (Windows XP Home
> > > Edition V5.1 + Service Pack 1) and noticed that I have several groups of
> > > 'dropped packets' from 217.39.173.231.
> >
> > Hi Mike. What sort of firewall are you running? Is it possible to give any
> > further information from the log such as local and remote port numbers?
> > It could be malicious or it may just be background noise, it's impossible
> > to tell without more detailed info.
>
> It's the one built in to XP. It produces a log file called pfirewall.log
> that captures certain events. Here's an entry ...
>
> DROP TCP 217.39.173.231 213.104.104.35 4619 1433 48 S 1858592789 0 16384

Port 1433 is used by MS SQL Server, so if you're not running that you needn't worry anyway. It's quite likely that a BTOpenworld customer (unknowingly) has a worm that is trying to exploit a known vulnerability in MS SQL Server.

> I have had similar entries (dropped packets, I mean, I don't know about the
> other numbers) from strange places like Poland, Slovenia and Japan.

You will see dropped packets whenever something "outside" attempts to initiate a connection to your machine - any time the firewall thinks that the packets it receives aren't part of an exchange that you initiated. They are a result of worms, hackers, badly configured networks, buggy software ... if they're not getting in you don't need to worry about them too much.
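Added example, not part of any post in this thread: a small Python triage script that reads pfirewall.log entries in the field order quoted above and groups the dropped, SYN-only TCP packets (the unsolicited connection attempts described in the last reply) by destination port and source. The handling of a `#Fields:` header line is an assumption about the "headings" mentioned in the thread, and every sample line after the first is constructed, using documentation address ranges.

```python
from collections import Counter, defaultdict

# Field order as quoted in the thread; real logs may prepend date/time, which
# a "#Fields:" header line (if present) declares and overrides this default.
DEFAULT_FIELDS = ["action", "protocol", "src-ip", "dst-ip", "src-port",
                  "dst-port", "size", "tcpflags", "tcpsyn", "tcpack", "tcpwin"]

def parse_log(lines):
    """Yield one dict per entry, keyed by field name."""
    fields = DEFAULT_FIELDS
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) >= len(fields):
                yield dict(zip(fields, values))

def unsolicited_syns(entries):
    """Group dropped TCP packets carrying only SYN by destination port."""
    by_port = defaultdict(Counter)
    for e in entries:
        if (e.get("action"), e.get("protocol"), e.get("tcpflags")) == ("DROP", "TCP", "S"):
            by_port[int(e["dst-port"])][e["src-ip"]] += 1
    return by_port

def summarize(by_port):
    """Return (port, total drops, distinct sources), busiest port first."""
    rows = [(p, sum(c.values()), len(c)) for p, c in by_port.items()]
    return sorted(rows, key=lambda r: (-r[1], r[0]))

# First line is the entry quoted in the thread; the rest are constructed
# samples using documentation address ranges.
SAMPLE = """\
DROP TCP 217.39.173.231 213.104.104.35 4619 1433 48 S 1858592789 0 16384
DROP TCP 217.39.173.231 213.104.104.35 4620 1433 48 S 1858592790 0 16384
DROP TCP 198.51.100.7 213.104.104.35 3301 1433 48 S 733100212 0 16384
DROP TCP 203.0.113.9 213.104.104.35 2745 445 48 S 90211733 0 64240
DROP UDP 192.0.2.44 213.104.104.35 1026 137 78 - - - -
OPEN TCP 213.104.104.35 192.0.2.80 1045 80 - - - - -
""".splitlines()

if __name__ == "__main__":
    for port, drops, sources in summarize(unsolicited_syns(parse_log(SAMPLE))):
        print(f"dst-port {port}: {drops} dropped SYNs from {sources} source(s)")
```

Several unrelated sources hitting the same destination port, as with 1433 here, is the pattern the replies attribute to worm scanning; what matters is whether the machine actually runs a service on that port.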