Thread: Log File entry

  1. #1
    jeparham Guest

    Default Log File entry

    Starting around the 5th of September, I have around 100 entries in my log file that indicate
    something is trying to connect to an address in Japan.
    The information provided is as follows (the time is all hours of the day...):
    -----------
    Protocol: UDP
    Source IP: 192.168.1.101
    Destination IP: 61.200.196.249:138
    Direction: Outgoing
    Action: Blocked
    Count: (Varies, anywhere from 1 to 6)
    Source DNS: Slave
    Destination DNS: KD061200196249.ppp.prin.ne.jp
    -----------
    All of the outgoing attempts are to that specific IP address.
    This is on a business PC, and upstream of ZoneAlarm are multiple hardware firewalls, so I am not concerned about the outgoing attempts being successful.
    What I am concerned about is what exactly is trying to connect to that address.
    Nothing has been installed on the PC in question.
    A quick Google returned little results, most of them in Japanese,
    so I am at somewhat of a loss to explain it.
    Has anyone heard of anything trying to connect to that address before?

    Operating System:
    Windows XP Pro
    Software Version:
    6.5
    Product Name:
    ZoneAlarm Anti-Spyware


    Message Edited by jeparham on 10-07-2008 09:30 AM

  2. #2
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Log File entry


    <blockquote><hr>jeparham wrote:
    Starting around the 5th of September, I have around 100 entries in my log file that indicate
    something is trying to connect to an address in Japan.
    The information provided is as follows (the time is all hours of the day...):
    -----------
    Protocol: UDP
    Source IP: 192.168.1.101
    Destination IP: 61.200.196.249:138
    Direction: Outgoing
    Action: Blocked
    Count: (Varies, anywhere from 1 to 6)
    Source DNS: Slave
    Destination DNS: KD061200196249.ppp.prin.ne.jp
    -----------
    All of the outgoing attempts are to that specific IP address.
    This is on a business PC, and upstream of ZoneAlarm are multiple hardware firewalls, so I am not concerned about the outgoing attempts being successful.
    What I am concerned about is what exactly is trying to connect to that address.
    Nothing has been installed on the PC in question.
    A quick Google returned little results, most of them in Japanese,
    so I am at somewhat of a loss to explain it.
    Has anyone heard of anything trying to connect to that address before?

    Operating System:
    Windows XP Pro
    Software Version:
    6.5
    Product Name:
    ZoneAlarm Anti-Spyware


    Message Edited by jeparham on 10-07-2008 09:30 AM
    <hr></blockquote>


    I did a work around and instead of using the IP involved, I looked at the AS string - AS2516.

    Robtex.com is usually a good source for this type of tracing:

    http://www.robtex.com/as/as2516.html

    It is a whois, pretty associated peer graph determined by BGP (border gateway protocol), listing of the sub domains and hosts, etc.

    Also cidr-report yielded a small whois information about this AS...

    http://www.cidr-report.org/cgi-bin/a...iew=2.0#AS2516


    Okay the port involved (not your local port but the remote port of 138) is of some concern along with the fact there are these calling out attempts.

    http://www.grc.com/port_137.htm

    [yes it says port 137, but the same info applies to port 138.]

    Or why the windows/application is even attempting these connection attempts.... maybe a trojan/rootkit is hiding somewhere ..... or maybe there is a connection somewhere using this port using the window services/daemons.

    If the hardware firewalls are stopping this as you say, then the network admin must have checked the logs at some time and noticed the connection attempts.

    Oldsod.
    Best regards.
    oldsod

  3. #3
    svasko Guest

    Default Re: Log File entry

    Wow, that sounds familiar to me as well. I know that number of 192.168.0.101 goes to private IPs with HughesNet which is a satellite provider.
    On September 5th I got a Trojan that hit my system called Trojan Horse Startpage.cza. My AVG actually caught it and placed it in my virus vault where it shouldn't have been able to do a thing.


    Here's what Internic has for that IP: http://ws.arin.net/whois/?queryinput=192.168.1.101
    <pre>OrgName: Internet Assigned Numbers Authority
    OrgID: IANA
    Address: 4676 Admiralty Way, Suite 330
    City: Marina del Rey
    StateProv: CA
    PostalCode: 90292-6695
    Country: US

    NetRange: 192.168.0.0 - 192.168.255.255
    CIDR: 192.168.0.0/16
    NetName: IANA-CBLK1
    NetHandle: NET-192-168-0-0-1
    Parent: NET-192-0-0-0-0
    NetType: IANA Special Use
    NameServer: BLACKHOLE-1.IANA.ORG
    NameServer: BLACKHOLE-2.IANA.ORG
    Comment: This block is reserved for special purposes.
    Comment: Please see RFC 1918 for additional information.
    Comment: http://www.arin.net/reference/rfc/rfc1918.txt
    RegDate: 1994-03-15
    Updated: 2007-11-27

    OrgAbuseHandle: IANA-IP-ARIN
    OrgAbuseName: Internet Corporation for Assigned Names and Number
    OrgAbusePhone: +1-310-301-5820
    OrgAbuseEmail: abuse@iana.org

    OrgTechHandle: IANA-IP-ARIN
    OrgTechName: Internet Corporation for Assigned Names and Number
    OrgTechPhone: +1-310-301-5820
    OrgTechEmail: abuse@iana.org</pre>

    I have ZoneAlarm blocking ports 135-139 myself since those are likely hacker ports. Thanks for those other IP check places. I can sure use them myself as I like to find out where things originate from.

    Dragonfire54\Steve

  4. #4
    Join Date
    Dec 2005
    Posts
    9,057

    Default Re: Log File entry


    <blockquote><hr>svasko wrote:
    Wow, that sounds familiar to me as well. I know that number of 192.168.0.101 goes to private IPs with HughesNet which is a satellite provider.
    On September 5th I got a Trojan that hit my system called Trojan Horse Startpage.cza. My AVG actually caught it and placed it in my virus vault where it shouldn't have been able to do a thing.


    Here's what Internic has for that IP: http://ws.arin.net/whois/?queryinput=192.168.1.101
    <pre>OrgName: Internet Assigned Numbers Authority
    OrgID: IANA
    Address: 4676 Admiralty Way, Suite 330
    City: Marina del Rey
    StateProv: CA
    PostalCode: 90292-6695
    Country: US

    NetRange: 192.168.0.0 - 192.168.255.255
    CIDR: 192.168.0.0/16
    NetName: IANA-CBLK1
    NetHandle: NET-192-168-0-0-1
    Parent: NET-192-0-0-0-0
    NetType: IANA Special Use
    NameServer: BLACKHOLE-1.IANA.ORG
    NameServer: BLACKHOLE-2.IANA.ORG
    Comment: This block is reserved for special purposes.
    Comment: Please see RFC 1918 for additional information.
    Comment: http://www.arin.net/reference/rfc/rfc1918.txt
    RegDate: 1994-03-15
    Updated: 2007-11-27

    OrgAbuseHandle: IANA-IP-ARIN
    OrgAbuseName: Internet Corporation for Assigned Names and Number
    OrgAbusePhone: +1-310-301-5820
    OrgAbuseEmail: abuse@iana.org

    OrgTechHandle: IANA-IP-ARIN
    OrgTechName: Internet Corporation for Assigned Names and Number
    OrgTechPhone: +1-310-301-5820
    OrgTechEmail: abuse@iana.org</pre>

    I have ZoneAlarm blocking ports 135-139 myself since those are likely hacker ports. Thanks for those other IP check places. I can sure use them myself as I like to find out where things originate from.

    Dragonfire54\Steve
    <hr></blockquote>


    You should not be concerned about the private IPs as these are not public IPs.
    The 192.168.x.x is not directly assigned from your provider, but it is from your own NAT enabled modem or NAT router of your own LAN. Without either one of these, your computer would receive a public IP, instead of the private IP.
    This is why you see a private IP for your own DHCP server and for your computer.

    Oldsod.
    Best regards.
    oldsod
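    The checks the thread walks through by hand (is the source a private RFC 1918 address, is the remote port one of the NetBIOS ports 137-139, and is the destination outside the LAN) can be run over the ZoneAlarm entries directly. The Python below is an added example and not code from the thread or from ZoneAlarm; it assumes the "Key: Value" field layout shown in the first post, and the sample records are constructed (the first reuses the post's destination, the second is a made-up datagram to the LAN broadcast address).

    ```python
    import ipaddress
    from collections import Counter
    # Constructed sample in the field layout of the ZoneAlarm entries quoted in the thread:
    # record 1 reuses the post's destination, record 2 is a made-up LAN broadcast datagram.
    SAMPLE_LOG = """\
    Protocol: UDP
    Source IP: 192.168.1.101
    Destination IP: 61.200.196.249:138
    Direction: Outgoing
    Action: Blocked
    Count: 4
    ---
    Protocol: UDP
    Source IP: 192.168.1.101
    Destination IP: 192.168.1.255:138
    Direction: Outgoing
    Action: Blocked
    Count: 2
    """
    NETBIOS_PORTS = {137, 138, 139}  # NetBIOS name, datagram and session services
    RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

    def is_rfc1918(ip):
        """True when ip lies in one of the RFC 1918 private ranges."""
        return any(ipaddress.ip_address(ip) in net for net in RFC1918)

    def parse_records(text):
        """Split the log into dicts of 'Key: Value' fields; records are separated by '---'."""
        records = []
        for chunk in text.split("---"):
            fields = {}
            for line in chunk.splitlines():
                if line.strip():
                    key, _, value = line.partition(":")
                    fields[key.strip()] = value.strip()
            if fields:
                records.append(fields)
        return records

    def netbios_egress_to_internet(records):
        """Sum Count of outbound NetBIOS records to non-RFC1918 destinations (LAN is routine)."""
        totals = Counter()
        for rec in records:
            dst, _, port = rec.get("Destination IP", "").rpartition(":")  # 'ip:port'
            if rec.get("Direction") != "Outgoing" or not port.isdigit():
                continue
            if int(port) in NETBIOS_PORTS and not is_rfc1918(dst):
                totals[dst] += int(rec.get("Count", 1))
        return dict(totals)
    ```

    Only the record aimed at the public address is reported; the broadcast to 192.168.1.255 is ordinary Windows name-service chatter and is ignored.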
