
Thread: Sporadic incoming TCP (flag S) when on public wireless network

  1. #1
    riceorony Guest

    Sporadic incoming TCP (flag S) when on public wireless network

    Hello all,

    I get sporadic connection attempts to my computer when on a public wireless network (I have now switched over to wired network).

    e.g. from ports 1529, 3399, 3400-3404, 3398, 3441, 3476, 3477 on the "attacking computer" to my ports 515, 9100, 2191, 80, 443, 81, 139, 80, 445, 139. This only happened once and ZA-ISS blocked all attempts.

    After checking what most of my ports are (being either for file/printer sharing, NETBIOS session, internet server, etc.) is this a malicious attack? Or is this probably a malware (worm) infected computer on the network trying to scan through to other potential unprotected computers?

    I posted a similar question previously because I was getting a few attempts (1 to 3 times) onto ports 80 and 445 each day for the past week when on the public wireless network.

    ZA reports that the Source DNS is coming from my school's public wireless network.

    netstat -anob shows all ports closed (except 445, which Windows always leaves open).
    HiJack This! and other malware/antivirus scans all show up clean.
    Using ZA-FF for browsing too, so I am doubting a back-door trojan as of now. (But could it be?)

    Operating System:
    Windows XP Pro
    Software Version:
    8.0
    Product Name:
    ZoneAlarm Internet Security Suite

    Message Edited by riceorony on 11-17-2008 09:10 AM

  2. #2
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Sporadic incoming TCP (flag S) when on public wireless network

    TCP Flag S = SYN = http://www.pccitizen.com/threewayhandshake.htm = port connection attempts trying to be initiated (usually harmless, but could be a simple port scan, and a small possibility of an actual attack).

    Ports involved (your local ports, not the remote ports, as remote ports from 1-5000 are usual, whereas higher ports would be of more concern) = http://www.iana.org/assignments/port-numbers

    If it was a malicious "attack" you should note the IP of the source of the ports attempts.
    If the source of the port attempts was from the public wifi's printer/scanner or the gateway/dhcp server or from one of their usual network devices, then no.
    If the port attempts were from some other user of the public wifi, then maybe a yes (the individual may be doing the port connection attempts innocently and not realize it - his/her laptop may not be properly secured).

    Port connection attempts do not make an attack.
    The port usage you mention and the printer ports are normally used for legitimate reasons. Besides attacks.
    Most networked devices want to connect not to specific port(s), but to the IPs of the network.
    Once your IP is seen (by broadcasts and pings and arp) by the other devices, those other devices naturally will want to connect to you and they can only do so with the ports they are associated with.

    Want to see real intrusions and port scans and possible attempts? Just connect the computer directly to the modem and set the ZA firewall to log all.
    Watch the logs grow huge in size very fast. Or just set the router to log all (incoming) connections and keep checking those logs - the remote IPs will be from everywhere and many ports will be seen as attempted.
    Many of us (myself included) sit our computers behind a hardware firewall and never see the external traffic passing by and attempting to connect (a lot of it is just internet noise such as connection attempts that are innocent and legitimate and devices looking for other devices) - but going online with no hardware firewall or sitting in a public wifi, you do see a lot of traffic and noise.

    Getting numerous attacks on http (80) and https (445) in a public wifi network is almost meaningless. These ports could be open in the hardware gateway/router and any public address could be trying to do some sort of connection attempts. Not from a hacker, but perhaps from the previous owner of the private IP assigned to you by the public router.
    That previous owner could have had connection attempts from the sites he/she just visited and these could be attempting to re-establish the former user's connections.
    Could a hacker from a public IP attack the user behind a gateway with open ports? Yes, but not really worth the effort - no doubt any user in a public network would have some sort of firewall in place anyway - which would stop the connection attempts. Even the Windows firewall would do this job perfectly (keep ports closed and fully stealthed) and keep out the unwanted.
    Oh, and if it is a printer trying http connection attempts, then this too is normal, not just the usual/unusual printer ports.

    ZA reports this is the source of the wireless network - yes but what IP(s) are involved? The knowledge of the IPs used in the attempts is important - it could be just their printer trying to say Hi.

    Netstat says port 445 is open.
    If it just shows listening, then this is not an open port.
    Want to see exactly if the port is open?
    When at home, connect the laptop directly to the home wired computer - and scan the laptop's ports from the desktop. Without a software firewall enabled in the laptop.
    Or connect directly to the internet with the laptop and use no firewall and immediately go to shieldsup and do a port scan. Any port not open will show in the results as closed and none should show as stealthed.
    (My laptop passes with all ports closed - and yes, closed ports not stealthed are just as secure as closed and stealthed, but with a lot of those extra port connection attempts, which will get dropped anyway since nothing is there to respond.)

    Neither HJT nor ZAFF really are involved in this.
    Port connection attempts and browser infections from web sites are two completely different subjects or ideas. These two do not necessarily meet.

    Oldsod.

    Message Edited by Oldsod on 11-17-2008 06:24 PM
    Best regards.
    oldsod
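    One way to act on the advice above (note the source IP of the attempts, and look at which of your local ports they touched) is to triage the blocked SYN lines by remote host. This is an added example, not code from the forum or from ZoneAlarm; the log line format, IPs and timestamps are constructed for illustration and are not ZoneAlarm's real export format.

```python
from collections import defaultdict
import re

# Usual services behind the local ports named in the thread.
PORT_SERVICE = {
    80: "http", 81: "http-alt", 443: "https",
    139: "netbios-ssn", 445: "microsoft-ds (SMB)",
    515: "lpd (printer)", 9100: "jetdirect (printer)",
}

# Constructed, simplified line format (not ZoneAlarm's real export format):
# "<date> <time> FWIN TCP S <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE_RE = re.compile(
    r"^\S+ \S+ FWIN TCP S (?P<src>[\d.]+):\d+ -> [\d.]+:(?P<dport>\d+)$"
)

def parse(lines):
    """Yield (src_ip, local_port) for each line that matches the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m["src"], int(m["dport"])

def triage(lines, sweep_threshold=4):
    """Group blocked SYNs by remote IP; flag a source hitting `sweep_threshold`
    or more distinct local ports as a sweep (one host walking your ports)."""
    by_src = defaultdict(set)
    for src, dport in parse(lines):
        by_src[src].add(dport)
    return {
        src: {
            "ports": sorted(ports),
            "services": [PORT_SERVICE.get(p, "unknown") for p in sorted(ports)],
            "sweep": len(ports) >= sweep_threshold,
        }
        for src, ports in by_src.items()
    }

# Constructed sample: 10.20.30.77 walks five ports; 10.20.30.5 only retries 80.
SAMPLE_LOG = """\
2008-11-17 08:55:01 FWIN TCP S 10.20.30.77:3399 -> 10.20.30.12:515
2008-11-17 08:55:01 FWIN TCP S 10.20.30.77:3400 -> 10.20.30.12:9100
2008-11-17 08:55:02 FWIN TCP S 10.20.30.77:3401 -> 10.20.30.12:80
2008-11-17 08:55:02 FWIN TCP S 10.20.30.77:3402 -> 10.20.30.12:445
2008-11-17 08:55:03 FWIN TCP S 10.20.30.77:3403 -> 10.20.30.12:139
2008-11-17 09:01:44 FWIN TCP S 10.20.30.5:1529 -> 10.20.30.12:80
""".splitlines()
```

    A single remote host that touches printer, SMB and web ports in a few seconds reads as one device or scanner probing you; a lone retry on port 80 is the kind of stray reconnection attempt described in the reply.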

  3. #3
    riceorony Guest

    Re: Sporadic incoming TCP (flag S) when on public wireless network

    Oh Oldsod,

    You are truly a gem of a friend

    How much do you and your fellow Gurus charge per hour of service? :-)

    Cheers!

    More cats!

    http://tinypic.com/view.php?pic=2w5qed2&s=4

    Message Edited by riceorony on 11-17-2008 08:57 PM

  4. #4
    Join Date
    Dec 2005
    Posts
    9,056

    Re: Sporadic incoming TCP (flag S) when on public wireless network

    riceorony wrote:

        Oh Oldsod,

        You are truly a gem of a friend

        How much do you and your fellow Gurus charge per hour of service? :-)

        Cheers!

        More cats!

        http://tinypic.com/view.php?pic=2w5qed2&s=4

        Message Edited by riceorony on 11-17-2008 08:57 PM

    It is free of any fee or charge if you study these two links:

    http://www.interhack.net/pubs/fwfaq/...00000000000000

    http://www.linuxsecurity.com/resourc...wall-seen.html

    and double the usual fee if you forget to understand that these are intended for web servers facing the internet and are not intended for home users such as ourselves.
    Almost everything described above does not apply to a home user; but to be armed with the requirements and security needs of the web site/server (and very often the host server) does help a home user to be knowledgeable and understand things properly (and maybe be prepared).

    There is a big difference between the web site/server/enterprise network and home users. Although a home user may actually see some of the descriptions from the above links, it would be very seldom and not a persistent event or anything that would really last long.
    Most attacks (almost every attack) coming from the internet aimed at a home computer simply are not worth the time nor the effort for any hacker. The money of any kind is always with the servers/web sites - these are the main targets of any attacks for money, to get in and steal or control.

    Unless you made a powerful enemy in some discussion/private or closed forum/chat/irc network and they did happen to know your IP to specifically attack you, you would not see any real specific attacks aimed directly at you.
    Yes, there are many port scans and IP checks coming and going from the internet (and at public wifis), but really these have no real effect on any online user with either a software or hardware firewall enabled worth its pinch of salt.

    There is the DOS attack - which is effectively useless against a home user, and for this to occur is very rare for the average home user. If using a dynamic IP, as with dialup or sometimes with DSL, just immediately change your IP. That simple.
    If using a cable connection (very often statically assigned for long periods of time), just call up your provider and get a change of your assigned IP.
    Once set up with a new and different IP, the attacker has lost you and no longer can see/find you.
    Servers and web sites are not so fortunate in this type of situation as they often stay with the same IP for longer periods - once they get a DOS attack, it does unfortunately hurt them (they usually stay with the same IP for day(s) or longer depending on the TTL for the DNS and the arrangement for their assigned IPs).

    http://en.wikipedia.org/wiki/Time_to_live

    and read this one too:

    http://en.wikipedia.org/wiki/DDoS

    but again realise this is intended for internet servers and not for the average home user.

    It is easy to get the IP and information about the IP of a web site/server (owner and their legal name(s), address, fax number, phone number, admin, the involved host server (if any), companies involved, etc), but it is still almost impossible to find anything out from a home user's IP - the providers do not hand this information out to anybody.
    Knowing a home user's IP is useless if trying to find out any information about that user. At best you could see the town/state/country of that user and find out the actual name of the provider, but nothing else.
    Even at a forum like this, where the IP is recorded (all connected sites know your IP), it is still useless as far as going to find out any information about you.
    Nothing - not even your email address is given out (forum registration does require a valid email address, but that by itself is still useless to launch an attack and the forum is trusted and respected not to mistreat your email address). If some ***** did get a home user's mail address, the worst that can happen is a lot of incoming spam with maybe nasty attachments (which anyways should be automatically deleted without opening).

    The best internet/computer practices for the average home user at any time are to use an antivirus and a firewall (or two, if one is a hardware firewall such as a router or NAT modem) and always practise "safe hex".

    Oldsod.

    Message Edited by Oldsod on 11-18-2008 03:59 AM
    Best regards.
    oldsod
