Page 3 of 3 FirstFirst 123
Results 21 to 28 of 28

Thread: Are Earthlink DNS servers "safe" (re: KB951748 issue) or need to switch to OpenDNS?

  1. #21
    Join Date: Dec 2005 | Posts: 9,057

    Re: Here is my log...

    Okay, let's get this organized.

    FIRST all of the unwanted connections are blocked.
    This is good.
    SECOND - dialup people always see tons of junk trying to connect.
    This is the way life is for a dialup user and this cannot be changed.
    OTOH, every one of the internet file/web site servers sees the junk you are showing in your logs and tons more junk. That is the way of life for the internet file/web servers and this cannot be changed.

    First entry - somebody or something making a connection attempt to a proxy port.
    Disregard the remote or source port and concentrate on the destination or your local port.
    It's the local ports of your laptop where the main concern is. Yup, the source ports do give some details, but IGNORE these please.
    Why is this somebody or something trying?
    Because it could be just a server trying to establish connections that it needs or normally uses.
    How do I know it is a connection attempt?
    Because the TCP Flag is "S" which means it is a SYN. SYN means synchronize or an attempt to establish communications.
    Why is it a proxy port?
    Because it is 8118. And other proxy ports are 8000, 8008, 8118, 8080, 8088, 8188, 8888 and so forth - anything starting with 8 thousand and using combinations of "8" is always a proxy port.
    First entry or the first IP appears again and again. The next entry for this 61.164.148.109 is trying to connect to your port 135. Another port. AHA, now the mystery starts to unravel.
    If this was a VPN or VNC connection attempt, the port 135 definitely will be involved for file and printer sharing and so forth. So maybe this is innocent after all and just some stupid server looking for its usual connections.
    Okay we see the 61.164.148.109 again for the ports 9788 and 7212. These are listed as "Unassigned ports". Kind of makes this hard to figure out. But on the other hand these specific ports are not trojan ports, so quite possibly legitimate connection attempts.

    http://www.pccitizen.com/threewayhandshake.htm

    http://www.iana.org/assignments/port-numbers

    http://www.simovits.com/trojans/trojans.html

    Okay, let's do a quick look at 61.0.0.0 - 61.255.255.255, or also known by the CIDR for this as 61/24.

    http://www.iana.org/assignments/ipv4-address-space/

    Yup, it is as you said. APNIC.

    What is APNIC?
    That is the registry of domains that fall under its control. In this case it is the Asia and Pacific region.
    What does the APNIC stand for?
    Asia-Pacific Network Information Centre
    Want to see it?
    http://www.apnic.net/search/index.html
    What do they do?
    They are part of the main core of DNS servers that are located throughout the planet. Many are North American, some in Europe and Asia and in Latin America. Just look at the list linked above and look at the different registries. The US registry is ARIN or American Registry for Internet Numbers.
    Not hard to check for the whois.

    What does the IP belong to?
    ASN 4134 for www.ns.chinanet.cn.net (ns means name server or a DNS server).
    But this is a provider or network in Hong Kong. Still no distinct URL. Part of China Telecom.

    http://www.sitestory.net/-ns.chinane...008-04-28.html

    http://www.robtex.com/as/as4134.html

    http://www.robtex.com/asmacro/as-hktpeer.html

    http://www.robtex.com/route/61.164.64.0-18.html

    http://www.robtex.com/as/as4134/bgp.html

    Why are the routes and the peers important?
    Because this is the way this network connects to the internet and the internet connects to it.
    Also if the other parts of the network/internet are too busy and cannot handle the work load, then the extra can be routed through the peers and the routes.

    Okay first entry is finished.
    Oldsod.
    Best regards.
    oldsod

  2. #22
    Join Date: Dec 2005 | Posts: 9,057

    Re: Here is my log...

    Second and third and fourth are from the provider.
    No big deal, the TCP to your ports 139 and 445 are normal even though these are NetBIOS ports. No big deal either. Does not matter if you dialup or cable or DSL, the provider will ping and check on the connections and its customers.
    Occasionally for network maintenance and clientele control.

    ICMP Type 8 is "ping". Better known as Echo Request. Actually a request to get an answer type of ping. Normally your computer should reply with ICMP Type 0 or Echo Reply.
    Normal chatter and often demanded by some providers.
    But the ZA in its default and for the free will only allow outgoing ICMP type 8 and always block ICMP type 8 incoming. Thus your laptop will not reply, although maybe needed by the provider. In a sense it does not matter - you will connect or reconnect to the provider's DHCP servers with the usual UDP and outgoing ping anyways, so it will keep your laptop connected and the provider will not drop your connection.

    Oldsod.
    Best regards.
    oldsod

  3. #23
    Join Date: Dec 2005 | Posts: 9,057

    Re: Here is my log...

    5th through to the 8th.
    Some dweeb or server trying to connect to the MS ports (1024-1030) by UDP.
    Nice the ZA keeps dropping the unwanted connections.

    Oldsod.
    Best regards.
    oldsod
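The three posts above walk through a firewall log entry by entry: look at the local (destination) port rather than the remote source port, read the TCP flag "S" as a SYN connection attempt, name the port (proxy port, 135/139/445, unassigned, UDP 1024-1030), name the ICMP type, and note that a blocked inbound entry needs no action. The script below is an added example that does that triage automatically; it is not code from oldsod, from the thread, or from ZoneAlarm. The log line format is constructed for illustration (ZoneAlarm's own export format differs, so LINE_RE would need adapting), the sample lines are constructed, and only 61.164.148.109 and its four ports come from the post; the provider addresses are documentation-space placeholders. It goes one step beyond the posts by counting how many distinct local ports each remote host touched, which is the "appears again and again" pattern the first post notices, and it flags an allowed inbound SYN to a sensitive port for review, since that, not blocked noise, is what would actually deserve attention.

```python
"""Annotate personal-firewall log lines the way the posts above walk through them.

Added example for this thread, not code from oldsod or from ZoneAlarm.
The line format is constructed for illustration; adapt LINE_RE to your own
firewall's export format.  Entries are judged by the destination (local)
port, as the post advises, not by the remote source port.
"""
import re
from collections import defaultdict

PROXY_PORTS = {8000, 8008, 8080, 8088, 8118, 8188, 8888}   # the list given in the post
WELL_KNOWN = {
    135: "MS RPC endpoint mapper",
    137: "NetBIOS name service",
    138: "NetBIOS datagram service",
    139: "NetBIOS session service",
    445: "SMB over TCP",
}
TCP_FLAGS = {"S": "SYN (connection attempt)", "SA": "SYN-ACK", "A": "ACK",
             "R": "RST", "F": "FIN"}
ICMP_TYPES = {0: "Echo Reply", 8: "Echo Request (ping)"}
SWEEP_THRESHOLD = 3   # distinct local ports from one source before we call it a sweep

# Constructed format: ACTION PROTO src[:sport] -> dst[:dport] [flags=X] [type=N]
LINE_RE = re.compile(
    r"^(?P<action>\w+)\s+(?P<proto>TCP|UDP|ICMP)\s+"
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))?\s*->\s*"
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
    r"(?:\s+flags=(?P<flags>\w+))?(?:\s+type=(?P<itype>\d+))?\s*$"
)


def classify_port(proto, port):
    """Describe a local (destination) port in the post's terms."""
    if port is None:
        return "no port recorded"
    if port in WELL_KNOWN:
        return WELL_KNOWN[port]
    if port in PROXY_PORTS:
        return "proxy port"
    if proto == "UDP" and 1024 <= port <= 1030:
        return "MS dynamic RPC range (1024-1030)"
    return "unassigned port"


def parse_line(line):
    """Return a dict describing one entry, or None if the line does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["action"] = e["action"].upper()
    if e["proto"] == "ICMP":
        itype = int(e["itype"]) if e["itype"] else -1
        e["what"] = ICMP_TYPES.get(itype, "ICMP type %d" % itype)
        e["dport"] = None
    else:
        e["dport"] = int(e["dport"]) if e["dport"] else None
        flags = e["flags"] or ""
        meaning = TCP_FLAGS.get(flags, flags) if e["proto"] == "TCP" else "datagram"
        e["what"] = "%s to %s, %s" % (e["proto"], classify_port(e["proto"], e["dport"]), meaning)
    # Blocked inbound noise needs no action; anything let in deserves a look.
    e["verdict"] = ("no action (blocked)" if e["action"] in ("DROP", "BLOCK")
                    else "REVIEW: allowed inbound")
    return e


def triage(lines):
    """Parse all lines; return (entries, sweep_sources).

    sweep_sources lists remote hosts that touched SWEEP_THRESHOLD or more distinct
    local ports, the "appears again and again" pattern the post notices.
    """
    entries = [e for e in (parse_line(l) for l in lines) if e]
    ports_by_src = defaultdict(set)
    for e in entries:
        if e["dport"] is not None:
            ports_by_src[e["src"]].add(e["dport"])
    sweeps = sorted(s for s, p in ports_by_src.items() if len(p) >= SWEEP_THRESHOLD)
    return entries, sweeps


# Constructed sample log (not the thread's actual log): 61.164.148.109 and its
# ports come from the post; the other addresses are documentation-space placeholders.
SAMPLE_LOG = [
    "DROP TCP 61.164.148.109:3121 -> 10.0.0.5:8118 flags=S",
    "DROP TCP 61.164.148.109:3122 -> 10.0.0.5:135 flags=S",
    "DROP TCP 61.164.148.109:3123 -> 10.0.0.5:9788 flags=S",
    "DROP TCP 61.164.148.109:3124 -> 10.0.0.5:7212 flags=S",
    "DROP TCP 192.0.2.10:44010 -> 10.0.0.5:139 flags=S",
    "DROP TCP 192.0.2.10:44011 -> 10.0.0.5:445 flags=S",
    "DROP ICMP 192.0.2.1 -> 10.0.0.5 type=8",
    "DROP UDP 198.51.100.7:1026 -> 10.0.0.5:1026",
    "ALLOW TCP 198.51.100.7:50000 -> 10.0.0.5:445 flags=S",
]

if __name__ == "__main__":
    entries, sweeps = triage(SAMPLE_LOG)
    for e in entries:
        print("%-5s %-16s %-48s %s" % (e["action"], e["src"], e["what"], e["verdict"]))
    for s in sweeps:
        print("NOTE: %s hit %d or more distinct local ports (port sweep?)" % (s, SWEEP_THRESHOLD))
```

Run it as-is and every DROP line comes back as "no action (blocked)", 61.164.148.109 is reported as a sweep source because it touched four different local ports, and the final ALLOW line is the only entry marked for review. The thresholds and port lists are deliberately small tables so they can be edited to match whatever a particular firewall actually exposes.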

  4. #24
    Join Date: Dec 2005 | Posts: 9,057

    Re: Here is my log...

    The two at the end are the Shaw network.
    Notorious for sweeping the entire internet.
    Not needed and rather bothersome.
    Kind of a pain in the backside to be honest.
    Quite typical to be seen on a dialup user's firewall log.
    Seen this junk in my router's logs too (on cable) until I put a hardware firewall in front of the routers (I use two for double NAT, instead of just one like most people).

    Oldsod.
    Best regards.
    oldsod

  5. #25
    bloomcounty (Guest)

    Thanks, Oldsod! So then all that was "okay/safe"?

    Thanks for all the info, Oldsod!

    So does your analysis then mean that I'm "okay/safe" and none of those entries are anything to worry about?

    And there are no settings or anything on my laptop that I need to change or anything?

    Just want to make sure I'm good to go... Thanks again!

  6. #26
    Join Date: Dec 2005 | Posts: 9,057

    Re: Thanks, Oldsod! So then all that was "okay/safe"?

    You are safe and have no fears.
    All is okay.

    "FIRST all of the unwanted connections are blocked.
    This is good.
    SECOND - dialup people always see tons of junk trying to connect.
    This is the way life is for a dialup user and this cannot be changed."

    You are not under attack or experiencing some oriental conspiracy for some internet attack.
    You just get to see some of the usual junk travelling around on the internet that people behind the hardware firewalls/routers never get to witness.

    You are "good to go"!
    No changes needed.

    Oldsod.
    Best regards.
    oldsod

  7. #27
    bloomcounty (Guest)

    Re: Thanks, Oldsod! So then all that was "okay/safe"?

    Cool! Thanks, as always, Oldsod! (Just got back from a road trip, so I just saw your response...)


  8. #28
    Join Date: Dec 2005 | Posts: 9,057

    Re: Thanks, Oldsod! So then all that was "okay/safe"?

    You are welcome Mr BloomCounty.

    Oldsod.
    Best regards.
    oldsod
