Q about LAN IP

Poprivet

Hi,

3 PCs on my home LAN, a Westell Versalink 327W gateway:

All working fine - shares fine - using 192. ... .43 a DELL dual Xeon/win2k,
45 my laptop with XP Home, and desktop on 46 with XP Pro, all completely up
to date and to the best of my ability malware free.

My firewall (ZoneAlarm) is picking up incoming (network side) requests for
192.168.1.47, various ports, usually in the xx,xxx area. Right now I'm only
telling it to Deny and not setting a rule permanently so I can see how many
times it happens or if there's a pattern to them. So far, nothing. It
occurs at various times, no pattern to time or apps running.
I don't see anything odd being sent out either; have accounted for all,
which is a rather short list as we don't surf to many locations. Lots of LAN
connectivity between machines though, and each uses my desktop for printing
(printer not connected to LAN, only the desktop computer). Lots of emailing
of course.

I DO have, and use, wireless with WEP I think it's called? The "easy" to
use one, at any rate <g>. The 45 connection is wireless and the only one on
wireless. Others are wired.

We are rural; closest neighbor is about 300 yards, then 1,000 yards on other
side. Wide open road, no cars, little traffic, etc., so I'm guessing it's
pretty surely not someone roaming for connections.
GRC.com testing shows me to be "stealth" in all respects, FWIW, not a lot
I know, but better than wide open.

I was wondering if anyone had any ideas how/why I might be getting the ...
47 access attempt? I only know enough to be dangerous, so don't neglect
the fact that it might be something I did to myself without realizing it.

TIA,

Pop`
 
PS -

I forgot; they usually come in threes. I just received a triplet of ports
for 3212, 3216, and 3226. Makes no sense, but ... .
 
OK. Two possibilities: either someone's connected to your network via the
internet and is logging everything, or something maybe a little more
possible: someone has cracked your WEP key. WEP is not that strong and there
are programs with the right equipment that can crack it. And by
equipment we're only talking stuff that costs £7 and can be bought off
the internet and even eBay. Most likely someone was doing a bit of war
driving. They passed your house with their high gain antenna and they
saw you had WEP. Living in the countryside in open space means that
your signal would have got further than you think. They might have sat
outside your house, and you say that a lot of data is transmitted
across your network, so in a matter of hours they would have been able
to crack your key. Then, using a high gain antenna, which for £40 you can
get (does up to 17km), they went home or sold your WEP key to someone
who is using it and your network. And they are connected and that is
why you are seeing the new IP address. My solution is this: change your
WEP key. Make it something long, the longest that your router will
take. Normally the two lengths for WEP are 5 letters and 13 letters (I
think). If the IP address goes, then it was a wireless hacker. Then use
WPA-PSK if it is available on your router. It is a hell of a lot more secure
and not so easy to crack. Even if you can, it takes a lot longer. If not,
still change to WPA-PSK, but if not, use the MAC address filtering and
change your WEP key often.
 
Poprivet said:
Hi,

3 PCs on my home LAN, a Westell Versalink 327W gateway:

All working fine - shares fine - using 192.

192.0.0.0/8 (that is, subnetmask 255.0.0.0) is probably wrong and I don't
believe you're actually using network 192 for this reason. Did you mean
192.168 or 192.168.xxx?

... .43 a DELL dual
Xeon/win2k, 45 my laptop with XP Home, and desktop on 46 with XP Pro, all
completely up to date and to the best of my ability malware free.

My firewall (ZoneAlarm) is picking up incoming (network side) requests for
192.168.1.47, various ports, usually in the xx,xxx area. Right now I'm
only telling it to Deny and not setting a rule permanently so I can see
how many times it happens or if there's a pattern to them. So far,
nothing. It occurs at various times, no pattern to time or apps running.

If 192.168.1.0/24 (that is, subnetmask 255.255.255.0) is your network, then
192.168.1.47 is a computer on your LAN (or WLAN if you don't have the
computer that has that IP and you haven't secured your WLAN appropriately).
Be aware that Zonealarm false alarms in most situations and I suspect
that's the case here. Personal firewalls are snake oil, use a real router
to do real firewalling on the edge of your network like the pros do instead
if you're not already doing so (and if you are, what do you think you're
going to gain by filtering packets that will never reach it because of the
router, or filtering packets coming from your LAN?).
http://samspade.org/d/firewalls.html

I DO have, and use, wireless with WEP I think it's called? The "easy" to
use one, at any rate <g>. The 45 connection is wireless and the only one
on wireless. Others are wired.

WEP is easy to crack, use MAC address filtering in addition to WEP. Then
they have to spoof your network card and crack your WEP to gain network
access.

We are rural; closest neighbor is about 300 yards, then 1,000 yards on
other side. Wide open road, no cars, little traffic, etc., so I'm
guessing it's pretty surely not someone roaming for connections.

You would be amazed how far you can pitch a signal with good aim and an old
Primestar dish or a Pringle's can.

GRC.com testing shows me to be "stealth" in all respects, FWIW, not a
lot I know, but better than wide open.

Don't use grc.com, find a friend with a Linux box who is willing to give you
an account and learn how to use nmap instead. Tells you what ports are
open plus can do a lot of things that grc.com can't do, and doesn't try to
use scare tactics into buying snake oil.
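
The subnet reasoning in the reply above, as an added example that is not part of any post in this thread: it sorts denied packets by whether the destination is one of the known PCs, an unassigned address inside 192.168.1.0/24, or outside the LAN. The CSV log layout, timestamps and source addresses are constructed for illustration and are not ZoneAlarm's real log format.

```python
import ipaddress

# Taken from the thread: a 192.168.1.0/24 LAN with PCs on .43, .45 and .46.
LAN = ipaddress.ip_network("192.168.1.0/24")
KNOWN_HOSTS = {ipaddress.ip_address(f"192.168.1.{n}") for n in (43, 45, 46)}

# Constructed sample (time, action, proto, src, dst, dport); hypothetical layout.
# External sources use documentation address ranges.
SAMPLE_LOG = """\
2006-01-10 14:02:11,DENY,TCP,203.0.113.9,192.168.1.47,3212
2006-01-10 14:02:11,DENY,TCP,203.0.113.9,192.168.1.47,3216
2006-01-10 14:02:12,DENY,TCP,203.0.113.9,192.168.1.47,3226
2006-01-10 15:40:03,DENY,UDP,198.51.100.7,192.168.1.46,1434
2006-01-10 16:15:30,ALLOW,TCP,192.168.1.45,192.168.1.46,445
"""

def classify(addr):
    """Say what an address is relative to the LAN described in the thread."""
    ip = ipaddress.ip_address(addr)
    if ip in KNOWN_HOSTS:
        return "known-host"
    if ip in LAN:
        return "unassigned-lan"  # inside the subnet, but none of the PCs holds it
    return "external"

def summarize(log_text):
    """Map each denied destination to its class, the source classes seen and the ports hit."""
    out = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _time, action, proto, src, dst, dport = line.split(",")
        if action != "DENY":
            continue
        entry = out.setdefault(
            dst, {"class": classify(dst), "sources": set(), "ports": set()})
        entry["sources"].add(classify(src))
        entry["ports"].add((proto, int(dport)))
    return out

def unexplained_destinations(log_text):
    """Destinations inside the LAN range that match none of the known PCs."""
    return sorted(d for d, e in summarize(log_text).items()
                  if e["class"] == "unassigned-lan")

if __name__ == "__main__":
    for dst, entry in summarize(SAMPLE_LOG).items():
        print(dst, entry["class"], sorted(entry["sources"]), sorted(entry["ports"]))
```
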
 
Poprivet said:
PS -

I forgot; they usually come in threes. I just received a triplet of
ports
for 3212, 3216, and 3226. Makes no sense, but ... .

TCP or UDP? Have you tried googling for those ports to see what you can
find first? (hint: try searching for 3212/tcp or 3212/udp, repeat for each
port/proto combo you're curious about).
 
Paul said:
TCP or UDP? Have you tried googling for those ports to see what you
can find first? (hint: try searching for 3212/tcp or 3212/udp,
repeat for each port/proto combo you're curious about).

They're TCP/UDP ports, Instrument Sys, emc smartpackets, isi irp; Yes, I've
googled for them; nothing useful near's I could tell. I also have a text
list of all ports possible & uses but looked up just in case; they agree.

Pop`
 
AAARRRRRGGGGGGGHHHHHHHH! Thanks Nass! When I'm dumb, I'm REALLY dumb! I
looked at the modem logs earlier too and there's still nothing there, but
.... upon closer inspection, the danged logs were TURNED OFF! AND, so was
security! Annnnnddddd, I think I know why. Not too long ago I had a
problem and I did a hard, push-the-button reset on my modem, and then never
double-checked the settings! So I had no logs, not even errors, no
security, basically nothing protecting me except my ZA software firewall.
Port 47 is apparently the Remote Access port by default, and fortunately at
least, it was not enabled, only assigned.
A buddy set up a WAN filter on his machine and watched the "noise" and
there are thousands of scans going out looking for that port. So,
apparently I was catching them and fortunately so was ZA, so never responded
to anything, just as fortunately. I never did do things in a small way <g>.

Live & learn I guess! Now to go see if I can prove I'm right; there
shouldn't be anymore coming thru for ZA to catch now. There have been none
in the last few hours, so chances are good ... .

Pop`
 
Poprivet said:
They're TCP/UDP ports, Instrument Sys, emc smartpackets, isi irp; Yes, I've
googled for them; nothing useful near's I could tell. I also have a text
list of all ports possible & uses but looked up just in case; they agree.

Is there an equivalent to netstat in Windows? If so, you might try piping
that through grep (does windows have workable pipes and grep, or is that
one of the justifications for Cygwin?) and find out what program is
listening on those ports if they're incoming packets.
 
Paul said:
Is there an equivalent to netstat in Windows? If so, you might try
piping that through grep (does windows have workable pipes and grep,
or is that one of the justifications for Cygwin?) and find out what
program is listening on those ports if they're incoming packets.

That's good advice, and yes, netstat exists along with pipes. Thanks.
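
The netstat check discussed in the last two posts, as an added example that is not part of any post in this thread: it reads saved `netstat -ano` output and reports which process ID is bound to the ports from the firewall alerts. The sample output and its PIDs are constructed for illustration.

```python
# Constructed sample shaped like Windows `netstat -ano` output; rows and PIDs are made up.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:3212           0.0.0.0:0              LISTENING       1480
  TCP    192.168.1.46:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.46:1061      192.168.1.43:445       ESTABLISHED     4
  UDP    0.0.0.0:3216           *:*                                    1480
  UDP    192.168.1.46:137       *:*                                    4
"""

def parse_netstat(text):
    """Yield (proto, local_ip, local_port, state, pid) for each socket row."""
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue  # banner, column header and blank lines
        proto, local = parts[0], parts[1]
        # UDP rows have no State column, so they split into 4 fields instead of 5.
        state = parts[3] if len(parts) == 5 else ""
        pid = int(parts[-1])
        ip, port = local.rsplit(":", 1)  # rsplit keeps bracketed IPv6 addresses intact
        yield proto, ip, int(port), state, pid

def listeners_on(text, ports):
    """Return {(proto, port): pid} for sockets able to receive on the given local ports."""
    wanted = set(ports)
    found = {}
    for proto, _ip, port, state, pid in parse_netstat(text):
        # TCP accepts new connections only in LISTENING; any bound UDP socket receives.
        if port in wanted and (proto == "UDP" or state == "LISTENING"):
            found[(proto, port)] = pid
    return found

if __name__ == "__main__":
    # Ports taken from the alerts quoted in the thread.
    for (proto, port), pid in sorted(listeners_on(SAMPLE_NETSTAT, [3212, 3216, 3226]).items()):
        print(f"{port}/{proto.lower()} is held by PID {pid}")
```
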
 