  1. #1
    Leif (Plutonium Lounger), U.K. - Join Date: Dec 2000, Posts: 14,010

    NETGEAR *Security Alert*

    This morning, as has happened before, I got an obscure warning email from our Netgear modem/router, in this instance the text being:

    TCP Packet - Source:192.168.254.220,4754 Destination:208.50.223.240,8OTO=P -
    192.168.254.220 is the IP address for our mailserver.

    208.50.223.240 in Firefox brings up the simple 'Resolver' page (and nothing more) as below. Whois gives an OrgName of 'Global Crossing' in Phoenix.

    Anyone got any clues as to what might be going on?
    Attached image: x.gif (3.9 KB)

  2. #2
    StuartR (Plutonium Lounger) - Join Date: Nov 2001, Posts: 10,550

    Re: NETGEAR *Security Alert*

    It is certainly very odd.

    I initially read Destination:208.50.223.240,8OTO=P -
    as being port 80 on 208.50.223.240, but that character is in fact letter O and not number 0.

    StuartR

  3. #3
    jscher2000 (Super Moderator), Silicon Valley, USA - Join Date: Feb 2001, Posts: 23,112

    Re: NETGEAR *Security Alert*

    I assume the other server made contact first. Does your router have any logs showing other packets exchanged with that host?

  4. #4
    Leif (Plutonium Lounger), U.K. - Join Date: Dec 2000, Posts: 14,010

    Re: NETGEAR *Security Alert*

    You are right, it is an O. And I don't follow what OTO=P- means either!

    They normally have a suffix like:
    TCP Packet - Source:192.168.254.8,2294 Destination:213.123.85.208,80 - [BLOCK]

    where I'm trying to stop tracking graphics in emails or something...

  5. #5
    Leif (Plutonium Lounger), U.K. - Join Date: Dec 2000, Posts: 14,010

    Re: NETGEAR *Security Alert*

    There are other (fairly regular) entries matching that host, e.g.:
    Fri, 2008-11-14 18:27:30 - TCP Packet - Source:192.168.254.220,1470 Destination:208.50.223.240,80 - [Any(ALL) rule not match]
    I'm wondering if the original post I made was the result of some corrupted request (shrug)

    A quick Google on the IP address brings up a handful of results, including this - I am beginning to suspect it may be our mailserver checking spam blacklists.
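The log lines quoted in this thread all follow the same Netgear layout (optional timestamp, protocol, Source:ip,port, Destination:ip,port, then the rule outcome in brackets). The following parser is an added example, not part of the original thread or any Netgear tool: it extracts those fields with a regular expression, treats anything that does not fit the layout (such as the "8OTO=P" line) as malformed rather than guessing a port, and tallies repeated flows so a recurring internal-host-to-external-host:port pattern like the one Leif describes stands out. The sample log is built from the lines quoted above plus one constructed line; the `SAMPLE_LOG` name and the helper functions are my own.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Layout of the Netgear router log lines quoted in the thread:
#   [Day, YYYY-MM-DD HH:MM:SS - ]<PROTO> Packet - Source:<ip>,<port> Destination:<ip>,<port> - [<outcome>]
# Ports must be digits; a line whose port field is not numeric is reported as malformed.
LOG_RE = re.compile(
    r"^(?:(?P<ts>\w{3}, \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) - )?"
    r"(?P<proto>TCP|UDP|ICMP) Packet - "
    r"Source:(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}),(?P<src_port>\d{1,5}) "
    r"Destination:(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}),(?P<dst_port>\d{1,5}) - "
    r"(?:\[(?P<action>[^\]]*)\])?\s*$"
)


@dataclass
class Entry:
    timestamp: Optional[str]
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    action: Optional[str]  # None when the router logged no bracketed outcome


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for a well-formed log line, or None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return Entry(
        timestamp=m["ts"],
        proto=m["proto"],
        src_ip=m["src_ip"],
        src_port=int(m["src_port"]),
        dst_ip=m["dst_ip"],
        dst_port=int(m["dst_port"]),
        action=m["action"],
    )


def direction(entry: Entry) -> str:
    """Classify a flow by whether each end is a private (RFC 1918) address.

    A private source talking to a public destination means the packet left the LAN,
    i.e. an internal host such as the mailserver opened the connection."""
    src_private = ipaddress.ip_address(entry.src_ip).is_private
    dst_private = ipaddress.ip_address(entry.dst_ip).is_private
    if src_private and not dst_private:
        return "outbound"
    if dst_private and not src_private:
        return "inbound"
    return "internal" if src_private else "external"


def summarize(lines: List[str]) -> Tuple[Dict[Tuple[str, str, int], int], List[str]]:
    """Count (src_ip, dst_ip, dst_port) flows and collect lines that failed to parse."""
    flows: Dict[Tuple[str, str, int], int] = {}
    malformed: List[str] = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            malformed.append(line.strip())
            continue
        key = (entry.src_ip, entry.dst_ip, entry.dst_port)
        flows[key] = flows.get(key, 0) + 1
    return flows, malformed


# Sample log: the three lines quoted in the thread, plus one constructed line (last) that
# repeats the recurring mailserver-to-208.50.223.240:80 pattern.
SAMPLE_LOG = [
    "TCP Packet - Source:192.168.254.220,4754 Destination:208.50.223.240,8OTO=P - ",
    "TCP Packet - Source:192.168.254.8,2294 Destination:213.123.85.208,80 - [BLOCK]",
    "Fri, 2008-11-14 18:27:30 - TCP Packet - Source:192.168.254.220,1470 "
    "Destination:208.50.223.240,80 - [Any(ALL) rule not match]",
    "Fri, 2008-11-14 18:30:02 - TCP Packet - Source:192.168.254.220,1471 "
    "Destination:208.50.223.240,80 - [Any(ALL) rule not match]",  # constructed
]

if __name__ == "__main__":
    flows, malformed = summarize(SAMPLE_LOG)
    for (src, dst, port), count in sorted(flows.items(), key=lambda kv: -kv[1]):
        print(f"{count:3d}x {src} -> {dst}:{port}")
    for line in malformed:
        print("MALFORMED:", line)
```

Running the block lists the 192.168.254.220 -> 208.50.223.240:80 flow twice and reports the "8OTO=P" line as malformed instead of mis-reading it as port 80, which is the same conclusion StuartR reached by eye. Checking `direction()` on the parsed entries shows them as outbound, which answers jscher2000's question about who made contact first: the logged packets originate from the internal mailserver.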

  6. #6
    jscher2000 (Super Moderator), Silicon Valley, USA - Join Date: Feb 2001, Posts: 23,112

    Re: NETGEAR *Security Alert*

    I am familiar with some "bad sender" lists that accept requests via UDP to the DNS port. A TCP query to port 80 seems a little inefficient by comparison, but perhaps it's a free service. (grin)
