  1. #1
    2 Star Lounger
    Join Date
    Jan 2001
    Location
    Portland, Maine, USA
    Posts
    173
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Address from woodys hitting my firewall

    I'm curious about entries in my firewall log. The entry below is what I'm concerned with:

    2004-03-22 16:31:49 CLOSE TCP 192.170.80.100 69.39.79.68 3164 80

    I pinged the address 69.39.79.68 and it says that it's pinging "sandbox.woodyswatch.com"

    Can anyone explain to me why this entry would be in my firewall log at times that I don't have my browser open or have even accessed woodys lounge that day???

    Thanks,
    Don

  2. #2
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Address from woodys hitting my firewall

    Here's a wild guess: you subscribe to one of the Woody's Watch newsletters in HTML format, you have Outlook retrieve your mail automatically, and you use the Preview Pane. If the newsletter came in as the newest message and was displayed in the Preview Pane, Outlook would pull the images automatically, even if it was minimized or hidden behind other windows. Of course, this is just a wild guess.

    (I'm pretty sure that the content on the Lounge is almost entirely on wopr.com, not woodyswatch.com, since we changed servers.)

  3. #3
    2 Star Lounger
    Join Date
    Jan 2001
    Location
    Portland, Maine, USA
    Posts
    173
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Address from woodys hitting my firewall

    That's a good thought, but I don't subscribe to any newsletters at Woodys and didn't have any programs open at the time.
    Any other ideas anyone??

    Thanks,
    Don

  4. #4
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Address from woodys hitting my firewall

    Can you confirm the format of the data?

    Date and Time: 2004-03-22 16:31:49
    Action Taken ?: CLOSE
    Protocol: TCP
    Destination IP ?: 192.170.80.100
    Source IP ?: 69.39.79.68
    Destination Port ?: 3164 {reg as IMPRS}
    Source Port ?: 80 {HTTP}

    I don't know why you would be receiving a connection on port 3164 (which IANA shows is registered for use by something called "imprs") unless you (1)

  5. #5
    5 Star Lounger
    Join Date
    Jan 2001
    Location
    Newark, New Jersey, USA
    Posts
    999
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Address from woodys hitting my firewall

    The lounge is on IP 66.93.85.138. I searched around Google but I can't find what IMPRA is. I'll see if I can find anything and let you know.
    Mike Wolfman
    Jack of all, Master of none
    Bow before me, for I am root.

  6. #6
    2 Star Lounger
    Join Date
    Jan 2001
    Location
    Portland, Maine, USA
    Posts
    173
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Address from woodys hitting my firewall

    Yes, that format is correct. I don't operate a service there and I haven't initiated any connection using port 3164. I'm going to have to look into what that port is exactly used for.

    Thanks,
    Don

  7. #7
    2 Star Lounger
    Join Date
    Jan 2001
    Location
    Portland, Maine, USA
    Posts
    173
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Address from woodys hitting my firewall

    I too have been searching for exactly what impra is used for. Just so you know I also have these entries which point to the lounge ip in my log when I wasn't even using the system. You might know what these ports are and why I would be getting hit.

    2004-03-22 13:36:49 CLOSE TCP 192.170.80.100 66.93.85.138 3128 80 - - - - - - - -
    2004-03-22 13:36:49 CLOSE TCP 192.170.80.100 66.93.85.138 3127 80 - - - - - - - -
    2004-03-22 13:36:49 CLOSE TCP 192.170.80.100 66.93.85.138 3126 80

    Thanks!
    Don

  8. #8
    2 Star Lounger
    Join Date
    Jan 2001
    Location
    Portland, Maine, USA
    Posts
    173
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Address from woodys hitting my firewall

    I'm sorry the format is off a bit. All is right except in this order starting at IP: Source IP, Destination IP, Source Port, and Destination Port. If this helps any.

    Thanks!
    Don

  9. #9
    Super Moderator jscher2000's Avatar
    Join Date
    Feb 2001
    Location
    Silicon Valley, USA
    Posts
    23,112
    Thanks
    5
    Thanked 93 Times in 89 Posts

    Re: Address from woodys hitting my firewall

    Well, that changes everything: your computer is connecting to the woodyswatch site, not the other way around. I'm not sure what could cause that. Do you have any kind of synchronization set up in IE?

    You might want to run a spyware scanner, just in case.

    When initiating an outbound TCP connection, your computer chooses an available port number for temporary (or "ephemeral") use, so the specific Source Port number likely is not important.
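
An added example, not part of any post in this thread: a small parser for the log entries quoted above, using the column order confirmed in post #8, that reports which end of each connection holds the server port and counts outbound connections per remote host. It assumes 192.170.80.100 is the logging PC's own address, as read in post #9; the function names are made up for this sketch.

```python
from collections import Counter

# First eight columns, in the order confirmed in post #8.
FIELDS = ("date", "time", "action", "protocol",
          "src_ip", "dst_ip", "src_port", "dst_port")

# Entries quoted in this thread, reused here as sample input.
SAMPLE_LOG = """\
2004-03-22 13:36:49 CLOSE TCP 192.170.80.100 66.93.85.138 3128 80 - - - - - - - -
2004-03-22 13:36:49 CLOSE TCP 192.170.80.100 66.93.85.138 3127 80 - - - - - - - -
2004-03-22 13:36:49 CLOSE TCP 192.170.80.100 66.93.85.138 3126 80
2004-03-22 16:31:49 CLOSE TCP 192.170.80.100 69.39.79.68 3164 80
"""

def parse_line(line):
    """Return a dict for one log entry, or None for comments and short lines."""
    parts = line.split()
    if line.lstrip().startswith("#") or len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    for key in ("src_port", "dst_port"):
        # Entries without ports carry "-" in these columns.
        rec[key] = int(rec[key]) if rec[key].isdigit() else None
    return rec

def server_side(rec):
    """Say which end uses a well-known port (<1024); the other end is the client."""
    src, dst = rec["src_port"], rec["dst_port"]
    if dst is not None and dst < 1024 and (src is None or src >= 1024):
        return "dst"
    if src is not None and src < 1024 and (dst is None or dst >= 1024):
        return "src"
    return "unknown"

def direction(rec, local_ip):
    """Classify an entry relative to the machine that wrote the log."""
    if rec["src_ip"] == local_ip:
        return "outbound"
    return "inbound" if rec["dst_ip"] == local_ip else "unknown"

def outbound_summary(text, local_ip):
    """Count outbound connections per (remote IP, remote port)."""
    counts = Counter()
    for rec in filter(None, map(parse_line, text.splitlines())):
        if direction(rec, local_ip) == "outbound":
            counts[(rec["dst_ip"], rec["dst_port"])] += 1
    return counts

if __name__ == "__main__":
    for remote, n in outbound_summary(SAMPLE_LOG, "192.170.80.100").items():
        print(remote, n)
```
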

  10. #10
    2 Star Lounger
    Join Date
    Jan 2001
    Location
    Portland, Maine, USA
    Posts
    173
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Address from woodys hitting my firewall

    Yes, I realize that now that you made me double check the format. I don't think I have any special synch setup in IE. I'm not even sure how you would set that up and what it would be good for? Also I run virus scans and spyware scans (spybot) all the time but I will run it again to be sure.

    Thanks!
    Don

  11. #11
    Platinum Lounger
    Join Date
    Dec 2000
    Location
    Hornsby Heights, New South Wales, Australia
    Posts
    3,822
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Address from woodys hitting my firewall

    The sandbox is used for 2 things:

    • It's a backup image server for Woodyswatch ezines, used only when the normal image server is down. It's nearly a year since that was the case.
    • It's a file server for old message attachments of the lounge.

    However, that doesn't explain why your computer would try and connect to that box without you logging on yourself. Can I suggest you delete your temporary internet files and flush your firewall cache and reboot. What firewall are you using? Is your clock showing the right time?
    Cheers, Claude.

  12. #12
    2 Star Lounger
    Join Date
    Jan 2001
    Location
    Portland, Maine, USA
    Posts
    173
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Address from woodys hitting my firewall

    Thanks for the reply,

    I do delete all temporary internet files often. As far as flushing my firewall's cache, I'm not sure how I would do that, but will look into it. I'm using a hardware firewall integrated with my dlink DI-614+ wireless access point and I am also using the internet connection firewall included with Windows XP. Yes, my system time is correct.

    Don

  13. #13
    Platinum Lounger
    Join Date
    Dec 2000
    Location
    Hornsby Heights, New South Wales, Australia
    Posts
    3,822
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Address from woodys hitting my firewall

    Ok, the D-Link DI-614+ doesn't have a cache. Where did that log come from? Presumably you've got your WEP settings secure so no stranger can access and use your system? Note that WEP is disabled by default on that model! Are you still getting connection requests to the sandbox?
    Cheers, Claude.

  14. #14
    2 Star Lounger
    Join Date
    Jan 2001
    Location
    Portland, Maine, USA
    Posts
    173
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Address from woodys hitting my firewall

    Yes, I do have WEP enabled with 128 bit encryption so I don't think I have anything to worry about there. The log comes from the ICF (Internet connection firewall) that comes with Windows XP. I have it enabled on my LAN card on my pc that is behind the Dlink just for added protection but also so that I can have some kind of log that I can check to make sure there aren't any intrusion attempts. Besides checking the ICF log I don't know of any other way to check that no "outsiders" have been trying to gain access to my network. I wish that the DLink had some sort of log file for this reason.

    Anyway, I checked the log today and my system made no attempt to make a connection to either the lounge or the sandbox. I'll keep you posted if it continues. If you have any suggestions for me on how I can make sure that nobody is trying to access my LAN besides what I'm already doing, I'm all ears!!

    Thanks again,
    Don

  15. #15
    Platinum Lounger
    Join Date
    Dec 2000
    Location
    Hornsby Heights, New South Wales, Australia
    Posts
    3,822
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Address from woodys hitting my firewall

    D-Link does indeed have log files; you can even set your router to email you the logs. Log onto http://192.168.0.1. Click on the Status tab, then, on the left hand side, click on the Log button. You'll be amazed how many attempted attacks you get. My system is being probed once or twice per minute, 24 hours a day.
    Cheers, Claude.
