dmaceld

asked on

Strange request from Svcs & Ctlr App for nonexistent IP

Today ZoneAlarm popped up an alert that Services & Controller App wanted to accept connections from the private network address of 192.168.7.175:13568. Several times after it also wanted to accept a connection from 192.168.7.170:53. I said no the first time so all subsequent have been blocked.

This is strange and worrisome because I only have three items on my private network, the router at 192.168.0.1, desktop at 192.168.0.101 and a laptop at 192.168.0.100. I'm connected to internet via DSL modem on the WAN port of the router. The modem is not visible on the network, and the laptop is not turned on. The router is serving as DHCP server, firewall, and NAT, and gateway.

Where can this nonexistent IP address be coming from? Has some outside intrusion made its way past the router and presented itself as coming from 192.168.7.170 & .175?

Here's the ZA log entries.

PE,2004/03/26,11:09:12 -6:00 GMT,Services and Controller app,192.168.7.175:53,N/A
ACCESS,2004/03/26,11:13:28 -6:00 GMT,Services and Controller app was temporarily blocked from accepting a connection from the local zone (192.168.7.175:DNS).,N/A,N/A
ACCESS,2004/03/26,11:13:28 -6:00 GMT,Services and Controller app was temporarily blocked from accepting a connection from the local zone (192.168.7.170:DNS).,N/A,N/A
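As an added example (not part of the original question, and not ZoneAlarm's own code), the following Python script parses the two ZoneAlarm log layouts shown above and flags sources that the firewall placed in the "local zone" but that fall outside the subnet the asker's ipconfig reports later in the thread (192.168.0.0/24). The first three log lines are the ones posted above; the fourth is constructed to show how a genuine LAN host (the laptop at 192.168.0.100) is classified. The port-name table is an assumption about how ZoneAlarm prints well-known ports; only DNS appears in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Subnet of the asker's desktop, taken from the ipconfig output later in the thread
# (192.168.0.101, mask 255.255.255.0).
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")

# ZoneAlarm prints service names instead of numbers for some well-known ports.
# Assumed mapping; only DNS occurs in the thread's log lines.
PORT_NAMES = {"DNS": 53, "HTTP": 80, "HTTPS": 443, "SMTP": 25}

# "a.b.c.d:port", where port is either a number or a service name such as DNS.
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\w+)")

# First three lines are the ones posted in the question; the fourth is constructed
# to show what a connection from the laptop (192.168.0.100) would look like.
ZA_LOG = [
    "PE,2004/03/26,11:09:12 -6:00 GMT,Services and Controller app,192.168.7.175:53,N/A",
    "ACCESS,2004/03/26,11:13:28 -6:00 GMT,Services and Controller app was temporarily blocked from accepting a connection from the local zone (192.168.7.175:DNS).,N/A,N/A",
    "ACCESS,2004/03/26,11:13:28 -6:00 GMT,Services and Controller app was temporarily blocked from accepting a connection from the local zone (192.168.7.170:DNS).,N/A,N/A",
    "PE,2004/03/26,11:20:00 -6:00 GMT,Services and Controller app,192.168.0.100:1025,N/A",
]


@dataclass
class Alert:
    kind: str            # PE (program event) or ACCESS
    timestamp: str
    src_ip: str
    src_port: Optional[int]
    verdict: str         # lan-host, suspect-private or external


def parse_port(token: str) -> Optional[int]:
    if token.isdigit():
        return int(token)
    return PORT_NAMES.get(token.upper())


def classify(ip_str: str) -> str:
    """A private address outside LOCAL_NET cannot be a host on this /24: it is
    either a misconfigured device, another subnet behind the router, or a spoofed
    source address, and deserves a closer look."""
    ip = ipaddress.ip_address(ip_str)
    if ip in LOCAL_NET:
        return "lan-host"
    if ip.is_private:
        return "suspect-private"
    return "external"


def parse_line(line: str) -> Optional[Alert]:
    fields = line.split(",", 3)            # kind, date, time, remainder
    if len(fields) < 4:
        return None
    kind, date, time, rest = fields
    m = ENDPOINT_RE.search(rest)           # works for both the PE and ACCESS layouts
    if not m:
        return None
    return Alert(kind, f"{date} {time}", m.group(1), parse_port(m.group(2)),
                 classify(m.group(1)))


def parse_log(lines: List[str]) -> List[Alert]:
    return [a for a in map(parse_line, lines) if a is not None]


def suspicious_sources(lines: List[str]) -> List[str]:
    """Source IPs that claim to be local but lie outside the configured subnet."""
    return sorted({a.src_ip for a in parse_log(lines) if a.verdict == "suspect-private"})


if __name__ == "__main__":
    for alert in parse_log(ZA_LOG):
        print(f"{alert.timestamp}  {alert.kind:<6} {alert.src_ip}:{alert.src_port}  {alert.verdict}")
    print("investigate:", suspicious_sources(ZA_LOG))
```

The check that matters is the one in classify(): ZoneAlarm's "local zone" is a trust decision, but the host's own subnet mask says which private addresses can really be neighbours. Anything private that is outside that mask should be treated with the same suspicion as an internet address, which is exactly what saying "no" to the alert did.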
TheBrothaULuv2H8

To interpret the alert.....

It's saying that IP:  192.168.7.175  (remote port 13568 <-- not important) wants to access

PORT 53 on your machine.

Port 53 is DNS.  Are you running a DNS server?  If not, and there's no reason any machine should be allowing other machines to look to your machine for DNS queries then you were ok to DENY access.

Not sure where that IP is coming from, spoofed maybe?  I kinda doubt it.  Are there any other devices in your configuration that may be "network aware" and are trying to contact a DNS server?

If it continues, add the IP to your BLOCKED list in ZoneAlarm to prevent ANY access from that IP.

dmaceld

ASKER

The ZA log says Svcs and Ctlr app wants to accept a connection from port 53 at two different IPs 192.168.7.170 and .175. One attempt was from port 13568. The destination IP and port are blank in the log. If whatever it is was doing a DNS query to my machine the destination would be shown as 192.168.0.101:53. Right?

See my other new comment about what is connected to the network.

Hi,
Please confirm what your DNS settings are. Go to a command prompt and type ipconfig /all
Check to see if the rogue addresses are there (dns or wins or gateway - whatever)
If nothing there then double check your dsl modem for open NATs etc.

Having reread your notes it almost sounds as if you have an incorrect subnet mask set up.

To help us please provide

ipconfig /all
route print

In fact, analysing them may help you.
Cheers
Ian
dmaceld

ASKER

Additional info:

I forgot to mention that I have a wireless access point connected at IP 192.168.0.50. I got to thinking that maybe someone was trying to connect via wireless from outside. I checked my AP configuration and it is configured to accept connections ONLY from the MAC address of my laptop. If someone tries to get in from outside they shouldn't be able to, and I wouldn't see anything in ZA about it, right?

To reiterate, there are only four physical devices on the local network, my desktop at 192.168.0.101, the router at 192.168.0.1, the laptop at 192.168.0.100, and the AP at 192.168.0.50.

The router does NAT so all normal traffic coming through appears to come from 192.168.0.1. How on earth would S & C get a connection attempt from an IP that doesn't physically exist in my system?

dmaceld

ASKER

Does this output from ipconfig help any? I don't find anything in it that does.

Windows 2000 IP Configuration
      Host Name . . . . . . . . . . . . : hagatha
      Primary DNS Suffix  . . . . . . . :
      Node Type . . . . . . . . . . . . : Broadcast
      IP Routing Enabled. . . . . . . . : No
      WINS Proxy Enabled. . . . . . . . : No
      DNS Suffix Search List. . . . . . : [local network name deleted]

Ethernet adapter Local Area Connection:
      Connection-specific DNS Suffix  . : [local network name deleted]
      Description . . . . . . . . . . . : Realtek RTL8139/810X Family PCI Fast Ethernet NIC
      Physical Address. . . . . . . . . : 00-0D-61-07-A2-E6
      DHCP Enabled. . . . . . . . . . . : Yes
      Autoconfiguration Enabled . . . . : Yes
      IP Address. . . . . . . . . . . . : 192.168.0.101
      Subnet Mask . . . . . . . . . . . : 255.255.255.0
      Default Gateway . . . . . . . . . : 192.168.0.1
      DHCP Server . . . . . . . . . . . : 192.168.0.1
      DNS Servers . . . . . . . . . . . : 192.168.0.1
      Lease Obtained. . . . . . . . . . : Friday, March 26, 2004 8:05:42 AM
      Lease Expires . . . . . . . . . . : Friday, April 02, 2004 8:05:42 AM
dmaceld

ASKER

Here's the output from route print.

============================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x1000003 ...00 0d 61 07 a2 e6 ...... Realtek 8139-series PCI NIC
============================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.101        1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.0.0    255.255.255.0    192.168.0.101   192.168.0.101        1
    192.168.0.101  255.255.255.255        127.0.0.1       127.0.0.1        1
    192.168.0.255  255.255.255.255    192.168.0.101   192.168.0.101        1
        224.0.0.0        224.0.0.0    192.168.0.101   192.168.0.101        1
  255.255.255.255  255.255.255.255    192.168.0.101   192.168.0.101        1
Default Gateway:       192.168.0.1
===========================================================================
Persistent Routes:
  None
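An added example (mine, not from the thread or from Windows) that parses the Active Routes table above and performs the longest-prefix lookup Windows does when it sends a packet. It shows that a reply to 192.168.7.175 would leave via the default gateway 192.168.0.1 rather than directly on the LAN, so a host with that address cannot be a neighbour on this /24 unless a subnet mask is wrong. The last function tests Ian's subnet-mask hypothesis against the adapter settings from the ipconfig output above: with the configured 255.255.255.0 the strange addresses are off-subnet, with a 255.255.0.0 mask they would look like neighbours.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Active Routes section of the asker's "route print" output, reproduced verbatim.
ROUTE_PRINT = """
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.0.1   192.168.0.101        1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1        1
      192.168.0.0    255.255.255.0    192.168.0.101   192.168.0.101        1
    192.168.0.101  255.255.255.255        127.0.0.1       127.0.0.1        1
    192.168.0.255  255.255.255.255    192.168.0.101   192.168.0.101        1
        224.0.0.0        224.0.0.0    192.168.0.101   192.168.0.101        1
  255.255.255.255  255.255.255.255    192.168.0.101   192.168.0.101        1
"""


@dataclass
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    interface: str
    metric: int

    @property
    def on_link(self) -> bool:
        # Windows lists the interface's own address as the gateway of a directly
        # attached network, so gateway == interface means "no router in between".
        return self.gateway == self.interface


def parse_route_print(text: str) -> List[Route]:
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue                      # header, separators, blank lines
        dest, mask, gateway, iface, metric = parts
        try:
            net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue                      # not a route row
        routes.append(Route(net, gateway, iface, int(metric)))
    return routes


ROUTES = parse_route_print(ROUTE_PRINT)


def lookup(dest: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Longest-prefix match, lowest metric as tie-break: the route Windows uses."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in r.network]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.network.prefixlen, -r.metric))


def same_subnet(my_ip: str, mask: str, other_ip: str) -> bool:
    """Would other_ip be treated as on-link if the adapter had this mask?"""
    net = ipaddress.ip_network(f"{my_ip}/{mask}", strict=False)
    return ipaddress.ip_address(other_ip) in net


if __name__ == "__main__":
    for target in ("192.168.7.175", "192.168.0.100", "8.8.8.8"):
        r = lookup(target)
        print(f"{target:<15} via {r.gateway:<14} {'on-link' if r.on_link else 'routed'}  ({r.network})")
    # Ian's hypothesis: with a /16 mask the strange addresses would look like neighbours.
    print("mask 255.255.255.0:", same_subnet("192.168.0.101", "255.255.255.0", "192.168.7.175"))
    print("mask 255.255.0.0:  ", same_subnet("192.168.0.101", "255.255.0.0", "192.168.7.175"))
```

Because the only route matching 192.168.7.x is the default route, the desktop would send any reply to the router, and the router (doing NAT on a different /24) would have no reason to forward it back onto the LAN. That makes the two alerts consistent with a packet that arrived with a forged or misconfigured source address rather than with a real machine on the local network.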
dmaceld

ASKER

I can't check anything on the DSL modem because it is on the WAN side of the router which is not visible on the local network. When I do configurations on it I have to reconnect it directly to the computer.

As far as NAT holes in the router's firewall I don't think so. The only opening I can find is permission for the router to respond to pings. DMZ is off, and all preinstalled games rules are off. I have added no other firewall rules.

192.168 isn't routable, though in connection with other packets network recon tools like nmap sometimes send decoy packets using spoofed rfc1918 addresses. Your log doesn't state the size of the packet so it's difficult to say if there was a payload, but I don't think it's unusual to see traffic with private IP addresses.
dmaceld

ASKER

chicagoan, Can you elaborate re: decoy packets and spoofed addresses. Are you saying those spoofed addresses come through unfazed and that's what my computer sees?

Possibly related - my router log shows a whole batch of "SYN Flood attack detects."

ASKER CERTIFIED SOLUTION
chicagoan
Hi,
Thanks for ipconfig and routes.
All looks ok.
I have a very similar setup and the only time I get Zone Alarm giving me an alert is if I have sent a request from my machine to a website ( or whatever ) and it is stopping the return.
This of course would mean your machine is sending stuff out you don't know about.
If you do a netstat -an it will show any open ports - please post.
Whenever something unusual is happening I do the following.

run netstat -an looking for unusual open ports
Run msconfig (or startupCPL) and uncheck everything - except stuff you have to have.
I use http://www.mlin.net/StartupCPL.shtml
Check IE settings and restore defaults. I always use blank for home page.
Start ie6 and reset security and advanced stuff to defaults - high security
With Zone Alarm or equivalent. Set to disable all traffic.
Disconnect from network - remove cable
Boot into safe mode - no networking
Do your virus scan
Do your adaware spybot etc
Zone alarm will alert you if PC is trying to communicate with the outside world. If so find out why.
KEY to all this is to be in SAFE mode / NETWORK unplugged.
Hope this helps
Do on each machine.

As mentioned I can replicate similar alerts on Zone Alarm by scanning my work ip addresses from outside.
The alerts are really no big deal in this case.
Finally, sometimes you have software on your machine that tries to connect to "mother ship". eg McAfee EPO constantly tries to connect to my work server - when I'm at home - and causes an alert.

Should you still believe that someone is trying to get in - disable all unnecessary services - most of them - see http://www.blackviper.com/WinXP/servicecfg.htm ( or http://www.blackviper.com) if not XP - are not required for simple internet use.
Cheers
Ian
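Ian's first step is to read netstat -an for unusual open ports and for connections the machine is making on its own. As an added example (my code, not Ian's or Microsoft's), the script below parses that output in the layout Windows 2000 prints, lists every port the host is listening on, and picks out peers outside the desktop's subnet (192.168.0.0/24, from the ipconfig output above) that a known program should be able to account for. The sample output is constructed for the example and is not the asker's real netstat report; the SYN_SENT row shows what an outbound attempt towards one of the strange addresses would look like.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Subnet of the asker's desktop, from the ipconfig output earlier in the thread.
LOCAL_NET = ipaddress.ip_network("192.168.0.0/24")

# Constructed sample in the layout Windows 2000 "netstat -an" prints; it is not the
# asker's real output.  The SYN_SENT row is included to show what an outbound
# attempt towards one of the strange addresses would look like.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.0.101:139      0.0.0.0:0              LISTENING
  TCP    192.168.0.101:1041     192.168.0.1:80         ESTABLISHED
  TCP    192.168.0.101:1042     192.168.7.170:53       SYN_SENT
  UDP    0.0.0.0:445            *:*
  UDP    192.168.0.101:137      *:*
"""

# proto, local ip, local port, foreign ip, foreign port, optional state (UDP rows have none)
ROW_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text: str) -> List[Dict[str, object]]:
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue                      # banner and header lines
        proto, lip, lport, fip, fport, state = m.groups()
        rows.append({"proto": proto, "local_ip": lip, "local_port": int(lport),
                     "foreign_ip": fip, "foreign_port": fport, "state": state or ""})
    return rows


def listening_ports(rows) -> List[Tuple[str, int]]:
    """Ports something on this host is waiting on: TCP LISTENING plus every UDP socket."""
    ports = {(r["proto"], r["local_port"]) for r in rows
             if r["proto"] == "UDP" or r["state"] == "LISTENING"}
    return sorted(ports)


def foreign_peers(rows) -> List[Tuple[str, int, str]]:
    """Peers outside LOCAL_NET that this host is talking to (or trying to reach);
    each one should be explainable by a program you know is running."""
    out = []
    for r in rows:
        fip = r["foreign_ip"]
        if fip in ("*", "0.0.0.0"):
            continue                      # wildcard: a listening socket, no peer
        if ipaddress.ip_address(fip) in LOCAL_NET:
            continue                      # router or another LAN machine
        out.append((fip, int(r["foreign_port"]), r["state"]))
    return out


if __name__ == "__main__":
    rows = parse_netstat(NETSTAT_SAMPLE)
    print("listening:", listening_ports(rows))
    print("peers to account for:", foreign_peers(rows))
```

Compare the listening list against the services you expect (on a Windows 2000 home machine ports 135, 137, 139 and 445 are the usual NetBIOS/RPC set) and expect the peers list to be empty when nothing is running; the asker's report of only 0.0.0.0, 192.168.0.101 and 127.0.0.1 corresponds to an empty peers list here.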
dmaceld

ASKER

Ian, it looks like the situation is as chicagoan described. My router log shows my IP address was under a SYN flood attack at least twice today. One component of those attacks is IP spoofing.

This attack and the ZA response has convinced me that a s/w firewall on the computer is still worthwhile having even when you're behind a router hardware firewall.

I ran netstat as you requested. The only IP addresses in the report are those of this machine, i.e., 0.0.0.0, 192.168.0.101, and 127.0.0.1.

I'm going with chicagoan's answer. Thanks for your feedback.

Mac
dmaceld

ASKER

chicagoan,
After reviewing the CERT advisory and reading the documentation on the nmap web site it looks like this is what I saw today.

This experience has convinced me a s/w firewall has value, even in the presence of a router f/w. I hate to think what might have happened if I had blindly clicked on Yes when the alert came up because the request was supposedly coming from inside my trusted local network.

The question is:
How are these packets getting past your perimeter?
dmaceld

ASKER

I'm certainly not expert in networking so maybe I misunderstand what the NMAP documentation is saying. I got the impression that somehow or other by packet splitting and other techniques NMAP can send packets into a private network that present themselves as coming from within the network.

Do I read too much into what the documentation discusses? If you haven't read it lately take a look. Maybe you or someone else can decipher and explain what must have actually happened.

http://www.insecure.org/nmap/data/nmap_manpage.html

I did have the router set to respond to pings. I've changed that so that should lessen the chance of being seen as a candidate for attack.
dmaceld

ASKER

Part of what I thought was the answer has evaporated. I finally realized the SYN flood attack entries in my router log were from the GRC Shield's Up test I ran.

The log entries during the time of the strange IP visit are now gone. So, the source of the mysterious IP addresses remains elusive, unless it was from an NMAP probe that the router firewall didn't log.