who is pre005.lifemedien.de?

Message boards : Cafe SETI : who is pre005.lifemedien.de?
Captain Avatar
Volunteer tester
Joined: 17 May 99
Posts: 15133
Credit: 529,088
RAC: 0
United States
Message 92708 - Posted: 30 Mar 2005, 5:34:19 UTC

And why every time I come to the Cafe my firewall goes nuts?

A computer in your Banned IP list at pre005.lifemedien.de has attempted to access TCP port xxxx on your computer.
and keeps trying on many ports.....

Thanks
ID: 92708
Rom Walton (BOINC)
Volunteer tester
Joined: 28 Apr 00
Posts: 579
Credit: 130,733
RAC: 0
United States
Message 92712 - Posted: 30 Mar 2005, 5:50:53 UTC

What port number is it trying to attach to?

----- Rom
BOINC Development Team, U.C. Berkeley
My Blog
ID: 92712
Daniel Michel
Volunteer tester
Joined: 2 Feb 04
Posts: 14925
Credit: 1,378,607
RAC: 6
United States
Message 92714 - Posted: 30 Mar 2005, 6:10:06 UTC - in response to Message 92708.  

> And why every time I come to the Cafe my firewall goes nuts?
>
> A computer in your Banned IP list at pre005.lifemedien.de has attempted to
> access TCP port xxxx on your computer.
> and keeps trying on many ports.....
>
> Thanks
>--------------------------------
I checked my firewall and saw pre005.lifemedien.de listed in the traffic log. When I back-traced www.hcs-tuning.de (194.97.107.175) it read as if it were going for port 0.

PROUD TO BE TFFE!
ID: 92714
Captain Avatar
Volunteer tester
Joined: 17 May 99
Posts: 15133
Credit: 529,088
RAC: 0
United States
Message 92716 - Posted: 30 Mar 2005, 6:14:16 UTC - in response to Message 92712.  

> What port number is it trying to attach to?

All of them.
S. Port 80
D. Ports
1229
1228
1208
1197
1229
1228
1226
1169
1143
1109
4861

I can go on and on, Rom.

Thanks
and there's more besides this one....
ID: 92716
Captain Avatar
Volunteer tester
Joined: 17 May 99
Posts: 15133
Credit: 529,088
RAC: 0
United States
Message 92717 - Posted: 30 Mar 2005, 6:18:10 UTC - in response to Message 92708.  
Last modified: 30 Mar 2005, 6:19:59 UTC

> And why every time I come to the Cafe my firewall goes nuts?
>
> A computer in your Banned IP list at pre005.lifemedien.de has attempted to
> access TCP port xxxx on your computer.
> and keeps trying on many ports.....
>
> Thanks

I refreshed my screen and this is one of the messages I get:
A computer in your Banned IP list at pre005.lifemedien.de has attempted to access TCP port 1502 on your computer.
TCP port 1502 is commonly used by the "Shiva" service or program.

Then another one is:

A computer in your Banned IP list at pre005.lifemedien.de has attempted to access TCP port 1510 on your computer.
TCP port 1510 is commonly used by the "Midland Valley Exploration Ltd. Lic. Man." service or program.
ID: 92717
Rom Walton (BOINC)
Volunteer tester
Joined: 28 Apr 00
Posts: 579
Credit: 130,733
RAC: 0
United States
Message 92727 - Posted: 30 Mar 2005, 6:44:49 UTC

Does it happen off the homepage?

Is it only some of the threads, or all of them?

----- Rom
BOINC Development Team, U.C. Berkeley
My Blog
ID: 92727
N/A
Volunteer tester
Joined: 18 May 01
Posts: 3718
Credit: 93,649
RAC: 0
Message 92733 - Posted: 30 Mar 2005, 6:53:58 UTC
Last modified: 30 Mar 2005, 7:08:15 UTC

It's not me. I'd have used :1043 .o0(Who doesn't?)
> nslookup pre005.lifemedien.de
Name:   pre005.lifemedien.de
Address: 194.97.107.175

> nslookup 194.97.107.175
Non-authoritative answer:
175.107.97.194.in-addr.arpa     name = pre005.lifemedien.de.

Authoritative answers can be found from:
107.97.194.in-addr.arpa nameserver = dns.mcbone.net.
107.97.194.in-addr.arpa nameserver = wayne.mcbone.net.
107.97.194.in-addr.arpa nameserver = center-n.mcbone.net.
dns.mcbone.net  internet address = 194.97.3.2
wayne.mcbone.net        internet address = 62.104.198.72
center-n.mcbone.net     internet address = 194.97.3.4
Hitting up lifemedien.de shows a web hosting site. Vas ist der gamen?
ID: 92733
Alex
Joined: 26 Sep 01
Posts: 260
Credit: 2,327
RAC: 0
Canada
Message 92734 - Posted: 30 Mar 2005, 6:54:52 UTC
Last modified: 30 Mar 2005, 6:56:48 UTC

I'm going to guess that it's probably a boinc stats image on a server which is taking too long for your firewall program.

Myself, I have images turned off.

Each time your pc makes a request, it opens up a new temporary listening port that your webbrowser uses to get an image.

When you surf, you open up several concurrent connections at once when viewing a page with many images on it.
Browsers turn off the listen port after getting a proper response or when they time out.
I can see how a stats server could get overloaded on a large thread, such as the 'babe of the day thread' when there's a hundred statistic sigs.

You can open up a command line, and type netstat or netstat -n to see what ports your pc opens up.
ID: 92734
Rom Walton (BOINC)
Volunteer tester
Joined: 28 Apr 00
Posts: 579
Credit: 130,733
RAC: 0
United States
Message 92741 - Posted: 30 Mar 2005, 7:18:36 UTC - in response to Message 92734.  

> I'm going to guess that it's probably a boinc stats image on a server which is
> taking too long for your firewall program.
>
> Myself, I have images turned off.
>
> Each time your pc makes a request, it opens up a new temporary listening port
> that your webbrowser uses to get an image.
>
> When you surf, you open up several concurrent connections at once when viewing
> a page with many images on it.
> Browsers turn off the listen port after getting a proper response or when they
> time out.
> I can see how a stats server could get overloaded on a large thread, such as
> the 'babe of the day thread' when there's a hundred statistic sigs.
>
> You can open up a command line, and type netstat or netstat -n
> to see what ports your pc opens up.

Typically a browser uses a pull model where the request is opened up on a port but the web server’s response is sent back through that existing connection.

An http server should not attempt to establish a connection with your machine through normal use; it looks to me as though an image request is triggering a port scan of some kind, possibly worm-infection-type activity.

----- Rom
BOINC Development Team, U.C. Berkeley
My Blog
ID: 92741
N/A
Volunteer tester
Joined: 18 May 01
Posts: 3718
Credit: 93,649
RAC: 0
Message 92742 - Posted: 30 Mar 2005, 7:20:03 UTC - in response to Message 92734.  
Last modified: 30 Mar 2005, 7:26:21 UTC

> I'm going to guess that it's probably a boinc stats image on a server which is taking too long for your firewall program.

I've sniffed through the most heavily transited pages in the Café with all images and sigs turned on; neither pre005.lifemedien.de nor 194.97.107.175 showed up. I checked my ipfw log. Just the usual NetBIOS BS... I guess that it's just a zombie looking for an easy host in the pool.

I gave it to Agnes / she got it from Jim...
ID: 92742
Alex
Joined: 26 Sep 01
Posts: 260
Credit: 2,327
RAC: 0
Canada
Message 92747 - Posted: 30 Mar 2005, 7:54:38 UTC - in response to Message 92741.  
Last modified: 30 Mar 2005, 8:16:30 UTC

Edit: update.
My firewall shows it's Misfit's sig.

Here's the contents of a packet from pre005.lifemedien.de:

0000: 00 80 C8 B4 8E C2 00 40 : 2B 62 78 83 08 00 45 00 | .......@+bx...E.
0010: 02 A5 C2 B9 40 00 40 06 : 86 7C C0 A8 00 64 C2 61 | ....@.@..|...d.a
0020: 6B AF 06 2E 00 50 79 9C : 0E E0 D0 FA D4 05 50 18 | k....Py.......P.
0030: FA F0 42 39 00 00 47 45 : 54 20 2F 6E 65 69 6C 2F | ..B9..GET /neil/
0040: 6D 69 72 72 6F 72 5F 78 : 6D 6C 2E 70 68 70 3F 62 | mirror_xml.php?b
0050: 67 3D 30 30 30 30 30 30 : 26 62 6F 72 64 65 72 3D | g=000000&border=
0060: 30 30 30 30 30 30 26 74 : 65 78 74 3D 30 30 66 66 | 000000&text=00ff
0070: 30 30 26 75 73 65 5F 62 : 6F 72 64 65 72 3D 30 26 | 00&use_border=0&
0080: 63 72 65 64 69 74 3D 34 : 35 32 39 34 2E 34 33 26 | credit=45294.43&
0090: 61 76 67 43 72 65 64 69 : 74 3D 33 34 2E 31 32 26 | avgCredit=34.12&
00A0: 6E 61 6D 65 3D 4D 69 73 : 66 69 74 26 63 6F 75 6E | name=Misfit&coun
00B0: 74 72 79 3D 55 6E 69 74 : 65 64 25 32 30 53 74 61 | try=United%20Sta
00C0: 74 65 73 26 72 65 67 3D : 32 31 73 74 25 32 30 4A | tes&reg=21st%20J
00D0: 75 6E 25 32 30 32 30 30 : 31 25 32 30 32 31 3A 31 | un%202001%2021:1
00E0: 33 3A 32 35 26 74 65 61 : 6D 4E 61 6D 65 3D 42 4F | 3:25&teamName=BO
00F0: 49 4E 43 2B 53 79 6E 65 : 72 67 79 26 6D 4E 6F 3D | INC+Synergy&mNo=
0100: 36 26 62 67 5F 69 6D 61 : 67 65 3D 68 74 74 70 3A | 6&bg_image=http:
0110: 2F 2F 69 6D 67 2E 70 68 : 6F 74 6F 62 75 63 6B 65 | //img.photobucke
0120: 74 2E 63 6F 6D 2F 61 6C : 62 75 6D 73 2F 76 33 33 | t.com/albums/v33
0130: 30 2F 73 65 74 69 77 65 : 62 2F 6E 65 62 75 6C 61 | 0/setiweb/nebula
0140: 2E 6A 70 67 26 69 6D 61 : 67 65 5F 74 79 70 65 3D | .jpg&image_type=
0150: 33 26 74 72 61 6E 73 3D : 6F 66 66 26 74 65 61 6D | 3&trans=off&team
0160: 3D 6F 6E 26 74 65 61 6D : 52 61 6E 6B 3D 31 30 26 | =on&teamRank=10&
0170: 72 61 6E 6B 3D 35 38 32 : 31 26 72 66 3D 30 26 70 | rank=5821&rf=0&p
0180: 72 6A 3D 31 26 75 70 64 : 61 74 65 64 3D 33 30 2F | rj=1&updated=30/
0190: 30 33 2F 30 35 20 48 54 : 54 50 2F 31 2E 31 0D 0A | 03/05 HTTP/1.1..
01A0: 41 63 63 65 70 74 3A 20 : 2A 2F 2A 0D 0A 52 65 66 | Accept: */*..Ref
01B0: 65 72 65 72 3A 20 68 74 : 74 70 3A 2F 2F 73 65 74 | erer: http://set
01C0: 69 77 65 62 2E 73 73 6C : 2E 62 65 72 6B 65 6C 65 | iweb.ssl.berkele
01D0: 79 2E 65 64 75 2F 66 6F : 72 75 6D 5F 74 68 72 65 | y.edu/forum_thre
01E0: 61 64 2E 70 68 70 3F 69 : 64 3D 35 31 39 35 0D 0A | ad.php?id=5195..
01F0: 41 63 63 65 70 74 2D 4C : 61 6E 67 75 61 67 65 3A | Accept-Language:
0200: 20 65 6E 2D 63 61 0D 0A : 41 63 63 65 70 74 2D 45 | en-ca..Accept-E
0210: 6E 63 6F 64 69 6E 67 3A : 20 67 7A 69 70 2C 20 64 | ncoding: gzip, d
0220: 65 66 6C 61 74 65 0D 0A : 55 73 65 72 2D 41 67 65 | eflate..User-Age
0230: 6E 74 3A 20 4D 6F 7A 69 : 6C 6C 61 2F 34 2E 30 20 | nt: Mozilla/4.0
0240: 28 63 6F 6D 70 61 74 69 : 62 6C 65 3B 20 4D 53 49 | (compatible; MSI
0250: 45 20 36 2E 30 3B 20 57 : 69 6E 64 6F 77 73 20 4E | E 6.0; Windows N
0260: 54 20 35 2E 31 3B 20 53 : 56 31 3B 20 2E 4E 45 54 | T 5.1; SV1; .NET
0270: 20 43 4C 52 20 31 2E 31 : 2E 34 33 32 32 29 0D 0A | CLR 1.1.4322)..
0280: 43 6F 6E 6E 65 63 74 69 : 6F 6E 3A 20 4B 65 65 70 | Connection: Keep
0290: 2D 41 6C 69 76 65 0D 0A : 48 6F 73 74 3A 20 77 77 | -Alive..Host: ww
02A0: 77 2E 68 63 73 2D 74 75 : 6E 69 6E 67 2E 64 65 0D | w.hcs-tuning.de.
02B0: 0A 0D 0A : | ...
> An http server should not attempt to establish a connection with your machine
> through normal use; it looks to me as though an image request is triggering a
> port scan of some kind, possible worm infection type activity.

The longer the thread, the more images there are.
I really doubt it's a port scan. I'm sticking with the 'guy loaded some images in his sig' theory.

This is from viewing The Mission on Mars status thread in the science folder.

TCP testbox:1445 klaatu.ssl.berkeley.edu:http ESTABLISHED
TCP testbox:1446 klaatu.ssl.berkeley.edu:http ESTABLISHED
TCP testbox:1447 klaatu.ssl.berkeley.edu:http ESTABLISHED
TCP testbox:1448 klaatu.ssl.berkeley.edu:http ESTABLISHED
TCP testbox:1449 klaatu.ssl.berkeley.edu:http ESTABLISHED
TCP testbox:1451 klaatu.ssl.berkeley.edu:http ESTABLISHED
TCP testbox:1452 klaatu.ssl.berkeley.edu:http ESTABLISHED
TCP testbox:1454 beavis.dts-online.net:http ESTABLISHED
TCP testbox:1456 beavis.dts-online.net:http ESTABLISHED
TCP testbox:1457 beavis.dts-online.net:http ESTABLISHED
TCP testbox:1459 unknown.Level3.net:http ESTABLISHED
TCP testbox:1464 beavis.dts-online.net:http ESTABLISHED
TCP testbox:1465 user-11218np.dsl.mindspring.com:8018 ESTABLISHED
TCP testbox:1466 pre005.lifemedien.de:http ESTABLISHED
TCP testbox:1468 unknown219.9.157.204.defenderhosting.com:http ESTABLISHED
ID: 92747
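A defender's way to triage alerts like the ones in this thread, as an added example (not code posted in the thread or from BOINC/SETI@home): it parses firewall messages of the form "A computer ... has attempted to access TCP port N" and netstat lines like Alex's, then checks whether the "attacked" port is really the local end of a connection the browser opened to that same host, which is what a web server's reply looks like to a firewall that judges packets by destination port. The sample alert and netstat lines are constructed after the ones above, and the client port range 1025-5000 is the assumed Windows default of the time.

```python
import re

# Constructed sample alerts, modelled on the firewall messages quoted in the thread.
FIREWALL_ALERTS = """\
A computer in your Banned IP list at pre005.lifemedien.de has attempted to access TCP port 1466 on your computer.
A computer in your Banned IP list at pre005.lifemedien.de has attempted to access TCP port 1502 on your computer.
A computer in your Banned IP list at 203.0.113.7 has attempted to access TCP port 139 on your computer.
"""
# Constructed netstat output, modelled on the listing posted in the thread.
NETSTAT_OUTPUT = """\
TCP testbox:1465 user-11218np.dsl.mindspring.com:8018 ESTABLISHED
TCP testbox:1466 pre005.lifemedien.de:http ESTABLISHED
TCP testbox:1468 unknown219.9.157.204.defenderhosting.com:http ESTABLISHED
"""

ALERT_RE = re.compile(r"at (\S+) has attempted to access TCP port (\d+)")
NETSTAT_RE = re.compile(r"^\s*TCP\s+\S+:(\d+)\s+(\S+):(\S+)\s+ESTABLISHED", re.M)
# Assumed default client (ephemeral) port range of Windows XP era stacks: 1025-5000.
EPHEMERAL = range(1025, 5001)

def parse_alerts(text):
    """Return [(remote_host, local_port), ...] parsed from firewall alert lines."""
    return [(m.group(1), int(m.group(2))) for m in ALERT_RE.finditer(text)]

def parse_established(text):
    """Map remote host -> set of local ports that have an ESTABLISHED connection."""
    conns = {}
    for m in NETSTAT_RE.finditer(text):
        conns.setdefault(m.group(2), set()).add(int(m.group(1)))
    return conns

def classify(alerts, conns):
    """Label each alert as one of:
    reply     - the 'attacked' port is our end of a live connection to that host,
                i.e. the server answering a request the browser made;
    ephemeral - no live connection now, but the port is in the client range
                (typically a reply that arrived after the browser closed the socket);
    suspect   - unsolicited traffic to a service port, worth a closer look."""
    verdicts = {}
    for host, port in alerts:
        if port in conns.get(host, set()):
            verdicts[(host, port)] = "reply"
        elif port in EPHEMERAL:
            verdicts[(host, port)] = "ephemeral"
        else:
            verdicts[(host, port)] = "suspect"
    return verdicts

if __name__ == "__main__":
    result = classify(parse_alerts(FIREWALL_ALERTS), parse_established(NETSTAT_OUTPUT))
    for (host, port), verdict in sorted(result.items()):
        print(f"{host}:{port} -> {verdict}")
```

Only the third sample line, traffic to a service port with no matching outbound connection, survives as something to investigate; the two lifemedien.de alerts are classified as replies to the browser's own image requests.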
N/A
Volunteer tester
Joined: 18 May 01
Posts: 3718
Credit: 93,649
RAC: 0
Message 92752 - Posted: 30 Mar 2005, 8:24:49 UTC - in response to Message 92747.  
Last modified: 30 Mar 2005, 8:39:38 UTC

Sorry, but all I'm seeing here is:
    http://www.hcs-tuning.de/neil/mirror_xml.php?blahblahblah
    http://boinc.mundayweb.com/seti2/stats.php?blahblahblah
    http://setiweb.ssl.berkeley.edu/forum_thread.php?blahblahblah
    http://setiweb.ssl.berkeley.edu/blahblahblah
    http://setiweb.ssl.berkeley.edu/user_profile/images/blahblahblah, and
    http://www.boincsynergy.com/images/stats/blahblahblah

I don't think it's a SIG.

In the Missions on Mars thread you mentioned, all I found out of the ordinary was one darrenc.dyndns.org:8018 . I think it's a boinc.mundayweb.com stats mirror - It was trying to load Sir Uli's SIG.

[Addendum] I've also gotten traffic from 66.32.162.249:8018 hitting up my NetBIOS and "Leet" ports. Anyone on MindSpring DSL, fess up.
ID: 92752
Alex
Joined: 26 Sep 01
Posts: 260
Credit: 2,327
RAC: 0
Canada
Message 92762 - Posted: 30 Mar 2005, 8:54:11 UTC

If you visit mundayweb (http://www.boinc.mundayweb.com/) you'll know that people donate the use of mirrors to help him out.

If you resolve the IP addy of www.hcs-tuning.de you'll see that it's hosted by lifemedien.de:

http://www.network-tools.com/default.asp?prog=trace&Netnic=whois.arin.net&host=www.hcs-tuning.de

ID: 92762
N/A
Volunteer tester
Joined: 18 May 01
Posts: 3718
Credit: 93,649
RAC: 0
Message 92763 - Posted: 30 Mar 2005, 9:05:18 UTC - in response to Message 92762.  
Last modified: 30 Mar 2005, 9:06:30 UTC

And the moral of the story is Don't Dare Debug at 4AM while Drinking Decaf.

I owe you a +1 (my RAC is too low!).
ID: 92763
Captain Avatar
Volunteer tester
Joined: 17 May 99
Posts: 15133
Credit: 529,088
RAC: 0
United States
Message 92787 - Posted: 30 Mar 2005, 11:42:40 UTC - in response to Message 92763.  

> And the moral of the story is Don't Dare Debug at 4AM while Drinking
> Decaf.
>
> I owe you a +1 (my RAC is too low!).

OK, what are your suggestions other than turning off images?

A computer in your Banned IP list at pre005.lifemedien.de has attempted to access TCP port 2819 on your computer.
TCP port 2819 is commonly used by the "FC Fault Notification" service or program.
ID: 92787
Captain Avatar
Volunteer tester
Joined: 17 May 99
Posts: 15133
Credit: 529,088
RAC: 0
United States
Message 92791 - Posted: 30 Mar 2005, 11:53:13 UTC - in response to Message 92787.

> OK, what are your suggestions other than turning off images?

I turned off all images and the attacks stopped.

Of course this sucks for me since I am Captain Avatar
and this is very bad for biz...... Not that I charge
money for my efforts!

....
ID: 92791
Celtic Wolf
Volunteer tester
Joined: 3 Apr 99
Posts: 3278
Credit: 595,676
RAC: 0
United States
Message 92810 - Posted: 30 Mar 2005, 13:16:44 UTC - in response to Message 92791.  
Last modified: 30 Mar 2005, 13:17:01 UTC

> > OK, what are your suggestions other than turning off images?
>
> I turned off all images and the attacks stopped.
>
> Of course this sucks for me since I am Captain Avatar
> and this is very bad for biz...... Not that I charge
> money for my efforts!
>
> ....

I have contacted Neil Munday and informed him of the problem, Timmy. If you look at your firewall you'll probably see my domain there too. I am a Munday Web mirror too.

I'd rather speak my mind because it hurts too much to bite my tongue.

American Spirit BBQ Proudly Serving those that courageously defend freedom.
ID: 92810
Alex
Joined: 26 Sep 01
Posts: 260
Credit: 2,327
RAC: 0
Canada
Message 92839 - Posted: 30 Mar 2005, 16:14:57 UTC

> I turned off all images and the attacks stopped.

I really doubt that your pc is being attacked.
ID: 92839
Captain Avatar
Volunteer tester
Joined: 17 May 99
Posts: 15133
Credit: 529,088
RAC: 0
United States
Message 92841 - Posted: 30 Mar 2005, 16:34:09 UTC - in response to Message 92810.  

I am sending you and Rom my logs
so you can see what's happening.

I took a snapshot with graphics turned off
and I am clearing the logs and turning the graphics
back on and will send that also....

In a few min...
ID: 92841
N/A
Volunteer tester
Joined: 18 May 01
Posts: 3718
Credit: 93,649
RAC: 0
Message 93031 - Posted: 31 Mar 2005, 1:02:19 UTC - in response to Message 92763.  

+ed you.
ID: 93031


 
©2024 University of California
 
SETI@home and Astropulse are funded by grants from the National Science Foundation, NASA, and donations from SETI@home volunteers. AstroPulse is funded in part by the NSF through grant AST-0307956.