UDP Data/Packets & TCP Data



harlequin2k5
07-18-2006, 03:11 PM
I'm still quite new to this whole router thing...

I've recently been able to block one of our computers from accessing the internet, so I know when that computer tries to go out to the web our security log lets me know that an HTTP connection was dropped with that specific IP address and what its destination was (looks like it's only Windows trying to get its updates) - or if a computer attempts to access a blocked keyword - that's cool, but there are other things in the security log that I don't understand:


Mon, 07/17/2006 21:11:50 - TCP connection dropped - Source:67.78.75.227, 2782, WAN - Destination:67.78.185.42, 445, LAN - 'SMB'
Mon, 07/17/2006 21:15:20 - TCP connection dropped - Source:125.248.51.200, 6000, WAN - Destination:67.78.185.42, 7212, LAN - 'Suspicious TCP Data'
Mon, 07/17/2006 21:17:40 - UDP packet dropped - Source:204.16.208.112, 51572, WAN - Destination:67.78.185.42, 1026, LAN - 'Suspicious UDP Data'
Mon, 07/17/2006 21:19:04 - TCP connection dropped - Source:67.78.231.147, 2274, WAN - Destination:67.78.185.42, 445, LAN - 'SMB'
Mon, 07/17/2006 21:23:56 - TCP connection dropped - Source:67.78.165.112, 2387, WAN - Destination:67.78.185.42, 135, LAN - 'Suspicious TCP Data'
Mon, 07/17/2006 21:32:28 - TCP connection dropped - Source:67.78.228.197, 1138, WAN - Destination:67.78.185.42, 139, LAN - 'NetBIOS'
Mon, 07/17/2006 21:40:28 - UDP packet dropped - Source:216.107.36.62, 29150, WAN - Destination:67.78.185.42, 1026, LAN - 'Suspicious UDP Data'
Mon, 07/17/2006 21:46:22 - UDP packet dropped - Source:204.153.43.184, 31243, WAN - Destination:67.78.185.42, 1026, LAN - 'Suspicious UDP Data'
Mon, 07/17/2006 21:53:08 - TCP connection dropped - Source:67.78.75.227, 4544, WAN - Destination:67.78.185.42, 445, LAN - 'SMB'
Mon, 07/17/2006 22:00:20 - UDP packet dropped - Source:17.7.242.6, 31260, WAN - Destination:67.78.185.42, 1026, LAN - 'Suspicious UDP Data'
Mon, 07/17/2006 22:02:22 - UDP packet dropped - Source:204.16.208.119, 57338, WAN - Destination:67.78.185.42, 1026, LAN - 'Suspicious UDP Data'
Mon, 07/17/2006 22:03:32 - TCP connection dropped - Source:67.78.165.112, 1355, WAN - Destination:67.78.185.42, 135, LAN - 'Suspicious TCP Data'

I'm able to recognize our IP address on a few of these lines, and I didn't know if I needed to worry about all these "suspicious" connections?

Should I try and look up each of these IPs and see where they go? Is it just normal traffic (we have 6 other computers hooked up) for others who are surfing or checking email?

I'm still kinda new to this and I keep telling my boss (who didn't want any of this stuff in the first place ;) ) that everything is fine and we're as safe as we're gonna be.

any help is greatly appreciated :)

sage45
07-18-2006, 04:12 PM
What make and model router do you have?

-saige-

harlequin2k5
07-18-2006, 04:20 PM
Netgear FS318v with personal firewall

paulq
07-18-2006, 06:58 PM
Port 445 - SMB (Server Message Block) protocol: used for file sharing and other things in Win2k\XP (Often used by port scanners for OS detection).

Mon, 07/17/2006 21:11:50 - TCP connection dropped - Source:67.78.75.227, 2782, WAN - Destination:67.78.185.42, 445, LAN - 'SMB'

Source is trying to connect to your TCP port 7212 ... from Korea.

Mon, 07/17/2006 21:15:20 - TCP connection dropped - Source:125.248.51.200, 6000, WAN - Destination:67.78.185.42, 7212, LAN - 'Suspicious TCP Data'

Source is trying to connect to your UDP port 1026 (http://www.linklogger.com/UDP1026.htm) from Wasilla, Alaska.

Mon, 07/17/2006 21:17:40 - UDP packet dropped - Source:204.16.208.112, 51572, WAN - Destination:67.78.185.42, 1026, LAN - 'Suspicious UDP Data'

Ports 135 and 139 are the Microsoft Remote Procedure Call (RPC) service and NetBIOS Session Service respectively. Mostly open for backwards compatibility, I believe.

For more information check this (http://www.petri.co.il/what's_port_445_in_w2k_xp_2003.htm) site. On it they said the following:


If you are using a router as your Internet gateway then you will want to ensure that it does not allow inbound or outbound traffic via TCP ports 135-139.

Basically, it's probably all harmless, but if you're concerned, increase your firewall settings to whitelist only the ports you want to get through.
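The thread's log excerpt and paulq's port-by-port reading of it amount to a manual triage: parse each dropped-connection line, note which interface the traffic came from, group it by destination port and by source, and spot the sources that keep coming back. The script below is an added example that automates exactly that; it is not from the thread, from Netgear, or from any poster. It assumes the line format is the one quoted above (the regex and the `PORT_NOTES` table are mine), and its sample input is seven lines copied from the security log in the first post.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed input: seven lines copied from the security log quoted in the thread.
SAMPLE_LOG = """\
Mon, 07/17/2006 21:11:50 - TCP connection dropped - Source:67.78.75.227, 2782, WAN - Destination:67.78.185.42, 445, LAN - 'SMB'
Mon, 07/17/2006 21:15:20 - TCP connection dropped - Source:125.248.51.200, 6000, WAN - Destination:67.78.185.42, 7212, LAN - 'Suspicious TCP Data'
Mon, 07/17/2006 21:17:40 - UDP packet dropped - Source:204.16.208.112, 51572, WAN - Destination:67.78.185.42, 1026, LAN - 'Suspicious UDP Data'
Mon, 07/17/2006 21:23:56 - TCP connection dropped - Source:67.78.165.112, 2387, WAN - Destination:67.78.185.42, 135, LAN - 'Suspicious TCP Data'
Mon, 07/17/2006 21:32:28 - TCP connection dropped - Source:67.78.228.197, 1138, WAN - Destination:67.78.185.42, 139, LAN - 'NetBIOS'
Mon, 07/17/2006 21:53:08 - TCP connection dropped - Source:67.78.75.227, 4544, WAN - Destination:67.78.185.42, 445, LAN - 'SMB'
Mon, 07/17/2006 22:03:32 - TCP connection dropped - Source:67.78.165.112, 1355, WAN - Destination:67.78.185.42, 135, LAN - 'Suspicious TCP Data'
"""

# Assumed line format, written from the lines quoted in the thread (not a Netgear spec).
LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3}, \d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) - "
    r"(?P<proto>TCP|UDP) (?:connection|packet) dropped - "
    r"Source:(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<src_port>\d+), (?P<src_if>\w+) - "
    r"Destination:(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}), (?P<dst_port>\d+), (?P<dst_if>\w+) - "
    r"'(?P<label>[^']*)'$"
)

# Destination ports discussed in the thread; anything else gets a generic note.
PORT_NOTES = {
    ("TCP", 135): "Microsoft RPC endpoint mapper",
    ("TCP", 139): "NetBIOS session service",
    ("TCP", 445): "SMB over TCP (Windows file sharing)",
    ("UDP", 1026): "Windows Messenger service (see the linklogger.com link above)",
}


def parse_line(line):
    """Parse one log line into a dict; return None if the line does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%a, %m/%d/%Y %H:%M:%S")
    d["src_port"] = int(d["src_port"])
    d["dst_port"] = int(d["dst_port"])
    # A drop whose source interface is WAN is unsolicited inbound traffic the firewall
    # rejected (the firewall doing its job); a drop whose source is LAN is one of the
    # local machines being blocked, which is the case the poster actually cares about.
    d["direction"] = "inbound" if d["src_if"] == "WAN" else "outbound"
    return d


def parse_log(text):
    """Parse every matching line, silently skipping lines in another format."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def summarize(entries):
    """Group drops by (protocol, destination port) and by source address."""
    by_port = Counter((e["proto"], e["dst_port"]) for e in entries)
    by_source = Counter(e["src_ip"] for e in entries)
    repeat_sources = sorted(ip for ip, n in by_source.items() if n > 1)
    inbound = sum(1 for e in entries if e["direction"] == "inbound")
    # Sources sharing the destination's first two octets (same /16) are listed
    # separately so a cluster of nearby addresses is visible as a pattern.
    dst_prefixes = {".".join(e["dst_ip"].split(".")[:2]) for e in entries}
    near_sources = sorted({e["src_ip"] for e in entries
                           if ".".join(e["src_ip"].split(".")[:2]) in dst_prefixes})
    return {"by_port": by_port, "by_source": by_source, "repeat_sources": repeat_sources,
            "inbound": inbound, "outbound": len(entries) - inbound,
            "near_sources": near_sources}


def report(entries):
    """Human-readable triage lines: totals first, then ports by frequency, then repeat sources."""
    s = summarize(entries)
    lines = [f"{s['inbound']} inbound drops, {s['outbound']} outbound drops"]
    for (proto, port), n in s["by_port"].most_common():
        note = PORT_NOTES.get((proto, port), "no note; look the port up before worrying")
        lines.append(f"{proto}/{port}: {n} dropped - {note}")
    if s["repeat_sources"]:
        lines.append("repeat sources: " + ", ".join(s["repeat_sources"]))
    if s["near_sources"]:
        lines.append("sources in the same /16 as us: " + ", ".join(s["near_sources"]))
    return lines


if __name__ == "__main__":
    for line in report(parse_log(SAMPLE_LOG)):
        print(line)
```

Two things the summary makes visible that the raw log does not: every drop in the sample is inbound (source interface WAN), so nothing inside the LAN was trying to get out, and two addresses (67.78.75.227 and 67.78.165.112) each show up twice against the same port. Run against a full day of log output, the `outbound` count is the number to watch; a non-zero value means a local machine was blocked, which is the HTTP case the first post describes.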


