Modem's Security Log shows Many Alerts

VaEsther's Avatar
Member with 66 posts.
Join Date: Sep 2008
Location: New York, New York
Experience: Beginner
20-Nov-2009, 10:25 AM #1
Modem's Security Log shows Many Alerts
Good morning,

While exploring through my modem's information yesterday, I came across the Security Log with pages of information with Red Alerts for Incoming and Yellow Alerts for Outgoing traffic.

Although I was away from my home most of the afternoon and the computer was turned off, I returned to find more lines of Alert information for Incoming traffic (?).

Will someone please explain what all this means? I ran several scans: MBAM, SAS, ESET online and OneCare and found no malware. Yet these Alerts have me somewhat anxious.


11/19/2009
01:09:20 Inbound RulesDropWANTCP Alert
11/19/2009
01:09:14 Inbound RulesDropWANTCP Alert
11/19/2009
01:09:11 Inbound RulesDropWANTCP Alert
11/19/2009
01:05:58 Inbound RulesDropWANTCP Alert
11/19/2009
01:05:23 Inbound RulesDropWANTCP Alert
11/19/2009
00:52:41 Inbound RulesDropWANTCP Alert
11/19/2009
00:39:42 Inbound RulesDropWANTCP Alert
11/19/2009
00:39:42 Inbound RulesDropWANTCP Alert
11/19/2009
00:33:48 Inbound RulesDropWANTCP Alert


Here are some of the Details:

11/19/2009
19:53:07 Inbound RulesDropWANTCP Alert
Source IP: 218.15.163.222
Destination IP: XXXXXXXX
Protocol: TCP
Source Port: 57345
Destination Port: 22
TCP Flags: 02 ( syn )

11/19/2009
19:41:52 Inbound RulesDropWANTCP Alert
Source IP: 17.250.248.93
Destination IP: XXXXXXXXXX
Protocol: TCP
Source Port: 80
Destination Port: 50031
TCP Flags: 04 ( rst )

11/19/2009
19:12:04 Inbound RulesDropWANTCP Alert
Source IP: 208.113.79.36
Destination IP: XXXXXXXXXX
Protocol: TCP
Source Port: 80
Destination Port: 50963
TCP Flags: 14 ( ack rst )

11/19/2009
19:02:58 Inbound RulesDropWANTCP Alert
Source IP: 17.250.248.93
Destination IP: XXXXXXXXXX
Protocol: TCP
Source Port: 80
Destination Port: 50942
TCP Flags: 04 ( rst )

11/19/2009
18:06:26 Inbound RulesDropWANTCP Aler
Source IP: 173.28.206.14
Destination IP: xxxxxxxxxx
Protocol: TCP
Source Port: 40142
Destination Port: 445
TCP Flags: 02 ( syn )

11/19/2009
18:06:23 Inbound RulesDropWANTCP Alert
Source IP: 173.28.206.14
Destination IP: XXXXXXXXXX
Protocol: TCP
Source Port: 40142
Destination Port: 445
TCP Flags: 02 ( syn )

Alert: TCP WAN Traffic to WAN IP

Below are Outbound Alerts for this morning:

11/20/2009
08:39:32 Outbound RulesDrop Alert
11/20/2009
08:39:29 Outbound RulesDrop Alert
11/20/2009
08:39:14 Outbound RulesDrop Alert
11/20/2009
08:39:11 Outbound RulesDrop Alert
11/20/2009
08:39:11 Outbound RulesDrop Alert
11/20/2009
08:39:08 Outbound RulesDrop Alert
11/20/2009
08:38:53 Outbound RulesDrop Alert
11/20/2009
08:38:50 Outbound RulesDrop Alert
11/20/2009
08:38:47 Outbound RulesDrop Alert

All of the Outbound Details are the same:

Source IP:
Destination IP: 199.9.252.165
Protocol: TCP
Source Port: 50990
Destination Port 843
TCP Flags: 02 (syn)

Alert : Packet to be dropped unless Service enabled.

Thank you,

VaEsther
cwwozniak's Avatar
Trusted Advisor with 32,995 posts.
Join Date: Nov 2005
Location: McHenry, IL - USA
Experience: Enough to be dangerous
20-Nov-2009, 11:02 AM #2
The inbound alerts are most likely hackers sniffing through random blocks of IP addresses looking for vulnerable systems. The modem did not reply to their connection requests. This is just typical "Background noise" for Internet traffic and should not usually be of any concern. It might be worth investigating if you notice a long period of ongoing incoming connections being blocked from one particular IP address.

The blocked outbound request to "Destination IP: 199.9.252.165" has the 199.9.252.165 IP address resolving to chat4.justin.tv. I visited the site and it appears to offer video streaming. Do the date and time of the alerts (assuming the modem's clock and calendar are correctly set) match when you turned the computer on to check the logs? If so, do you have some Instant Messaging or streaming application starting up when you boot up the computer?

Edit: If you are sure that you do not have any known chat or streaming programs running at start-up, then you may want to post a Hijackthis log in our Malware removal & HJT Logs forum. They are busy in there and it may take a while to get a response from an authorized member.
__________________
Chuck W.
I am not in this world to live up to your expectations, And you are not in this world to live up to mine. - Fritz Perls

Last edited by cwwozniak; 20-Nov-2009 at 11:08 AM..
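
As an added example (not part of the original posts and not the modem's own software), this sketch parses detail entries in the layout quoted in the first post and separates unsolicited inbound SYNs from resets, counting SYNs per source so a repeating address stands out. The sample entries are constructed with documentation-range addresses, and the threshold of 3 is an assumption.

```python
import re
from collections import Counter

# Constructed sample in the layout of the detail entries quoted in post #1.
# Addresses are documentation ranges, not values from the thread.
TEMPLATE = ("11/19/2009\n{t} Inbound RulesDropWANTCP Alert\nSource IP: {src}\n"
            "Destination IP: XXXXXXXX\nProtocol: TCP\nSource Port: {sp}\n"
            "Destination Port: {dp}\nTCP Flags: {fl}\n\n")
ROWS = [("19:53:07", "203.0.113.7", 57345, 22, "02 ( syn )"),
        ("19:41:52", "198.51.100.20", 80, 50031, "04 ( rst )"),
        ("19:12:04", "198.51.100.99", 80, 50963, "14 ( ack rst )"),
        ("18:06:29", "192.0.2.44", 40142, 445, "02 ( syn )"),
        ("18:06:26", "192.0.2.44", 40142, 445, "02 ( syn )"),
        ("18:06:23", "192.0.2.44", 40142, 445, "02 ( syn )")]
SAMPLE = "".join(TEMPLATE.format(t=t, src=s, sp=sp, dp=dp, fl=fl)
                 for t, s, sp, dp, fl in ROWS)

ENTRY = re.compile(
    r"Source IP:\s*(?P<src>\S+)\s+Destination IP:.*?\s+Protocol:\s*TCP\s+"
    r"Source Port:\s*(?P<sport>\d+)\s+Destination Port:?\s*(?P<dport>\d+)\s+"
    r"TCP Flags:\s*(?P<flags>[0-9A-Fa-f]{2})", re.S)

SYN, RST, ACK = 0x02, 0x04, 0x10  # the log prints the TCP flag byte in hex

def classify(flags):
    """Label a dropped inbound segment by its TCP flags."""
    if flags & SYN and not flags & ACK:
        return "unsolicited-syn"   # someone trying to open a connection to us
    if flags & RST:
        return "stale-reset"       # typically a late reply to a session we opened
    return "other"

def summarize(text, threshold=3):
    """Count entry kinds and list sources with >= threshold dropped SYNs."""
    kinds, syn_by_src = Counter(), Counter()
    for m in ENTRY.finditer(text):
        kind = classify(int(m["flags"], 16))
        kinds[kind] += 1
        if kind == "unsolicited-syn":
            syn_by_src[m["src"]] += 1
    repeat = sorted(ip for ip, n in syn_by_src.items() if n >= threshold)
    return kinds, syn_by_src, repeat

if __name__ == "__main__":
    kinds, syn_by_src, repeat = summarize(SAMPLE)
    print(dict(kinds), "repeat sources:", repeat)
```
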
VaEsther's Avatar
Member with 66 posts.
Join Date: Sep 2008
Location: New York, New York
Experience: Beginner
23-Nov-2009, 10:37 PM #3
Hello CW Wozniak,

Thank you for your assistance.

The Security logs have me quite anxious. I tried to Google the information but did not understand what I read. I checked the IPs and they are of websites I visit. I visit Justin.tv (which includes a chat feature while viewing a movie) quite regularly. However, the only programs I have listed to startup with the bootup in the msconfig are WinPatrol and OneCare.

The log also mentions dropped packets, is this something I should be concerned about?

Alert : Packet to be dropped unless Service enabled.

Again thank you for your assistance.

Last edited by VaEsther; 23-Nov-2009 at 10:45 PM..
cwwozniak's Avatar
Trusted Advisor with 32,995 posts.
Join Date: Nov 2005
Location: McHenry, IL - USA
Experience: Enough to be dangerous
24-Nov-2009, 01:55 AM #4
If you look in the Services tab of MSCONFIG you may see a longer list of applications that run in the background but some may be trying to connect to the Internet. I am not familiar enough with Windows to know what they do or which ones can be closed without affecting the normal operation of the computer. As I suggested before, you may want to create a Hijack This log and post it along with a description of your concerns in this web site's Malware and Hijack This log analysis forum.

Are you using a Westell modem? From a tiny bit of reading on a different web site that I visit, the Westell modems seem to have many options for blocking or passing both incoming and outgoing traffic. The dropped packets warning may be telling you that the modem is not allowing certain data packets to pass through and it is just going to ignore it.
__________________
Chuck W.
I am not in this world to live up to your expectations, And you are not in this world to live up to mine. - Fritz Perls
VaEsther's Avatar
Member with 66 posts.
Join Date: Sep 2008
Location: New York, New York
Experience: Beginner
24-Nov-2009, 06:35 PM #5
Hello CWWOZNIAK,

As per your suggestion, I submitted a HJT log to the security forum and I am waiting for their reply. Fortunately I use WinPatrol which has a HJT feature.

Thank you for looking further into this problem, since the information I found was above my level of understanding. Yes, I do understand there are other programs running on my computer other than those in the startup of the msconfig.

Recently I began having difficulties connecting to websites and Justin.tv is one of the sites. I am also experiencing more time-outs than usual due to an inability to connect to these websites. I wonder if those dropped packets have anything to do with this? Firefox is my default browser, and when I cannot connect with FF, I change to Internet Explorer or Chrome. Perhaps I should call my internet provider, ughh!

Too many times on the Justin.tv website, a movie would take some time to come through and when it did sometimes the chat would not appear. Also, it always takes several attempts before connecting to AOL's webmail. I did not make the possible connection between the time-outs and the dropped packets until I read your last post.

Thank you for the information you provided, it certainly has been helpful. By the way, Robbie was one of my favorite characters when I was a child, although he was such a ham; always stealing the scenes (Alert! Alert!).

Have a joyful and blessed holiday.

VaEsther