
pfirewall log showing TCP traffic from source ports in ascending order

Discussion in 'Virus & Other Malware Removal' started by bcbccoles, Mar 30, 2008.

Thread Status:
Not open for further replies.
  1. bcbccoles

    bcbccoles Thread Starter

    Joined:
    Mar 30, 2008
    Messages:
    2
    I am seeing outgoing traffic in my pfirewall log where the source port from my computer continues to go up/ascend with time, and all of it is going to destination port 80. What is odd is that while the source ports are going up in order (in general, with what seems to be legitimate traffic in between), the actual destination IPs change - but all destination ports are 80 in this case. The destination IPs are legitimate sites, but the source port in the pfirewall log isn't port 80.

    Sample below (notice the site is actually the Techguy IPs!):

    2008-03-30 22:26:08 OPEN TCP 192.2.28.100 209.183.226.150 2780 80 - - - - - - - - -
    2008-03-30 22:26:08 CLOSE TCP 192.2.28.100 209.183.226.150 2778 80 - - - - - - - - -
    2008-03-30 22:26:08 OPEN TCP 192.2.28.100 74.125.45.166 2781 80 - - - - - - - - -
    2008-03-30 22:26:08 OPEN TCP 192.2.28.100 65.55.184.157 2782 80 - - - - - - - - -
    2008-03-30 22:26:08 CLOSE TCP 192.2.28.100 65.55.184.157 2782 80 - - - - - - - - -
    2008-03-30 22:26:08 OPEN TCP 192.2.28.100 74.125.45.99 2783 80 - - - - - - - - -
    2008-03-30 22:26:09 CLOSE TCP 192.2.28.100 209.183.226.150 2780 80 - - - - - - - - -
    2008-03-30 22:26:11 OPEN TCP 192.2.28.100 209.183.226.152 2784 80 - - - - - - - - -
    2008-03-30 22:26:13 CLOSE TCP 192.2.28.100 209.183.226.152 2784 80 - - - - - - - - -
    2008-03-30 22:26:13 OPEN TCP 192.2.28.100 209.183.226.150 2785 80 - - - - - - - - -
    2008-03-30 22:26:15 OPEN TCP 192.2.28.100 209.183.226.150 2786 80 - - - - - - - - -
    2008-03-30 22:26:15 CLOSE TCP 192.2.28.100 209.183.226.150 2785 80 - - - - - - - - -
    2008-03-30 22:26:15 OPEN TCP 192.2.28.100 209.183.226.152 2787 80 - - - - - - - - -
    2008-03-30 22:26:15 CLOSE TCP 192.2.28.100 209.183.226.150 2786 80 - - - - - - - - -
    2008-03-30 22:26:16 CLOSE TCP 192.2.28.100 209.183.226.152 2787 80 - - - - - - - - -
    2008-03-30 22:26:16 OPEN TCP 192.2.28.100 209.183.226.152 2788 80 - - - - - - - - -
    2008-03-30 22:26:16 OPEN TCP 192.2.28.100 209.183.226.153 2789 80 - - - - - - - - -
    2008-03-30 22:26:16 OPEN TCP 192.2.28.100 209.183.226.153 2790 80 - - - - - - - - -
    2008-03-30 22:26:16 CLOSE TCP 192.2.28.100 209.183.226.152 2788 80 - - - - - - - - -
    2008-03-30 22:26:17 OPEN TCP 192.2.28.100 209.183.226.152 2791 80 - - - - - - - - -
    2008-03-30 22:26:17 CLOSE TCP 192.2.28.100 209.183.226.152 2791 80 - - - - - - - - -
    2008-03-30 22:26:17 OPEN TCP 192.2.28.100 209.183.226.153 2792 80 - - - - - - - - -
    2008-03-30 22:26:17 OPEN TCP 192.2.28.100 209.183.226.153 2793 80 - - - - - - - - -
    2008-03-30 22:26:17 CLOSE TCP 192.2.28.100 209.183.226.153 2790 80 - - - - - - - - -
    2008-03-30 22:26:17 CLOSE TCP 192.2.28.100 209.183.226.153 2789 80 - - - - - - - - -
    2008-03-30 22:26:19 OPEN TCP 192.2.28.100 209.183.226.153 2794 80 - - - - - - - - -
    2008-03-30 22:26:19 OPEN TCP 192.2.28.100 209.183.226.153 2795 80 - - - - - - - - -
    2008-03-30 22:26:19 CLOSE TCP 192.2.28.100 209.183.226.153 2793 80 - - - - - - - - -

    I've attached:
    - HijackThis log
    - pfirewall log (however, I removed several previous days to trim the size of the file)
    - Process Explorer log

    I've got both Norton Antivirus and Spyware Doctor running with latest updates.

    I did find some trojans on my other computers, which I believe started when I made the horrible mistake of testing one as a 'DMZ Host' on my Linksys router - I did not realize that opened it up to the internet until a day later (chalk up a 'lesson learned!').

    The increasing source ports to destination port 80 would seem like possible HTTP tunneling; however, I don't understand why it would use legitimate destination IPs?

    I've exhausted anything I am capable of figuring out.

    Any help would be greatly appreciated. In the meantime, I continue to lock down and am about to purchase SW and HW firewalls, but with all ports going out on 80 I am not sure what to block.

    I've tried searches on this forum and suspect the answer is probably here, but can't seem to find anything.
     

  2. bcbccoles

    bcbccoles Thread Starter

    Joined:
    Mar 30, 2008
    Messages:
    2
    Maybe this is normal for IE? I did a follow-up test. I cleared my pfirewall log. Then I opened up an IE session. It appears that when opening an IE session, many packets are opened on UDP and TCP, all from my computer, and all with ascending ports? Is this normal? Then when you close, all of them get closed out a couple of seconds later.

    Here are the results:

    I opened up IE which defaults to Google, saw the following:

    2008-04-01 19:36:08 OPEN UDP 192.2.28.100 205.152.37.23 1029 53 - - - - - - - - -
    2008-04-01 19:36:08 OPEN TCP 192.2.28.100 74.125.47.99 2708 80 - - - - - - - - -
    2008-04-01 19:36:24 CLOSE TCP 192.2.28.100 74.125.47.99 2708 80 - - - - - - - - -


    Then I opened TechGuys.com:

    2008-04-01 19:37:52 CLOSE UDP 192.2.28.100 205.152.37.23 1029 53 - - - - - - - - -
    2008-04-01 19:37:59 OPEN UDP 192.2.28.100 205.152.37.23 1029 53 - - - - - - - - -
    2008-04-01 19:38:00 OPEN TCP 192.2.28.100 209.183.226.152 2709 80 - - - - - - - - -
    2008-04-01 19:38:01 OPEN TCP 192.2.28.100 209.183.226.153 2710 80 - - - - - - - - -
    2008-04-01 19:38:01 CLOSE TCP 192.2.28.100 209.183.226.152 2709 80 - - - - - - - - -
    2008-04-01 19:38:01 OPEN TCP 192.2.28.100 65.54.225.102 2711 443 - - - - - - - - -
    2008-04-01 19:38:03 OPEN TCP 192.2.28.100 209.183.226.153 2712 80 - - - - - - - - -
    2008-04-01 19:38:03 CLOSE TCP 192.2.28.100 209.183.226.153 2710 80 - - - - - - - - -
    2008-04-01 19:38:03 CLOSE TCP 192.2.28.100 65.54.225.102 2711 443 - - - - - - - - -
    2008-04-01 19:38:04 CLOSE TCP 192.2.28.100 209.183.226.153 2712 80 - - - - - - - - -
    2008-04-01 19:38:04 OPEN TCP 192.2.28.100 209.183.226.153 2713 80 - - - - - - - - -
    2008-04-01 19:38:04 OPEN TCP 192.2.28.100 209.183.226.153 2714 80 - - - - - - - - -
    2008-04-01 19:38:04 OPEN TCP 192.2.28.100 209.183.226.153 2715 80 - - - - - - - - -
    2008-04-01 19:38:04 CLOSE TCP 192.2.28.100 209.183.226.153 2713 80 - - - - - - - - -
    2008-04-01 19:38:04 OPEN TCP 192.2.28.100 209.183.226.153 2716 80 - - - - - - - - -
    2008-04-01 19:38:04 CLOSE TCP 192.2.28.100 209.183.226.153 2715 80 - - - - - - - - -
    2008-04-01 19:38:04 OPEN TCP 192.2.28.100 209.183.226.153 2717 80 - - - - - - - - -
    2008-04-01 19:38:05 CLOSE TCP 192.2.28.100 209.183.226.153 2714 80 - - - - - - - - -
    2008-04-01 19:38:05 OPEN TCP 192.2.28.100 209.183.226.150 2718 80 - - - - - - - - -
    2008-04-01 19:38:05 OPEN TCP 192.2.28.100 209.183.226.153 2719 80 - - - - - - - - -
    2008-04-01 19:38:05 CLOSE TCP 192.2.28.100 209.183.226.153 2716 80 - - - - - - - - -
    2008-04-01 19:38:05 OPEN TCP 192.2.28.100 209.183.226.153 2720 80 - - - - - - - - -
    2008-04-01 19:38:05 CLOSE TCP 192.2.28.100 209.183.226.153 2719 80 - - - - - - - - -
    2008-04-01 19:38:05 OPEN TCP 192.2.28.100 209.183.226.153 2721 80 - - - - - - - - -
    2008-04-01 19:38:05 OPEN TCP 192.2.28.100 209.183.226.153 2722 80 - - - - - - - - -
    2008-04-01 19:38:05 CLOSE TCP 192.2.28.100 209.183.226.153 2717 80 - - - - - - - - -
    2008-04-01 19:38:05 CLOSE TCP 192.2.28.100 209.183.226.153 2720 80 - - - - - - - - -
    2008-04-01 19:38:05 OPEN TCP 192.2.28.100 209.183.226.153 2723 80 - - - - - - - - -
    2008-04-01 19:38:05 OPEN TCP 192.2.28.100 209.183.226.153 2724 80 - - - - - - - - -
    2008-04-01 19:38:05 CLOSE TCP 192.2.28.100 209.183.226.153 2721 80 - - - - - - - - -
    2008-04-01 19:38:05 CLOSE TCP 192.2.28.100 209.183.226.153 2722 80 - - - - - - - - -
    2008-04-01 19:38:05 OPEN TCP 192.2.28.100 209.183.226.153 2725 80 - - - - - - - - -
    2008-04-01 19:38:05 CLOSE TCP 192.2.28.100 209.183.226.153 2723 80 - - - - - - - - -
    2008-04-01 19:38:05 CLOSE TCP 192.2.28.100 209.183.226.153 2724 80 - - - - - - - - -
    2008-04-01 19:38:05 CLOSE TCP 192.2.28.100 209.183.226.153 2725 80 - - - - - - - - -
    2008-04-01 19:38:06 CLOSE TCP 192.2.28.100 209.183.226.150 2718 80 - - - - - - - - -
    2008-04-01 19:38:06 OPEN TCP 192.2.28.100 209.183.226.150 2726 80 - - - - - - - - -
    2008-04-01 19:38:06 OPEN TCP 192.2.28.100 209.183.226.150 2727 80 - - - - - - - - -
    2008-04-01 19:38:06 CLOSE TCP 192.2.28.100 209.183.226.150 2726 80 - - - - - - - - -
    2008-04-01 19:38:06 OPEN TCP 192.2.28.100 209.183.226.153 2728 80 - - - - - - - - -
    2008-04-01 19:38:06 OPEN TCP 192.2.28.100 209.183.226.153 2729 80 - - - - - - - - -
    2008-04-01 19:38:06 OPEN TCP 192.2.28.100 209.183.226.150 2730 80 - - - - - - - - -
    2008-04-01 19:38:06 OPEN TCP 192.2.28.100 74.125.45.166 2731 80 - - - - - - - - -
    2008-04-01 19:38:06 CLOSE TCP 192.2.28.100 209.183.226.150 2727 80 - - - - - - - - -
    2008-04-01 19:38:06 OPEN TCP 192.2.28.100 209.183.226.150 2732 80 - - - - - - - - -
    2008-04-01 19:38:06 OPEN TCP 192.2.28.100 209.183.226.152 2733 80 - - - - - - - - -
    2008-04-01 19:38:06 CLOSE TCP 192.2.28.100 209.183.226.150 2730 80 - - - - - - - - -
    2008-04-01 19:38:06 OPEN TCP 192.2.28.100 209.183.226.152 2734 80 - - - - - - - - -
    2008-04-01 19:38:06 CLOSE TCP 192.2.28.100 209.183.226.152 2733 80 - - - - - - - - -
    2008-04-01 19:38:06 CLOSE TCP 192.2.28.100 209.183.226.152 2734 80 - - - - - - - - -
    2008-04-01 19:38:06 CLOSE TCP 192.2.28.100 209.183.226.150 2732 80 - - - - - - - - -
    2008-04-01 19:38:11 OPEN TCP 192.2.28.100 209.183.226.153 2743 80 - - - - - - - - -
    2008-04-01 19:38:11 OPEN TCP 192.2.28.100 209.183.226.153 2744 80 - - - - - - - - -
    2008-04-01 19:38:11 CLOSE TCP 192.2.28.100 209.183.226.153 2742 80 - - - - - - - - -
    2008-04-01 19:38:11 CLOSE TCP 192.2.28.100 209.183.226.153 2741 80 - - - - - - - - -
    2008-04-01 19:38:12 OPEN TCP 192.2.28.100 209.183.226.153 2745 80 - - - - - - - - -
    2008-04-01 19:38:12 OPEN TCP 192.2.28.100 209.183.226.153 2746 80 - - - - - - - - -
    2008-04-01 19:38:12 CLOSE TCP 192.2.28.100 209.183.226.153 2744 80 - - - - - - - - -
    2008-04-01 19:38:12 CLOSE TCP 192.2.28.100 209.183.226.153 2743 80 - - - - - - - - -
    2008-04-01 19:38:13 OPEN TCP 192.2.28.100 209.183.226.153 2747 80 - - - - - - - - -
    2008-04-01 19:38:13 CLOSE TCP 192.2.28.100 209.183.226.153 2746 80 - - - - - - - - -
    2008-04-01 19:38:13 OPEN TCP 192.2.28.100 209.183.226.153 2748 80 - - - - - - - - -
    2008-04-01 19:38:13 CLOSE TCP 192.2.28.100 209.183.226.153 2745 80 - - - - - - - - -
    2008-04-01 19:38:14 OPEN TCP 192.2.28.100 209.183.226.153 2749 80 - - - - - - - - -
    2008-04-01 19:38:14 OPEN TCP 192.2.28.100 209.183.226.153 2750 80 - - - - - - - - -
    2008-04-01 19:38:14 CLOSE TCP 192.2.28.100 209.183.226.153 2748 80 - - - - - - - - -
    2008-04-01 19:38:14 CLOSE TCP 192.2.28.100 209.183.226.153 2747 80 - - - - - - - - -
    2008-04-01 19:38:14 OPEN TCP 192.2.28.100 209.183.226.153 2751 80 - - - - - - - - -
    2008-04-01 19:38:14 CLOSE TCP 192.2.28.100 209.183.226.153 2750 80 - - - - - - - - -
    2008-04-01 19:38:15 OPEN TCP 192.2.28.100 209.183.226.153 2752 80 - - - - - - - - -
    2008-04-01 19:38:15 CLOSE TCP 192.2.28.100 209.183.226.153 2751 80 - - - - - - - - -
    2008-04-01 19:38:15 OPEN TCP 192.2.28.100 209.183.226.153 2753 80 - - - - - - - - -
    2008-04-01 19:38:15 CLOSE TCP 192.2.28.100 209.183.226.153 2752 80 - - - - - - - - -
    2008-04-01 19:38:15 OPEN TCP 192.2.28.100 209.183.226.153 2754 80 - - - - - - - - -
    2008-04-01 19:38:15 CLOSE TCP 192.2.28.100 209.183.226.153 2753 80 - - - - - - - - -
    2008-04-01 19:38:15 OPEN TCP 192.2.28.100 209.183.226.153 2755 80 - - - - - - - - -
    2008-04-01 19:38:15 CLOSE TCP 192.2.28.100 209.183.226.153 2754 80 - - - - - - - - -
    2008-04-01 19:38:15 OPEN TCP 192.2.28.100 209.183.226.153 2756 80 - - - - - - - - -
    2008-04-01 19:38:15 OPEN TCP 192.2.28.100 209.183.226.153 2757 80 - - - - - - - - -
    2008-04-01 19:38:15 OPEN TCP 192.2.28.100 209.183.226.153 2758 80 - - - - - - - - -
    2008-04-01 19:38:15 CLOSE TCP 192.2.28.100 209.183.226.153 2757 80 - - - - - - - - -
    2008-04-01 19:38:15 OPEN TCP 192.2.28.100 209.183.226.153 2759 80 - - - - - - - - -
    2008-04-01 19:38:15 CLOSE TCP 192.2.28.100 209.183.226.153 2758 80 - - - - - - - - -
    2008-04-01 19:38:16 CLOSE TCP 192.2.28.100 209.183.226.153 2759 80 - - - - - - - - -
    2008-04-01 19:38:16 OPEN TCP 192.2.28.100 209.183.226.152 2760 80 - - - - - - - - -
    2008-04-01 19:38:16 CLOSE TCP 192.2.28.100 209.183.226.153 2749 80 - - - - - - - - -
    2008-04-01 19:38:17 CLOSE TCP 192.2.28.100 209.183.226.152 2760 80 - - - - - - - - -
    2008-04-01 19:38:22 CLOSE TCP 192.2.28.100 74.125.45.99 2735 80 - - - - - - - - -
    2008-04-01 19:38:22 CLOSE TCP 192.2.28.100 74.125.45.166 2731 80 - - - - - - - - -
    2008-04-01 19:38:22 CLOSE TCP 192.2.28.100 74.125.45.166 2738 80 - - - - - - - - -
     
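The logs in both posts are easier to judge with a small parser than by eye, so here is an added example (my code, not anything from the thread): it reads the pfirewall.log field layout shown above, pairs each CLOSE with its OPEN, confirms that the TCP source ports only ever increase (the normal pattern for Windows XP's sequentially allocated ephemeral ports, which is exactly what both logs show), and surfaces what would actually deserve attention: flows that never close, the longest-lived flow, and destination ports outside the expected DNS/HTTP/HTTPS set. The sample log is constructed; the 203.0.113.9:6667 entry is made up purely to exercise the unexpected-port check.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed pfirewall.log excerpt in the thread's layout; the 203.0.113.9:6667 line is made up.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2008-04-01 19:36:08 OPEN UDP 192.2.28.100 205.152.37.23 1029 53 - - - - - - - - -
2008-04-01 19:36:08 OPEN TCP 192.2.28.100 74.125.47.99 2708 80 - - - - - - - - -
2008-04-01 19:36:24 CLOSE TCP 192.2.28.100 74.125.47.99 2708 80 - - - - - - - - -
2008-04-01 19:38:01 OPEN TCP 192.2.28.100 65.54.225.102 2711 443 - - - - - - - - -
2008-04-01 19:38:03 CLOSE TCP 192.2.28.100 65.54.225.102 2711 443 - - - - - - - - -
2008-04-01 19:38:04 OPEN TCP 192.2.28.100 203.0.113.9 2712 6667 - - - - - - - - -
"""

# date time action protocol src-ip dst-ip src-port dst-port; '#' header lines never match.
LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (OPEN|CLOSE) (TCP|UDP) (\S+) (\S+) (\d+) (\d+)")

def parse_log(text):
    """Yield (timestamp, action, proto, src, dst, sport, dport) for each event line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group(2), m.group(3), m.group(4), m.group(5), int(m.group(6)), int(m.group(7))

def summarize(text, expected_dports=(53, 80, 443)):
    """Pair each CLOSE with its OPEN on the 5-tuple and report the destination-port mix,
    whether TCP source ports only ever increase (normal ephemeral allocation on XP),
    connections never closed, the longest-lived one, and any unexpected destination port."""
    open_at, durations, by_dport, unusual, sports = {}, [], defaultdict(int), [], []
    for ts, action, proto, src, dst, sport, dport in parse_log(text):
        key = (proto, src, dst, sport, dport)
        if action == "OPEN":
            open_at[key] = ts
            by_dport[dport] += 1
            if proto == "TCP":
                sports.append(sport)
            if dport not in expected_dports:
                unusual.append((proto, dst, dport))
        elif key in open_at:  # CLOSE matched to an earlier OPEN of the same flow
            durations.append(((ts - open_at.pop(key)).total_seconds(), key))
    return {
        "by_dport": dict(by_dport),
        "sports_ascending": all(b > a for a, b in zip(sports, sports[1:])),
        "still_open": sorted(open_at),
        "longest": max(durations, default=None),
        "unusual": unusual,
    }
```

Run it against a real pfirewall.log by passing the file contents to summarize(); ascending source ports with short-lived flows to ports 53/80/443 is the browser pattern seen in the thread, whereas a flow that stays open for hours or a destination port you do not recognise is what merits a closer look.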
Short URL to this thread: https://techguy.org/698770