If anyone can shed light on this I would greatly appreciate it. I will try to keep this as short as possible. Here is the situation:
(note: I am not running any services except an ftp site on port 2456)
I've been monitoring traffic on the wan interface of my router for packets destined for port 23,80,139,12345, etc - I am fairly new to networking and was just curious as to what kind of traffic I would be seeing. Over the course of 2 weeks I've noticed consistent traffic from an IP within my subnet.. I'd say about 20-30 hits a day destined for port 80. MOST of the traffic I've been seeing on the ports I've specified are destined for port 80. Now here's the issue: I thought maybe this IP was some infected website running scans on the network (the only traffic from this IP is on port 80 ... ALWAYS) so - just to see what was going on.. I popped the IP into a browser and nada. I then try ftp'ing to the IP and sure enough he's running an anonymous ftp. I log in and try to create a directory called please_leave_me_alone as I only want it to stop. Within *5* minutes, I see activity from his IP.. but here's the thing: It's destined for PORT 2456 - SOURCE PORT 80!?! Here is the syslog entry:
11-29-2001 20:10:14 Local1.Notice 192.168.0.1 router: IP[Src=63.193.186.xxx Dst=192.168.0.2 TCP spo=00080 dpo=02456]}S04>R01mF
11-29-2001 20:10:14 Local1.Notice 192.168.0.1 router: IP[Src=63.193.186.xxx Dst=192.168.0.2 TCP spo=00080 dpo=02456]}S04>R01mF
I don't think he ran a scan on my IP as I believe I would have seen activity on the other ports I specified.. I also don't understand how his SOURCE PORT was listed as 80 as almost always the source port is a number >1023.
Has anyone seen this before? Can anyone shed some light on this for me please? Thanks in advance for any input I receive.
Rezzin
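
An added example, not part of the original post: a small Python parser for the router syslog format quoted above that flags packets sent to a watched port from a source port below 1024, as in the two entries with spo=00080. The function names, the threshold parameter and the constructed sample lines are assumptions for illustration; the trailing `}S04>R01mF` token is left uninterpreted.

```python
import re
from collections import Counter

# Field layout taken from the two syslog lines quoted in the post.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) \S+ (?P<reporter>\S+) router: "
    r"IP\[Src=(?P<src>\S+) Dst=(?P<dst>\S+) (?P<proto>\w+) "
    r"spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\]"
)

def parse_line(line):
    """Return a dict of fields, or None if the line is not a router IP record."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["spo"] = int(rec["spo"])  # zero-padded in the log: "00080" -> 80
    rec["dpo"] = int(rec["dpo"])
    return rec

def low_source_port_hits(lines, watched_dports, threshold=1024):
    """Records aimed at a watched port whose source port is below threshold."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["dpo"] in watched_dports and rec["spo"] < threshold:
            hits.append(rec)
    return hits

def summarize(hits):
    """Count hits per (source address, source port, destination port)."""
    return Counter((h["src"], h["spo"], h["dpo"]) for h in hits)

# The first two lines are the entries quoted in the post; the rest are
# constructed for this example (documentation address 198.51.100.7).
SAMPLE = [
    "11-29-2001 20:10:14 Local1.Notice 192.168.0.1 router: IP[Src=63.193.186.xxx Dst=192.168.0.2 TCP spo=00080 dpo=02456]}S04>R01mF",
    "11-29-2001 20:10:14 Local1.Notice 192.168.0.1 router: IP[Src=63.193.186.xxx Dst=192.168.0.2 TCP spo=00080 dpo=02456]}S04>R01mF",
    "11-29-2001 20:15:02 Local1.Notice 192.168.0.1 router: IP[Src=198.51.100.7 Dst=192.168.0.2 TCP spo=03412 dpo=02456]",
    "11-29-2001 20:16:40 Local1.Notice 192.168.0.1 router: IP[Src=198.51.100.7 Dst=192.168.0.2 TCP spo=04100 dpo=00080]",
    "11-29-2001 20:17:00 Local1.Notice 192.168.0.1 router: link up",
]

if __name__ == "__main__":
    for key, count in summarize(low_source_port_hits(SAMPLE, {2456})).items():
        print(key, count)
```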