radaronpaws
12-19-2005, 11:40 PM
I had a kernel panic tonight, no clue why really - any help in researching that would be appreciated - and in my system.log I see several messages like the following:
Stealth Mode connection attempt to TCP 192.168.x.xxx:60793 from 205.188.238.181:80
I also see in my previous log from system.0.log.gz that this same IP has tried stealth mode connections on another port (port 59320).
My first thought is to wonder how these attempts got past my Linksys; my second thought is to wonder what the heck these are. The IP in question is in a netblock belonging to AOL.
Any thoughts on both the stealth mode attempt (and what stealth mode means) and also on debugging the kernel panic?
I'm not a computer or unix newbie but am still relatively new to OS X and have never learned anything about unix security or logging.
Thanks. :)
hayne
12-20-2005, 12:40 AM
As far as the kernel panic goes, you should try the standard troubleshooting suggestions:
http://www.apple.com/support/mac101/ (see the "My Mac needs help" section)
http://www.macosxhints.com/article.php?story=2004011205473937
http://forums.osxfaq.com/viewtopic.php?t=7269
http://www.thexlab.com/faqs/faqs.html
voldenuit
12-20-2005, 05:45 AM
For further details on the techniques the "enemy" uses, this site http://www.insecure.org/nmap/ might be an interesting read.
weltonch777
12-20-2005, 12:27 PM
205.188.238.181 is a portal to Time magazine (www.pathfinder.com). If you had visited this site, your firewall would have been temporarily "open" to requests from the port #'s you sent to it. What the heck it was trying to do connecting to your computer, though, I can't say.
Hal Itosis
12-20-2005, 03:15 PM
1. Enable 'Stealth Mode' (System Prefs -> Sharing -> Firewall -> Advanced...)
2. Open Console.app -> File -> Open Quickly... -> /var/log -> ipfw.log
3. Connect to the Internet.
4. Surf around and watch as the log file slowly grows with lines such as:
ipfw: Stealth Mode connection attempt to TCP 123.456.78.90:49841 from 123.456.78.90:80
:confused:
-HI-
voldenuit
12-20-2005, 04:32 PM
Not true, no direct relation.
Enabling "Stealth Mode" simply alters the response to a certain type of ICMP packets (used by ping).
Here's the corresponding ipfw rule:
20000 0 0 deny icmp from any to me in icmptypes 8
"Stealth Mode", if at all, only helps against incredibly stupid attackers; anybody with a direct route to the host and half a brain will still be able to see the machine.
radaronpaws
12-20-2005, 04:32 PM
Thanks for the responses. I think all of these are in response to actions of my own.
Yes, I did visit Time's web site. There's one that maps out to Akamai which I think was an online software purchase.
That explains why these are showing up and aren't being blocked by my router (i.e., they aren't "unsolicited" requests).
Thanks for the responses. And the links. The link to the x lab was particularly useful.
radaronpaws
12-20-2005, 04:34 PM
Enabling "Stealth Mode" simply alters the response to a certain type of ICMP packets (used by ping).
Right.
Those shouldn't be getting to my mac anyway as my router blocks them (and testing shows it is actually doing so).
Thanks.
...If you had visited this site, your firewall would have been temporarily "open" to requests from the port #'s you sent to it. What the heck it was trying to do connecting to your computer, though, I can't say.
My guess is that the server was somewhat slow and took longer to send a reply than the firewall's state-keeping time.
radaronpaws
12-20-2005, 04:37 PM
My guess is that the server was somewhat slow and took longer to send a reply than the firewall's state-keeping time.
That would probably make sense - my router probably passed it seeing it as something I had requested, and the os x firewall decided to block it...
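To make the explanation settled on here concrete for anyone triaging their own ipfw.log or system.log, the following Python script is an added example (not code from anyone in this thread). It parses the "Stealth Mode connection attempt" lines and separates entries shaped like a late reply to the Mac's own outbound connection (remote side on a well-known service port such as 80, local side on an ephemeral port) from entries aimed at a local service port, then counts them per remote host. The sample log lines, the hostname and the 192.168.1.10 / 198.51.100.7 addresses are constructed (205.188.238.181 is the address from the original post); the 49152 ephemeral-port boundary is the OS X default and is an assumption for other systems.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Matches the ipfw message quoted in this thread, with or without a syslog
# prefix in front of it. The local address may be masked (192.168.x.xxx), so
# the destination pattern also accepts 'x'.
STEALTH_RE = re.compile(
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst_ip>[\d.x]+):(?P<dst_port>\d+) "
    r"from (?P<src_ip>[\d.]+):(?P<src_port>\d+)"
)

# Assumption: Mac OS X picks client-side (ephemeral) ports from 49152 upward,
# so a blocked packet *to* such a port is usually an answer to something the
# Mac itself started. Adjust for other systems.
EPHEMERAL_START = 49152


@dataclass
class StealthEvent:
    proto: str
    dst_ip: str
    dst_port: int
    src_ip: str
    src_port: int
    verdict: str


def classify(dst_port: int, src_port: int) -> str:
    """Heuristic triage of one blocked packet.

    late-reply    : remote side is a well-known service port and the local
                    side is ephemeral, i.e. the shape of a delayed answer to
                    an outbound connection (the thread's explanation).
    service-probe : aimed at a local well-known port, i.e. unsolicited.
    unclassified  : anything else; look at it by hand.
    A sender can deliberately use a low source port, so this is triage only.
    """
    if src_port < 1024 and dst_port >= EPHEMERAL_START:
        return "late-reply"
    if dst_port < 1024:
        return "service-probe"
    return "unclassified"


def parse_stealth_log(lines):
    """Return a StealthEvent for every Stealth Mode line; skip the rest."""
    events = []
    for line in lines:
        m = STEALTH_RE.search(line)
        if not m:
            continue
        dst_port = int(m.group("dst_port"))
        src_port = int(m.group("src_port"))
        events.append(StealthEvent(
            proto=m.group("proto"),
            dst_ip=m.group("dst_ip"),
            dst_port=dst_port,
            src_ip=m.group("src_ip"),
            src_port=src_port,
            verdict=classify(dst_port, src_port),
        ))
    return events


def summarize(events):
    """Count events per remote address and per verdict."""
    by_src = Counter(e.src_ip for e in events)
    by_verdict = Counter(e.verdict for e in events)
    return by_src, by_verdict


# Constructed sample: two lines shaped like the OP's (205.188.238.181 is the
# address from the thread), two constructed unsolicited probes from a
# TEST-NET address, and one unrelated line the parser must skip.
SAMPLE_LOG = """\
Dec 19 23:11:02 powerbook kernel[0]: ipfw: Stealth Mode connection attempt to TCP 192.168.1.10:60793 from 205.188.238.181:80
Dec 19 23:11:40 powerbook kernel[0]: ipfw: Stealth Mode connection attempt to TCP 192.168.1.10:59320 from 205.188.238.181:80
Dec 19 23:12:15 powerbook kernel[0]: ipfw: Stealth Mode connection attempt to TCP 192.168.1.10:22 from 198.51.100.7:41337
Dec 19 23:12:16 powerbook kernel[0]: ipfw: Stealth Mode connection attempt to UDP 192.168.1.10:137 from 198.51.100.7:137
Dec 19 23:13:00 powerbook kernel[0]: unrelated message
"""


if __name__ == "__main__":
    evs = parse_stealth_log(SAMPLE_LOG.splitlines())
    by_src, by_verdict = summarize(evs)
    for e in evs:
        print(f"{e.verdict:14} {e.proto} {e.src_ip}:{e.src_port} -> {e.dst_ip}:{e.dst_port}")
    print("per remote host:", dict(by_src))
    print("per verdict:   ", dict(by_verdict))
```

On the constructed sample the two entries from 205.188.238.181 come out as late replies and the two from 198.51.100.7 as service probes; only the latter kind is worth following up, and a burst of them from one host is the pattern to watch for. Run it against a real file with `parse_stealth_log(open("/var/log/ipfw.log"))`.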
Hal Itosis
12-20-2005, 07:10 PM
Not true, no direct relation.
Enabling "Stealth Mode" simply alters the response to a certain type of ICMP packets (used by ping).
Here's the corresponding ipfw rule:
20000 0 0 deny icmp from any to me in icmptypes 8
"Stealth Mode", if at all, only helps against incredibly stupid attackers; anybody with a direct route to the host and half a brain will still be able to see the machine.
I don't totally understand a) the technology, b) the problem, or c) your response.
All I was saying is my ipfw.log is full of the same messages as the OP submitted,
and that most certainly is "true". (I'm sure many here can duplicate my results).
:)
voldenuit
12-20-2005, 08:09 PM
Those entries will hit your ipfw.log regardless of the setting of the "Stealth Mode" option because that changes the response of your Mac to ping packets, something entirely unrelated.
Your reasoning is something along the lines of: "I have a glass of water and stir it with a spoon. Afterwards, the water is wet."
Anyway, it looks like we found out what happened to radaronpaws.