
What are these stealth mode connection attempts and should I be concerned?


macattack

Newbie

Posts: 13

Joined: Tue Dec 28, 2010 9:31 am

Post Fri Dec 31, 2010 8:34 am

What are these stealth mode connection attempts and should I be concerned?

Apologies if this is the wrong forum to post this, it's my best guess.

I've set up my ipfw firewall on Mac Snow Leopard. In checking my console logs, I continually get this message:

Stealth mode connection attempt to UDP 10.8.4.14:(port) from ip address

The ip addresses are almost always the following ones
178.47.171.97
216.131.95.20
71.146.211.156
128.194.77.181
87.221.235.25
70.109.191.180
72.23.181.106
174.103.147.143
217.149.5.169
209.59.255.39
210.242.195.50

I looked up these addresses with http://whois.domaintools.com/

Some interesting results:
178.47.171.97 Russian Federation Ojsc Uralsvyazinfor

216.131.95.20 United States South Lake Tahoe Reliablehosting.com - Network Services
(Interesting message afterwards)
Reverse IP:
1 website uses this address. (example: uktranssexual.com)

71.146.211.156 United States Sarah

128.194.77.181 United States College Station Texas A&m University

87.221.235.25 Spain Barcelona Jazztel Triple Play Services

70.109.191.180 United States South Londonderry Fairpoint Communications I

72.23.181.106 United States Meadville Armstrong Cable Service

174.103.147.143 United States Milford Road Runner Holdco Ll

217.149.5.169 Spain Filnet Serveis I Comunicacions

209.59.255.39 United States Charlotte Carolina Internet Ltd

210.242.195.50 Taiwan Taipei Nextlink Ltd

There are more but I guess it's not worth posting?

What's most interesting is 216.131.95.20.  There are many repeat occurrences of this.  Almost all repeat at some point in the log, but this one in particular is quite often.

What are these connection attempts and should I be concerned?

macattack

Newbie

Posts: 13

Joined: Tue Dec 28, 2010 9:31 am

Post Fri Dec 31, 2010 8:52 am

Re: What are these stealth mode connection attempts and should I be concerned?

I've also noticed in my Little Snitch app firewall that it reports this:

mDNSResponder connection to ns1.california.net
Which resolves to 216.131.95.20

A Google search for
"ns1.california.net" mDNSResponder
returns zero results.

What's going on?  Can anybody help?
Last edited by macattack on Fri Dec 31, 2010 8:54 am, edited 1 time in total.

macattack

Newbie

Posts: 13

Joined: Tue Dec 28, 2010 9:31 am

Post Fri Dec 31, 2010 9:10 am

Re: What are these stealth mode connection attempts and should I be concerned?

Not only that, but every time I click refresh page it shows it's connecting to ns1.california.net

hayabusa


Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Dec 31, 2010 11:13 am

Re: What are these stealth mode connection attempts and should I be concerned?

Sounds to me like ns1.california.net is a nameserver, and you're seeing DNS resolution for whatever is browsing and needs to resolve names to IP addresses. Very likely normal traffic, there.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
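Added example, not part of the thread and not hayabusa's or the poster's code: a small Python script that parses console lines of the shape quoted above, separates the ones that look like DNS answers coming back from a configured resolver (UDP, source port 53, high local port) from everything else, and counts entries per source address. The reasoning it encodes is the common benign case: the stub resolver (mDNSResponder on Snow Leopard) sends a query, times out or retries, and the answer arrives after the outbound flow is gone, so the firewall sees a UDP packet with no matching state and logs it as a stealth mode attempt. The sample log lines are constructed, the resolver set is assumed (on a real Mac compare it with `scutil --dns`), and the source port on the "from" side is an assumption too, since the post shows only "from ip address"; the regex accepts lines with or without it.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Regex for the log line shape quoted in the thread. The trailing source port
# ("from 1.2.3.4:53") is an assumption: the post shows only "from ip address",
# so that part is optional.
STEALTH_RE = re.compile(
    r"Stealth [Mm]ode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<dst_port>\d+) "
    r"from (?P<src_ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<src_port>\d+))?"
)

# Constructed sample lines (not copied from the poster's console). The
# addresses reuse the ones listed in the thread; ports are made up.
SAMPLE_LOG = """\
Stealth Mode connection attempt to UDP 10.8.4.14:55213 from 216.131.95.20:53
Stealth Mode connection attempt to UDP 10.8.4.14:61002 from 216.131.95.20:53
Stealth Mode connection attempt to UDP 10.8.4.14:49187 from 178.47.171.97:41523
Stealth Mode connection attempt to TCP 10.8.4.14:22 from 210.242.195.50:38871
Stealth Mode connection attempt to UDP 10.8.4.14:5353 from 128.194.77.181:5353
some unrelated console line
"""

# Resolvers this host is configured to use (in the thread: the VPN's
# nameserver). Assumed value for the example; take it from `scutil --dns`.
CONFIGURED_RESOLVERS = {"216.131.95.20"}


def parse_stealth_line(line):
    """Return a dict for one stealth-mode log line, or None for any other line."""
    m = STEALTH_RE.search(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["dst_port"] = int(entry["dst_port"])
    entry["src_port"] = int(entry["src_port"]) if entry["src_port"] is not None else None
    return entry


def classify(entry, resolvers=CONFIGURED_RESOLVERS):
    """Label one parsed entry.

    late-dns-reply : UDP from a configured resolver (port 53, or port unknown)
                     to an ephemeral local port; the shape of an answer that
                     arrived after the stub resolver gave up or retried.
    unknown-udp-53 : same shape, but from a host that is NOT a configured
                     resolver; worth a second look.
    unsolicited    : everything else (scans, backscatter, stray traffic);
                     stealth mode is dropping it, which is its job.
    """
    looks_like_dns_answer = (
        entry["proto"] == "UDP"
        and entry["src_port"] in (None, 53)
        and entry["dst_port"] >= 1024
    )
    if looks_like_dns_answer:
        if entry["src_ip"] in resolvers:
            return "late-dns-reply"
        if entry["src_port"] == 53:
            return "unknown-udp-53"
    return "unsolicited"


def summarize(log_text, resolvers=CONFIGURED_RESOLVERS):
    """Count (source IP, label) pairs so the noisy-but-benign sources stand out."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_stealth_line(line)
        if entry is None:
            continue
        counts[(entry["src_ip"], classify(entry, resolvers))] += 1
    return counts


def is_private(ip):
    """True for RFC 1918, loopback and link-local addresses, e.g. a VPN tunnel IP."""
    return ip_address(ip).is_private


if __name__ == "__main__":
    # The 10.8.4.14 target in the thread is a private-range address, which is
    # what a VPN tunnel interface typically gets.
    print("target 10.8.4.14 is private:", is_private("10.8.4.14"))
    for (src, label), n in sorted(summarize(SAMPLE_LOG).items(), key=lambda kv: -kv[1]):
        print(f"{n:3d}  {src:16s} {label}")
```

Run it with `python3` and then feed it your own console lines by swapping `SAMPLE_LOG` for the file contents. The check that matters is the resolver set: if a host keeps showing up as `unknown-udp-53`, it is answering DNS queries you did not knowingly send to it, and that is the case to chase; entries from your own resolver, and hits on low ports from random internet hosts, are the noise a stealth-mode firewall exists to drop.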

macattack

Newbie

Posts: 13

Joined: Tue Dec 28, 2010 9:31 am

Post Sat Jan 01, 2011 5:15 am

Re: What are these stealth mode connection attempts and should I be concerned?

Thanks for the help.  It seems ok...but, what is this:

216.131.95.20 United States South Lake Tahoe Reliablehosting.com - Network Services
(Interesting message afterwards)
Reverse IP:
1 website uses this address. (example: uktranssexual.com)

Why does it say "1 website uses this address.."

Putting in this address in google turns up a LOT of porn sites:
ns1.california.net

Can I block this site, will it cause problems?
Or better yet, is there a way to make sure it's resolving names as opposed to accessing servers for a malicious intent?

macattack

Newbie

Posts: 13

Joined: Tue Dec 28, 2010 9:31 am

Post Sat Jan 01, 2011 5:19 am

Re: What are these stealth mode connection attempts and should I be concerned?

Also, why does it say "stealth mode connection attempt"?

The fact that my internet accesses this IP and has stealth mode attempts is very disturbing.

macattack

Newbie

Posts: 13

Joined: Tue Dec 28, 2010 9:31 am

Post Sat Jan 01, 2011 5:23 am

Re: What are these stealth mode connection attempts and should I be concerned?

Apologies...turns out it's the nameserver for my VPN service.

=)

Thanks again for your help (I'm still learning).

hayabusa


Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Sat Jan 01, 2011 10:22 am

Re: What are these stealth mode connection attempts and should I be concerned?

No worries, macattack. That's what we're all here for: knowledge share and learning.
~ hayabusa ~ 

Return to Incident Response