
yankeefan24
Original poster
I enabled firewall logging earlier this month, with stealth mode. I just looked at the log and it shows that it blocks attempts that are coming in often, really quickly. Is this normal? As I am typing this, I got one that looks different from the rest. Here are two samples:

Jan 22 10:35:42 yankee-fan-24 ipfw: Stealth Mode connection attempt to TCP --.-.-.-:----- from 38.101.111.35:80

The unusual one:

Jan 22 11:32:36 yankee-fan-24 ipfw: 35000 Deny UDP --.-.-.-:---- ---.---.---.---:---- in via en1

Does this mean someone is trying to hack me???
If it's important to see my IP address, PM me.
 
I doubt that anyone is trying to hack you. I "Whoised" the IP and it came back with:
OrgName: Performance Systems International Inc.
OrgID: PSI
Address: 1015 31st St NW
City: Washington
StateProv: DC
PostalCode: 20007
Country: US

NetRange: 38.0.0.0 - 38.255.255.255
CIDR: 38.0.0.0/8
NetName: PSINETA
NetHandle: NET-38-0-0-0-1
Parent:
NetType: Direct Allocation
NameServer: NS.PSI.NET
NameServer: NS2.PSI.NET
Comment: Reassignment information for this block can be found at
Comment: rwhois.cogentco.com 4321
RegDate: 1991-04-16
Updated: 2005-10-05

RTechHandle: PSI-NISC-ARIN
RTechName: IP Allocation
RTechPhone: +1-877-875-4311
RTechEmail: ipalloc@cogentco.com

OrgAbuseHandle: COGEN-ARIN
OrgAbuseName: Cogent Abuse
OrgAbusePhone: +1-877-875-4311
OrgAbuseEmail: abuse@cogentco.com

OrgNOCHandle: ZC108-ARIN
OrgNOCName: Cogent Communications
OrgNOCPhone: +1-877-875-4311
OrgNOCEmail: noc@cogentco.com

OrgTechHandle: IPALL-ARIN
OrgTechName: IP Allocation
OrgTechPhone: +1-877-875-4311
OrgTechEmail: ipalloc@cogentco.com


The address uses port 80, which is the official port used for browsing the internet.
The IP address is that of a website, I assume.
Correct me if I am wrong.
 
ldenman said:
I doubt that anyone is trying to hack you. I "Whoised" the IP and it came back with:
The address uses port 80, which is the official port used for browsing the internet.
The IP address is that of a website, I assume.
Correct me if I am wrong.


I believe it's Apple's time server. Used to synchronize the clock.
 
Thanks. Now that I think about it, it might be Apple's time server. The only important thing I have on my computer are chat transcripts, and I know a guy who is really good at hacking, so…. How did you get that IP info???

EDIT: This is the second IP address on the unusual new alert. 239.255.255.250:1900
Another EDIT: I was just on iChat and this guy I blocked is unblocked now. This is the same guy who's good at hacking. He uses Adium, not iChat, if that's at all relevant.
 
I simply opened the Terminal and typed:

whois 38.101.111.35

Edit:
I doubt the other one is a hacker, either.
 
ldenman said:
I simply opened the Terminal and typed:

whois 38.101.111.35

Thanks. When I did this on the second IP, this is what I got.

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 224.0.0.0 - 239.255.255.255
CIDR: 224.0.0.0/4
NetName: MCAST-NET
NetHandle: NET-224-0-0-0-1
Parent:
NetType: IANA Special Use
NameServer: FLAG.EP.NET
NameServer: STRUL.STUPI.SE
NameServer: NS.ISI.EDU
NameServer: NIC.NEAR.NET
Comment: This block is reserved for special purposes.
Comment: Please see RFC 3171 for additional information.
Comment:
RegDate: 1991-05-22
Updated: 2002-09-16

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org

Does that mean anything?
 
yankeefan24 said:
Thanks. When I did this on the second IP, this is what I got.

Does that mean anything?


Yes, it means it's used for LANs and/or your FireWire IEEE 1394.
You're too paranoid, man :)
 
I guess this only applies to Windows boxes:
MS Universal Plug and Play (UPnP) 1900, 5000, 2869?
Port 1900 is IANA registered by Microsoft for SSDP (Simple Service Discovery Protocol). Port 5000 is also registered, but not by Microsoft, and not for this service, I don't think. Microsoft Security Bulletins: MS01-054, MS01-059. NIPC Advisory 01-030.2, SecurityFocus. Also see the Remote Access Trojan FAQ about port 5000. About 2869 (which is IANA registered as MS ICSLAP), Microsoft says that starting with Windows XP SP2, the SSDP event notification service will rely on TCP port 2869. Currently this is only a speculative risk.
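Added example, not from any poster in this thread: a small Python triage script for the two kinds of ipfw log lines quoted above. It labels the 239.255.255.250:1900 traffic as SSDP/UPnP multicast and the packet from source port 80 as a likely stray web-server reply, the way the replies explain, and flags only genuinely unsolicited remote sources as worth a whois lookup. The sample log lines are constructed (the poster's masked host addresses are replaced with RFC 5737 documentation addresses), and the classification rules are my own assumptions about what such entries usually mean.

```python
import ipaddress
import re

# Constructed sample lines in the ipfw format quoted in the thread; the poster's masked
# host addresses are replaced with RFC 5737 documentation addresses, not real hosts.
SAMPLE_LOG = """\
Jan 22 10:35:42 yankee-fan-24 ipfw: Stealth Mode connection attempt to TCP 192.0.2.50:49211 from 38.101.111.35:80
Jan 22 11:32:36 yankee-fan-24 ipfw: 35000 Deny UDP 192.0.2.10:49152 239.255.255.250:1900 in via en1
Jan 22 11:40:01 yankee-fan-24 ipfw: Stealth Mode connection attempt to TCP 192.0.2.50:22 from 198.51.100.7:51234
"""

# Two line shapes: stealth-mode reports (to dst ... from src) and numbered Deny rules (src dst).
STEALTH_RE = re.compile(r"ipfw: Stealth Mode connection attempt to (?P<proto>\w+) "
                        r"(?P<dst>[\d.]+):(?P<dport>\d+) from (?P<src>[\d.]+):(?P<sport>\d+)")
DENY_RE = re.compile(r"ipfw: \d+ Deny (?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) in via \w+")

SSDP_GROUP = ipaddress.ip_address("239.255.255.250")  # UPnP/SSDP discovery group, UDP port 1900
MULTICAST = ipaddress.ip_network("224.0.0.0/4")       # the IANA MCAST-NET block from the whois output
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")]       # RFC 1918, loopback, link-local

def parse_line(line):
    """Return the address fields of one ipfw log line, or None for any other line."""
    m = STEALTH_RE.search(line) or DENY_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    f["sport"], f["dport"] = int(f["sport"]), int(f["dport"])
    return f

def classify(f):
    """Label the likely origin of a blocked packet; only 'unsolicited' is worth a whois lookup."""
    src, dst = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
    if dst == SSDP_GROUP and f["dport"] == 1900:
        return "ssdp-discovery: UPnP/SSDP multicast from a LAN device, not a remote host"
    if dst in MULTICAST:
        return "multicast: destination is inside 224.0.0.0/4, local-network noise"
    if any(src in net for net in LOCAL_NETS):
        return "local: source is on the local network"
    if f["proto"] == "TCP" and f["sport"] in (80, 443):
        return "web-reply: sent from a web server's port, usually a late reply to a connection you closed"
    return "unsolicited: remote host contacted a port you did not open; look up the source with whois"

def triage(log_text):
    """Parse every recognised line and pair its source with a classification."""
    parsed = [parse_line(line) for line in log_text.splitlines()]
    return [(f["src"], f["sport"], classify(f)) for f in parsed if f]
```

Run `triage(SAMPLE_LOG)` on the sample to see one verdict per line; only the third line, a connection to a port the host did not open from a non-local address, ends up marked for a whois lookup.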
 