Computer Security - My laptop is behind two routers, is it being hacked?

#1
Folks,

First: I have some good techie skills with 10+ years with Unix - I'm not saying I'm a security buff, but I do have some skills in this area.

Now... My network is (for a reason) set up as follows:

1 laptop on 192.168.254.199, using a WIFI gateway to
1 WIFI router on 192.168.254.1 which has a gateway to
1 non-WIFI router on 192.168.1.1 to my ISP cable modem

This setup is a long story - Basically, there is a PC connected to the older non-WIFI based router - I'll be taking my WIFI router with me soon and I wanted to ensure if something stopped, it wasn't because of some change I did - With this setup, I can walk with my WIFI router without disturbing PCs on the older router.

Note: My laptop has Win XP SP2 with firewall - and the firewall has the 'no exceptions' box ticked.

With this setup, I would expect my windoze firewall to show only entries from a 192.168 based network - but this is not the case. I see some entries that are my ISP's DNS service but the following entries I do not recognise:

2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1436 44 SA 1787799818 4034378041 32768 - - - RECEIVE
2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1437 44 SA 3924875484 4186321551 32768 - - - RECEIVE
2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1438 44 SA 813143652 1475627543 32768 - - - RECEIVE
2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1439 44 SA 1308803915 884387706 32768 - - - RECEIVE

I note that the connection has dropped (which is good) but I cannot understand how it came in the first place - its source is 66.230.129.189 which is not an IP used by my ISP (I'm in Vancouver Canada, I believe the 66.230.129.189 IP is in the US, perhaps NY).

Am I reading this correctly? Am I being hacked via wifi by someone spoofing their IP?

Interestingly, my laptop crashed about the same time as these entries appeared in my log file.

All help, via the newsgroup for all to learn will be greatly appreciated,

Randell D.

#2

Randell D. wrote:
> 2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1436 44
> SA 1787799818 4034378041 32768 - - - RECEIVE
>...
>
> I note that the connection has dropped (which is good) but I cannot
> understand how it came in the first place - its source is 66.230.129.189
> which is not an IP used by my ISP (I'm in Vancouver Canada, I believe
> the 66.230.129.189 IP is in the US, perhaps NY).
>
> Am I reading this correctly? Am I being hacked via wifi by someone
> spoofing their IP?

No. You received some TCP packets from 66.230.129.189 port 80. I would say you were browsing to this host (I don't know which host name it could be). If the connection has aborted for whatever reason (maybe your upcoming crash or something on that web site...) there may still be some packets coming in from that server that are dropped because the state of the connection in the firewall is already closed. Nothing is accepted on closed connections...

Wifi hacking is very unlikely, I think. If you have problems, it may be some virus/worm/trojan that tried to connect there. But it could be as well just because your computer had some severe problems and had network problems...

Gerald
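
Added example (not part of the original posts): a short Python triage of the four firewall log entries quoted in this thread, using the field order of the Windows XP firewall log. The function names and the triage labels are assumptions made for illustration. It shows that every dropped packet is a SYN+ACK segment from port 80 of a public address, which is the second step of a TCP handshake and not an inbound connection attempt.

```python
import ipaddress
from collections import Counter

# Field order of the Windows XP firewall log (pfirewall.log) "#Fields:" header.
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# The four entries quoted in the thread.
SAMPLE = """\
2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1436 44 SA 1787799818 4034378041 32768 - - - RECEIVE
2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1437 44 SA 3924875484 4186321551 32768 - - - RECEIVE
2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1438 44 SA 813143652 1475627543 32768 - - - RECEIVE
2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1439 44 SA 1308803915 884387706 32768 - - - RECEIVE
"""

def parse(line):
    """Split one log line into named fields; None for headers or short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify(rec):
    """Hypothetical triage labels, chosen for this example."""
    if rec["protocol"] != "TCP" or rec["path"] != "RECEIVE":
        return "not-inbound-tcp"
    flags = set(rec["tcpflags"])
    if flags == {"S"}:
        return "inbound-connection-attempt"  # remote side initiates
    if flags == {"S", "A"}:
        return "reply-to-outbound-syn"       # remote side answers a SYN
    if "R" in flags:
        return "reset"
    return "stray-segment"  # ACK/FIN/PSH with no tracked connection

def triage(text):
    """Count drops per (source IP, source port, label, source-is-public)."""
    summary = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        public = not ipaddress.ip_address(rec["src_ip"]).is_private
        summary[(rec["src_ip"], rec["src_port"], classify(rec), public)] += 1
    return summary

if __name__ == "__main__":
    for (ip, port, label, public), n in triage(SAMPLE).items():
        print(f"{n} x {label} from {ip}:{port} (public source: {public})")
```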

#3

Gerald Vogt wrote:
> Randell D. wrote:
>
>> 2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1436 44
>> SA 1787799818 4034378041 32768 - - - RECEIVE
>
>...
>
>> I note that the connection has dropped (which is good) but I cannot
>> understand how it came in the first place - its source is
>> 66.230.129.189 which is not an IP used by my ISP (I'm in Vancouver
>> Canada, I believe the 66.230.129.189 IP is in the US, perhaps NY).
>>
>> Am I reading this correctly? Am I being hacked via wifi by someone
>> spoofing their IP?
>
> No. You received some TCP packets from 66.230.129.189 port 80. I would
> say you were browsing to this host (I don't know which host name it
> could be). If the connection has aborted for whatever reason (maybe your
> upcoming crash or something on that web site...) there may still be some
> packets coming in from that server that are dropped because the state of
> the connection in the firewall is already closed. Nothing is accepted on
> closed connections...
>
> Wifi hacking is very unlikely, I think. If you have problems, it may be
> some virus/worm/trojan that tried to connect there. But it could be as
> well just because your computer had some severe problems and had network
> problems...
>
> Gerald

Thanks for that!

randell d.

#4

On Wed, 02 Mar 2005 21:20:40 +0900, Gerald Vogt wrote:
>> I note that the connection has dropped (which is good) but I cannot
>> understand how it came in the first place - its source is 66.230.129.189
>> which is not an IP used by my ISP (I'm in Vancouver Canada, I believe
>> the 66.230.129.189 IP is in the US, perhaps NY).
>>
>> Am I reading this correctly? Am I being hacked via wifi by someone
>> spoofing their IP?
>
>No. You received some TCP packets from 66.230.129.189 port 80. I would
>say you were browsing to this host (I don't know which host name it
>could be). If the connection has aborted for whatever reason (maybe your
>upcoming crash or something on that web site...) there may still be some
>packets coming in from that server that are dropped because the state of
>the connection in the firewall is already closed. Nothing is accepted on
>closed connections...

#############################

That IP address belongs to ISPrime.com which is in NY at 25 Broadway, NYC. www.isprime.com

I used to work in that building before dot coms were popular.

Anyway, if you think that there is still a possibility of a hack attempt, you could send those logs to

donnie