My laptop is behind two routers, is it being hacked?

Discussion in 'Computer Security' started by Randell D., Mar 2, 2005.

  1. Randell D.

    Randell D. Guest

    Folks,

    First: I have some good techie skills with 10+ years with Unix - I'm not
    saying I'm a security buff, but I do have some skills in this area.

    Now...

    My network is (for a reason) setup as follows:

    1 laptop on 192.168.254.199, using a WIFI gateway to
    1 WIFI router on 192.168.254.1 which has a gateway to
    1 non-WIFI router on 192.168.1.1 to my ISP cable modem

    This setup is a long story - Basically, there is a PC connected to the
    older non-WIFI based router - I'll be taking my WIFI router with me
    soon and I wanted to ensure if something stopped, it wasn't because
    of some change I did - With this setup, I can walk with my WIFI router
    without disturbing PCs on the older router.

    Note: My laptop has Win XP SP2 with firewall - and the firewall has the
    'no exceptions' box ticked.

    With this setup, I would expect my windoze firewall to show only entries
    from a 192.168 based network - but this is not the case. I see some
    entries that are my ISP's DNS service but the following entries I do not
    recognise:

    2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1436 44 SA 1787799818 4034378041 32768 - - - RECEIVE
    2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1437 44 SA 3924875484 4186321551 32768 - - - RECEIVE
    2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1438 44 SA 813143652 1475627543 32768 - - - RECEIVE
    2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1439 44 SA 1308803915 884387706 32768 - - - RECEIVE

    I note that the connection has dropped (which is good) but I cannot
    understand how it came in the first place - its source is 66.230.129.189
    which is not an IP used by my ISP (I'm in Vancouver Canada, I believe
    the 66.230.129.189 IP is in the US, perhaps NY).

    Am I reading this correctly? Am I being hacked via wifi by someone
    spoofing their IP?

    Interestingly, my laptop crashed about the same time as these entries
    appeared in my log file.

    All help, via the newsgroup for all to learn will be greatly appreciated,

    Randell D.
    Randell D., Mar 2, 2005
    #1

  2. Randell D.

    Gerald Vogt Guest

    Randell D. wrote:
    > 2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1436 44
    > SA 1787799818 4034378041 32768 - - - RECEIVE
    >...
    >
    > I note that the connection has dropped (which is good) but I cannot
    > understand how it came in the first place - its source is 66.230.129.189
    > which is not an IP used by my ISP (I'm in Vancouver Canada, I believe
    > the 66.230.129.189 IP is in the US, perhaps NY).
    >
    > Am I reading this correctly? Am I being hacked via wifi by someone
    > spoofing their IP?


    No. You received some TCP packets from 66.230.129.189 port 80. I would
    say you were browsing to this host (I don't know which host name it
    could be). If the connection has aborted for whatever reason (maybe your
    upcoming crash or something on that web site...) there may still be some
    packets coming in from that server that are dropped because the state of
    the connection in the firewall is already closed. Nothing is accepted on
    closed connections...

    Wifi hacking is very unlikely, I think. If you have problems, it may be
    some virus/worm/trojan that tried to connect there. But it could be as
    well just because your computer had some severe problems and had network
    problems...

    Gerald
    Gerald Vogt, Mar 2, 2005
    #2
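The reading given in the reply above (dropped SYN-ACK packets from port 80 are answers to connections the laptop itself opened) can be checked mechanically. The following is an added example, not part of the original thread: a small triage script for the Windows Firewall log, assuming the standard `#Fields:` column order; the last sample entry and the category names are constructed for illustration.

```python
from collections import Counter

# Column order assumed from the "#Fields:" header of the Windows Firewall log.
FIELDS = ("date time action protocol src_ip dst_ip src_port dst_port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# First four entries: the ones quoted in the thread, wrapped lines rejoined.
# Last entry: constructed for contrast (203.0.113.7 is a documentation address).
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1436 44 SA 1787799818 4034378041 32768 - - - RECEIVE
2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1437 44 SA 3924875484 4186321551 32768 - - - RECEIVE
2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1438 44 SA 813143652 1475627543 32768 - - - RECEIVE
2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1439 44 SA 1308803915 884387706 32768 - - - RECEIVE
2005-03-02 00:40:02 DROP TCP 203.0.113.7 192.168.254.199 4312 445 48 S 2841137105 0 16384 - - - RECEIVE
"""

def parse_line(line):
    """Return a dict for one log entry, or None for header, blank or malformed lines."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def classify(entry):
    """Label a received TCP segment by its flags (hypothetical category names)."""
    if entry["protocol"] != "TCP" or entry["path"] != "RECEIVE":
        return "other"
    flags = set(entry["tcpflags"])
    if {"S", "A"} <= flags:
        # SYN-ACK is step two of the handshake: the remote host is answering
        # a SYN that was sent from the local side.
        return "reply-to-outbound"
    if "S" in flags:
        # Bare SYN: the remote host is trying to open a connection to us.
        return "inbound-attempt"
    return "stray-segment"  # e.g. late ACK/FIN/RST on an already closed connection

def summarize(text):
    """Count dropped entries per (source IP, source port, category)."""
    counts = Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and entry["action"] == "DROP":
            counts[(entry["src_ip"], entry["src_port"], classify(entry))] += 1
    return counts

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, *key)
```

A "reply-to-outbound" result does not say which local program opened the connections; that has to be established on the laptop itself.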

  3. Randell D.

    Randell D. Guest

    Gerald Vogt wrote:
    > Randell D. wrote:
    >
    >> 2005-03-02 00:36:11 DROP TCP 66.230.129.189 192.168.254.199 80 1436 44
    >> SA 1787799818 4034378041 32768 - - - RECEIVE

    >
    > >...

    >
    >>
    >> I note that the connection has dropped (which is good) but I cannot
    >> understand how it came in the first place - its source is
    >> 66.230.129.189 which is not an IP used by my ISP (I'm in Vancouver
    >> Canada, I believe the 66.230.129.189 IP is in the US, perhaps NY).
    >>
    >> Am I reading this correctly? Am I being hacked via wifi by someone
    >> spoofing their IP?

    >
    >
    > No. You received some TCP packets from 66.230.129.189 port 80. I would
    > say you were browsing to this host (I don't know which host name it
    > could be). If the connection has aborted for whatever reason (maybe your
    > upcoming crash or something on that web site...) there may still be some
    > packets coming in from that server that are dropped because the state of
    > the connection in the firewall is already closed. Nothing is accepted on
    > closed connections...
    >
    > Wifi hacking is very unlikely, I think. If you have problems, it may be
    > some virus/worm/trojan that tried to connect there. But it could be as
    > well just because your computer had some severe problems and had network
    > problems...
    >
    > Gerald


    Thanks for that!

    randell d.
    Randell D., Mar 2, 2005
    #3
  4. Randell D.

    donnie Guest

    On Wed, 02 Mar 2005 21:20:40 +0900, Gerald Vogt <>
    wrote:

    >> I note that the connection has dropped (which is good) but I cannot
    >> understand how it came in the first place - its source is 66.230.129.189
    >> which is not an IP used by my ISP (I'm in Vancouver Canada, I believe
    >> the 66.230.129.189 IP is in the US, perhaps NY).
    >>
    >> Am I reading this correctly? Am I being hacked via wifi by someone
    >> spoofing their IP?

    >
    >No. You received some TCP packets from 66.230.129.189 port 80. I would
    >say you were browsing to this host (I don't know which host name it
    >could be). If the connection has aborted for whatever reason (maybe your
    >upcoming crash or something on that web site...) there may still be some
    >packets coming in from that server that are dropped because the state of
    >the connection in the firewall is already closed. Nothing is accepted on
    >closed connections...

    #############################
    That IP address belongs to ISPrime.com which is in NY at 25 Broadway,
    NYC.
    www.isprime.com
    I used to work in that building before dot coms were popular.
    Anyway, if you think that there is still a possibility of a hack
    attempt, you could send those logs to
    donnie
    donnie, Mar 3, 2005
    #4