Have you noticed any weird firewall log messages since installing Snow Leopard? I keep seeing requests for ports 53 (DNS), 548 (AFP), 88 (Kerberos), 80 (WWW) from weird IP addresses … the strange thing is the logs only started showing up since the 29th, after installing Snow Leopard … I’m still not sure how any traffic would get through 2 routers (both with firewalls) and make it to my laptop, which is also firewalled.
Ok, so is it just me, Snow Leopard, Comcast, or am I really being hacked?
9/14/09 1:01:42 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:59043 from 87.98.164.164:53
9/14/09 1:01:42 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:57020 from 64.34.177.159:53
9/14/09 1:01:42 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:54377 from 72.32.93.189:53
^^ I keep seeing shit like that in the console log ever since SL, mostly when I’m web browsing.
Port 53 is DNS, but why is it hitting random ports on my laptop?
This has been bugging me now for a while.
Also, how is any traffic making it through 2 firewall/router subnets? It was a bitch even getting p2p forwarding to my PC without configuring both routers … so I don’t see how anything can make it through unless I tell it to.
Ok, I would love not to worry, but I get so much log spam from that thing … just opening a link I get all this traffic?
9/14/09 1:10:38 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:58002 from 69.63.176.8:53
9/14/09 1:10:39 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:56387 from 72.21.80.6:53
9/14/09 1:10:40 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:64337 from 67.72.21.11:53
9/14/09 1:10:49 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:53978 from 72.233.69.14:53
9/14/09 1:10:50 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:56028 from 199.249.112.1:53
9/14/09 1:10:50 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:52652 from 72.233.69.14:53
9/14/09 1:10:50 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:50300 from 192.42.93.30:53
9/14/09 1:10:50 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:50300 from 192.42.93.30:53
9/14/09 1:10:50 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:51259 from 192.35.51.30:53
9/14/09 1:10:50 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:51259 from 192.35.51.30:53
9/14/09 1:10:50 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:55869 from 192.42.93.30:53
9/14/09 1:10:51 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:51135 from 91.194.75.162:53
9/14/09 1:10:51 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:51259 from 192.42.93.30:53
9/14/09 1:10:51 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:61256 from 192.41.162.30:53
9/14/09 1:10:51 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:63180 from 192.26.92.30:53
9/14/09 1:10:51 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:52961 from 204.74.108.253:53
9/14/09 1:10:51 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:55880 from 62.189.48.1:53
9/14/09 1:10:51 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:55880 from 62.189.48.1:53
9/14/09 1:10:51 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:57952 from 192.35.51.30:53
9/14/09 1:10:52 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:57226 from 64.182.102.188:53
9/14/09 1:10:52 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:61042 from 192.41.162.30:53
9/14/09 1:10:52 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:55298 from 192.220.125.10:53
9/14/09 1:10:52 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:55915 from 192.33.14.30:53
9/14/09 1:10:52 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:55915 from 192.33.14.30:53
9/14/09 1:10:52 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:54666 from 76.74.159.137:53
9/14/09 1:10:52 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:57169 from 64.207.128.18:53
9/14/09 1:10:52 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:60405 from 64.207.128.18:53
That’s a bit much for opening 1 URL.
It’s almost like a distributed port scanner DNS service or something.
Some of those IPs are private too, which makes even less sense.
Just what the hell is going on here?
Update: Ok, I’ve disabled UPnP on my router and some of the log messages have dropped. Also switched the main router to use OpenDNS. But I’m still seeing a few weird stealth mode requests …
9/14/09 2:44:21 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50576 from 208.69.38.150:443
9/14/09 2:44:24 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50576 from 208.69.38.150:443
9/14/09 2:44:30 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50576 from 208.69.38.150:443
9/14/09 2:44:42 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50576 from 208.69.38.150:443
...
9/14/09 2:45:06 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50576 from 208.69.38.150:443
9/14/09 2:45:54 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50576 from 208.69.38.150:443
9/14/09 2:49:41 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50664 from 76.74.255.125:80
9/14/09 2:49:45 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50664 from 76.74.255.125:80
9/14/09 2:49:51 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50664 from 76.74.255.125:80
...
9/14/09 2:50:03 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50664 from 76.74.255.125:80
...
9/14/09 2:50:27 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50664 from 76.74.255.125:80
...
9/14/09 2:51:15 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50664 from 76.74.255.125:80
WTF? I really don’t get it …
Update 2: I’m also seeing requests using IPv6 …
9/14/09 4:32:21 PM Firewall[57] Stealth Mode connection attempt to TCP ::219:e3ff:fe03:c6f0:52506 from ::21c:b3ff:feb1:4459:548
...
9/14/09 4:32:34 PM Firewall[57] Stealth Mode connection attempt to TCP fe80:6::219:e3ff:fe03:c6f0:52488 from fe80:6::21b:63ff:fef5:
...
9/14/09 4:32:34 PM Firewall[57] Stealth Mode connection attempt to TCP fe80:6::219:e3ff:fe03:c6f0:52495 from fe80:6::21b:63ff:fef5:
9/14/09 4:32:53 PM Firewall[57] Stealth Mode connection attempt to TCP fe80:6::219:e3ff:fe03:c6f0:52505 from fe80:6::21c:b3ff:feb1:
9/14/09 4:32:53 PM Firewall[57] Stealth Mode connection attempt to TCP ::219:e3ff:fe03:c6f0:52506 from ::21c:b3ff:feb1:4459:548
3 Comments
Hi,
I hate to say this but ME TOO. Only in my case those are random hits every once in a while. I’m running 10.6.1 on a NEW MBP (as of this afternoon, fresh outta the box as it were).
If you run across anything please post it here.
Thanks.
Miles.
Ok, I can report this is happening to me too: running OS X 10.6 on a MacBook Pro (unibody). The hardware actually doesn’t matter for this.
I have noticed, however, that looking at the logs in /var/log/appfirewall.log, I have incoming requests by UDP from my DNS servers to me… from port 53 (DNS requests). I have other requests by TCP from unknown IPs on ports 80 and 443 (HTTP, HTTPS). But you are right….. at first look, this seems like we are being hacked, but I don’t think so….. Not sure what has changed in Snow Leopard’s ipfw.
For an attempt to answer these kinds of issues see:
“Am I being hacked?? HAVE I been hacked?”,
http://discussions.apple.com/thread.jspa?threadID=1481932
For an example ipfw ruleset you may want to check out and see if it helps, try:
http://codesnippets.joyent.com/posts/show/1267
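A small triage script for the "Stealth Mode connection attempt" lines quoted in the post and in the second comment's /var/log/appfirewall.log. This is an added example, not code from the post, the commenters, or Apple. It assumes the line format shown above, the macOS default ephemeral client port range (49152–65535), and two heuristics of my own: a UDP packet from port 53 to an ephemeral local port is the reply to a DNS query this host sent, and a TCP packet from a service port (80, 443, 548, …) to an ephemeral local port that repeats with steadily growing gaps is a server retransmitting to a connection this host already closed. Anything aimed at a non-ephemeral local port is left as "unexplained" for manual review. The sample lines are copied from the post, plus one constructed line (203.0.113.5 is a documentation address) to show an entry the heuristics do not explain.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Matches the 10.6 appfirewall.log format quoted in the post.  The trailing
# remote port is allowed to be empty because some IPv6 lines in the post
# are truncated after the last colon.
LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+/\d+ \d+:\d+:\d+ [AP]M) Firewall\[\d+\] "
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<local>\S+):(?P<lport>\d+) from (?P<remote>\S+):(?P<rport>\d*)$"
)
EPHEMERAL = range(49152, 65536)  # assumed macOS default client port range


def parse_line(line):
    """Return a dict for one Stealth Mode line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%y %I:%M:%S %p")
    rec["lport"] = int(rec["lport"])
    rec["rport"] = int(rec["rport"]) if rec["rport"] else None  # truncated in the post
    return rec


def classify(rec):
    """Label one entry with the first benign explanation that fits, else 'unexplained'."""
    lport, rport, proto = rec["lport"], rec["rport"], rec["proto"]
    if lport not in EPHEMERAL or rport is None:
        # Aimed at a service port on this host (or unparseable): worth a look.
        return "unexplained"
    if proto == "UDP" and rport == 53:
        # Answer to a DNS query this host sent; the resolver had already closed the socket.
        return "dns-reply-to-closed-socket"
    if proto == "TCP" and rport < 1024:
        # Reply direction of a client connection this host opened (80/443/548 ...).
        return "server-reply-to-closed-socket"
    return "unexplained"


def looks_like_retransmission(timestamps):
    """True when gaps between successive packets keep growing (TCP backoff shape)."""
    ts = sorted(timestamps)
    if len(ts) < 3:
        return False
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    # Heuristic threshold (assumption): each gap at least 1.4x the previous one.
    return all(g2 >= 1.4 * g1 for g1, g2 in zip(gaps, gaps[1:]))


def triage(lines):
    """Count entries per category and list flows whose timing looks like retransmission."""
    counts = Counter()
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        counts[classify(rec)] += 1
        flows[(rec["proto"], rec["remote"], rec["rport"], rec["lport"])].append(rec["ts"])
    backoff = [k for k, v in flows.items() if looks_like_retransmission(v)]
    return {"counts": dict(counts), "retransmitting_flows": backoff}


# Sample input: lines copied from the post, plus one constructed line at the end.
SAMPLE_LINES = [
    "9/14/09 1:01:42 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:59043 from 87.98.164.164:53",
    "9/14/09 1:10:50 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:50300 from 192.42.93.30:53",
    "9/14/09 1:10:50 PM Firewall[57] Stealth Mode connection attempt to UDP 192.168.1.130:50300 from 192.42.93.30:53",
    "9/14/09 2:44:21 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50576 from 208.69.38.150:443",
    "9/14/09 2:44:24 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50576 from 208.69.38.150:443",
    "9/14/09 2:44:30 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50576 from 208.69.38.150:443",
    "9/14/09 2:44:42 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50576 from 208.69.38.150:443",
    "9/14/09 2:45:06 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50576 from 208.69.38.150:443",
    "9/14/09 2:45:54 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50576 from 208.69.38.150:443",
    "9/14/09 2:49:41 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50664 from 76.74.255.125:80",
    "9/14/09 2:49:45 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50664 from 76.74.255.125:80",
    "9/14/09 2:49:51 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50664 from 76.74.255.125:80",
    "9/14/09 2:50:03 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50664 from 76.74.255.125:80",
    "9/14/09 2:50:27 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50664 from 76.74.255.125:80",
    "9/14/09 2:51:15 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:50664 from 76.74.255.125:80",
    "9/14/09 4:32:21 PM Firewall[57] Stealth Mode connection attempt to TCP ::219:e3ff:fe03:c6f0:52506 from ::21c:b3ff:feb1:4459:548",
    "9/14/09 4:32:34 PM Firewall[57] Stealth Mode connection attempt to TCP fe80:6::219:e3ff:fe03:c6f0:52488 from fe80:6::21b:63ff:fef5:",
    # Constructed: a TCP packet aimed at local port 22 is not a late reply and stays unexplained.
    "9/14/09 5:00:00 PM Firewall[57] Stealth Mode connection attempt to TCP 192.168.1.130:22 from 203.0.113.5:41022",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for label, n in sorted(result["counts"].items()):
        print(f"{label:32s} {n}")
    for flow in result["retransmitting_flows"]:
        print("retransmission-shaped flow:", flow)
```

On the post's own data the two TCP flows from :443 and :80 show gaps of roughly 3, 6, 12, 24, 48 seconds to the same local port, which is the shape of a server retrying against a socket the laptop no longer holds; the UDP lines from port 53 all land on ephemeral ports. What the script cannot explain is what a defender should spend time on: anything arriving at a local port below the ephemeral range, which in this sample is only the constructed line.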