linksys wrt54g router seems to leak.

This can probably be considered a newbie kind of question.

I have a linksys wrt54g broadband router (firmware version 3.03.6).
Right now, I have wireless disabled because I don't need it.

I have firewall protection enabled. My knowledge about this is
limited, but my impression is that enabling the firewall prevents
unsolicited internet traffic from getting past the router into my home
network.

I also have McAfee Personal Firewall Plus (v 7.1) running on this PC.
The firewall log tells me that McAfee is blocking occasional
connection attempts.

----------------------------------------------------------------------
Here are some recent samples:

-- A computer at ichart1.finance.vip.re4.yahoo.com  has attempted an
unsolicited connection to TCP port 1862 on your computer.
TCP port 1862 is commonly used by the "techra-server" service or
program.

-- A computer at bs1b1.ads.vip.re2.yahoo.com  has attempted an
unsolicited connection to TCP port 1859 on your computer.

--A computer at dl00053.lunarpages.com  has attempted an unsolicited
connection to TCP port 1790 on your computer.
TCP port 1790 is commonly used by the "Narrative Media Streaming
Protocol" service or program.

--A computer at IP Address 64.95.25.214  has attempted an unsolicited
connection to TCP port 2925 on your computer.
TCP port 2925 is commonly used by the "Firewall Redundancy Protocol"
service or program.
------------------------------------------

Some of these appear benign enough; I can't figure some of them out.

My question is how and why do they get through the hardware firewall?

I've tried to research this, but have yet to find the right place to
look.

Reply to me directly or post to the group if you can and will offer an
answer. If I should be asking some other group, let me know.

Thanks.


Re: linksys wrt54g router seems to leak.
CJWertz@gmail.com writes:
[quoted text omitted]

Good.



It's supposed to, yes.  

[quoted text omitted]

Were you looking at yahoo finance at the time?

[quoted text omitted]

This doesn't look terribly good.  :-\

For comparison, in my software firewall log, I see nothing but source
IPs from my LAN, localhost, and hosts on the network to which I VPN
(via software vpn client on my pc).

Turn your router over.  What hardware version is it?  v1/2/3/4/5?

Now, some older ones IIRC were simple packet filters where pushing
some packets past them was relatively easy--doing something useful
with them was harder though, complicated by the NAT issue. Later
models implemented stateful packet inspection which improved things
further.  Now, are you using the default IP address range or did you
reassign it?  Has your router been hacked-- if you log in to its admin
interface, have hosts on your lan perhaps been added to the DMZ (hence
sitting right on the 'net)?  There are vulnerabilities on those wrt54g
boxes out there and if you've never updated the firmware, you might
have been hit by the script kiddies.  Cross site scripting attacks are
also possible against the admin login interface, bypassing any security
and allowing router access.



Best Regards,
--
Todd H.
http://www.toddh.net/

Re: linksys wrt54g router seems to leak.
Thanks for the reply.
(I thought I answered this, but I don't see it posted; I must have
done something dumb.)
Comments below.

On Jul 10, 4:58 pm, comph...@toddh.net (Todd H.) wrote:
[quoted text omitted]

Yes, I had been looking at Yahoo finance. This might somehow explain
some of the log entries I see, but it only explains some of them.

I've been speculating that these connection attempts somehow reflect
something that "hitchhikes" on a connection I make to some particular
site, but I don't know enough to know if that can be.
[quoted text omitted]

I have v 3

[quoted text omitted]

The doc says this router does the stateful packet inspection.

I haven't reassigned any IP addresses. Should I be looking into this?

Nothing is in a dmz.

I do have remote administration disabled.

I guess I'd better look into updating the firmware.

I'm wondering if I should reset to all the defaults and start over
making the changes I've made. Essentially, I did the things the "book"
recommends: change password, change ssid, and so on; most of these
affect wireless which I now have turned off.

I still wish I could understand this better.




Re: linksys wrt54g router seems to leak.
CJWertz@gmail.com writes:
[quoted text omitted]

It'd take some time for me to delve into, and someone more in a web
programming realm would have a better answer, but depending on the page
and such, it wouldn't be unusual for some ajax or an applet of some
sort to be responsible for those connections and them being
legitimately ignored by the hardware device.

[quoted text omitted]

Good--that router can run a full version of dd-wrt firmware if you
choose to go that route.

[quoted text omitted]

Good.


There is malware and scripting code out on the web that will look for
popular routers at their default address and attempt to exploit them.
The WRT is very common.  I'd consider at least changing the subnet
range to something else within RFC 1918 private address space
(10.x.x.x, 192.168.x.x, 172.16-31.x.x), and/or for bonus points moving
it off the .1 host address.  That is only an obscurity measure,
though, but can be part of "defense in depth."

[quoted text omitted]

Good!

[quoted text omitted]

I don't have all the answers here for you either.  It'd require more
time and information than we have here to get to a root cause as to
why these particular things got past the router and hit your desktop
firewall.

It does make a great case in point to use against those who think
desktop firewall software is "redundant if you have border
protection."

Best Regards,
--
Todd H.
http://www.toddh.net/
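
An added example, not part of any post in this thread: one way to triage the firewall alerts from the first post by checking whether each local port lies in the range the operating system hands to outbound client sockets. The 1025-5000 range is an assumption (the Windows XP-era default; the thread does not name the OS), and `parse`, `triage` and the bucket names are hypothetical.

```python
import re

# Alerts copied from the first post in this thread (line-wrapped there).
LOG = """
-- A computer at ichart1.finance.vip.re4.yahoo.com  has attempted an
unsolicited connection to TCP port 1862 on your computer.
-- A computer at bs1b1.ads.vip.re2.yahoo.com  has attempted an
unsolicited connection to TCP port 1859 on your computer.
--A computer at dl00053.lunarpages.com  has attempted an unsolicited
connection to TCP port 1790 on your computer.
--A computer at IP Address 64.95.25.214  has attempted an unsolicited
connection to TCP port 2925 on your computer.
"""

# Assumption: Windows XP-era default dynamic (client-side) port range.
CLIENT_PORTS = range(1025, 5001)

ENTRY = re.compile(
    r"A computer at (?:IP Address )?(?P<remote>\S+) has attempted an "
    r"unsolicited connection to (?P<proto>TCP|UDP) port (?P<port>\d+)"
)

def parse(log):
    """Return one dict per alert: remote host, protocol, local port."""
    flat = " ".join(log.split())  # undo line wrapping and double spaces
    return [
        {"remote": m["remote"], "proto": m["proto"], "port": int(m["port"])}
        for m in ENTRY.finditer(flat)
    ]

def triage(entries, client_ports=CLIENT_PORTS):
    """Bucket alerts by local port.

    client_range:  a port the OS hands to outbound sockets, so the packet may
                   be a late reply to a connection this PC opened itself.
    service_range: anything else; check for a listening service and for
                   port forwarding or DMZ entries on the router.
    """
    buckets = {"client_range": [], "service_range": []}
    for e in entries:
        key = "client_range" if e["port"] in client_ports else "service_range"
        buckets[key].append(e)
    return buckets

if __name__ == "__main__":
    for bucket, items in triage(parse(LOG)).items():
        for e in items:
            print(f"{bucket:13} {e['proto']} {e['port']:>5}  <- {e['remote']}")
```

Alerts that land in `client_range` fit the "hitchhiking" idea raised in the thread but do not prove it; matching them against outbound connections in a packet capture or the router's traffic log is the confirming step.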

Re: linksys wrt54g router seems to leak.

[quoted text omitted]

You can also post to alt.internet.wireless as there is some free 3rd-party
firmware for the wrt54g that may have better FW capabilities.

Use Wallwatcher if you can (free) to watch the traffic to and from the
router.

http://sonic.net/wallwatcher/

