linksys wrt54g router seems to leak.

am 10.07.2007 21:43:47 von CJWertz

This can probably be considered a newbie kind of question.

I have a linksys wrt54g broadband router (firmware version 3.03.6).
Right now, I have wireless disabled because I don't need it.

I have firewall protection enabled. My knowledge about this is
limited, but my impression is that enabling the firewall prevents
unsolicited internet traffic from getting past the router into my home
network.

I also have McAfee Personal Firewall Plus (v 7.1) running on this PC.
The firewall log tells me that McAfee is blocking occasional
connection attempts.

----------------------------------------------------------------------
Here are some recent samples:

-- A computer at ichart1.finance.vip.re4.yahoo.com has attempted an
unsolicited connection to TCP port 1862 on your computer.
TCP port 1862 is commonly used by the "techra-server" service or
program.

-- A computer at bs1b1.ads.vip.re2.yahoo.com has attempted an
unsolicited connection to TCP port 1859 on your computer.

-- A computer at dl00053.lunarpages.com has attempted an unsolicited
connection to TCP port 1790 on your computer.
TCP port 1790 is commonly used by the "Narrative Media Streaming
Protocol" service or program.

-- A computer at IP Address 64.95.25.214 has attempted an unsolicited
connection to TCP port 2925 on your computer.
TCP port 2925 is commonly used by the "Firewall Redundancy Protocol"
service or program.
------------------------------------------

Some of these appear benign enough; I can't figure some of them out.

My question is how and why do they get through the hardware firewall?

I've tried to research this, but have yet to find the right place to
look.

Reply to me directly or post to the group if you can and will offer an
answer. If I should be asking some other group, let me know.

Thanks.

Re: linksys wrt54g router seems to leak.

am 10.07.2007 22:58:35 von comphelp

CJWertz@gmail.com writes:
> This can probably be considered a newbie kind of question.
>
> I have a linksys wrt54g broadband router (firmware version 3.03.6).
> Right now, I have wireless disabled because I don't need it.

Good.


> I have firewall protection enabled. My knowledge about this is
> limited, but my impression is that enabling the firewall prevents
> unsolicited internet traffic from getting past the router into my home
> network.

It's supposed to, yes.

> I also have McAfee Personal Firewall Plus (v 7.1) running on this
> PC. The firewall log tells me that McAfee is blocking occasional
> connection attempts.
>
> ----------------------------------------------------------------------
> Here are some recent samples:
>
> -- A computer at ichart1.finance.vip.re4.yahoo.com has attempted an
> unsolicited connection to TCP port 1862 on your computer.
> TCP port 1862 is commonly used by the "techra-server" service or
> program.

Were you looking at yahoo finance at the time?

> -- A computer at bs1b1.ads.vip.re2.yahoo.com has attempted an
> unsolicited connection to TCP port 1859 on your computer.
>
> -- A computer at dl00053.lunarpages.com has attempted an unsolicited
> connection to TCP port 1790 on your computer.
> TCP port 1790 is commonly used by the "Narrative Media Streaming
> Protocol" service or program.
>
> -- A computer at IP Address 64.95.25.214 has attempted an unsolicited
> connection to TCP port 2925 on your computer.
> TCP port 2925 is commonly used by the "Firewall Redundancy Protocol"
> service or program.
> ------------------------------------------
>
> Some of these appear benign enough; I can't figure some of them out.
>
> My question is how and why do they get through the hardware firewall?
>
> I've tried to research this, but have yet to find the right place to
> look.

This doesn't look terribly good. :-\

For comparison, in my software firewall log, I see nothing but source
IP's from my LAN, localhost, and hosts on the network to which I VPN
(via software vpn client on my pc).

Turn your router over. What hardware version is it? v1/2/3/4/5?

Now, some older ones IIRC were simple packet filters where pushing
some packets past them was relatively easy--doing something useful
with them was harder though, complicated by the NAT issue. Later
models implemented stateful packet inspection which improved things
further. Now, are you using the default IP address range or did you
reassign it? Has your router been hacked-- if you login to its admin
interface, have hosts on your lan perhaps been added to the DMZ (hence
sitting right on the 'net)? There are vulnerabilities on those wrt54g
boxes out there and if you've never updated the firmware, you might
have been hit by the script kiddies. Cross site scripting attacks are
also possible against the admin login interface, bypassing any security
and allowing router access.



Best Regards,
--
Todd H.
http://www.toddh.net/

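Todd's contrast between the older simple packet filters and stateful packet inspection can be modelled in a few lines. The Python below is an added illustration, not code from anyone in the thread, from Linksys or from McAfee: it assumes a constructed packet layout, a LAN host of 192.168.1.100 and two assumed state lifetimes (60 s for the router, 5 s for the desktop firewall). It shows how a late packet on a connection the PC itself opened passes a stateful router yet is recorded as "unsolicited" by a desktop firewall whose entry has already expired, and how a stateless filter also waves through an ACK-only probe that a stateful one refuses. The host names and the 64.95.25.214 address are the ones quoted from the McAfee log above.

```python
"""Toy model of a stateless port filter next to a stateful (SPI) filter.

Added illustration for the thread; it is not code from the posters, from
Linksys or from McAfee. The packet layout, the LAN address, the timeouts
and the packet sequence are constructed for the demo; the remote host
name and the 64.95.25.214 address are the ones quoted in the McAfee log.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # "SYN", "SYN-ACK", "ACK", ... (constructed, not a full TCP model)
    t: float     # arrival time in seconds (constructed)


LAN_PC = "192.168.1.100"                    # constructed LAN host
WEB = "ichart1.finance.vip.re4.yahoo.com"   # host from the quoted log
SCANNER = "64.95.25.214"                    # address from the quoted log


class StatelessFilter:
    """Older 'simple packet filter': judges each packet on its own header.

    It blocks new inbound connections (SYN) to ports that are not opened,
    but anything that merely looks like part of an existing connection
    (no SYN flag) is waved through, because it keeps no connection table.
    """

    def __init__(self, open_ports=()):
        self.open_ports = set(open_ports)

    def inbound(self, pkt):
        if pkt.flags == "SYN":
            return pkt.dport in self.open_ports
        return True


class StatefulFilter:
    """Stateful packet inspection: inbound traffic is allowed only while it
    matches a connection the LAN side opened, and entries expire."""

    def __init__(self, timeout):
        self.timeout = timeout
        self.table = {}   # (lan_ip, lan_port, remote_ip, remote_port) -> last seen

    def outbound(self, pkt):
        self.table[(pkt.src, pkt.sport, pkt.dst, pkt.dport)] = pkt.t
        return True

    def inbound(self, pkt):
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        last = self.table.get(key)
        if last is None or pkt.t - last > self.timeout:
            self.table.pop(key, None)   # expired or never existed: unsolicited
            return False
        self.table[key] = pkt.t         # refresh the entry
        return True


def simulate():
    """Replay a constructed sequence through the three filters.

    Returns, per packet, whether the stateless filter would pass it,
    whether the stateful router passes it, and whether the desktop
    firewall (which only sees what the router passed) would reject it
    and therefore log an 'unsolicited' attempt.
    """
    old_style = StatelessFilter()
    router = StatefulFilter(timeout=60.0)   # assumed router state lifetime
    desktop = StatefulFilter(timeout=5.0)   # assumed desktop-firewall lifetime

    # The PC opens a web connection from local port 1862 (a port the
    # McAfee log later reports), which both stateful devices record.
    opening = Packet(LAN_PC, 1862, WEB, 80, "SYN", 0.0)
    router.outbound(opening)
    desktop.outbound(opening)

    sequence = {
        "reply":    Packet(WEB, 80, LAN_PC, 1862, "SYN-ACK", 0.1),
        "late":     Packet(WEB, 80, LAN_PC, 1862, "ACK", 30.0),
        "syn_scan": Packet(SCANNER, 40000, LAN_PC, 2925, "SYN", 31.0),
        "ack_scan": Packet(SCANNER, 40000, LAN_PC, 2925, "ACK", 32.0),
    }
    report = {}
    for name, pkt in sequence.items():
        passed_router = router.inbound(pkt)
        desktop_logged = passed_router and not desktop.inbound(pkt)
        report[name] = {
            "stateless": old_style.inbound(pkt),
            "router": passed_router,
            "desktop_logged": desktop_logged,
        }
    return report


if __name__ == "__main__":
    for name, verdict in simulate().items():
        print(f"{name:9s} {verdict}")
```

The "late" row is the case that produces a log line like the ones in the original post: the router still holds state for the PC's own outbound connection and passes the packet, the desktop firewall no longer does and records an unsolicited attempt on port 1862. The "ack_scan" row is the weakness Todd attributes to the older filters: without a state table, a packet that merely lacks the SYN flag looks like part of an existing connection.
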
Re: linksys wrt54g router seems to leak.

am 11.07.2007 07:33:06 von MR. Arnold

wrote in message
news:1184096627.226996.75380@g4g2000hsf.googlegroups.com...
> This can probably be considered a newbie kind of question.
>
> I have a linksys wrt54g broadband router (firmware version 3.03.6).
> Right now, I have wireless disabled because I don't need it.
>
> I have firewall protection enabled. My knowledge about this is
> limited, but my impression is that enabling the firewall prevents
> unsolicited internet traffic from getting past the router into my home
> network.
>
> I also have McAfee Personal Firewall Plus (v 7.1) running on this PC.
> The firewall log tells me that McAfee is blocking occasional
> connection attempts.
>
> ----------------------------------------------------------------------
> Here are some recent samples:
>
> -- A computer at ichart1.finance.vip.re4.yahoo.com has attempted an
> unsolicited connection to TCP port 1862 on your computer.
> TCP port 1862 is commonly used by the "techra-server" service or
> program.
>
> -- A computer at bs1b1.ads.vip.re2.yahoo.com has attempted an
> unsolicited connection to TCP port 1859 on your computer.
>
> -- A computer at dl00053.lunarpages.com has attempted an unsolicited
> connection to TCP port 1790 on your computer.
> TCP port 1790 is commonly used by the "Narrative Media Streaming
> Protocol" service or program.
>
> -- A computer at IP Address 64.95.25.214 has attempted an unsolicited
> connection to TCP port 2925 on your computer.
> TCP port 2925 is commonly used by the "Firewall Redundancy Protocol"
> service or program.
> ------------------------------------------
>
> Some of these appear benign enough; I can't figure some of them out.
>
> My question is how and why do they get through the hardware firewall?
>
> I've tried to research this, but have yet to find the right place to
> look.
>
> Reply to me directly or post to the group if you can and will offer an
> answer. If I should be asking some other group, let me know.

You can also post to alt.internet.wireless, as there is some free 3rd-party
firmware for the wrt54g that may have better FW capabilities.

Use Wallwatcher if you can (free) to watch the traffic to and from the
router.

http://sonic.net/wallwatcher/

Re: linksys wrt54g router seems to leak.

am 11.07.2007 14:26:43 von CJWertz

Thanks for the reply.
(I thought I answered this, but I don't see it posted; I must have
done something dumb.)
Comments below.

On Jul 10, 4:58 pm, comph...@toddh.net (Todd H.) wrote:
> CJWe...@gmail.com writes:
> > This can probably be considered a newbie kind of question.
>
> > I have a linksys wrt54g broadband router (firmware version 3.03.6).
> > Right now, I have wireless disabled because I don't need it.
>
> Good.
>
> > I have firewall protection enabled. My knowledge about this is
> > limited, but my impression is that enabling the firewall prevents
> > unsolicited internet traffic from getting past the router into my home
> > network.
>
> It's supposed to, yes.
>
> > I also have McAfee Personal Firewall Plus (v 7.1) running on this
> > PC. The firewall log tells me that McAfee is blocking occasional
> > connection attempts.
>
> > ----------------------------------------------------------------------
> > Here are some recent samples:
>
> > -- A computer at ichart1.finance.vip.re4.yahoo.com has attempted an
> > unsolicited connection to TCP port 1862 on your computer.
> > TCP port 1862 is commonly used by the "techra-server" service or
> > program.
>
> Were you looking at yahoo finance at the time?
>
>

Yes, I had been looking at Yahoo finance. This might somehow explain
some of the log entries I see, but it only explains some of them.

I've been speculating that these connection attempts somehow reflect
something that "hitchhikes" on a connection I make to some particular
site, but I don't know enough to know if that can be.
>
> > -- A computer at bs1b1.ads.vip.re2.yahoo.com has attempted an
> > unsolicited connection to TCP port 1859 on your computer.
>
> > -- A computer at dl00053.lunarpages.com has attempted an unsolicited
> > connection to TCP port 1790 on your computer.
> > TCP port 1790 is commonly used by the "Narrative Media Streaming
> > Protocol" service or program.
>
> > -- A computer at IP Address 64.95.25.214 has attempted an unsolicited
> > connection to TCP port 2925 on your computer.
> > TCP port 2925 is commonly used by the "Firewall Redundancy Protocol"
> > service or program.
> > ------------------------------------------
>
> > Some of these appear benign enough; I can't figure some of them out.
>
> > My question is how and why do they get through the hardware firewall?
>
> > I've tried to research this, but have yet to find the right place to
> > look.
>
> This doesn't look terribly good. :-\
>
> For comparison, in my software firewall log, I see nothing but source
> IP's from my LAN, localhost, and hosts on the network to which I VPN
> (via software vpn client on my pc).
>
> Turn your router over. What hardware version is it? v1/2/3/4/5?

I have v 3

>
> Now, some older ones IIRC were simple packet filters where pushing
> some packets past them was relatively easy--doing something useful
> with them was harder though, complicated by the NAT issue. Later
> models implemented stateful packet inspection which improved things
> further. Now, are you using the default IP address range or did you
> reassign it? Has your router been hacked-- if you login to its admin
> interface, have hosts on your lan perhaps been added to the DMZ (hence
> sitting right on the 'net)? There are vulnerabilities on those wrt54g
> boxes out there and if you've never updated the firmware, you might
> have been hit by the script kiddies. Cross site scripting attacks are
> also possible against the admin login interface, bypassing any security
> and allowing router access.
>

The doc says this router does the stateful packet inspection.

I haven't reassigned any IP addresses. Should I be looking into this?

Nothing is in a dmz.

I do have remote administration disabled.

I guess I'd better look into updating the firmware.

I'm wondering if I should reset to all the defaults and start over
making the changes I've made. Essentially, I did the things the "book"
recommends: change password, change ssid, and so on; most of these
affect wireless, which I now have turned off.

I still wish I could understand this better.

> Best Regards,
> --
> Todd H.
> http://www.toddh.net/

Re: linksys wrt54g router seems to leak.

am 11.07.2007 17:03:41 von comphelp

CJWertz@gmail.com writes:
> > > I also have McAfee Personal Firewall Plus (v 7.1) running on this
> > > PC. The firewall log tells me that McAfee is blocking occasional
> > > connection attempts.
> >
> > > ----------------------------------------------------------------------
> > > Here are some recent samples:
> >
> > > -- A computer at ichart1.finance.vip.re4.yahoo.com has attempted an
> > > unsolicited connection to TCP port 1862 on your computer.
> > > TCP port 1862 is commonly used by the "techra-server" service or
> > > program.
> >
> > Were you looking at yahoo finance at the time?
>
> Yes, I had been looking at Yahoo finance. This might somehow explain
> some of the log entries I see, but it only explains some of them.
>
> I've been speculating that these connection attempts somehow reflect
> something that "hitchhikes" on a connection I make to some particular
> site, but I don't know enough to know if that can be.

It'd take some time for me to delve into, and someone more in a web
programming realm would have a better answer, but depending on the page
and such, it wouldn't be unusual for some ajax or an applet of some
sort to be responsible for those connections and them being
legitimately ignored by the hardware device.

> I have v 3

Good--that router can run a full version of dd-wrt firmware if you
choose to go that route.

> The doc says this router does the stateful packet inspection.

Good.

> I haven't reassigned any IP addresses. Should I be looking into this?

There is malware and scripting code out on the web that will look for
popular routers at their default address and attempt to exploit them.
The WRT is very common. I'd consider at least changing the subnet
range to something else within RFC 1918 private address space
(10.x.x.x, 192.168.x.x, 172.16-31.x.x), and/or for bonus points moving
it off the .1 host address. That is only an obscurity measure,
though, but can be part of "defense in depth."

> Nothing is in a dmz.
> I do have remote administration disabled.

Good!

> I guess I'd better look into updating the firmware.
>
> I'm wondering if I should reset to all the defaults and start over
> making the changes I've made. Essentially, I did the things the "book"
> recommends: change password, change ssid, and so on; most of these
> affect wireless, which I now have turned off.
>
> I still wish I could understand this better.

I don't have all the answers here for you either. It'd require more
time and information than we have here to get to a root cause as to
why these particular things got past the router and hit your desktop
firewall.

It does make a great case in point to use against those who think
desktop firewall software is "redundant if you have border
protection."

Best Regards,
--
Todd H.
http://www.toddh.net/
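The checks Todd lists across his two replies (LAN address inside RFC 1918 private space and off the factory default, nothing in the DMZ, remote administration off, wireless off when unused, firmware current) read naturally as a checklist. The Python below is an added example, not code from the thread, from Linksys or from any router API: the settings arrive as a plain dict an operator fills in from the admin pages, the values in sample_settings() are constructed to mirror what CJWertz reports, the "3.03.9" passed as the latest firmware is a placeholder, and the factory-default address list holds only 192.168.1.1.

```python
"""Checklist audit of a WRT54G-style home router configuration.

Added example: not code from the thread, from Linksys or from any router
API. Settings arrive as a plain dict that an operator fills in by hand
from the admin pages; the values in sample_settings() are modelled on
what the original poster describes.
"""
import ipaddress

# Factory default LAN address on these routers; scripts that hunt for
# routers "at their default address" try this first.
FACTORY_DEFAULT_LAN = {ipaddress.ip_address("192.168.1.1")}


def version_tuple(version):
    """'3.03.6' -> (3, 3, 6) so that releases compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit(settings, latest_firmware=None):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    lan = ipaddress.ip_interface(settings["lan_ip"])   # e.g. "192.168.1.1/24"

    # RFC 1918 range, and not the address every default-hunting script probes.
    if not lan.ip.is_private:
        findings.append("LAN address is outside RFC 1918 private space")
    if lan.ip in FACTORY_DEFAULT_LAN:
        findings.append("LAN address is the factory default 192.168.1.1")
    elif lan.ip == next(lan.network.hosts()):
        findings.append("LAN address is the first host (.1) of its subnet")

    # Exposure settings from the admin interface.
    if settings.get("dmz_host"):
        findings.append(f"{settings['dmz_host']} is in the DMZ, exposed to the internet")
    if settings.get("remote_admin"):
        findings.append("remote administration is enabled on the WAN side")
    if settings.get("wireless_enabled") and not settings.get("wireless_needed"):
        findings.append("wireless is enabled but not needed")

    # Firmware currency, only when the caller knows the newest release.
    if latest_firmware and version_tuple(settings["firmware_version"]) < version_tuple(latest_firmware):
        findings.append(f"firmware {settings['firmware_version']} is older than {latest_firmware}")
    return findings


def sample_settings():
    """Constructed to match the original post: default LAN range, wireless
    off, no DMZ host, remote admin off, firmware 3.03.6."""
    return {
        "lan_ip": "192.168.1.1/24",
        "dmz_host": "",
        "remote_admin": False,
        "wireless_enabled": False,
        "wireless_needed": False,
        "firmware_version": "3.03.6",
    }


if __name__ == "__main__":
    # "3.03.9" is a placeholder for whatever the vendor currently lists.
    for finding in audit(sample_settings(), latest_firmware="3.03.9"):
        print("-", finding)
```

Run against the poster's described setup it reports only the two items the thread itself left open: the LAN address is still the factory default, and the firmware is behind whatever the vendor lists as current. Changing the LAN range is, as Todd says, an obscurity measure; the audit treats it as one finding among several rather than a fix for the log entries.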