9 Replies Latest reply: Dec 26, 2010 3:00 PM by Ian R. Brown
Ian R. Brown Level 6 Level 6 (17,900 points)
I have just been looking in Console - Messages and noticed numerous entries like this:-

25/12/2010 13:10:02 Firewall[77] Stealth Mode connection attempt to UDP 192.168.1.64:56497 from 192.168.1.254:53

Should I be concerned as it sounds quite sinister?

If there is a risk what can I do?

24" 2.8 GHz (Penryn) 4GB RAM iMac, Mac OS X (10.6.4), FCE 4 + FCS 3 . . . Little Knowledge, Many Opinions.
  • 1. Re: "Stealth Mode Connection Attempt" . . . . Should I be worried?
    Ian R. Brown Level 6 Level 6 (17,900 points)
    I have rather belatedly, as usual, done a search and discovered several posts like mine.

    However, if anyone could explain what my details mean, I would be much obliged.

    I have "Stealth Mode" set up in System Preferences>Security>Advanced and I am also using File Sharing with my other computer.
  • 2. Re: "Stealth Mode Connection Attempt" . . . . Should I be worried?
    Antonio Rocco Level 6 Level 6 (10,190 points)
    Hello Ian

    It looks like a standard DNS query on port 53 - the colon 53 part - either being made/returned from/to a computer with an IP address of 192.168.1.64 (presumably yours?) to what I'm going to assume is your gateway/router 192.168.1.254? The port initiating or receiving the request is one of many ephemeral ports Apple (and others) uses to establish and/or maintain transient requests - 56497.

    This is my reading of it - perhaps others can offer more insight? I personally think it's nothing to worry about. If you want to know which application and/or process started the ball rolling you could use a number of command line utilities:

    sudo lsof -i | grep LISTEN


    The above should show all ports that are listening. This one:

    sudo lsof -i -P | grep portnumber


    Should target all active connections based on the port number

    If the command line is not to your taste installing and monitoring something like 'Little Snitch' should show you something? Probably mDNSResponder (Bonjour etc) as it uses a number of ports in the 50000+ range.

    Apple have a support article listing what ports they often use:

    http://support.apple.com/kb/ts1629

    HTH?

    Tony
  • 3. Re: "Stealth Mode Connection Attempt" . . . . Should I be worried?
    Charles Dyer Level 4 Level 4 (2,620 points)
    It appears that you have a DSL or U-verse device from AT&T. The 192.168.1.254 is characteristic of AT&T's modems; for reasons which no doubt make sense in Atlanta, they use the last available IP in the Class C range instead of the first available IP the way other people do. I've seen this with modems from Westell, Motorola, and 2Wire, all on AT&T's service, so either it's a DSL modem thing (and my old Thompson modem from when I was using a DSL service from someone other than AT&T did not use that address) or it's an AT&T thing. The :53 part of the IP indicates that this is a request from port 53; the UDP part says that it's a UDP port. UDP (and TCP) port 53 is DNS. <http://www.auditmypc.com/port/udp-port-53.asp>. It seems that there's a DNS update coming from your modem. Did you get that message when you tried to go to a new website? If so, that's probably legit. However, you might want to read this <http://pages.uoregon.edu/joe/port53wars/port53wars.pdf>. There are a lot of problems associated with DNS. For more, you could look up 'DNS server cache poisoning'.
  • 4. Re: "Stealth Mode Connection Attempt" . . . . Should I be worried?
    Ian R. Brown Level 6 Level 6 (17,900 points)
    Thanks for the responses.

    The overwhelming number of those messages use the same "from" IP address but I have spotted an odd few that are different.

    Incidentally, I can't remember how to find my computer and router's IP address?
  • 5. Re: "Stealth Mode Connection Attempt" . . . . Should I be worried?
    Charles Dyer Level 4 Level 4 (2,620 points)
    Easily done. Two methods:

    GUI way: System Preferences/Network/Ethernet (if wired, substitute AirPort if wireless) Click on 'Advanced'. If wired, you should see your TCP setup immediately, displaying your IPv4 address and your router's IPv4 address. If wireless, you need to click on the TCP/IP tab, and then you'll see your TCP setup.

    CLI way: launch Terminal, type 'ifconfig -a' and you should see a list of all the MAC and IPv4 and IPv6 addresses for all your network cards, together with the router IPs.
  • 6. Re: "Stealth Mode Connection Attempt" . . . . Should I be worried?
    Antonio Rocco Level 6 Level 6 (10,190 points)
    Hi Ian

    Are the odd few that are different within the same subnet as your private LAN? The 192.168.1.x Range? If they are they may be simply stale references for another network device (eg: another mac, iphone, ipad etc) that were issued those addresses in the past.

    Tony
  • 7. Re: "Stealth Mode Connection Attempt" . . . . Should I be worried?
    Ian R. Brown Level 6 Level 6 (17,900 points)
    Thanks Charles. Those 2 are the computer and router.

    Tony, out of several hundred using the above addresses I have noticed, after a quick skim through, these addresses from yesterday:-

    25/12/2010 13:33:14 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:49591 from 173.194.37.104:80
    25/12/2010 13:33:14 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:49590 from 209.85.227.100:80
    25/12/2010 13:33:14 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:49592 from 66.235.142.20:80

    Any idea what they might be?
  • 8. Re: "Stealth Mode Connection Attempt" . . . . Should I be worried?
    Charles Dyer Level 4 Level 4 (2,620 points)
    Well, the :80 indicates that they're port 80, HTTP. 173.194.37.104 is a Google IP and so is 209.85.227.100. 66.235.142.20 belongs to someone called Omniture. You can find out some info about some IPs by going to http://networktools.nl/whois/ and inputting the IP.

    Commonly used ports:

    25 is SMTP, outgoing mail
    53 is DNS
    80 is HTTP, the web
    110 is POP3, outgoing mail
    143 is IMAP, also outgoing mail
    443 is HTTPS, secure web

    <http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers> is a list of TCP ports.
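The replies above read each log line by hand: a well-known source port (53, 80) arriving at a high client-side port on the Mac is the tail of a connection the Mac itself opened, while an outside host hitting a service port the Mac is not listening on is the case that would actually deserve a look. The script below is an added example, not code from the thread or from Apple, that applies that reading to a whole Console export. It assumes the line format quoted in the thread, the IANA dynamic port range (49152 and up) as "client side", and a LAN of 192.168.1.0/24; the two 203.0.113.9 lines in the sample are constructed to show what an unsolicited probe would look like and are not from the original post.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample, modelled on the lines quoted in the thread. The four
# 192.168.1.x / Google / Omniture lines follow the originals; the two
# 203.0.113.9 lines (TEST-NET-3, never routed) are invented to show a probe.
SAMPLE_LOG = """\
25/12/2010 13:10:02 Firewall[77] Stealth Mode connection attempt to UDP 192.168.1.64:56497 from 192.168.1.254:53
25/12/2010 13:33:14 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:49591 from 173.194.37.104:80
25/12/2010 13:33:14 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:49590 from 209.85.227.100:80
25/12/2010 13:33:14 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:49592 from 66.235.142.20:80
25/12/2010 14:02:51 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:22 from 203.0.113.9:41822
25/12/2010 14:02:52 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:445 from 203.0.113.9:41823
"""

# Assumed format: the exact wording the application firewall wrote in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) Firewall\[\d+\] "
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) from (?P<src_ip>[\d.]+):(?P<src_port>\d+)$"
)

# Service names for the ports the thread discusses (plus SSH/SMB for the probes).
WELL_KNOWN = {22: "SSH", 25: "SMTP", 53: "DNS", 80: "HTTP", 110: "POP3",
              143: "IMAP", 443: "HTTPS", 445: "SMB"}
EPHEMERAL_MIN = 49152  # IANA dynamic range; macOS picks client ports here (assumption)


def parse_line(line):
    """Return a dict of fields for one Stealth Mode line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["dst_port"] = int(entry["dst_port"])
    entry["src_port"] = int(entry["src_port"])
    return entry


def classify(entry, lan="192.168.1.0/24"):
    """Label one entry: late-reply, lan-traffic or inbound-probe (heuristic, not proof)."""
    src = ipaddress.ip_address(entry["src_ip"])
    on_lan = src in ipaddress.ip_network(lan)
    src_service = WELL_KNOWN.get(entry["src_port"])
    # Packet comes *from* a server-side port *to* one of our client-side ports:
    # almost always a DNS answer or HTTP FIN/RST arriving after our socket closed.
    if entry["src_port"] < 1024 and entry["dst_port"] >= EPHEMERAL_MIN:
        verdict = "late-reply"
    elif on_lan:
        verdict = "lan-traffic"      # another device on the same subnet, e.g. Bonjour
    else:
        verdict = "inbound-probe"    # outside host aiming at a port we do not serve
    return verdict, src_service, on_lan


def summarize(log_text, lan="192.168.1.0/24"):
    """Count verdicts over a Console export and list the probes worth a second look."""
    counts = Counter()
    probes = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            counts["unparsed"] += 1
            continue
        verdict, _service, _on_lan = classify(entry, lan)
        counts[verdict] += 1
        if verdict == "inbound-probe":
            probes.append((entry["src_ip"], entry["proto"], entry["dst_port"]))
    return counts, probes


if __name__ == "__main__":
    counts, probes = summarize(SAMPLE_LOG)
    for verdict, n in counts.most_common():
        print(f"{verdict:14s} {n}")
    for src_ip, proto, port in probes:
        print(f"probe from {src_ip} to {proto} port {port} ({WELL_KNOWN.get(port, '?')})")
```

To run it against a real export, replace SAMPLE_LOG with the text copied out of Console (or `grep "Stealth Mode" /var/log/appfirewall.log`, which is where the same lines land on 10.6) and adjust `lan` to the subnet shown under System Preferences > Network. The "late-reply" label is a heuristic that matches the reading given in the replies above; a stray packet to a high port can in principle be something else, so a sudden change in the counts, or any "inbound-probe" from a single outside address walking through several service ports, is what justifies digging further with `lsof -i -P` or a whois lookup.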
  • 9. Re: "Stealth Mode Connection Attempt" . . . . Should I be worried?
    Ian R. Brown Level 6 Level 6 (17,900 points)
    Thanks Charles, that is very interesting info.

    Possibly more interesting are these two sentences from the Wikipedia article on Omniture:-

    "Omniture collects data from Apple and Adobe, who use Omniture to collect usage statistics across their products. It is possible to opt-out of the Omniture data-collection system, and to block the tracking".