This discussion is archived

"Stealth Mode Connection Attempt" . . . . Should I be worried?

4294 Views 9 Replies Latest reply: Dec 26, 2010 3:00 PM by Ian R. Brown
Ian R. Brown Level 6 (17,505 points)
Dec 26, 2010 2:54 AM
I have just been looking in Console - Messages and noticed numerous entries like this:-

25/12/2010 13:10:02 Firewall[77] Stealth Mode connection attempt to UDP 192.168.1.64:56497 from 192.168.1.254:53

Should I be concerned as it sounds quite sinister?

If there is a risk what can I do?
24" 2.8 GHz (Penryn) 4GB RAM iMac, Mac OS X (10.6.4), FCE 4 + FCS 3 . . . Little Knowledge, Many Opinions.
  • Antonio Rocco Level 6 (10,100 points)
    Hello Ian

    It looks like a standard DNS query on port 53 - the colon 53 part - either being made/returned from/to a computer with an IP address of 192.168.1.64 (presumably yours?) to what I'm going to assume is your gateway/router 192.168.1.254? The port initiating or receiving the request is one of many ephemeral ports Apple (and others) uses to establish and/or maintain transient requests - 56497.

    This is my reading of it - perhaps others can offer more insight? I personally think it's nothing to worry about. If you want to know which application and/or process started the ball rolling you could use a number of command line utilities:

    sudo lsof -i | grep LISTEN


    The above should show all ports that are listening. This one:

    sudo lsof -i -P | grep portnumber


    Should target all active connections based on the port number

    If the command line is not to your taste installing and monitoring something like 'Little Snitch' should show you something? Probably mDNSResponder (Bonjour etc) as it uses a number of ports in the 50000+ range.

    Apple have a support article listing what ports they often use:

    http://support.apple.com/kb/ts1629

    HTH?

    Tony
    iBook G3 (10.4.11)
  • Charles Dyer Level 4 (2,610 points)
    It appears that you have a DSL or U-verse device from AT&T. The 192.168.1.254 is characteristic of AT&T's modems; for reasons which no doubt make sense in Atlanta, they use the last available IP in the Class C range instead of the first available IP the way other people do. I've seen this with modems from Westell, Motorola, and 2Wire, all on AT&T's service, so either it's a DSL modem thing (and my old Thompson modem from when I was using a DSL service from someone other than AT&T did not use that address) or it's an AT&T thing. The :53 part of the IP indicates that this is a request from port 53; the UDP part says that it's a UDP port. UDP (and TCP) port 53 is DNS. <http://www.auditmypc.com/port/udp-port-53.asp>. It seems that there's a DNS update coming from your modem. Did you get that message when you tried to go to a new website? If so, that's probably legit. However, you might want to read this <http://pages.uoregon.edu/joe/port53wars/port53wars.pdf>. There are a lot of problems associated with DNS. For more, you could look up 'DNS server cache poisoning'.
    iMac 2.66 GHz Core 2 Duo 4 GB., Mac OS X (10.6.5), eMac 1.25 GHz 2 GB, eMac 700, beige G3, assorted Windows boxes
  • Charles Dyer Level 4 (2,610 points)
    Easily done. Two methods:

    GUI way: System Preferences/Network/Ethernet (if wired, substitute AirPort if wireless) Click on 'Advanced'. If wired, you should see your TCP setup immediately, displaying your IPv4 address and your router's IPv4 address. If wireless, you need to click on the TCP/IP tab, and then you'll see your TCP setup.

    CLI way: launch Terminal, type 'ifconfig -a' and you should see a list of all the MAC and IPv4 and IPv6 addresses for all your network cards, together with the router IPs.
    iMac 2.66 GHz Core 2 Duo 4 GB., Mac OS X (10.6.5), eMac 1.25 GHz 2 GB, eMac 700, beige G3, assorted Windows boxes
  • Antonio Rocco Level 6 (10,100 points)
    Hi Ian

    Are the odd few that are different within the same subnet as your private LAN? The 192.168.1.x Range? If they are they may be simply stale references for another network device (eg: another mac, iphone, ipad etc) that were issued those addresses in the past.

    Tony
    iBook G3 (10.4.11)
  • Charles Dyer Level 4 (2,610 points)
    Well, the :80 indicates that they're port 80, HTTP. 173.194.37.104 is a Google IP and so is 209.85.227.100. 66.235.142.20 belongs to someone called Omniture. You can find out some info about some IPs by going to http://networktools.nl/whois/ and inputting the IP.

    Commonly used ports:

    25 is SMTP, outgoing mail
    53 is DNS
    80 is HTTP, the web
    110 is POP3, outgoing mail
    143 is IMAP, also outgoing mail
    443 is HTTPS, secure web

    <http://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers> is a list of TCP ports.
    iMac 2.66 GHz Core 2 Duo 4 GB., Mac OS X (10.6.5), eMac 1.25 GHz 2 GB, eMac 700, beige G3, assorted Windows boxes
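Pulling the replies above together (Antonio's reading of the quoted line as a DNS exchange on an ephemeral port, Charles's point that :53 is DNS, and the service-port list and LAN-versus-Internet distinction in the later replies), here is an added example, not code from the thread or from Apple, that parses Console lines in the format quoted in the question and applies that reasoning to each one. Only the first sample line is the one from the question; the remaining lines, their addresses and ports, and the gateway address passed in are constructed for the example, and the 49152-65535 client-port range is an assumption (the macOS default).

```python
import ipaddress
import re
from collections import Counter

# Constructed sample of Console -> Messages lines in the format the 10.6
# application firewall uses.  The first line is the one quoted in the
# question; the others, their addresses and ports are made up here.
SAMPLE_LOG = """\
25/12/2010 13:10:02 Firewall[77] Stealth Mode connection attempt to UDP 192.168.1.64:56497 from 192.168.1.254:53
25/12/2010 13:10:05 Firewall[77] Stealth Mode connection attempt to UDP 192.168.1.64:61022 from 192.168.1.254:53
25/12/2010 13:12:41 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:49311 from 173.194.37.104:80
25/12/2010 13:12:41 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:49318 from 66.235.142.20:80
25/12/2010 13:15:09 Firewall[77] Stealth Mode connection attempt to UDP 192.168.1.64:5353 from 192.168.1.70:5353
25/12/2010 13:20:33 Firewall[77] Stealth Mode connection attempt to TCP 192.168.1.64:22 from 203.0.113.9:44120
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) Firewall\[\d+\] Stealth Mode connection attempt to "
    r"(?P<proto>TCP|UDP) (?P<dst_ip>[\d.]+):(?P<dst_port>\d+) "
    r"from (?P<src_ip>[\d.]+):(?P<src_port>\d+)$"
)

# Service ports named in the replies above, plus 5353 (mDNS/Bonjour).
SERVICE_PORTS = {25: "SMTP", 53: "DNS", 80: "HTTP", 110: "POP3",
                 143: "IMAP", 443: "HTTPS", 5353: "mDNS"}

# Assumed: the macOS default client-port range (net.inet.ip.portrange.first/last).
EPHEMERAL = range(49152, 65536)

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip):
    """True for private LAN addresses; deliberately not ipaddress.is_private,
    which also treats documentation ranges such as 203.0.113.0/24 as private."""
    return any(ip in net for net in RFC1918)


def parse_line(line):
    """Return the fields of one firewall line as a dict, or None if it is not one."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["dst_port"] = int(entry["dst_port"])
    entry["src_port"] = int(entry["src_port"])
    return entry


def classify(entry, gateway):
    """Apply the reasoning from the thread to one parsed entry."""
    src = ipaddress.ip_address(entry["src_ip"])
    sport, dport = entry["src_port"], entry["dst_port"]
    # Source is a well-known service port and our side is an ephemeral port:
    # this is the answer to a request this Mac sent.  The socket was already
    # closed when it arrived, so stealth mode logged it instead of accepting it.
    if sport in SERVICE_PORTS and dport in EPHEMERAL:
        if src == ipaddress.ip_address(gateway):
            origin = "gateway"
        elif is_rfc1918(src):
            origin = "LAN"
        else:
            origin = "Internet"
        return f"late {SERVICE_PORTS[sport]} reply from {origin}"
    # Bonjour chatter between machines on the same private network.
    if sport == dport == 5353 and is_rfc1918(src):
        return "Bonjour/mDNS from LAN"
    # Nothing we asked for: a public address aiming at a service port here.
    if not is_rfc1918(src) and dport not in EPHEMERAL:
        return "unsolicited inbound from Internet"
    return "unclassified"


def triage(log_text, gateway):
    """Map every parseable line to its verdict; returns a list of (line, verdict)."""
    results = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is not None:
            results.append((line, classify(entry, gateway)))
    return results


def summarize(log_text, gateway):
    """Count how many lines fall into each verdict."""
    return Counter(verdict for _, verdict in triage(log_text, gateway))


if __name__ == "__main__":
    for line, verdict in triage(SAMPLE_LOG, "192.168.1.254"):
        print(f"{verdict:35s} {line.split(' to ', 1)[1]}")
    print(summarize(SAMPLE_LOG, "192.168.1.254"))
```

Run as-is it works on the constructed sample; to use it on real data, paste lines copied from Console into SAMPLE_LOG and pass your own router address (from System Preferences or ifconfig, as described above). The line from the question comes out as a late DNS reply from the gateway, which is the benign case the replies describe. The entries worth a second look are the ones from public addresses aimed at a low port on the Mac; behind a NAT router those normally cannot reach the Mac at all unless a port has been forwarded to it.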
