
Stealth mode connection attempt

I'm getting quite a few of these showing up in my Console logs:


20/01/2012 16:02:44.923 Firewall: Stealth Mode connection attempt to TCP 192.******** from 17.172.*******


Now I understand these are nothing to worry too much about as it's just the OS X firewall doing its job. But does this mean that these connection attempts are getting past my router's firewall?!!! I figure they must be, otherwise they wouldn't be reaching my Mac surely!!!!


<IPs Edited by Host>

MacBook Pro, Mac OS X (10.7.2)

Posted on Jan 20, 2012 8:14 AM

15 replies

Jan 20, 2012 8:42 AM in response to Zyriab

Zyriab wrote:


I'm getting quite a few of these showing up in my Console logs:


20/01/2012 16:02:44.923 Firewall: Stealth Mode connection attempt to TCP 192.********** from 17.172.**********


192.*********


That's your IP number; you shouldn't post that online in a public forum.


62618 is the port number the malware is attempting to contact.


17.********** is the IP address of the attacking computer, 443 is the port number on that machine.


Generally you will see thousands of such attacks when you view your logs; it shows that a connection is being attempted, likely by malware looking to spread.


However it's an attempt, not that it got in. 🙂




Note: I ran a WHOIS on 17.172.******** and that IP belongs to Apple. So it's likely some sort of service to your machine, iCloud or something.


<Edited by Host>

Jan 20, 2012 8:43 AM in response to ds store

Thanks for your reply. The IP address I posted is my internal network address, it doesn't tell anyone anything - I wouldn't have posted it otherwise! Everything you told me I already know, but you didn't answer my actual question which was: does this mean that these connection attempts are getting past my router's firewall? I do appreciate your trying to help though.

Jan 20, 2012 8:47 AM in response to Zyriab

Zyriab wrote:

...

does this mean that these connection attempts are getting past my router's firewall?


It's just an attempt by Apple to provide some sort of update or service, no successful connection or it would state that.


You must have your Firewall set to maximum to be blocking this service, likely iCloud notifications.


Set your Firewall settings a bit lower to allow Apple to track you. 😝

Mar 1, 2012 4:23 AM in response to ds store

I also have same issue as Zyriab...and a couple of additional questions:


1) Console log is packed with Info messages related to connection attempts from AEBS router. Is that normal? Why does it do that? It knows it's connected.


2) Why, if the AEBS has NAT turned on, do I still see connection attempts from undesirable external IP addresses? Does that mean that the AEBS firewall isn't working?


3) system profiler states: Firewall Logging: No / Stealth Mode: No. Why the discrepancy?


thanks

Mar 1, 2012 4:29 AM in response to Zyriab

I would guess that 99% of the Stealth connection attempts are "forgotten" requests that your computer has made to other servers. If something makes a request, then decides it doesn't care about it any more and moves on, there is nothing waiting for the reply that eventually arrives. The Firewall flags that response as a Stealth mode connection attempt.


For chriswalsh, 1 and 2 are caused by what I've tried to explain here. 3 has been a long-standing bug.

Jun 1, 2012 6:00 PM in response to Zyriab

There is a very good technical explanation by Terry Lambert on this thread: https://discussions.apple.com/thread/2762219#13205934 which matches what Barney-15E said.


These log messages typically occur after visiting a Web page and then closing the page (before it has finished loading or because it has background connections).


Yes, the router is letting those packets in, but this is correct behaviour. It is correctly letting through the reply packets to a previous request that your computer had sent out through the router. The router's firewall or NAT is doing its job properly: these are solicited packets, not unsolicited ones. They are reply packets, not connection initiating packets.


The Mac OS X firewall is also working properly in protecting the computer, but it is incorrectly adding a log entry that says "Stealth Mode connection attempt to TCP..." which clutters up the log files as well as making people unnecessarily worried. The log message is incorrect, because it is not a "connection attempt" but just a reply packet without a receiver anymore. The packet is not trying to initiate a new connection. It should recognise that it is just a stray response packet and silently ignore it, but unfortunately it doesn't.


Conclusion: both the router and your Mac are working securely and you can ignore these log messages.
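The post above answers the original question in prose: the router's NAT admits the packet because it matches a flow this Mac opened, and the Mac's firewall logs it because the socket that opened the flow no longer exists. The model below replays exactly that sequence, plus a genuinely unsolicited SYN for contrast. It is an added example written for this page, not code from any poster, Apple, or the router; it simplifies NAT to a port-mapping table with no timeout, so a mapping simply outlives the socket, and all addresses (203.0.113.10 as the router's public side, 17.172.0.1 as an Apple server, 198.51.100.77 as an outside scanner) are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False  # True only for a connection-initiating packet


@dataclass
class Router:
    """Home router doing stateful NAT: an inbound packet is admitted only if it
    matches a flow a LAN host opened earlier. Real mappings expire on a timer;
    here they simply persist, which is the window in which a late reply arrives."""
    public_ip: str
    # outside port -> (proto, inside ip, inside port, remote ip, remote port)
    nat: Dict[int, Tuple[str, str, int, str, int]] = field(default_factory=dict)
    next_outside_port: int = 40000

    def outbound(self, p: Packet) -> Packet:
        port = self.next_outside_port
        self.next_outside_port += 1
        self.nat[port] = (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        return Packet(p.proto, self.public_ip, port, p.dst_ip, p.dst_port, p.syn)

    def inbound(self, p: Packet) -> Optional[Packet]:
        flow = self.nat.get(p.dst_port)
        if flow is None or flow[0] != p.proto or (flow[3], flow[4]) != (p.src_ip, p.src_port):
            return None  # unsolicited: no LAN host opened this flow, drop at the edge
        _, in_ip, in_port, _, _ = flow
        return Packet(p.proto, p.src_ip, p.src_port, in_ip, in_port, p.syn)


@dataclass
class Mac:
    """The OS X application firewall in stealth mode: a packet for a port with no
    socket is dropped without any reply (no RST), and one log line is written."""
    ip: str
    sockets: Set[Tuple[str, int]] = field(default_factory=set)
    log: List[str] = field(default_factory=list)

    def open(self, proto: str, port: int) -> None:
        self.sockets.add((proto, port))

    def close(self, proto: str, port: int) -> None:
        self.sockets.discard((proto, port))

    def receive(self, p: Packet) -> str:
        if (p.proto, p.dst_port) in self.sockets:
            return "delivered"
        self.log.append(
            f"Firewall: Stealth Mode connection attempt to {p.proto} "
            f"{p.dst_ip}:{p.dst_port} from {p.src_ip}:{p.src_port}"
        )
        return "dropped silently"


def deliver_from_internet(router: Router, mac: Mac, p: Packet) -> str:
    """Path of an Internet packet addressed to the router's public IP."""
    inside = router.inbound(p)
    if inside is None:
        return "dropped at router"
    return mac.receive(inside)


def scenario() -> Tuple[List[str], List[str]]:
    """Replay the thread's situation; returns (per-packet outcomes, Mac firewall log)."""
    router = Router(public_ip="203.0.113.10")
    mac = Mac(ip="192.168.1.5")
    server, sport = "17.172.0.1", 443
    outcomes = []

    # 1. Safari opens a TLS connection; the router records the flow.
    mac.open("TCP", 62618)
    out = router.outbound(Packet("TCP", mac.ip, 62618, server, sport, syn=True))
    # 2. The server's first reply matches the flow and reaches the socket.
    outcomes.append(deliver_from_internet(router, mac, Packet("TCP", server, sport, out.src_ip, out.src_port)))
    # 3. The page is closed before the server finishes: socket gone, NAT mapping still there.
    mac.close("TCP", 62618)
    # 4. A late reply (no SYN) is solicited from the router's point of view, so it is
    #    forwarded; the Mac has nobody to give it to, drops it and logs it.
    outcomes.append(deliver_from_internet(router, mac, Packet("TCP", server, sport, out.src_ip, out.src_port)))
    # 5. A genuine unsolicited SYN at port 22 matches no flow and dies at the router,
    #    so the Mac never sees it and its log says nothing about it.
    outcomes.append(deliver_from_internet(router, mac, Packet("TCP", "198.51.100.77", 51000, router.public_ip, 22, syn=True)))
    return outcomes, mac.log


if __name__ == "__main__":
    outcomes, log = scenario()
    print(outcomes)
    print("\n".join(log))
```

The point worth keeping from the run is the asymmetry: the only line in the Mac's log is the solicited late reply, and the one packet that was actually hostile produced no log entry at all, because it never got past the router. The Console entries the thread is about are therefore evidence of the router admitting return traffic, not of it failing.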

Jun 2, 2012 3:26 PM in response to ds store

ds store wrote:


Zyriab wrote:


I'm getting quite a few of these showing up in my Console logs:


20/01/2012 16:02:44.923 Firewall: Stealth Mode connection attempt to TCP 192.********** from 17.172.**********


192.*********


That's your IP number, shouldn't post that online in a public forum.


62618 is the port number the malware is attempting to contact.


17.********** is the IP address of the attacking computer, 443 is the port number on that machine.


Generally you will see thousands of such attacks when you view your logs; it shows that a connection is being attempted, likely by malware looking to spread.


However it's an attempt, not that it got in. 🙂




Note: I ran a whoIS on 17.172.******** and that IP belongs to Apple. So it's likely some sort of service to your machine, iCloud or something.


<Edited by Host>

192.168.x.x is fine to post anywhere. That whole range of addresses is private IP addresses and cannot be reached from the Internet. My whole home network uses 192.168.1.1 (my router's IP) to .150 (IPs used by devices on my LAN/network).



The 172 address could be a private IP or a public IP. 172.16.0.0 to 172.31.255.255 are private addresses, and others in that range are public. That may be the OP's public IP of his router, what the WAN/Internet port gets assigned by his ISP. I don't know as the complete address is not shown.


If it isn't, then it's from the outside, i.e. someplace on the Net. If they are getting through to his computer then he does not have his router set up correctly or is allowing incoming connections on port 443.

Aug 23, 2013 4:01 PM in response to Zyriab

Can you tell me if my Mac is being hacked or signed onto by someone else? Here is the shell command report:


Last login: Fri Aug 23 18:36:19 on ttys000

curt-studio-a:~ appleuser$ w

18:51 up 6:20, 2 users, load averages: 1.65 1.52 1.35

USER TTY FROM LOGIN@ IDLE WHAT

appleuser console - 12:39 6:12 -

appleuser s000 - 18:51 - w

curt-studio-a:~ appleuser$ netstT

-bash: netstT: command not found

curt-studio-a:~ appleuser$ NETSTAT

Active Internet connections

Proto Recv-Q Send-Q Local Address Foreign Address (state)

tcp4 0 0 curt-studio-a.lo.54225 lga15s35-in-f9.1.http ESTABLISHED

tcp4 0 0 curt-studio-a.lo.54224 lga15s29-in-f8.1.http ESTABLISHED

tcp4 0 0 curt-studio-a.lo.53982 lga15s29-in-f4.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53980 lga15s29-in-f4.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53979 lga15s29-in-f4.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53977 lga15s29-in-f4.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53975 lga15s29-in-f5.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53973 lga15s29-in-f5.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53972 lga15s29-in-f0.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53971 lga15s29-in-f0.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53964 lga15s29-in-f7.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53963 lga15s29-in-f7.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53962 lga15s29-in-f7.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53957 lga15s29-in-f7.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53955 lga15s29-in-f7.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53929 lga15s29-in-f1.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53928 lga15s29-in-f1.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53840 lga15s29-in-f6.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53837 lga15s29-in-f3.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53836 lga15s29-in-f3.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53835 lga15s29-in-f3.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53834 lga15s29-in-f3.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53833 lga15s29-in-f3.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53299 lga15s35-in-f0.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53297 lga15s35-in-f7.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53296 lga15s35-in-f14..http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53294 lga15s35-in-f14..http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53293 lga15s35-in-f14..http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53292 lga15s35-in-f14..http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53291 lga15s35-in-f0.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53290 lga15s35-in-f14..http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53289 lga15s35-in-f14..http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53287 lga15s35-in-f14..http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53283 lga15s35-in-f2.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53282 lga15s35-in-f2.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53277 lga15s35-in-f2.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53276 lga15s35-in-f2.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53275 lga15s35-in-f2.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53274 lga15s35-in-f4.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53273 lga15s35-in-f4.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53271 lga15s35-in-f4.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53270 lga15s35-in-f4.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53268 lga15s35-in-f4.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53266 lga15s35-in-f4.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53138 lga15s35-in-f15..https CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53136 lga15s29-in-f16..https CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53077 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53076 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53075 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53074 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53073 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53072 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53071 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53070 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53069 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53068 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53067 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53066 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53065 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53064 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53062 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53061 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53060 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53059 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53058 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53057 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53056 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53055 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53054 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53053 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53052 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53051 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53050 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53048 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53047 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53046 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53045 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53043 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53042 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53038 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53036 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53035 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53034 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53032 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53031 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53030 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53029 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53028 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53027 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53026 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53025 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53024 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53023 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53022 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53021 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53020 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53019 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53018 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53017 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53016 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53015 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53013 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.53008 lga15s35-in-f8.1.http CLOSE_WAIT

tcp4 0 0 curt-studio-a.lo.49159 17.172.232.200.5223 ESTABLISHED

udp46 0 0 *.* *.*

udp6 0 0 *.61601 *.*

udp4 0 0 *.61601 *.*
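Nobody answered the post above, so here is how a practitioner would read that output. The `w` listing shows two sessions, both with `-` in the FROM column, which means both started locally (the console login and the Terminal window running `w` itself); a network login would show a hostname or IP there. The long run of CLOSE_WAIT sockets to Google front-end hosts on http is what a browser leaves behind when servers close idle keep-alive connections before the browser does, and the one established connection to 17.172.232.200 on port 5223 is Apple's push-notification service. What would actually merit attention is an established connection to a port no normal desktop application uses, and plain `netstat` does not show listening sockets at all; `netstat -an` is needed for that. The script below is an added example written for this page, not code from the poster or from Apple; the first netstat rows and the `w` output are copied from the post, and the row to 198.51.100.9 on 6667 is constructed to show what a flagged entry looks like.

```python
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Foreign ports that are unremarkable for a Mac that is browsing: web traffic,
# plus 5223, the port the Apple push notification service (APNs) uses, which is
# what the 17.172.232.200 connection in the post is.
EXPECTED_REMOTE = {"http", "https", "5223"}


@dataclass
class Sock:
    proto: str
    local_port: str
    remote_host: str
    remote_port: str
    state: str  # empty for UDP, which has no connection state


def parse_netstat(text: str) -> List[Sock]:
    """Parse plain `netstat` output as pasted in the post. BSD netstat prints each
    address as <host>.<port> and truncates long hostnames (hence entries like
    'lga15s35-in-f14..http'), so the port is whatever follows the last dot."""
    socks = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or not parts[0].startswith(("tcp", "udp")):
            continue  # banner and column-header lines
        proto, local, remote = parts[0], parts[3], parts[4]
        state = parts[5] if len(parts) > 5 else ""
        socks.append(Sock(proto, local.rsplit(".", 1)[1], *remote.rsplit(".", 1), state))
    return socks


def summarize(socks: List[Sock]) -> Tuple[Counter, List[Sock]]:
    """Return TCP state counts and the ESTABLISHED connections to unexpected ports.
    CLOSE_WAIT means the remote side hung up and the local application has not
    closed its end yet; dozens of them to web servers are leftover browser
    connections, not an intruder. Plain `netstat` omits listening sockets, so
    use `netstat -an` when reviewing what the Mac itself is serving."""
    tcp = [s for s in socks if s.proto.startswith("tcp")]
    by_state = Counter(s.state for s in tcp)
    unusual = [s for s in tcp if s.state == "ESTABLISHED" and s.remote_port not in EXPECTED_REMOTE]
    return by_state, unusual


def remote_logins(w_text: str) -> List[Tuple[str, str, str]]:
    """From `w` output, return (user, tty, from) for sessions whose FROM column is
    not '-'. A '-' means the session started locally (console or a Terminal
    window); a hostname or IP there is a network login that needs explaining."""
    sessions, seen_header = [], False
    for line in w_text.splitlines():
        parts = line.split()
        if not seen_header:
            seen_header = bool(parts) and parts[0] == "USER"
            continue
        if len(parts) >= 3 and parts[2] != "-":
            sessions.append((parts[0], parts[1], parts[2]))
    return sessions


# Sample input: netstat rows 1-4 and the `w` output are copied from the post;
# the 6667 (IRC) row is constructed to show what a flagged connection looks like.
NETSTAT_SAMPLE = """Active Internet connections
Proto Recv-Q Send-Q Local Address Foreign Address (state)
tcp4 0 0 curt-studio-a.lo.54225 lga15s35-in-f9.1.http ESTABLISHED
tcp4 0 0 curt-studio-a.lo.53982 lga15s29-in-f4.1.http CLOSE_WAIT
tcp4 0 0 curt-studio-a.lo.53138 lga15s35-in-f15..https CLOSE_WAIT
tcp4 0 0 curt-studio-a.lo.49159 17.172.232.200.5223 ESTABLISHED
tcp4 0 0 curt-studio-a.lo.49200 198.51.100.9.6667 ESTABLISHED
udp4 0 0 *.61601 *.*
"""
W_SAMPLE = """18:51 up 6:20, 2 users, load averages: 1.65 1.52 1.35
USER TTY FROM LOGIN@ IDLE WHAT
appleuser console - 12:39 6:12 -
appleuser s000 - 18:51 - w
"""

if __name__ == "__main__":
    by_state, unusual = summarize(parse_netstat(NETSTAT_SAMPLE))
    print(dict(by_state))
    for s in unusual:
        print("check:", s.remote_host, s.remote_port)
    print("remote logins:", remote_logins(W_SAMPLE) or "none")
```

On the output actually posted, this reports no remote logins and no unexpected established connections; the CLOSE_WAIT pile is noise. The check that is missing from the post, and that this script cannot supply from its input, is `netstat -an` (or `lsof -i -P`) to see which processes are listening for inbound connections.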

