Freaky firewall log

This topic is archived.
Home » Discuss » Archives » General Discussion (01/01/06 through 01/22/2007)

Rex Donating Member (1000+ posts) Tue Apr-04-06 08:56 PM
Original message
Freaky firewall log
Saw this pop up on my firewall log today.

Somebody is scanning your computer.
Your computer's UDP ports:
1024, 1026, 1027, and 1029 have been scanned from 34.168.1.34..

First node:

OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US

NetRange: 192.168.0.0 - 192.168.255.255
CIDR: 192.168.0.0/16
NetName: IANA-CBLK1
NetHandle: NET-192-168-0-0-1
Parent: NET-192-0-0-0-0
NetType: IANA Special Use
NameServer: BLACKHOLE-1.IANA.ORG
NameServer: BLACKHOLE-2.IANA.ORG
Comment: This block is reserved for special purposes.
Comment: Please see RFC 1918 for additional information.
Comment:
RegDate: 1994-03-15
Updated: 2002-09-16

OrgAbuseHandle: IANA-IP-ARIN
OrgAbuseName: Internet Corporation for Assigned Names and Number
OrgAbusePhone: +1-310-301-5820
OrgAbuseEmail: abuse@iana.org

OrgTechHandle: IANA-IP-ARIN
OrgTechName: Internet Corporation for Assigned Names and Number
OrgTechPhone: +1-310-301-5820
OrgTechEmail: abuse@iana.org

# ARIN WHOIS database, last updated 2006-04-04 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


There is a masked node of *** right before Halliburton and has no WHOIS.

Backtrace source:

OrgName: Halliburton Company
OrgID: HALLIB-1
Address: 10200 Bellaire Blvd
City: Houston
StateProv: TX
PostalCode: 77072-5299
Country: US

NetRange: 34.0.0.0 - 34.255.255.255
CIDR: 34.0.0.0/8
NetName: HALLIBURTON
NetHandle: NET-34-0-0-0-1
Parent:
NetType: Direct Assignment
NameServer: A4.NSTLD.COM
NameServer: F4.NSTLD.COM
NameServer: G4.NSTLD.COM
NameServer: H4.NSTLD.COM
NameServer: J4.NSTLD.COM
NameServer: L4.NSTLD.COM
Comment:
RegDate: 1991-03-11
Updated: 2004-05-03

OrgAbuseHandle: IAP2-ARIN
OrgAbuseName: IP Abuse POC
OrgAbusePhone: +1-281-575-3000
OrgAbuseEmail: ipabuse@halliburton.com

OrgTechHandle: DNSAD52-ARIN
OrgTechName: DNSADMIN POC
OrgTechPhone: +1-281-575-3000
OrgTechEmail: dnsadmin@halliburton.com

# ARIN WHOIS database, last updated 2006-04-04 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.


It happened as soon as I turned on my PC today after coming home from work.

Anyone know what those ports go to?


markbark Donating Member (1000+ posts) Tue Apr-04-06 09:06 PM
Response to Original message
1. hurm....
Port 1024 UDP is reserved for future use (i.e. is used for nothing now)
Port 1026 UDP is used for Calendar Access Protocol
Port 1027 is unassigned
Port 1029 is used for solid-mux (whatever that is)

All these can be looked up from http://www.iana.org/assignments/port-numbers

I'm also puzzled as to why anyone would scan the 192.168.x.x subnet.
Those are RFC1918 numbers -- reserved for private use and as such, utterly unroutable. Most properly configured internet routers will happily drop them, so scanning anything in RFC 1918 space is an exercise in futility (unless one is scanning one's own private network)

Go figure...


--MAB
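
Added example (not part of the original thread): a Python sketch of the check reply #1 describes, parsing the alert quoted in the original post and labelling the reported source and each traceroute hop as RFC 1918 private or public. The `classify` and `triage` names and the hop list are constructed for illustration; the exact LAN address `192.168.1.1` is an assumption.

```python
import ipaddress
import re

# RFC 1918 private ranges: never routed across the public Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Alert text as quoted in the original post.
ALERT = ("Your computer's UDP ports: 1024, 1026, 1027, and 1029 "
         "have been scanned from 34.168.1.34..")

# Constructed hop list mirroring the post: a LAN first hop (exact address
# assumed), one hop that did not answer, then the reported source.
HOPS = ["192.168.1.1", "*", "34.168.1.34"]

ALERT_RE = re.compile(
    r"(?P<proto>UDP|TCP) ports:\s*(?P<ports>[\d,\sand]+?)\s*"
    r"have been scanned from (?P<src>\d{1,3}(?:\.\d{1,3}){3})")

def classify(addr):
    """Label one address or traceroute hop."""
    if addr == "*":
        return "no reply"            # hop dropped the probe; nothing to look up
    ip = ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    for net in RFC1918:
        if ip in net:
            return f"private {net}"
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved:
        return "special-use"
    return "public"

def triage(alert, hops=()):
    """Parse the alert and classify its source and each traceroute hop."""
    m = ALERT_RE.search(alert)
    if m is None:
        return None
    ports = [int(p) for p in re.findall(r"\d+", m.group("ports"))]
    return {
        "proto": m.group("proto"),
        "ports": ports,
        # 0-1023 are the IANA well-known ports; these probes sit above them.
        "all_above_well_known": all(p > 1023 for p in ports),
        "source": m.group("src"),
        "source_class": classify(m.group("src")),
        "hops": [(h, classify(h)) for h in hops],
    }
```

A private first hop is typically the local router, which is why its WHOIS returns the IANA reserved block rather than an owner. Because UDP has no handshake, the source address on a probe can be forged, so the WHOIS owner of the source is a lead rather than proof of origin.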

Rex Donating Member (1000+ posts) Tue Apr-04-06 09:13 PM
Response to Reply #1
3. Thanks!
Weird, I will check out solid-mux to see what that does.

BlooInBloo Donating Member (1000+ posts) Tue Apr-04-06 09:14 PM
Response to Reply #3
4. Can your firewall stealth all unused ports?
ZoneAlarm can - lots can, for that matter...

waiting for hope Donating Member (1000+ posts) Tue Apr-04-06 09:06 PM
Response to Original message
2. delete
Edited on Tue Apr-04-06 09:14 PM by waiting for hope

BattyDem Donating Member (1000+ posts) Tue Apr-04-06 09:16 PM
Response to Original message
5. All four of those ports are known trojan ports.
Edited on Tue Apr-04-06 09:16 PM by BattyDem
That doesn't necessarily mean that it is trojan activity, but you should definitely scan your computer for spyware using Ad-Aware and/or SpyBot. Both are free.

Get Ad-Aware here: http://www.lavasoftusa.com/
Get SpyBot here: http://www.safer-networking.org/



Get more info about the ports at these sites:

http://www.simovits.com/sve/nyhetsarkiv/1999/nyheter9902.html
http://www.my-proxy.com/content/Security%20Tech/The%20Well-known%20Trojan%20Ports.html
http://www.auditmypc.com/port/tcpudp-14.asp



On edit: Also, update your virus program and scan your system.


lpbk2713 Donating Member (1000+ posts) Tue Apr-04-06 09:25 PM
Response to Original message
6. Test your firewall here .....


Link: http://www.hackerwatch.org/probe/


If you're behind a router and have a software firewall in addition you probably have nothing to worry about.


