Packet drop errors

Cheryl

I am wondering if someone knows how to read this. It is from the event log of my 2Wire DSL modem.

FW: severity=low src=xx.xxx.xxx.xx dst=xx.xxx.xxx.xx ipprot=6 sport=1887 dport=6129 TCP Port Scan Detected, Packet Dropped

This is showing up at least twice every hour. What does it mean?
 
Is it always tcp port 6129 they're trying to connect to, or is that just an example?

Could be someone is actually trying to see what services are running on your computer - more likely not 'someone' but 'some computer(s) possessed by a virus' that is trying to spread itself.

I did a quick check - 6129/tcp is the port used by something called "Dameware Mini Remote Control" software, remote admin software supposedly intended for help desks & network admins. It's a Windows thang, so you should have nothing to worry about (http://www.dameware.com). Supposedly some worms install dameware for later control of infected computers.

Some versions of the Agobot worm (probably other worms too) scan for 6129/tcp. Dunno whether it's looking for vulnerabilities in some versions of dameware, or default passwords or what...
 
Interesting. No, it is not just port 6129. I also have the same kind of record with port 3127, 2745, and 80.

Could this be my firewall (modem's) stopping it and dropping the packets?

It is not only my machine that is on this modem. My husband's Windows XP is also connected. Now should I worry?
 
Scruffy,

You gave me the hint I needed. Did more research and found:

Possibly an infected machine trying to spread its virus.

"A machine infected with Phatbot/Agobot has been known to scan some of the following TCP ports in rapid succession (and not necessarily this order): 2745 1025 80 3127 6129 1433 5000 445 443 135"

"search for worms that are using this port 6129 and discovered from Symantec »securityresponse.symantec.com/avcenter.. that it is probably W32.Mockbot.A.Worm Discovered on: February 25, 2004."

It is my firewall that is dropping these packets.

I must keep my antivirus updated on both machines and keep the firewall on always.
 
Yeah, probably nothing much to worry about as long as you're careful with updates and firewall.
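An added example, not part of the thread: a short Python parser for log lines in the format posted above. It groups dropped TCP packets by source address and flags sources that probed several ports from the Phatbot/Agobot list quoted in the thread. The sample lines, the addresses and the two-port threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Ports the thread quotes as scanned by Phatbot/Agobot-infected machines.
QUOTED_SCAN_PORTS = {2745, 1025, 80, 3127, 6129, 1433, 5000, 445, 443, 135}
MIN_DISTINCT_PORTS = 2  # assumption: a single hit on a common port such as 80 proves little

LINE_RE = re.compile(
    r"FW: severity=(?P<severity>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"ipprot=(?P<ipprot>\d+) sport=(?P<sport>\d+) dport=(?P<dport>\d+) (?P<msg>.*)"
)

def parse_line(line):
    """Return the fields of one firewall log line as a dict, or None if it does not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("ipprot", "sport", "dport"):
        rec[key] = int(rec[key])
    return rec

def summarize(lines):
    """Map each source address to the TCP ports it probed and whether they fit the quoted list."""
    ports_by_src = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        # ipprot=6 is the IP protocol number for TCP; skip anything else or not dropped.
        if rec is None or rec["ipprot"] != 6 or "Packet Dropped" not in rec["msg"]:
            continue
        ports_by_src[rec["src"]].add(rec["dport"])
    report = {}
    for src, ports in ports_by_src.items():
        listed = sorted(ports & QUOTED_SCAN_PORTS)
        report[src] = {"ports": sorted(ports), "listed_ports": listed,
                       "matches_quoted_list": len(listed) >= MIN_DISTINCT_PORTS}
    return report

# Constructed sample lines in the modem's format; addresses are documentation ranges.
SAMPLE_LOG = """\
FW: severity=low src=203.0.113.7 dst=198.51.100.20 ipprot=6 sport=1887 dport=6129 TCP Port Scan Detected, Packet Dropped
FW: severity=low src=203.0.113.7 dst=198.51.100.20 ipprot=6 sport=1890 dport=3127 TCP Port Scan Detected, Packet Dropped
FW: severity=low src=203.0.113.7 dst=198.51.100.20 ipprot=6 sport=1893 dport=2745 TCP Port Scan Detected, Packet Dropped
FW: severity=low src=192.0.2.44 dst=198.51.100.20 ipprot=6 sport=4021 dport=80 TCP Port Scan Detected, Packet Dropped
(constructed noise line that is not a firewall record)
""".splitlines()

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A source that touches only port 80 is left unflagged here, since ordinary web traffic and unrelated scanners also hit that port.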
 