
Unknown host - no MAC address

Posted: Wed Nov 18, 2009 5:49 pm
by vinikon
Hi all,

I always see one unknown host which broadcasts from UDP port 67 to 255.255.255.68. There is only outgoing data transfer from this host. Additionally, it takes its own IP, which doesn't correspond to the settings of the DHCP server that I've set (I set that the addresses must be only 10.33.48.*** and this host is 10.43.***.***).


Please help me with your answers

Re: Unknown host - no MAC address

Posted: Thu Nov 19, 2009 3:48 am
by DoesItMatter
http://www.issociate.de/board/post/4281 ... rnet?.html

check that, it sounds like it may be something coming from your
cable / internet provider?

you could always try blocking that port with a firewall and
see what happens.

Re: Unknown host - no MAC address

Posted: Thu Nov 19, 2009 7:51 pm
by vinikon
OK, I've blocked in/out traffic to/from ports 67,68 - I see the same situation.

Also, I blocked access to the network by the IP of the host, and the host remains in the list of active connections.

Additionally, I began to see the 127.0.0.1:4096 to 127.0.0.1:53 connections.

Please help me with this...

Re: Unknown host - no MAC address

Posted: Fri Nov 20, 2009 3:13 am
by DoesItMatter
More info is needed on your setup.

Here's info for Port 4096:

http://www.auditmypc.com/port/tcp-port-4096.asp

and port info on Port 53:

http://www.linklogger.com/TCP53.htm

---------------------------------

Are you running a DSL modem and your router as a Bridge?

127.0.0.1 is your machine's internal loopback address.

About the only thing that could be suspicious is if you have
some type of spyware or trojan programs that are running and
you are unaware of those.

Re: Unknown host - no MAC address

Posted: Fri Nov 20, 2009 9:18 am
by vinikon
I'm running the cable modem, which also gives me telephone and digital TV. My provider tells me that I can't access this modem in any way.
The router is not a bridge. It's only an access point for my home network - most of the hosts are wired and only my laptop is wireless, and I've restricted access by MAC address in the firewall.

Just found this in /etc/config/firewall:

config 'rule'
	option 'src' 'wan'
	option 'proto' 'udp'
	option 'dest_port' '68'
	option 'target' 'ACCEPT'

Maybe it is the cause of the UDP traffic???

Re: Unknown host - no MAC address

Posted: Fri Nov 20, 2009 11:03 am
by DoesItMatter
If you've only got 1 wireless device... what you could try to do
maybe over Thanksgiving or something, is disable the wireless
and see what happens.

Check if that mysterious IP shows up.

If it does not, then you can eliminate all the wired clients and
just have to look at the wireless connection and/or whatever
may be on your laptop.

Break it down in pieces. I suspect it's nothing to be concerned
over as it looks like all these ports are used by normal DNS
and standard TCP/IP or UDP traffic.

Re: Unknown host - no MAC address

Posted: Fri Nov 20, 2009 4:12 pm
by vinikon
OK, I did many things at the same time:
1. Put a comment on the lines of /etc/config/firewall;
2. Disabled wireless;
3. Selected the option "allow clients to use alternate DNS servers" in Connection>basic>LAN.

I don't know what the cause of this is, but the host disappeared.

Sorry, it has appeared again. I don't know what to do...

BTW - netstat -a output gives this:
******
********
udp 0 0 0.0.0.0:67 0.0.0.0:*

And there's an unknown device - ifconfig gives this:
imq0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00