Windows Firewall Log Question

BillyJack asked 2 years ago

Out of curiosity, I recently started a Windows firewall log. Everything seems normal except when I visit one particular website.

When I visit that site, I will get several entries (3 to 12 in a row) like this:

DROP TCP XXX.XX.XX.XX 192.168.1.106 8080 1206 1500 A 2481002320 3877332167 6432 - - - RECEIVE

The IP will vary a little but when I do a lookup, they all trace back to the same company that owns the website in question.

Is this a indication of malicious activity? And what are they attempting to do?

I know that port 1500 is used by Macromedia flash and the site does use flash. But other sites that I visit also use flash and they do not generate these types of log entries.

I have also viewed my router log and see that it blocks incoming several TCP connections per day from various IPs (usually located in China or Russia). But there is no pattern, a particular IP will try for a while over several different ports and then “give up”.

From what I know, my router log is typical. Is it?

Thanks for any help. I hope I posted this question in the right catergory.

1 Answers
Rob Vargas Staff answered 2 years ago

The router stuff *is* typical. At one employer, we started blocking everything from those Chinese and sometimes Russian IP's simply because we were seeing 300-400 every night. They are probing for vulnerabilities. Basically the hacker equivalent of white noise.

The stuff WIndows Wirewall is logging, yeah, that sounds like Flash. Probably trying to access or to create cookies.

If you feel adventurous, you can shut down Windows Firewall before going to that site, and see if anything different happens. But if that's malicious stuff, then you're letting it in.

Know the answer? Login or sign up for an account to answer this question.
Sign Up