Old 01-22-2007, 06:57 PM   #1
6502
Major Leaguer
 
Join Date: Mar 2006
Posts: 335
Why do I get "Stealth Mode Connection Attempts" from MacOSXHints?

My system log shows stealth mode connection attempts from 129.250.134.25, which is MacOSXHints.com's IP address.

These messages usually hit me a couple of minutes after visiting the web site and continue for a while after closing my web browser.

A brief excerpt from the log...
Jan 22 18:48:45 G4-Desktop kernel[0]: Stealth Mode connection attempt to TCP 192.168.1.101:58511 from 129.250.134.25:80
Jan 22 18:49:09 G4-Desktop kernel[0]: Stealth Mode connection attempt to TCP 192.168.1.101:58511 from 129.250.134.25:80
Jan 22 18:49:58 G4-Desktop kernel[0]: Stealth Mode connection attempt to TCP 192.168.1.101:58511 from 129.250.134.25:80

I don't think I'm being hacked by Rob Griffiths.

I've never really understood why connecting to legitimate web sites sometimes results in a flood of these messages. And why it shows a connection attempt on port 58511.

Would anyone here care to tell me what happens to generate these messages?
Old 01-22-2007, 07:07 PM   #2
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,473
These are likely just delayed responses to a web page request made by your browser just before you quit your web browser.
The port 58511 is likely the port that was used by your web browser.

When a web browser makes a connection to port 80 on a web server, there will be some high-numbered port that the web browser uses on your machine as the 'incoming' port for responses from the web server.
You can see this happening if you run the following command (in a Terminal window) at the same time as the browser is accessing the web site:

sudo /usr/sbin/lsof -i -P

The lines that start with "Safari" (or whatever your browser is) indicate the ports being used by Safari.
__________________
hayne.net/macosx.html
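An added example, not part of the thread or of any poster's reply: a small triage script for the log format quoted in the first post, separating the case hayne describes (packets from a web server's port 80 arriving at a high-numbered local port the browser has already closed) from attempts aimed at a local service port. The function names, the 49152 ephemeral-port floor (assumed to be the OS default range) and the third sample line are assumptions made for the illustration.

```python
import re
from collections import Counter

# Constructed sample: the first two lines reuse the format and addresses quoted
# in the first post; the third is an invented contrast case (documentation IP).
SAMPLE_LOG = """\
Jan 22 18:48:45 G4-Desktop kernel[0]: Stealth Mode connection attempt to TCP 192.168.1.101:58511 from 129.250.134.25:80
Jan 22 18:49:09 G4-Desktop kernel[0]: Stealth Mode connection attempt to TCP 192.168.1.101:58511 from 129.250.134.25:80
Jan 22 18:52:10 G4-Desktop kernel[0]: Stealth Mode connection attempt to TCP 192.168.1.101:22 from 203.0.113.7:41822
"""

LINE_RE = re.compile(
    r"Stealth Mode connection attempt to (?P<proto>TCP|UDP) "
    r"(?P<dst_ip>[\d.]+):(?P<dst_port>\d+) from (?P<src_ip>[\d.]+):(?P<src_port>\d+)"
)
WEB_PORTS = {80, 443}      # remote ports a browser normally talks to
EPHEMERAL_MIN = 49152      # assumption: local outbound ports come from 49152-65535

def parse_line(line):
    """Return the fields of one Stealth Mode log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dst_port"], ev["src_port"] = int(ev["dst_port"]), int(ev["src_port"])
    return ev

def classify(ev):
    """Label an event by which side looks like the client in the exchange."""
    if ev["proto"] == "TCP" and ev["src_port"] in WEB_PORTS and ev["dst_port"] >= EPHEMERAL_MIN:
        return "late-reply"    # server answering a socket the browser already closed
    if ev["dst_port"] < EPHEMERAL_MIN:
        return "unsolicited"   # aimed at a service port: inbound attempt, worth a look
    return "unknown"

def summarize(log_text):
    """Count events per (remote endpoint, local port, verdict)."""
    counts = Counter()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            counts[(f'{ev["src_ip"]}:{ev["src_port"]}', ev["dst_port"], classify(ev))] += 1
    return counts

if __name__ == "__main__":
    for (src, dport, verdict), n in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}  {verdict:<11}  from {src} to local port {dport}")
```

A "late-reply" verdict is only a heuristic based on port numbers; the `lsof` command in the post above, run while the browser is still open, is what confirms that the local port belonged to the browser.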
Old 01-22-2007, 07:56 PM   #3
6502
Major Leaguer
 
Join Date: Mar 2006
Posts: 335
That's cool.

I haven't used lsof to get active connections/ports before. I typically use it to check for busy files. That's going into my repertoire!

If you don't mind a couple of follow-up questions...

What's the normal timeout on a web server for connection-requests? I don't get the messages from most servers -- just a select few such as macosxhints.com.

I've gotten these messages for several minutes after closing a browser window or clicking on a link before a page finishes loading. I'm still getting messages from 2 minutes ago when I briefly checked the forum index page. Does that point to a server-misconfiguration?
Old 01-22-2007, 08:50 PM   #4
hayne
Site Admin
 
Join Date: Jan 2002
Location: Montreal
Posts: 32,473
A few minutes doesn't seem too far out of line for a web-page timeout.
The content in question might be from an ad-server and these are often slow.

If you use "Ethereal" (under X11) or just 'tcpdump', you can look at the contents of those packets and see what they are about.
__________________
hayne.net/macosx.html
Old 01-22-2007, 10:39 PM   #5
6502
Major Leaguer
 
Join Date: Mar 2006
Posts: 335
Thanks!

Very useful info!
All times are GMT -5.