JohnyCanuck
(1000+ posts)
Sat Jan-24-04 08:32 PM
Original message
Computer security/firewall question for Gurus
Edited on Sat Jan-24-04 08:35 PM by JohnyCanuck
I'm running the free version of Kerio Firewall 4.0 on my Win 98 PC. I recently turned on the logging function and noticed messages in my log indicating Microsoft File and Printer Sharing was attempting to send outbound UDP packets to various IP addresses which whois searches show as belonging to various telcos and communication companies (I'm assuming ISPs) scattered all over the globe, e.g. US, Brazil, Turkey etc. This happens about 2 or 3 times per minute. Currently I have this traffic blocked by the firewall so it is not getting out, although when I first noticed it in the logs it was being allowed out.
I have no unusual or unidentified tasks or programs showing up in the task monitor. I've run spybot and ad-aware 6.0 to see if that made a difference. When I ran ad-aware and removed some tracking cookies I thought it had fixed the problem because the messages seemed to stop for a while, but then they started up again a few hours later and yet ad-aware shows no more objects found when I run it.
I installed Kazaa just over a year ago, but I haven't used it in ages and I have it configured NOT to start automatically at startup (confirmed by the Task List that Kazaa.exe is not running). I've only got one TCP/IP connection on the computer, i.e. my DSL connection to my ISP. Also Microsoft file and print sharing is NOT bound to the PPPOE protocol or to the NIC.
Anyone have any idea what on earth could be causing this (spyware, trojan etc) and/or how to get it to stop? Here are a couple of sample lines from the firewall log. (E1H3E0 is my PC)
Microsoft file and printer sharing -> Out E1HE3E0:nbname 209.222.187.39:nbname UDP denied
Microsoft file and printer sharing -> Out E1HE3E0:nbname 209.161.238.255:nbname UDP denied
Am I correct in assuming that the packet to 209.161.238.255 would be a multicast to any computers within the 209.161.238.xxx subnet?
Any suggestions or helpful comments would be much appreciated.
kiahzero
(1000+ posts)
Sat Jan-24-04 08:35 PM
Response to Original message
1. The 255 one is not necessarily a multicast
You can have a x.x.x.255 IP address.
Not sure why your PC is trying to broadcast UDP packets... can you get the outbound port?
JohnyCanuck
(1000+ posts)
Sat Jan-24-04 08:39 PM
Response to Reply #1
2. No port #s in the firewall log
Unfortunately the Port #s don't show up in the log file. I've looked through the help info from Kerio but haven't yet seen anything that would tell me how to get that info to show up.
Nlighten1
(1000+ posts)
Sat Jan-24-04 08:41 PM
Response to Reply #1
3. x.x.x.255 is a broadcast address...
you can't use it for an IP address though.
Nlighten1
(1000+ posts)
Sat Jan-24-04 08:46 PM
Response to Reply #3
UDP is a connectionless protocol so I doubt this is anything suspicious. Windows 98 is very chatty and it uses broadcast traffic wayyyyy too much.
kiahzero
(1000+ posts)
Sat Jan-24-04 08:53 PM
Response to Reply #3
9. I could swear that I've got one at school
I'll have to check on that
Sentath
(1000+ posts)
Sat Jan-24-04 10:13 PM
Response to Reply #3
Unless I'm severely mistaken they have options in some of their IOS versions that let you use 255 in the last octet.
And another 'switch' that makes 0 an allowable host address.
ProdigalJunkMail
(1000+ posts)
Sat Jan-24-04 10:40 PM
Response to Reply #12
16. no reason to say 'bleeping cisco'
255 can absolutely be used in the last octet...just depends on the mask. 0 is just as valid...
TheProdigal
ProdigalJunkMail
(1000+ posts)
Sat Jan-24-04 10:38 PM
Response to Reply #3
15. dependent on the mask
it could be a valid IP address, but it is highly unlikely that it refers to a single station and is more likely intended for a group of machines...
TheProdigal
Nlighten1
(1000+ posts)
Sat Jan-24-04 08:42 PM
Response to Original message
go to http://www.foundstone.com and download their portscanner. Run it and see what ports are open and then open a DOS window and type NETSTAT.
JohnyCanuck
(1000+ posts)
Sat Jan-24-04 08:44 PM
Response to Reply #4
5. Going there now. thanks n/t
Nlighten1
(1000+ posts)
Sat Jan-24-04 08:48 PM
Response to Reply #5
7. Click on "Resources" and then click "free tools"
Edited on Sat Jan-24-04 08:49 PM by Nlighten1
Click on "Intrusion Detection" and then download FPort
JohnyCanuck
(1000+ posts)
Sat Jan-24-04 09:34 PM
Response to Reply #7
10. Unfortunately fport is not supported on Win98. DOH!!!!
but when I do the netstat command the current connections show up as:
Active Connections
Proto Local Address Foreign Address State
TCP e1h3e0:1025 localhost.look.ca:44334 ESTABLISHED
TCP e1h3e0:1027 localhost.look.ca:1029 ESTABLISHED
TCP e1h3e0:1029 localhost.look.ca:1027 ESTABLISHED
TCP e1h3e0:44334 localhost.look.ca:1025 ESTABLISHED
Nlighten1
(1000+ posts)
Sat Jan-24-04 10:04 PM
Response to Reply #10
11. Are you running Kazaa or something?
TCP e1h3e0:1025 localhost.look.ca:44334 ESTABLISHED
This is the only one I wonder about.
JohnyCanuck
(1000+ posts)
Sat Jan-24-04 10:16 PM
Response to Reply #11
13. Kazaa.exe is definitely not showing up in the task list
Kazaa is installed on my system but configured not to start at bootup (ie not in the startup list in msconfig) and when I do the ctrl alt delete thing and check the task list kazaa.exe is not running. I went through every task in the task list and if I didn't know what it was I checked the name in Google and all tasks appear to be legitimate windows tasks or firewall, antivirus etc. programs. I don't have any other P2P software installed that I am aware of (other than kazaa) and I am the only user on this PC.
I tried to remove Kazaa altogether using the add/remove programs in Ctrl panel but got an error indicating a dll file was missing and the remove failed at that point.
Nlighten1
(1000+ posts)
Sat Jan-24-04 10:37 PM
Response to Reply #13
Go here and download TCP View: http://www.sysinternals.com/ntw2k/source/tcpview.shtml
Run it and see if you can find the program that has that port open. Also tell me the status (listening etc.)
JohnyCanuck
(1000+ posts)
Sat Jan-24-04 11:09 PM
Response to Reply #14
Sorry Nlighten1, but in Win98 the tcpview program doesn't show the programs holding open the ports. However according to another poster on this thread these TCP connections are legit including the one with the high port # and the UDP stuff is probably just microsoft junk.
I guess I'll just say to hell with it for now and keep the UDP stuff blocked with the firewall. In the near future I plan to wipe the HD clean and install 2000 or XP so if by some chance it is something illegitimate that should take care of it.
Thanks for all your help.
ProdigalJunkMail
(1000+ posts)
Sat Jan-24-04 10:45 PM
Response to Reply #10
17. the 10xx ports are netbios and windows has those open
almost all the time...just a nuisance listening port for inbound traffic for netbios browsing...used by microsoft networking and sharing
Port 44334 is an ephemeral port and is used temporarily while a connection is open...this is all referenced to localhost (which is your machine) and should be of little concern
TheProdigal
ConcernedCanuk
(1000+ posts)
Sat Jan-24-04 08:51 PM
Response to Original message
8. Re AdAware - I'm running 6.0
...and I do the "update" thing on a regular (at least weekly) basis.
It makes a big difference, and it's an "update", as opposed to the "upgrade" that a lot of freeware tries to bug you with.
Now, I gotta find that Freeware, Kerio Firewall 4.0 you mentioned !
I'm off to aGooglin' :toast:
mvd
(1000+ posts)
Sun Jan-25-04 02:54 PM
Response to Reply #8
22. Beware of the 4.0 series
Edited on Sun Jan-25-04 02:55 PM by mvd
It is still a beta-quality type product, even though Kerio treats it as final. Also, you have to pay if you want active-content blocking. The free 2.x series has a very good reputation, but it's not for security novices.
ProdigalJunkMail
(1000+ posts)
Sat Jan-24-04 10:48 PM
Response to Original message
18. most likely what you are seeing
is netbios traffic that windows uses for file and print sharing and since it is sent to a broadcast address it is not leaving your local network and certainly not crossing out onto the internet. Your ISP would be dropping this traffic if it were to make it that far. There is nothing to worry about here as these ports are maintained as open for the process of browsing in windows.
If you were to turn off file and print sharing these would go away. If you will check YOUR IP address I think it will probably be in the same range of numbers 209.161.238.xxx.
TheProdigal
JohnyCanuck
(1000+ posts)
Sat Jan-24-04 11:03 PM
Response to Reply #18
19. Are you referring here to the UDP traffic in my original post?
What had me somewhat alarmed was when the whois lookups on the IP addresses I was trying to connect to showed them as belonging to Telcos and telecom companies all over the globe. I thought if it was just legitimate Microsoft traffic the IP addresses would show up as belonging to Microsoft. Some of the addresses are broadcast, ie the last octet being 255, but some are also individual IP addresses as well.
However I have them blocked with the firewall, so I guess I won't lose any sleep over it. I figure it's about time I upgrade to 2000 or XP anyway so sometime soon I'll probably reformat the HD and install a new OS anyway. Thanks for your input.
ProdigalJunkMail
(1000+ posts)
Sat Jan-24-04 11:09 PM
Response to Reply #19
the IP addresses you are seeing are commonly allocated by ISPs and you would see nothing of Microsoft's addresses. The communications you are seeing are most likely internal microsoft browsing stuff and are little or nothing to be worried about. The IP addresses that are NOT broad/multicast in nature might be an issue though. Definitely run your spyware assassin of choice.
By the by, unless you have need of Win2000 (variant of the older NT tech) go with XP. I have it running here beside my Linux station and have been fairly pleased with it!
Good luck! TheProdigal
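As an added example (not from the thread, from Kerio or from any poster), a Python triage of the Kerio log format quoted in the original post that makes two points from the replies concrete: whether a .255 destination is a broadcast depends on the subnet mask, and the off-subnet unicast destinations are the ones worth a closer look. The local subnet 209.161.238.0/24 (and /23 for contrast) is an assumption; the first two sample lines are the poster's, the other two are constructed.

```python
import ipaddress
import re

# Constructed sample in the shape of the Kerio Personal Firewall entries quoted in the
# thread: the first two lines are the poster's, the last two are made up for this example.
SAMPLE_LOG = """\
Microsoft file and printer sharing -> Out E1HE3E0:nbname 209.222.187.39:nbname UDP denied
Microsoft file and printer sharing -> Out E1HE3E0:nbname 209.161.238.255:nbname UDP denied
Microsoft file and printer sharing -> Out E1HE3E0:nbname 209.161.238.17:nbname UDP permitted
Microsoft file and printer sharing -> Out E1HE3E0:nbdatagram 209.161.238.255:nbdatagram UDP permitted
"""

# "<app> -> <In|Out> <host>:<port> <ip>:<port> <proto> <action>"; ports may be service names.
LINE_RE = re.compile(
    r"^(?P<app>.+?) -> (?P<dir>In|Out) (?P<src>[^:\s]+):(?P<sport>\S+) "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\S+) (?P<proto>\w+) (?P<action>\w+)$"
)

def parse_line(line: str):
    """Fields of one traffic entry as a dict, or None for any other line."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_destination(dst: str, local_cidr: str) -> str:
    """Place dst relative to the PC's own subnet (local_cidr is an assumed value).

    A trailing .255 is a broadcast only if the mask says so: under /24 the subnet
    broadcast is x.x.x.255, but under /23 x.x.<even>.255 is an ordinary host address.
    Anything outside the local subnet is 'offnet' regardless of its last octet.
    """
    net = ipaddress.IPv4Network(local_cidr)
    addr = ipaddress.IPv4Address(dst)
    if addr == net.broadcast_address or addr == ipaddress.IPv4Address("255.255.255.255"):
        return "onnet-broadcast"
    if addr in net:
        return "onnet-unicast"
    return "offnet"

def triage(log_text: str, local_cidr: str) -> dict:
    """Count entries per class and list the off-subnet destinations worth a closer look."""
    counts = {"onnet-broadcast": 0, "onnet-unicast": 0, "offnet": 0}
    offnet = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        kind = classify_destination(entry["dst"], local_cidr)
        counts[kind] += 1
        if kind == "offnet":
            offnet.append((entry["dst"], entry["dport"], entry["action"]))
    return {"counts": counts, "offnet": offnet}
```

Running `triage(SAMPLE_LOG, "209.161.238.0/24")` reports two subnet broadcasts, one on-subnet unicast and one off-subnet destination (209.222.187.39); with "209.161.238.0/23" the same .255 lines become ordinary unicast hosts.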