#31
Gerard Schroeder wrote in :

> On Thu, 15 Sep 2005 12:51:41 GMT, Duane Arnold wrote:
>
>> That's for you to determine by using a link like the one below and entering the IP into the WhoIs search box and finding out if the IP is dubious or not.
>
> That's only HALF the answer. All it tells you is WHO made the request. That doesn't tell you if the request is valid.

Well that's true and Sygate is really not telling you either.

> For example, the posted DNS address has NOT contacted me ever in the more than a year that my DSL to D-LINK setup has been in existence. So, WHY should a machine which purports to be a DNS machine all of a sudden contact me today?

I don't know why; you'll have to figure it out. For me, when the ISP's DNS servers wanted to contact the public or external WAN IP used by the FW appliance, it was due to me configuring a static IP on one of the machine's NICs on the LAN. I set the machine's NIC back to using a DHCP IP and I have not seen the DNS servers trying to initiate contact with my network.

> On the other hand, many of the requests happen every day all day. That STILL doesn't make them innocuous; it just makes them "probably" not suspicious. That would include, for example, the NDIS User mode I/O Driver, the NDIS Filter Intermediate Driver, the Generic Host Process for Win32 Services, etc.

You must have a Win XP machine as you're talking about NDIS User mode, where in my case the wireless NIC driver was using NDIS User Mode to phone home to several sites. So at the time I set BlackIce to not allow communications by the NDIS User Mode driver. I am not using wireless anymore, so I disable the Wireless Zero Configuration Service on XP to close that door.

> All I'm asking is for these events, none of which are explicitly user initiated, is it reasonable to tell the Sygate Personal Firewall to ACCEPT all these requests without complaint?

It comes down to you knowing what's happening and who is doing it and not using Sygate like a crutch, because Sygate is not giving you the true picture.

You talk about NDIS User Mode and whatnot, SVChost.exe (Generic Host Process), which are just doing their jobs and that is to communicate on the network LAN or WAN. It's not those processes that are initiating the communication, as they only do it on the behalf of other processes that are making the requests. You need to determine what those processes are that are doing it and make determinations if it's legit or not and take the appropriate action. One uses the proper tools like Process Explorer to look at processes and see what hidden processes are using a particular process, and not use Sygate like some kind of a crutch.

Long version http://www.pcworld.com/downloads/fil...780,RSS,RSS,00.asp
Short version http://tinyurl.com/99vur

The link talks about tools you can use.

Long version http://www.windowsecurity.com/articl...jan_Horses_and_Rootkit_Tools_in_a_Windows_Environment.html
Short version http://tinyurl.com/klw1

And for the particular Windows O/S you are using, you can go get a Windows Resource Kit book that will tell you everything about the O/S and what is happening. You may be able to check one out at the public library.

I don't have any solutions such as BlackIce with its Application Control running on my machines, because personal FW solutions that are using it are a worthless feature IMHO. I have BlackIce running on my laptop, but the Application Control feature is disabled as I don't need it asking me the ridiculous questions, as I have a good take on what's happening or I know how to use the proper tools and find out what is happening.

Some other tips, and there is one for Win 2K too.
http://labmice.techtarget.com/articl...ychecklist.htm

The buck stops with you and the O/S. It doesn't stop anywhere else.

Duane
#32
Gerard Schroeder wrote in :

> On Thu, 15 Sep 2005 13:43:02 GMT, Duane Arnold wrote:
>
>> If the user's machine was sitting behind a simple NAT router for the protection and not running the PFW solution on the machine, none of the ridiculous authorization questions the end-user is dealing with would be asked.
>
> I have DSL going to a D-Link just like everyone else. Is this D-Link wired and wireless transmitter the "NAT Router" you bespeak of?

You don't specify a model number, so I'll assume it's a wired/wireless AP router that falls into this category.
http://www.homenethelp.com/web/explain/about-NAT.asp

Duane
#33
Gerard Schroeder wrote:

> The question becomes:
> 1. HOW do users learn MORE about the PURPOSE of this OPEN NETWORK LIBRARY?
> 2. HOW do we obtain possible REASONS for a machine contacting us on this port?
>
> That advice was the purpose of the original question.

I don't know of a simple answer to your questions. The only people I have ever had contact with that could *possibly* explain the reasons for *every* incoming/outgoing packet are security experts - most notably firewall experts.

So, one of the posters gave a solution for you, a solution that I use frequently: deny the request and see if anything breaks.

Good luck.

--
The reader should exercise normal caution and backup the Registry and data files regularly, and especially before making any changes to their PC, as well as performing regular virus and spyware scans. I am not liable for problems or mishaps that occur from the reader using advice posted here. No warranty, express or implied, is given with the posting of this message.
#34
Gerard Schroeder wrote:

> I'm confused whether the D-Link wired and wireless box I have connected to the DSL modem is considered the "router" you bespeak of. Is it?

I can't say with 100% certainty if the D-Link is a router, but it probably is.
#35
Gerard Schroeder wrote:

> On Thu, 15 Sep 2005 06:14:04 GMT, nutso fasst wrote:
>
>> "Gerard Schroeder" wrote in message
>>
>>> snip
>>>
>>> What would be nice is for users to post (and for experts to doublecheck) what they consider to be innocuous requests uninitiated by them which appear in their yes/no request list from Sygate. I am willing to START that list of what appears to be common innocuous requests (for expert review).
>>
>> Google the name of the process initiating the outgoing connection.
>
> Here is my list of common requests not explicitly initiated by me which my Sygate Personal Firewall seems to report daily, so that others may consult it before accepting or rejecting a Sygate Personal Firewall request to allow access:
>
> NDIS User mode I/O Driver (ndisuio.sys) has received a Multicast packet from the remote machine [192.168.0.1]. Do you want to allow this program to access the network?

That's not important. 192.168.0.1 is from your LAN. If you receive a packet from a computer on your LAN, it's no big deal!

> NDIS Filter Intermediate Driver (eacfilt.sys) has received a Multicast packet from the remote machine [192.168.0.1]. Do you want to allow this program to access the network?

Ditto.

> NDIS Filter Intermediate Driver (eacfilt.sys) is trying to broadcast to [192.168.0.255] using remote port 137 (NETBIOS-NS - Browsing request of NetBIOS over TCP/IP). Do you want to allow this program to access the network?

So now this process (you may google it), but it's clearly harmless. It is on your comp, and sending a packet to every computer on your LAN. Don't think that one of your computers is attacking another!

> NDIS User mode I/O Driver (ndisuio.sys) has received a Broadcast packet from the remote machine [192.168.0.100]. Do you want to allow this program to access the network?

Ditto.

> Firefox (firefox.exe) is being contacted from a remote machine news.google.com [216.239.37.147] using local port 1615 (NETBILL-AUTH - NetBill Authorization Server). Do you want to allow this program to access the network?

I just use firefox as a web browser. It just makes outgoing connections. So, once the outgoing connection was made, packets go either way. Each outgoing connection may use a diff port; I don't see why this local port is called NETBILL-AUTH. Maybe I'm wrong, but this is firefox, nothing to worry about.

> Firefox (firefox.exe) is being contacted from a remote machine [206.13.28.12] using local port 1258 (OPENNL - Open Network Library). Do you want to allow this program to access the network?

Ditto. Dunno what this opennl is about - even after googling. But this is firefox, surely not receiving an incoming connection, unless you're not using it as just a web browser or something. Do you recognise OpenNL?!

> Generic Host Process for Win32 Services (svchost.exe) is trying to connect to [207.46.157.60] using remote port 443 (HTTPS - HTTP protocol over TLS/SSL). Do you want to allow this program to access the network?
>
> Generic Host Process for Win32 Services (svchost.exe) is trying to connect to time.windows.com [207.46.130.100] using remote port 123 (NTP - Network Time Protocol). Do you want to allow this program to access the network?

Windows does make these annoying outgoing connections. It may not be worth checking out what windows is doing. Any outgoing connection from svchost.exe should be considered fine, unless svchost.exe got overwritten by a malicious version. You can't be that paranoid on a windows system. Trust svchost.exe! It's a famous windows process, as sygate knows.

> Firefox (firefox.exe) is being contacted from a remote machine [80.237.203.14] using local port 4503. Do you want to allow this program to access the network?

Yes, you want to use your web browser.

The windows firewall which blocks all incoming connections is very good. Yes, malware may make outgoing connections. But at least you'll let windows processes communicate outside, and you'll let your browser communicate. And as has been said, don't be afraid of some spyware transmitting. If it's there, then remove it. If it were dangerous, it'd get past your attempt at blocking outgoing connections anyway. Blocking outgoing connections as paranoidly as you are now causes the mess that you have now. Far more stress than any spyware!!!
#36
Gerard Schroeder wrote:

> On Thu, 15 Sep 2005 15:48:26 +0100, Mike wrote:
>
>> Novices do not have the knowledge as you so patently demonstrate. You need a hardware firewall like the ones built into Zyxel routers etc.
>
> Is the D-Link wireless/wired box connected to the DSL modem set up in the default configuration sufficient?

It is a great help. It blocks all incoming connections. Beyond that, do not block all outgoing connections, or allow yourself to be hassled by your personal firewall over it. Use software, like Active Ports, that will list Established Connections. At least it won't hassle you with popups. It gives the process name. Do not look for great lists. Just google the name of the process that is making the outgoing connection. And if you get 100 links saying it's spyware, then you should start running different spyware removal utilities until you successfully get rid of it.

> Or is there something ELSE I should purchase to get this "hardware firewall"?

Your 'home router' (actually a NAT device) blocks incoming. I have a DLink one too. You can go to http://192.168.0.1 and configure it. Or if that doesn't work, find out its IP: open a command prompt (start..run..cmd ENTER), type ipconfig /all and see what it says for 'Gateway' (that is your 'router'). Do http://gatewayip. See, it has a firewall built in. But still, don't bother blocking outgoing connections, even with that. If you have spyware, get rid of it properly.

>> If you had a router you would not have seen it or been startled, plus you would have been protected.

And you do have a router ('home router'). It blocks incoming. Which is very good. You should look at outgoing but not be hassled with popups, and not be paranoid. Use google on an unknown process making an outgoing connection. Just see if google says it's spyware.
#37
Gerard Schroeder wrote:

> On Thu, 15 Sep 2005 19:25:21 -0600, Bruce Chambers wrote:
>
>>> Sygate Personal Firewall: Firefox (firefox.exe) is being contacted from a remote machine [206.13.28.12] using local port 1258 (OPENNL - Open Network Library). Do you want to allow this program to access the network?
>>
>> Do you have another computer on your internal network with that specific IP address? Is that computer allowed to connect to the Internet via your computer?
>
> Of course not! If I had another machine on the same tiny home network with that IP address (which would be highly unlikely in a 192.168.0.XXX network), then I would NOT have posted that specific request in the list above, as it would have been an obvious innocuous request.
>
> Again, knowing the machine name & owner is only HALF the story. Actually, it's only 1/3 the story, as the following is important:
> 1. WHO is the owner of that machine?
> 2. WHAT is the purpose of the port being used?
> 3. WHY is that machine contacting me?
>
> Is this information available somewhere?
>
> Note that the WHO part is trivial to obtain, e.g., we can obtain that from:
> http://www.dnsstuff.com
> http://www.nwtools.com
> http://www.netsol.com
> http://remote.12dt.com/rns
> http://www.zoneedit.com/lookup.html
> etc.; but that doesn't tell us WHAT or WHY.
>
> The WHAT part, albeit often highly technical, is not too very difficult to obtain, e.g., we can use any of the following which describe the ports:
> http://www.bekkoame.ne.jp/~s_ita/por...1200-1299.html
> http://www.seifried.org/security/ports/1000/1258.html
> http://www.iana.org/assignments/port-numbers
> http://www.sonomawireless.com/~ports/port1200-1299.html
> http://www.auditmypc.com/freescan/re...m/portlist.asp
> etc.; but that doesn't tell us WHY they contacted us.
>
> The WHY part is the key question. For example, WHY would dns1.snfcca.sbcglobal.net contact my machine on tcp/udp port 1258, named the Open Network Library?
>
> The question becomes:
> 1. HOW do users learn MORE about the PURPOSE of this OPEN NETWORK LIBRARY?
> 2. HOW do we obtain possible REASONS for a machine contacting us on this port?
>
> That advice was the purpose of the original question.

Difficult to know those answers, especially on a windows machine. So, ppl don't. The key thing is knowing that it isn't malware. Believe me, you can go further than you are in asking HOW and WHY. You could download Ethereal - a packet sniffer - and start asking why this program is sending this or that. It doesn't matter. You have to know what Processes/Programs you trust. I have no idea what that openNL was though. I'd have thought that local ports on the client side wouldn't have names. Anyhow, you trust firefox, don't you? And the Program/Process was firefox, so let it be. And if you see a process that you don't understand what it does, then google. Who cares what it does - all that matters is if it's a famous trojan process. If you're having problems with slow internet access, then it most probably is spyware. And if the spyware were really dangerous, it'd get past you. Maybe replacing it'd have replaced a known microsoft process, added some code, that process now makes an outgoing connection. You may want to run spyware checks. Try using the windows firewall only for a year, and see if you have problems. By the way, you are already blocking incoming connections with your router. So the windows firewall is doing the same thing, but it's just another layer of security. Even turning off the windows firewall won't be a prob, 'cos you're still blocking incoming connections anyway.
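The Sygate prompts quoted in posts #35 and #37 all share one sentence shape, so the WHO/WHAT/direction parts can be pulled out mechanically. Below is an added Python triage script (written for this page, not from the thread, from Sygate or from any poster) that parses the prompt texts copied from this thread and separates LAN broadcast/multicast noise, outbound connections, and inbound packets arriving on a local port in Windows XP's ephemeral client range (1025 up to the MaxUserPort default of 5000): Sygate labels that local port with whatever IANA name the number happens to carry (OPENNL, NETBILL-AUTH), which is why the name tells you nothing about the traffic.

```python
import ipaddress
import re

# Prompt texts as quoted in posts #35 and #38 of this thread (a constructed list; one missing bracket fixed).
SAMPLE_ALERTS = [
    "NDIS User mode I/O Driver (ndisuio.sys) has received a Multicast packet from the remote machine [192.168.0.1].",
    "NDIS Filter Intermediate Driver (eacfilt.sys) is trying to broadcast to [192.168.0.255] using remote port 137 (NETBIOS-NS - Browsing request of NetBIOS over TCP/IP).",
    "Firefox (firefox.exe) is being contacted from a remote machine news.google.com [216.239.37.147] using local port 1615 (NETBILL-AUTH - NetBill Authorization Server).",
    "Firefox (firefox.exe) is being contacted from a remote machine [206.13.28.12] using local port 1258 (OPENNL - Open Network Library).",
    "Generic Host Process for Win32 Services (svchost.exe) is trying to connect to time.windows.com [207.46.130.100] using remote port 123 (NTP - Network Time Protocol).",
    "Firefox (firefox.exe) is being contacted from a remote machine [80.237.203.14] using local port 4503.",
    "NT Kernel System (ntoskrnl.exe) is trying to send an ICMP Type 8 (Echo Request) packet to [202.232.13.185].",
]

# Windows XP assigns client-side (ephemeral) ports from 1025 up to MaxUserPort, default 5000.
EPHEMERAL = range(1025, 5001)

# One pattern for the prompt shapes seen in the thread: process (image) verb [host] [ip] [port clause].
ALERT_RE = re.compile(
    r"^(?P<name>.+?) \((?P<image>[^)]+)\) "
    r"(?P<verb>has received a (?:Multicast|Broadcast) packet from the remote machine"
    r"|is trying to broadcast to|is being contacted from a remote machine"
    r"|is trying to connect to|is trying to send an ICMP Type \d+ \([^)]*\) packet to) "
    r"(?:(?P<host>[^\s\[]+) )?\[(?P<ip>[^\]]+)\]"
    r"(?: using (?P<side>local|remote) port (?P<port>\d+)(?: \((?P<svc>[^)]*)\))?)?"
)


def triage(alert: str) -> dict:
    """Parse one Sygate prompt and say what its direction and port really tell you."""
    m = ALERT_RE.match(alert)
    if not m:
        raise ValueError(f"unrecognised alert text: {alert!r}")
    ip = ipaddress.ip_address(m["ip"])
    port = int(m["port"]) if m["port"] else None
    inbound = m["verb"].startswith(("has received", "is being contacted"))
    if ip.is_private or ip.is_multicast:
        verdict = "LAN traffic (private or multicast address): not an Internet contact"
    elif inbound and m["side"] == "local" and port in EPHEMERAL:
        verdict = (f"reply into ephemeral port {port}, i.e. a session {m['image']} opened itself; "
                   f"the label '{m['svc'] or 'none'}' is only the IANA name for that number")
    elif inbound:
        verdict = "unsolicited inbound from the Internet: check what is listening on that port"
    else:
        verdict = "outbound from this host: verify the process image, not the port name"
    return {"image": m["image"], "remote": m["ip"], "host": m["host"], "inbound": inbound,
            "side": m["side"], "port": port, "verdict": verdict}


if __name__ == "__main__":
    for alert in SAMPLE_ALERTS:
        r = triage(alert)
        print(f"{r['image']:<13} {r['remote']:<16} {'in ' if r['inbound'] else 'out'} {r['verdict']}")
```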
#38
I always wonder what to do when you get a spoofed IP through your NAT.

For example, this Sygate personal firewall message got me wondering what was REALLY going on here.

NT Kernel System (ntoskrnl.exe) is trying to send an ICMP Type 8 (Echo Request) packet to [202.232.13.185]. Do you want to allow this program to access the network? Yes No Details

Details:
File Version : 5.1.2600.2622
File Description : NT Kernel & System (ntoskrnl.exe)
File Path : C:\WINDOWS\system32\ntoskrnl.exe
Process ID : 0x4 (Heximal) 4 (Decimal)

Connection origin : local initiated
Protocol : ICMP
Local Address : 192.168.0.108
ICMP Type : 8 (Echo Request)
ICMP Code : 0
Remote Name :
Remote Address : 202.232.13.185

Ethernet packet details:
Ethernet II (Packet Length: 120)
Destination: 00-80-c8-b0-33-8a
Source: 00-20-e0-2d-07-a5
Type: IP (0x0800)
Internet Protocol
Version: 4
Header Length: 20 bytes
Flags:
.0.. = Don't fragment: Not set
..0. = More fragments: Not set
Fragment offset: 0
Time to live: 4
Protocol: 0x1 (ICMP - Internet Control Message Protocol)
Header checksum: 0x891b (Correct)
Source: 192.168.0.108
Destination: 202.232.13.185
Internet Control Message Protocol
Type: 8 (Echo Request)
Code: 0
Data (68 bytes)

Binary dump of the packet:
0000: 00 80 C8 B0 69 8A 00 20 : E0 8F 07 A5 08 00 45 00 | ....i.. ......E.
0010: 00 5C 01 6B 00 00 04 01 : 1B 89 C0 A8 00 64 CA E8 | .\.k.........d..
0020: 0D B9 08 00 E4 FF 03 00 : 10 00 00 00 00 00 00 00 | ................
0030: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0040: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0050: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0060: 00 00 00 00 00 00 00 00 : 00 00 4A 45 44 45 46 43 | ..........JEDEFC
0070: 41 43 41 43 41 43 41 43 : | ACACACAC
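The only hard evidence in this post is the binary dump, so it is worth reading the bytes rather than the summary pane. The following Python decoder is an added example (not from the thread, from Sygate or from any poster): it parses the "Binary dump" lines quoted above, decodes the Ethernet II, IPv4 and ICMP headers, verifies both checksums, and separates the IP datagram from the bytes that follow it in the frame. Note what the bytes actually say: the source address decodes to 192.168.0.100 (the summary pane shows .108), the IP header checksum is 1B 89 on the wire (Sygate prints it byte-swapped as 0x891b), the TTL is 4 rather than the 128 Windows sets by default, and the frame carries 14 bytes past the IP total length.

```python
import ipaddress
import struct

# The "Binary dump of the packet" from the Sygate details above, copied verbatim (raw string: the
# ASCII column contains a backslash).
SYGATE_DUMP = r"""
0000: 00 80 C8 B0 69 8A 00 20 : E0 8F 07 A5 08 00 45 00 | ....i.. ......E.
0010: 00 5C 01 6B 00 00 04 01 : 1B 89 C0 A8 00 64 CA E8 | .\.k.........d..
0020: 0D B9 08 00 E4 FF 03 00 : 10 00 00 00 00 00 00 00 | ................
0030: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0040: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0050: 00 00 00 00 00 00 00 00 : 00 00 00 00 00 00 00 00 | ................
0060: 00 00 00 00 00 00 00 00 : 00 00 4A 45 44 45 46 43 | ..........JEDEFC
0070: 41 43 41 43 41 43 41 43 : | ACACACAC
"""


def parse_dump(dump: str) -> bytes:
    """Turn Sygate's 'offset: hex : hex | ascii' lines back into the raw frame bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        hex_part = line.split("|", 1)[0].split(":", 1)[1]  # drop offset and ASCII column
        out.extend(int(tok, 16) for tok in hex_part.replace(":", " ").split())
    return bytes(out)


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 fold of 16-bit words; equals 0xFFFF when data already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def decode_frame(frame: bytes) -> dict:
    """Decode Ethernet II + IPv4 + ICMP headers and verify the IP and ICMP checksums."""
    dst_mac, src_mac, ethertype = struct.unpack("!6s6sH", frame[:14])
    ip = frame[14:]
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, csum = struct.unpack("!BBHHHBBH", ip[:12])
    ihl = (ver_ihl & 0x0F) * 4
    datagram = ip[:total_len]  # bytes past total_len are frame trailer, not IP payload
    icmp = datagram[ihl:]
    return {
        "dst_mac": dst_mac.hex("-"), "src_mac": src_mac.hex("-"), "ethertype": ethertype,
        "version": ver_ihl >> 4, "ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
        "ip_checksum": csum, "ip_checksum_ok": ones_complement_sum(ip[:ihl]) == 0xFFFF,
        "src": str(ipaddress.IPv4Address(ip[12:16])), "dst": str(ipaddress.IPv4Address(ip[16:20])),
        "icmp_type": icmp[0], "icmp_code": icmp[1],
        "icmp_checksum_ok": ones_complement_sum(icmp) == 0xFFFF,
        "icmp_payload_len": len(icmp) - 8, "trailer_len": len(ip) - total_len,
    }


if __name__ == "__main__":
    for key, value in decode_frame(parse_dump(SYGATE_DUMP)).items():
        print(f"{key:>17}: {value}")
```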
#39
On Sun, 18 Sep 2005 23:25:47 GMT, Milrose Lewis wrote:

> NT Kernel System (ntoskrnl.exe) is trying to send an ICMP Type 8 (Echo Request) packet to [202.232.13.185]. Do you want to allow this program to access the network?

That's a KNOWN TROJAN. Kill it! DO NOT let it access your SYSTEM! You have BIG PROBLEMS if that is occurring.

I suggest you immediately run a full system scan by going to http://grc.com/default.htm (press on the "Shields Up" link).

While you're at it, scan for the trojan that initiated this request: http://www.windowsecurity.com/trojanscan (works only with IE).

Since your system was obviously compromised, request a full system audit: https://secure1.securityspace.com/sm...sic_index.html

Only after running these three programs that everyone runs monthly will your system be safe from that trojan you have!
#40
"Michelle Peters" wrote in message . .. On Sun, 18 Sep 2005 23:25:47 GMT, Milrose Lewis wrote: NT Kernel System (ntoskrnl.exe) is trying to send an ICMP Type 8 (Echo Request) packet to [202.232.13.185]. Do you want to allow this program to access the network? That's a KNOWN TROJAN. Kill it! DO NOT let it access your SYSTEM! You have BIG PROBLEMS if that is occurring. Hmm... you might be right. That IP address appears to be in Japan and appears to have no DNS name. Is there any reason your machine should have been contacting Japan at that moment? [Doing a whois lookup of the IP address at www.netsol.com, which tells you to do a whois lookup at www.apnic.net, gives this information.] |